How to Craft a Privacy Policy for Your Website : Social Media Examiner

Does your website have a privacy policy?

This article will tell you what you need to know to create a privacy policy for your website.

Why a Privacy Policy?

As online professionals and entrepreneurs, you know that collecting information on visitors to your (or your client’s) website can help tailor goods and services. It offers insight that previously could only be gathered through expensive research. Today, though, data collection can be easy and inexpensive.

But with this type of information, businesses face a daunting task of protecting the data and telling visitors and/or consumers what will be done with the information. Regardless of whether site visitors read the terms and conditions, companies can’t overlook the creation of policies that set out how such information will be used.


Example of a well-placed privacy policy and descriptive link. Disney Muppets website.

Interestingly, except for regulated industries, there is no federal law requiring an online business to have a privacy policy. More importantly, no company has ever been sued for not having a privacy policy. But, for those businesses located in California or those that do business in California (many online companies!), there is a California state law requiring the posting of a privacy policy.

As professionals in the online world, often we’re expected to know all of the rules and regulations when it comes to what a company can and cannot collect or do with the information that is collected. Marketing wants to collect certain information and use it as a competitive advantage, but the company as a whole may want to convey a different sense of privacy, which creates internal conflict.

Privacy and personal data collection are areas where consulting with legal counsel may be necessary if your industry is regulated or if you want to be very aggressive with the data collected. The collection methods also need to be confirmed with the IT professionals who create the back-end tools.

In addition, following the policy set forth is imperative so there is no risk of sanctions. This is why having a policy custom-tailored will always be better than using a stock policy or cutting and pasting from what you find on the Internet.

The Elephant in the Room

It wouldn’t be a complete discussion about online privacy without mentioning Facebook and the recent ruling by the FTC that the social network deceived consumers by telling them their information was private when in fact the data was exploited beyond what was agreed.

While Facebook was not fined, the settlement is quite strict and obligates Facebook to undergo third-party reviews for 20 years.


Sometimes young companies learn the hard way.

For a platform that relies on users sharing information, Facebook turned a blind eye to the disparity between what they agreed to do and what, in fact, they did. But consumers are very savvy and complaints ignored by the company were taken to the FTC.

The social network faced the potential for millions of dollars in fines. Ultimately, though, that may have been a lesser punishment than what was agreed upon because of the length of monitoring.

Unlike for most companies, users of Facebook are highly involved and very vocal. Even though the company is still in its infancy, this big stumble was likely a wake-up call. Not just for the social network, but also for the online business community as a whole. Consumer deception is becoming a bigger concern, and Internet users are savvier with each passing day.

Creating a Great Privacy Policy

When you think of the policies and disclosures that belong on websites, it should come as no surprise that big companies have them drafted by a team of lawyers. If you’ve ever read them, you’d agree.

However, when it comes to a privacy policy, sometimes the best thing to do is write it out yourself first. You know best what you’re doing with the information. When it’s done, run it past an attorney.

What to Include in a Privacy Policy

First, and foremost, write it in plain English (or if your primary language is something else, then that language). Determine what information you would be gathering—email, cookies, subscription information, credit card, login, gender, age, etc.—and make sure there is a legitimate reason for collection. And once you have all this information, identify what you are doing with it.

Next comes putting it together—all it takes is 8 easy steps to an awesome privacy policy!

  1. Write in language that is easy to read and understand.
  2. Explain what information will be collected and whether it will be identifying or anonymous. If it’s both, say so.
  3. Without getting into lengthy detail, explain how it’s collected (such as search terms, sign-up, log files, clicked links, cookies).
  4. If you’ll share information with affiliated, partner or other sites, be clear about this. Most people are concerned with who else is getting their information.
  5. Simply state that if compelled by law to disclose, then you’ll comply with such orders.
  6. Give readers the option of verifying, correcting, changing or removing personal registration information. I suggest having a separate email for this purpose so you know exactly the nature of this communication.
  7. Provide a way for people to opt out of future communication. If someone wants to be removed, make it easy. Having a “privacy policy email” allows for these types of communications to be routed for easy handling.
  8. State that the policy will be updated periodically and how you will communicate such changes.

Privacy Policy Best Practices

Creating, updating, monitoring or managing privacy policies and practices may not be your responsibility. But that doesn’t mean you should ignore possible missteps. More importantly, those who are responsible may not know the rules, regulations or best practices.

For those who are responsible, whether it’s part of your job because you’re an entrepreneur and everything is your responsibility, or you’re hoping to add this area to your book of knowledge, there are best practices to keep in mind.

  1. Don’t ignore the FTC or state laws that provide minimum standards.
  2. Write the policy in plain English. If you have a lawyer draft your policy, ask that it be written so your consumer or visitor will clearly understand.
  3. Don’t cut and paste something you found for free on the Internet. Because the risk of penalties is very real, this is not the time to be cheap. Your policy should be your own and reflect the unique circumstances of your site.
  4. Update your policy regularly to reflect changes in the online environment, what your company actually does with information and clarify areas that may be vague. And once it’s updated, communicate the update!
  5. Follow the policy! If there is only one thing learned from the FTC sanctions of Facebook, it is that you should follow your policy and not engage in deceptive practices.
  6. Allow consumers, readers, forum visitors or others to opt out of having their personal information retained. And then follow through with their wish.
  7. Make your policy easy to find and accessible. One of the biggest complaints I hear is that the policies are buried or inaccessible due to broken links.
  8. Ensure that the stored information is, indeed, secure. Security breaches are not only very costly in terms of the infrastructure investment they force, but the potential disclosure or sale of private information can be devastating.
  9. Utilize a well-respected privacy certification program to add credibility.
  10. Do not ask for intrusive or excessively personal information unless it’s absolutely necessary. Consumers are getting savvier and are less willing to provide sensitive information if they don’t feel the situation merits such an intrusion. If you need this information, be clear as to why and include how you will protect the data.



Putting up a sign may work for your garden, but not for your online business.

Privacy policies are often not given the attention they deserve. Many companies churn them out, not realizing their true importance. While not everyone will read the policy, it’s these types of policies that say a lot about what the company stands for and what it wants to achieve. Information is key to future growth. It provides insight that can’t be replicated in other ways.

Most companies don’t have the resources or reputation that the largest social networking site has, and being singled out for deceptive practices could easily crush them.

Success tomorrow depends on not just doing the right thing today, but doing it every day. Most of us want our information kept secure. And our most valuable asset—our customers, users and community members—do too.

What do you think? Have you written a policy for your business? Leave your questions and comments in the box below.

* This article does not specifically address policies regarding children under 13. The Children’s Online Privacy Protection Act (“COPPA”) will be addressed in a future treatment.
Disclosure: While Sara Hawkins is an attorney, this article is for informational purposes only and is not to be considered legal advice.
Image: Simon Howden /
