Privacy Policies

See FTC Enforcement of Privacy Policies.

According to the Federal Trade Commission, Online Privacy Policies should disclose the following:

• What information is collected;
• How the information is collected;
• How the information is used;
• Whether information is disclosed to others;
• How choice, access and security are provided to consumers;
• Whether other entities are collecting information through the site (e.g., third party advertisers); and
• Who is collecting the data.

See Fair Information Practices

The FTC has developed four criteria for effective privacy programs:

• Notice - Web sites should provide consumers clear and conspicuous notice of information practices, including what information is collected, how it is collected (e.g., directly or through less obvious means such as cookies or webbugs), how the information is used, how consumers are provided Choice, Access, and Security, whether information is disclosed to other entities, and whether other entities are collecting information through the site.
• Choice - Web sites should offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice encompasses bother internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities).
• Access - Web sites should offer consumers reasonable access to the information collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.
• Security - Web sites should take reasonable steps to protect the security of the information collected from consumers. [Privacy Online 2000 p. iii]

Privacy policies should be clear and free of contradictory or ambiguous language. When changes are made to policies, notice should be provided to individuals from whom the sites have collected material information, and affirmative opportunity to consent or opt out might be required. [Privacy Online 2000 p. 26]

Better policies are shorter.  They should not be buried in a barrage of legalize, terms and conditions, which of tern are too long and incomprehensible to consumers.  To be effective, privacy policies should build consumer trust.

Privacy Policy Generators can help get you started:

• DMA's Privacy Policy Generator
• Microsoft Privacy Wizard
• OECD Privacy Policy Generator
• Secure Assure Privacy Profile Wizard
• TRUSTe Privacy Statement Wizard

The FTC also recognizes that enforcement is also a necessary component of any successful privacy program. In self regulation efforts, enforcement may come about contractually where sites participate in privacy seal of approval trust programs and are confronted with potential removal from that program. The government may also have a role where sites post privacy information and fail to comply with those representations, or follow other privacy practices that might otherwise be considered deceptive.

Form of the Privacy Policy:

• Consumer readable policies
• Standardized policies
• Machine readable policies (P3P)
• Full policies
• Full screen privacy policies versus mobile device small screen privacy policies
  

Papers

• Center for Democracy and Technology, Behind the Numbers: Privacy Practices on the Web (1998)
• Georgetown Privacy Policy Survey: Report to the Federal Trade Commission (June 1999).