There are numerous articles available on the internet listing reasons to have a privacy policy for your website. What makes this one different is that it includes a reference to recently introduced U.S. federal legislation requiring privacy policies from all entities that collect PII (personally identifiable information). This bill, in my opinion, is now the most compelling reason most websites and blogs need to have a privacy policy posted. Thus, it’s the first item in the list below.
Commercial Privacy Bill of Rights Act of 2011
Now, you might think that because you only operate a content-driven website or blog and don’t sell products, you do not need to be concerned. Think again. The Commercial Privacy Bill of Rights Act of 2011 includes email address in its list of data elements defined as PII. So, for example, if your site allows visitors to enter an email address to subscribe to a newsletter, you are a collector of PII and this proposed legislation applies to you.
As technology evolves and criminals find new ways to steal PII from companies of all sizes – particularly those with a presence on the internet – regulators, consumer advocates, and internet industry leaders continue to add measures to protect the public interest. A key element of that protection is a clear, comprehensive statement from businesses to customers (and employees) about how PII is collected, used, shared, stored, and disposed of.
The List
Here is my list of 11 reasons to have a privacy policy prominently posted on your website or blog:
1) U.S. Federal Law: The Commercial Privacy Bill of Rights Act of 2011 – This bill empowers the Federal Trade Commission to establish rules that require collectors of PII to provide, among other things, notice to individuals on PII collection practices and the purpose for such collection. Previously, the FTC only recommended this type of notice and took action when companies violated their own policies. Now, explicit notice will be required by federal law. Here is a link to the text of the bill at govtrack.us Commercial Privacy Bill of Rights Act of 2011. (Update: the bill died in committee.)
To be clear, there are numerous bills pending in Congress that address online privacy and full disclosure tends to be a common element. Just take a look at a recap compiled by InsidePrivacy.com. It’s an excellent summary of privacy and data security-related bills proposed at the federal level so far in 2011. In my opinion, however, the Kerry/McCain Commercial Privacy Bill of Rights Act, or something close to it, probably has the best chance to make its way into law. That’s just an opinion, of course. Time will tell. As a service to readers of this blog, I will update this post as significant information becomes available regarding this legislation.
Bottom line: it seems imminent that federal law will require all collectors of PII to maintain an accessible privacy policy.
2) State Laws – If forthcoming federal law is not enough impetus for you, some states already have laws on the books mandating online privacy policies. California and Massachusetts are two good examples. They explicitly require PII management procedures to be conspicuously posted on a website if PII is collected. With the federal government now mandating privacy policies, state laws are somewhat moot when it comes to the need to provide notice. However, many states have other very specific, stringent rules that must be followed if PII is collected from their residents. So, unless your site is equipped with software that filters out visitors from these states, it’s prudent to be aware of, and adhere to, those rules. For more information about state requirements check out one of my earlier articles entitled “Are Privacy Policies Required by Law?”
3) Analytics Software, Terms of Service – Some web analytics programs require users to have a privacy policy. Google Analytics, for example, requires users to disclose the use of a cookie that collects anonymous traffic data. See: Google Analytics Terms of Service, section 7.
4) Ad Networks, PPC & Affiliate Programs – If you advertise your site through an ad network such as Google AdWords or Microsoft Advertising, certain disclosures must be included in your site’s privacy policy. Likewise, if you monetize your site through a network or service (e.g., Google AdSense), similar disclosures may be required.
5) Crafting a privacy policy forces you to think through important issues – Once you start the process of formulating your site’s privacy policy, you will see there is a lot to consider. This thought process will not only help you minimize your risk of breaking the law, it will also help you gain a clear understanding of the inner workings of your site relative to things like tracking cookies, third-party cookies, and Flash cookies. Even if you have someone else write the document, as the owner/operator, in the eyes of the law, the buck stops with you. You need to have a clear understanding of its contents and make sure it jibes with reality.
6) Minimize Costs of a Breach – Costs associated with a PII breach can be both tangible and intangible. The tangible category includes court costs, attorney’s fees, regulatory fines, and more. For example, in settling with the FTC, it’s not uncommon for a company to be required to hire an independent, third-party auditor to assess its security program, in some cases for an extended period into the future (click here to go to the FTC website for an example case). Intangible costs include brand damage and a tarnished reputation. Typically, the larger the breach, the higher the costs. By implementing a well-defined PII data security plan, businesses can minimize the size of a breach, which will keep costs to a minimum.
7) Provide Clarity for Your Employees and/or Contractors – For companies that have HR departments, this is usually standard operating procedure. However, for busy online entrepreneurs with a small number of employees, the issue of PII security may fall to the low end of the priority list. Once a privacy policy has been finalized and documented, it’s a good idea for you to review it with your employees and contractors and have them sign for a copy. This will help minimize (or hopefully eliminate) breaches due to sheer ignorance on the part of individuals acting on your behalf. They can’t say they didn’t know!
8) Add Credibility to Your Website or Blog – Having a privacy policy link in the footer of every page of your site can add a level of credibility in the eyes of some savvy web surfers. Conversely, NOT having one there can raise a red flag and chase potential customers away. Now that privacy policies will soon be required by U.S. federal law, I suspect that the latter group will grow.
9) COPPA – The Children’s Online Privacy Protection Act (COPPA) is a federal law requiring website owners that collect PII from children under the age of 13 to have a privacy policy, among other stipulations. The goal is to give parents control over information collected from their children online and how that information is used. If you operate a commercial Web site or an online service directed to children under 13 that collects personal information from children or if you operate a general audience Web site and have actual knowledge that you are collecting personal information from children, you must comply with the Children’s Online Privacy Protection Act. (Source: http://www.coppa.org/comply.htm)
10) European Union – If you have a worldwide vision for your online business, you need to be aware that different PII security requirements exist outside the United States and you may need to expand your privacy policy. The European Union (EU), for example, is expected to introduce (sometime in 2011) the concept of the “right to be forgotten,” which allows individuals to request that their data be completely removed once it has served its original purpose. Holders of information, such as ISPs and search engines, may have to reveal who is collecting data and for what purpose. (Source: European Commission website, Safeguarding privacy in the digital age)
11) Courtesy – Last but not least, a good reason to post a clear, concise privacy policy on your website or blog is…it’s the right thing to do. Even if you do not collect any PII (no contact forms, no analytics support, and no ads that trigger tracking cookies), why not let your site visitors know that so they don’t have to wonder? If someone is willing to spend time on your site, they probably trust it/you. Why not repay that trust with full disclosure?
The internet can be a dangerous place when it comes to PII. Do yourself, your business, your customers, and your employees a favor and establish best practices for handling PII. The first step is writing a privacy policy.
Posted 3 years ago
jofra
The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018. The motive behind introducing such a regulation was to provide data subjects with more control over their personal data.
data protection policy template
Posted 14 years ago
John Mooney
Great info !