Many website owners are tempted to ignore the privacy policy for their site because there isn't a lot of clear information on what it needs to contain. The privacy policy for a website is a very important element -- and it seems to become more important with each security breach reported in the news. A website privacy policy is the declaration you make to your website visitors about what you will do with the information gathered from them, how you are gathering that information and how the information will be stored (to name a few of the things it should cover).
Having a website (or online) privacy policy is only half the equation -- the second critical element is your organization's commitment to adhering to the statements made in the policy. It is important that all team members have a clear understanding of your organization's privacy practices and can clearly communicate them to customers and website users.
What your privacy policy should say is really up to your organization and its individual commitment(s) to privacy. To get a 100% accurate answer to this question for your specific situation (and accurate guidance) you really need to consult an attorney who specializes in laws related to digital and online media.
As a starting point, here are some basic guidelines and things to think about that we like to share with our clients when it comes to website privacy policies:
- The biggest topic is the collection of personal data. If your site is collecting this type of information you really should be explaining to your users (through your privacy policy) what you intend to do with that data.
- You should be clearly explaining how you collect private data through your website. Does your website use cookies or an online account system?
- If your website is an eCommerce website utilizing third-party merchant services there may be requirements your site needs to meet to comply with their terms.
- How do you store the information you collect?
- For what period of time do you hold collected data?
- Who within your organization has access to the data?
- If your website serves an audience (or anyone, for that matter) under the age of 13, there are specific requirements you must adhere to under federal law as set forth by the Children's Online Privacy Protection Act of 1998 (COPPA) - http://www.ftc.gov/ogc/coppa1.htm
- Does your site have any links to third-party websites or organizations (i.e., is your site displaying Google AdSense ads)? Many times these sites have their own privacy requirements that you need to incorporate in your policy.
- If your website is collecting data from users in California, the State of California created the "California Office of Privacy Protection"*, which mandates that:
  "If you operate a commercial website that collects personal information on California Residents:
  - Say what you do: Post a statement of your privacy policy in a conspicuous location on your Web site.
  - Do what you say: Comply with the terms of your privacy policy.
  - In your privacy statement, identify the categories of personal information that you collect through the Web site on people who use or visit your site.
  - In your privacy statement, describe any process you maintain that allows someone to review or ask for changes to any of his or her personal information collected through the Web site.
  - In your privacy statement, describe the process you use to notify those who use or visit your site of changes to your privacy policy.
  - In your privacy statement, identify the effective date of the policy."
  (California Business & Professions Code sections 22575-22579: Online Privacy Protection Act.)
- When was your website privacy policy last updated? A privacy policy is something that should be reviewed (and modified as deemed appropriate) at least once a year; we are talking about technology, and technology advances and changes quickly.
Take a moment to review your privacy policy and see if it meets today's needs of your organization and your website. If you don't have a privacy policy, hopefully this provides some clarification that yes, your website needs a privacy policy, and what your website privacy policy should cover.
Additional Resources:
- The Better Business Bureau has a pretty comprehensive starting point on their site: Sample Website Privacy Policy. Bear in mind you need to READ through this document, then modify it and adhere to it as your organization sees fit -- this is not a one-size-fits-all solution.
- Additional information regarding COPPA and how to comply - http://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Protection_Act
- The Smith Simmons, PLLC blog provides some more detailed reasons for needing a privacy policy - http://www.smithsimmons.com/blog/2016/june/website-privacy-policies/
*Disbanded; now under the authority of the California Attorney General - https://www.oag.ca.gov/privacy