Ok, I know you’re yawning at the headline already, and to be honest, I’m with you on this one: who really cares about things like privacy policies, right? They’re like those oft-maligned Apple terms and conditions we all blindly hit “agree” to without reading: it’s just a bunch of legalese designed to cover their asses. Oh wait, yeah. Read that last line again. That’s why you should care about things like privacy policies: they’re not just for the benefit of your website visitors, they’re designed to protect you too. And not against any imaginary, insanely improbable disasters either, but real ones that happen all the time.
You’ll see it in the news constantly – the hacker group, Anonymous, has targeted Twitter accounts. Or a system bug exposed the personal data of millions of Facebook users. A couple of years ago, Evernote was forced to reset 50 million passwords after its security system was breached – and they are by no means the only major company to have faced this kind of problem.
What Should a Website Privacy Statement Include?
When you enact a website privacy statement, make sure it accurately reflects your policies. That may seem obvious, but some website owners fail to do this; even when they are well-meaning and trying to provide visitors with accurate information, their statements are sometimes contradicted by facts.
Law professor Jonathan I. Ezor, director of the Touro Law Center Institute for Business, Law and Technology, explains why:
"Most websites (especially business ones) have posted 'privacy policies,' but too many simply copy language they’ve found on other Web sites. The problem? The borrowed language may describe the practices of the other site, but may not be correct when it comes to the new site using the policy...."
Some language is particularly problematic. Consider a statement like, "We will not share your information with any third party," which Ezor describes as:
"Very reassuring; almost certainly false. When it comes to the Web, there are numerous legitimate third parties with whom the site owner must share user information just to operate the site: the site’s hosting company, the user’s own ISP (to whom the Web pages are transmitted on their way to the user), the courier delivering any purchases, the banks clearing credit card payments, etc. When it comes to privacy policies, inaccuracy can be expensive."
Be aware that laws are in place to protect audiences in certain locations and of certain ages. For example, if you're based in the U.S. and your site's audience includes visitors under age 13, you must adhere to certain requirements set forth under the Children's Online Privacy Protection Act of 1998 (COPPA).
Every country has different requirements, so you need to double-check what the law is where you operate. In the U.K., for example, the Data Protection Act of 1998 covers any activity relating to data acquisition, organisation, retrieval, use, and disclosure. The act requires fairness and lawfulness in all cases. The State of California has its own mandate for sites collecting data from its residents, which requires that you disclose what you do and do what you say, along with several other requirements.
Finally, if your site links to or embeds third-party services (Google AdSense, for instance), you may be required to adhere to the privacy requirements of those services as well.