Boring But Important: Why You Really Need A Privacy Policy

OK, I know you’re yawning at the headline already, and to be honest, I’m with you on this one: who really cares about things like privacy policies, right? They’re like those oft-maligned Apple terms and conditions we all blindly hit “agree” to without reading: just a bunch of legalese designed to cover their asses. Oh wait, yeah. Read that last line again. That’s exactly why you should care about privacy policies: they’re not just for the benefit of your website visitors, they’re designed to protect you too. And not against imaginary, insanely improbable disasters either, but real ones that happen all the time.

You’ll see it in the news constantly: the hacker group Anonymous has targeted Twitter accounts, or a system bug has exposed the personal data of millions of Facebook users. A couple of years ago, Evernote was forced to reset 50 million passwords after its systems were breached, and it is by no means the only major company to have faced this kind of problem.

With each new breach, the website privacy policy becomes more important (alongside actually beefing up your site security, of course; a policy describes what you do with data, it does not protect the data). Website visitors are getting warier about sharing information, and they want to know you aren’t using it improperly or storing it somewhere that might leave them exposed. So read on for an explanation of what a privacy policy is and why your website needs one.

What Is a Website Privacy Policy?

A website privacy policy is essentially a statement by you to your website visitors about what information you collect from them, how you collect it (forms, cookies, analytics, server logs), what you plan to do with it, and how and where you plan to store it. This disclosure is meant as a measure of protection for consumers.

What Should a Website Privacy Statement Include?

Your privacy policy statement should answer several questions. How do you collect data? Does your site use cookies? What do you intend to do with the data you collect? How do you store the information, and for how long? Who can access the data, and which third parties (hosting providers, payment processors, advertising or analytics services) receive it?

When you publish a website privacy statement, make sure it accurately reflects what your site actually does. That may seem obvious, but some website owners fail here; even when they are well-meaning and trying to give visitors accurate information, their statements are sometimes contradicted by the site’s real behaviour.

Law professor Jonathan I. Ezor, director of the Touro Law Center Institute for Business, Law and Technology, explains why:

"Most websites (especially business ones) have posted 'privacy policies,' but too many simply copy language they’ve found on other Web sites. The problem? The borrowed language may describe the practices of the other site, but may not be correct when it comes to the new site using the policy...."

Some language is particularly problematic. Consider a statement like, "We will not share your information with any third party," which Ezor describes as:

"Very reassuring; almost certainly false. When it comes to the Web, there are numerous legitimate third parties with whom the site owner must share user information just to operate the site: the site’s hosting company, the user’s own ISP (to whom the Web pages are transmitted on their way to the user), the courier delivering any purchases, the banks clearing credit card payments, etc. When it comes to privacy policies, inaccuracy can be expensive."

Disclosure Requirements

Be aware that laws are in place to protect audiences in certain locations and of certain ages. For example, if you're based in the U.S. and your site is directed at children under 13, or you know you are collecting personal information from them, you must adhere to the requirements set out in the Children's Online Privacy Protection Act of 1998 (COPPA), including obtaining verifiable parental consent before collecting that data.

In the U.S. the FTC and each state's Attorney General scrutinize websites for inaccuracies, and Ezor warns, "[T]he enforcers can and do sue and fine sites whose privacy policies are well-meaning but wrong." Here in Germany, where I’m based, it’s rumoured that there are law firms whose entire business is built around finding sites that lack a required Impressum (the mandatory legal notice identifying who operates the site, which sits alongside the separate Datenschutzerklärung, or privacy statement) and sending the owners a letter reminding them of the requirement, along with a bill for their time, of course.

Every country has different requirements, so you need to double check what the law is for you. In the U.K., for example, the Data Protection Act of 1998 covers any activity relating to data acquisition, organisation, retrieval, use, and disclosure, and requires that all processing be fair and lawful. The State of California has its own mandate (the California Online Privacy Protection Act, CalOPPA) for commercial sites collecting personal data from its residents: you must post a privacy policy that discloses what you do, and then do what you say, along with several other requirements.

Finally, if your site embeds third-party services (Google AdSense, for instance, or an analytics or advertising script), you may be contractually required to meet those services' privacy requirements as well, typically by disclosing in your own policy that they set cookies and collect data about your visitors.

The Takeaway

What you should take away from this is that your website needs a privacy policy that accurately discloses to your audience how you collect data, how you use it, and who has access to it. Accuracy is crucial, since both governments and the third-party services you embed impose requirements you must adhere to, and a policy that promises more than your site delivers is a liability rather than a shield. If you need help developing a privacy statement, the Better Business Bureau provides a sample policy you can modify to get started; just be sure to edit it to describe what your site actually does, for all the reasons above.