- Personally identifiable information (PII) is the most sensitive because it can be used to identify an individual. PII includes a person's legal name, e-mail address, physical mailing address, social security number, phone number, medical records, and bank account numbers or other financial data. Consumers feel most secure when the only PII you collect is information they provide to you directly, such as by filling out a form on your Web site.
- Non-PII is anonymous information that cannot be used to identify an individual. Non-PII is often used to track how visitors navigate your Web site, which pages were viewed most often, what other Web sites they have visited, and similar data.
You should also identify the technologies and methods your business uses to collect consumer information. Disclosing your methods accomplishes two things: it increases customers' trust and confidence in your business, and it helps technically savvy customers opt out of data collection. For non-technical customers, however, you should explain how they can opt out of providing both PII and non-PII.
How Collected Information Is Used
In this section you tell consumers exactly how you will and will not use the information you collect. Use this as an opportunity to sell them on your Web site's features and services. For instance, maybe you use cookies to track what articles they read so that you can suggest related articles.
Because e-mail spam is such a problem, the first question consumers usually have for a business is, "Will you give my e-mail address to anyone else?" Customers are usually most comfortable when their e-mail addresses are only used by the business they directly give them to. However, there are many situations where businesses can benefit from sharing their customers' e-mail addresses. Whether you plan to share customers' information or not, it is vital that your privacy policy accurately describes your business practices and, in the process, reassures customers so they will continue to provide the information you need to successfully run your business.
How Consumers Can Opt-Out
Generally speaking, PII should only be collected with the consumer's consent. Non-PII can be collected without the consumer's consent, but your privacy policy should clearly explain how the consumer can opt out of your data collection process. The actual steps for opting out depend on the type of information you collect and the technologies you use to collect it.
If you allow third-party advertising companies, such as 24/7 Real Media or DoubleClick, to run advertisements on your site, you should tell consumers how to opt out of these companies' information collection process as well. However, you do not have to provide the exact instructions; simply point customers to the appropriate page on the third party's Web site. Alternatively, if the third-party advertiser is a member of the Network Advertising Initiative (NAI), point your customers to the NAI opt-out page at http://www.networkadvertising.org/optout_nonppii.asp.
For more information about third-party advertisers and the NAI, please see our article "Introduction to Internet Advertising."
How Collected Information Is Kept Secure
Privacy and security are two separate issues, and your policy should address both. The security section of your privacy policy should describe how you ensure that all consumer information is protected from theft. If you share consumer information with business partners, it should also state what steps you take to ensure they keep the information secure.
With Whom You Share Collected Information
It is not necessary that you list every single company, business partner, or entity that you might share collected information with. You should, however, mention types of entities you will share information with; for instance: business partners, credit card companies, and government agencies. For each type of entity, list the type of collected information you would share and under what circumstances.
Getting More Information
There are several organizations that can assist your business by recommending privacy policies and security technologies, reviewing your privacy practices, and providing endorsements. One of the most respected is TRUSTe (www.truste.org), an independent, non-profit organization established to safeguard Internet privacy and security.
Look at your competitors' privacy policies and consider them from a customer's perspective. Make sure that your policy does a better job of informing and reassuring potential customers.
If you have questions about advertising and privacy laws, or how they are interpreted and applied to business, we recommend that you consult a lawyer. For information about running an Internet advertising campaign, see our article "Introduction to Advertising."