Getting Started: Web Site Privacy Policies

Posting privacy policies is essential in building trust between Web sites and their users; policies are created to inform users of a site’s data collection, use and disclosure practices.

Advice to consumers: The mere presence of a policy, however, does not mean that a site protects privacy. Clearly, a user must read the “fine print” carefully.

Advice to Web site operators: A good policy should be based on the fair information practices set forth in the OECD Guidelines and other compilations of privacy principles. Once created, the policy should be posted online with prominent links from pages where data is collected.

Here is a short set of questions that should be answered in a privacy policy:

  • What information is being collected? Is the information personally identifiable?
  • Why is it necessary to collect this information? Is the data collection appropriate to the activity or transaction? If not, why does the site need it?
  • How is the data being collected? Does the site set cookies? Does the site maintain web logs?
  • How is personal information used once it is collected? Is it ever used for purposes other than those for which a visitor has provided it? (If so, the visitor should be informed of the use.) Has the visitor consented to it? Does the visitor have the option to prohibit such secondary use? Can a visitor prohibit it and still enjoy the site?
  • Does the site offer different kinds of service depending on user privacy preferences? Does a user have a choice regarding the type and quantity of personal information that the site collects? Does the site disadvantage users who exercise data collection choices?
  • Can users access information that has been collected about them? Are users able to correct inaccurate data?
  • How long is personal information stored? Is it kept any longer than necessary for the task at hand?
  • What is the complaint and redress process? Whom can users contact?
  • What laws govern the collection? Is it a federal government site regulated by the Privacy Act? Is the entity collecting information regulated by another privacy law?

While some sites will need to go into highly specific detail on one or more questions, a good starting point is a short, easy-to-read set of answers with links to more specific information (e.g., descriptions of technical information in web logs, links to governing laws). This lets a user get a general idea without having to read through legalese and tech speak.

The team that creates a privacy policy should include all relevant Web site policy makers, legal advisors, the Webmaster, data managers, marketers and others.