Whether you run an online business, member site or organization, gathering information from site users and visitors is essential to providing the best experience possible. The same applies to real-world, brick-and-mortar establishments, as many businesses and organizations require personal information from customers and members who visit their shops or offices.
When a customer or member physically visits your location, though, the person has the peace of mind of being able to see or know with whom he/she is dealing. That aspect of the experience is not possible when using a website. Consequently, many Internet users are (and rightly so) wary of sharing personal or identifiable information online.
Modern Internet users are much more careful about sharing information than they were just a few years ago. However, most users are more than willing to share their contact or other identifiable data with sites – as long as they know who will see the information, for what purpose it will be used and how it will be protected. Implementing a comprehensive privacy policy on your site will go a long way in gaining the trust of customers or visitors of your website.
All members of the Online Privacy Alliance are required to post a privacy policy on their websites to ensure site visitors are aware of their rights regarding data and information collected. The following is meant to help clarify essential requirements for privacy policies as well as why they are required.
Why Your Site Needs a Privacy Policy
Besides the fact that all Online Privacy Alliance members are required to post privacy policies on their websites, there are other legal reasons you may need to do so. While the United States does not have any federal law that requires the posting of privacy policies on websites, many individual states do have this type of legislation. Additionally, the countries within the European Union (EU) have enacted similar legislation that requires websites that collect personal or identifiable data to post privacy policies describing its use.
If your site receives traffic from countries or jurisdictions that require privacy policies, you are obligated to follow the applicable laws or statutes. Even if you reside in a country or locale that does not require a privacy policy (or your server is hosted in such a location), you should still follow the laws and requirements of those areas that do.
If you fail to comply with laws requiring a posted privacy policy, jurisdictions may impose many types of fines or penalties. Even if the country, state or locale has no jurisdiction in your area, it may penalize your site by forcing Web hosting providers, telecom companies and other Internet infrastructure entities to block access to your website. So, if your site depends on any traffic from a country with Internet privacy policy laws, it is advisable to comply with the requirements and post a legal privacy policy.
Notice of Data Collection
To satisfy the Online Privacy Alliance’s requirements for giving site users notice of your Privacy Policy, you must post a link to the document page in a conspicuous, easy-to-find location. The easiest way to satisfy the posting notification requirement is to post the link on the home page of your website and ensure that the font used is large enough for site visitors to view easily. This is particularly important because the policy must be available for users or visitors to review before they ever submit any private or personally identifiable data on your website.
In the Privacy Policy itself, you must also document the consequences, if any, for a member, user or visitor who fails to provide or submit such data. For instance, if the data is required for a person to create an account on your website, you should state in the Privacy Policy that failure to provide the information will result in the person not being able to create an account or use the service.
Disclosure of Policies
One of the most important aspects of a Privacy Policy is disclosing who accesses, views or receives data submitted on your website. Therefore, your Privacy Policy must disclose to all website users and visitors any and all persons, companies or organizations that may see or access personal or identifiable data collected on your website. If data or information collected on your website is shared with third parties, you must list their names, addresses, email addresses and contact information, in addition to listing your own address and contact information, of course.
The disclosure also applies to any outside or third-party companies or entities to whom data or information may be sold, given, transferred or otherwise disseminated. If your site or organization engages in the sale or transfer of personal or identifiable data or information, you must list the name, address and contact information of any entities that may receive, view or access the data. Likewise, if you store customer or visitor data or information off site or on a third-party server, you must list the name of the person or entity that owns the location, along with applicable email addresses and contact information.
Purposes of Collection
One of the first things that comes to mind for users or members of your website when asked to enter or submit private or identifiable data is the purpose for which the information will be used. Therefore, Online Privacy Alliance members are required to list in the Privacy Policy all purposes for which they will use collected data or information.
For instance, if your site uses collected data to create user accounts or log-in credentials, the Privacy Policy must state as much. Likewise, if you use data collected from users regarding surfing habits or pages visited to target ads, you must state that in the Privacy Policy as well. If you do not list a particular purpose in the Privacy Policy, your website cannot collect, gather or mine data or personally identifiable information for that task or reason. Your website can only gather or collect data for purposes listed specifically in the language of the Privacy Policy.
Consent to Collect Data
As mentioned above, all visitors and users of your website must be notified of the Privacy Policy before you collect any personal or identifiable data from them. For users that don’t immediately create accounts or sign up for services on your website, this is best accomplished by posting a link to the Privacy Policy on the home page. In addition to notifying users of the Privacy Policy, though, you must also receive their consent to collect and use their data and information in accordance with the terms of the policy.
When users create an account or begin to enter or submit personally identifiable data on your website, the sign-up process should include a step that asks the visitor to review and accept the terms of the Privacy Policy. In the policy, you must include language stating that your website or organization will not use, sell, transfer or otherwise disclose users’ data or information without their prior consent.
The Privacy Policy must also include directions on how users can opt out or discontinue use of the website. The Privacy Policy should state explicitly that when a user opts out or discontinues use of the website, he/she revokes consent for the use or dissemination of data or identifiable information. If your website shares data or information with other companies, organizations or websites, the Privacy Policy must also contain directions that detail the steps users need to take to opt out, or provide a link that allows them to do so.
Security of Collected Data
All members of the Online Privacy Alliance are committed to the security and safeguarding of user data collected or submitted on their websites. To that end, your Privacy Policy must include language that addresses any potential data-security concerns users or visitors of your website may have. The Privacy Policy must state your company or organization’s commitment to safeguarding user data. The Policy must also outline any and all steps used to secure identifiable data or information and ensure that it is safeguarded at all times.
If your website or organization discloses data or information to outside parties, the Privacy Policy must also detail how those third parties store and maintain the data or information disclosed to them. Additionally, the Policy should state that your organization informs third parties of its security policies and makes reasonable attempts to ensure that all third parties and outside organizations with access to data or information follow the security procedures outlined in the Privacy Policy.
User Access to Data
Members of the Online Privacy Alliance must always make personally identifiable information accessible to users of their websites. Users must be able to edit, change or delete their information from the website at any time in a simple and straightforward manner. To assist users in editing or deleting their data, the Privacy Policy must assure users that they have access to their data and information and include instructions on how to edit or change the data if they need to do so. Additionally, the Privacy Policy must include detailed instructions on how to delete accounts, remove personally identifiable information or otherwise cease the sharing of their private data if they choose to do so.
Accountability Issues
To help users of your website understand that your website is committed to the responsible and ethical use of their personal data and information — in accordance with Online Privacy Alliance rules and requirements — your Privacy Policy must include language that provides directions on how users or visitors can correct inaccuracies in their personal data.
The Privacy Policy must include contact details for the organization that provides oversight of your website’s policy and monitors its strict implementation. The Online Privacy Alliance strongly recommends that all member websites use an independent third-party validation service for compliance monitoring. If your site uses a third-party validation service, the Privacy Policy must provide contact details for that organization. If your organization self-regulates its Privacy Policy, the Privacy Policy must list the name, email address, phone number and address of the person in your organization responsible for enforcing the Privacy Policy.