The FTC has enacted several new laws that help protect an individual's online privacy and data security. Failure to comply can have a disastrous financial effect on a website owner.
Two Cardinal Rules Regarding Privacy And Data Security
- Disclose clearly the categories of information collected at the site
- Disclose how this information will be used
- Disclose with whom the information is shared (or who will have unfettered access to it)
Check that your privacy policy:
- Describes all the ways you use the information
- Describes with whom such information is shared (or who has the means to access it)
Cookies require special disclosures. Distinguish between:
- 1st party cookies – cookies that you serve yourself
- 3rd party cookies – cookies served by others, such as by Google for its Google Analytics service
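To build the cookie inventory that such a disclosure rests on, a site owner needs to know which cookies observed during a page load belong to the site and which are set by other parties. The following is an added example, not code from the original page: it classifies Set-Cookie headers as first-party or third-party by comparing the cookie's effective domain against the site's registrable domain. The response sample and the tiny multi-label suffix table are constructed for the demo; a real audit would consult the full Public Suffix List, and would also capture cookies that third-party scripts write under the site's own domain via document.cookie, which a header-based check like this one cannot see.

```python
"""Added example: classify observed Set-Cookie headers as first- or third-party."""
from http.cookies import SimpleCookie
from typing import Dict, Iterable, List, Tuple

# Constructed, deliberately incomplete stand-in for the Public Suffix List.
KNOWN_MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a host (example.com for www.example.com).

    Simplified suffix handling: only the suffixes in KNOWN_MULTI_LABEL_SUFFIXES
    are treated as public suffixes longer than one label.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in KNOWN_MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_cookies(site_host: str, observed: Iterable[Tuple[str, str]]) -> List[Dict[str, str]]:
    """observed: (responding host, raw Set-Cookie header value) pairs captured during a page load.

    A cookie is first-party when its effective domain (the Domain attribute, or
    the responding host when no Domain is given) shares the site's registrable domain.
    """
    site_rd = registrable_domain(site_host)
    report = []
    for resp_host, header in observed:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            effective_domain = registrable_domain(morsel["domain"] or resp_host)
            party = "first-party" if effective_domain == site_rd else "third-party"
            report.append({"name": name, "domain": effective_domain,
                           "party": party, "set_by": resp_host})
    return report


def disclosure_summary(report: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the distinct cookie domains by party, as input for the privacy policy text."""
    summary: Dict[str, set] = {"first-party": set(), "third-party": set()}
    for entry in report:
        summary[entry["party"]].add(entry["domain"])
    return {party: sorted(domains) for party, domains in summary.items()}


# Constructed sample of what a proxy or browser devtools capture might show
# while loading www.example.com (hosts and values are made up).
OBSERVED = [
    ("www.example.com", "session=abc123; Domain=.example.com; Path=/; Secure; HttpOnly"),
    ("www.example.com", "prefs=dark; Path=/"),
    ("www.google-analytics.com", "_ga=GA1.2.123456; Domain=.google-analytics.com; Path=/; Max-Age=63072000"),
    ("ads.adnetwork.example", "uid=xyz; Path=/"),
]

if __name__ == "__main__":
    for entry in classify_cookies("www.example.com", OBSERVED):
        print(f"{entry['party']:<12} {entry['name']:<10} {entry['domain']} (set by {entry['set_by']})")
    print(disclosure_summary(classify_cookies("www.example.com", OBSERVED)))
```

The Domain attribute, not the responding host, decides the match: a cookie set by an analytics response with Domain=.example.com would be reported as first-party, which is exactly the case a disclosure needs to name explicitly.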
There has been a great deal of litigation and controversy over the use of Flash cookies. If Flash cookies are used, ensure that their use is explained clearly and that the data they collect and process is stated unambiguously.
Behavioral Adverts Driven By 3rd Party Cookies
Disclose whether you are serving 3rd party cookies for the purpose of delivering behavioral adverts, especially if the website participates in Google's AdSense network. Behavioral adverts are based on anonymous data collected on how a user's computer browses the Internet, including websites visited, searches made, and content read.
Personal Information Categories
Clearly indicate all categories of personal information collected on the site. Personal information includes any information that may be used to identify a person, such as an email address.
Personal Information Sharing
Clearly indicate all of the ways in which the website shares personal information, especially if such information is shared for the purposes of direct marketing. Identify all 3rd parties with whom you share personal information, such as corporate affiliates, service providers, and any party that may acquire your website business in the future.
State that visitors should review the privacy policies of these 3rd party sites. Indicate that you are in no way responsible for the privacy policies and practices of these (linked-to) sites.
Disclose the data security standards in use on the website. Even if the policy is silent about the data security standards in use, remember that the FTC requires all website owners to initiate and maintain reasonable and appropriate data security procedures.
Children´s Online Policy
Updating Personal Information Collected By The Site
Provide details on how any site visitor, who creates an account with the site, may update their personal information.
Privacy and Security Practices Required By FTC
Physical Data Security – A Website Owner´s Responsibilities
The FTC requires that all website owners initiate and maintain reasonable and appropriate data security procedures. These procedures include physical security measures and logical data access protection, with strict controls over internal and external access to data.
Physical Data Security – Service Providers Responsibilities
The FTC also requires that any third party who has access to personal information on the website's server, such as a website:
- Content / design developer
- Maintenance service provider
- Hosting service provider
be bound contractually to maintain the privacy and security of that personal information.
Website Hosted With Hosting Providers
The key to complying with FTC requirements is to ensure that the website hosting service provider's security practices are equal to, or much greater than, the security practices you would put in place if you were self-hosting.
Website Administrative Security
The FTC requires the following administrative controls for data security:
- Administrators must use hard-to-guess passwords that are changed frequently
- Administrative accounts must be suspended or disabled after a reasonable number of unsuccessful login attempts
- Access to any administrative controls is restricted
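The three administrative controls above translate directly into login logic. The following is an added example, not code from the original page: an administrative-login guard that locks an account after a configurable number of consecutive failed attempts, releases the lock after a cooldown, rejects a password that is older than the rotation window, and gates administrative actions on an explicit role. The thresholds, role names, and in-memory account record are assumptions chosen for illustration; the page names no specific numbers.

```python
"""Added example: lockout, password-age and role checks for administrative logins."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed policy values; the page only says "reasonable number" and "changed frequently".
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600
PBKDF2_ITERATIONS = 100_000

# Assumed role names for the access-restriction check.
ADMIN_ROLES = {"owner", "site-admin"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). A fresh salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    password_hash: bytes
    password_set_at: float          # epoch seconds when the password was last changed
    roles: Set[str] = field(default_factory=set)
    failed_attempts: int = 0
    locked_until: float = 0.0       # epoch seconds; 0 means not locked

    @classmethod
    def create(cls, username: str, password: str, roles: Set[str], now: Optional[float] = None):
        salt, digest = hash_password(password)
        return cls(username, salt, digest, now if now is not None else time.time(), set(roles))


def attempt_login(acct: AdminAccount, password: str, now: Optional[float] = None) -> str:
    """Return one of: "locked", "bad_password", "password_expired", "ok".

    The lock is checked before the password so that a locked account gives the
    same answer regardless of whether the supplied password is correct.
    """
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"
    _, supplied = hash_password(password, acct.salt)
    if not hmac.compare_digest(supplied, acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0
    if now - acct.password_set_at > MAX_PASSWORD_AGE_SECONDS:
        return "password_expired"   # correct password, but rotation policy forces a change
    return "ok"


def can_use_admin_controls(acct: AdminAccount) -> bool:
    """Restricted access: only accounts holding an administrative role may reach admin controls."""
    return bool(acct.roles & ADMIN_ROLES)


if __name__ == "__main__":
    t0 = time.time()
    admin = AdminAccount.create("admin", "correct horse battery staple", {"site-admin"}, now=t0)
    for i in range(MAX_FAILED_ATTEMPTS):
        print(f"attempt {i + 1}:", attempt_login(admin, "guess", now=t0))
    print("right password while locked:", attempt_login(admin, "correct horse battery staple", now=t0))
    print("after cooldown:", attempt_login(admin, "correct horse battery staple", now=t0 + LOCKOUT_SECONDS))
    print("admin controls allowed:", can_use_admin_controls(admin))
```

The `now` parameter exists so the cooldown and rotation paths can be exercised deterministically; in production it is simply omitted. Resetting the counter when the lock is applied means the next lockout again needs the full number of failures rather than a single one.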
Identity Theft Policy
If your site acts as a creditor by:
- Using consumer reports with credit transactions
- Furnishing information to a consumer reporting agency for a credit transaction
- Advancing funds to or on behalf of a person based on that person's obligation to repay the funds
- Taking repayment from specific property pledged by or on the person's behalf
then the website is required to implement an identity theft policy under the Fair and Accurate Credit Transactions Act of 2003.