It's that time of the year when resolutions are made. Cut down on (or stop) visiting the pub, join a gym, run the half marathon, lose 15 kg: all great stuff, but if you run an e-commerce website, maybe it's time to review your privacy policy.
The FTC has enacted several new laws which help protect an individual's online privacy and their data security. Failure to comply can have a disastrous financial effect on a website owner.
Two Cardinal Rules Regarding Privacy And Data Security
When crafting your website's privacy policy it's important to focus on the following fundamentally important rules. They are:
Rule No. 1: The purpose of any website-based privacy policy is to:
- Disclose clearly the categories of information collected at the site
- Explain how this information will be used
- State with whom the information is shared (or who will have unfettered access to this information)
Rule No. 2: The Federal Trade Commission (FTC) treats a privacy policy as though it were a contract being entered into with your website's visitor. If the website promises certain practices in its privacy policy, but fails to deliver on such a promise, the FTC says the website owner is liable for damages.
Read through your website's privacy policy, keeping these cardinal rules in mind. Understand and document all that your website does regarding the collection, use and sharing of personal information belonging to any website visitor.
Check that:
- The privacy policy discloses all categories of private information collected
- It describes all the ways you use the information
- It describes with whom such information is shared (or who has the means to access it)
Once done, sit down and compare what is promised in the privacy policy with how the website's products and services are actually marketed.
Privacy Policy Checklist
Here's a privacy policy checklist which can assist during the review of your website's online privacy policy.
Cookies
Cookies require special disclosures. Distinguish between:
- 1st party cookies: cookies that you serve yourself
- 3rd party cookies: cookies served by others, such as by Google for its Google Analytics service
There has been quite a lot of litigation and controversy around the use of Flash cookies. If Flash cookies are used, ensure that their use is explained clearly, and state unambiguously what data they collect and process.
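Before you can disclose which cookies are first party and which are third party, you need an inventory of what the site actually sets. The following is an added example, not code from the original article: it takes Set-Cookie headers as a crawler might record them (the host name and headers here are constructed samples) and classifies each cookie by comparing the cookie's effective domain with the site's own domain. The parent-domain helper is a deliberately naive two-label approximation; a real audit should use the Public Suffix List.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: the site's own host and a few Set-Cookie headers,
# each paired with the URL of the response that set it.
SITE_HOST = "shop.example.com"  # hypothetical first-party host
SAMPLE_RESPONSES = [
    ("https://shop.example.com/", "session=abc123; Path=/; Secure; HttpOnly"),
    ("https://shop.example.com/cart", "cart=xyz; Domain=.example.com; Path=/"),
    ("https://www.google-analytics.com/collect", "_ga=GA1.2.1; Domain=.google-analytics.com"),
    ("https://ads.partner-example.net/pixel", "uid=9; Domain=partner-example.net; Path=/"),
]


def registrable_parent(host):
    # Naive eTLD+1 approximation (last two labels). Good enough for this
    # illustration; use the Public Suffix List for anything real.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_cookie(site_host, response_url, set_cookie_header):
    """Return (name, domain, party) where party is 'first' or 'third'.

    A cookie without an explicit Domain attribute is scoped to the host
    that set it, so the response URL's host is used in that case.
    """
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    name, morsel = next(iter(parsed.items()))
    cookie_domain = morsel["domain"] or urlsplit(response_url).hostname
    same_site = registrable_parent(cookie_domain) == registrable_parent(site_host)
    party = "first" if same_site else "third"
    return name, cookie_domain.lstrip("."), party


def inventory(site_host, responses):
    """Classify every recorded Set-Cookie header for the disclosure table."""
    return [classify_cookie(site_host, url, header) for url, header in responses]


if __name__ == "__main__":
    for name, domain, party in inventory(SITE_HOST, SAMPLE_RESPONSES):
        print(f"{party:5}  {name:10}  {domain}")
```

The resulting list is exactly what the cookie section of a privacy policy needs to enumerate: each cookie name, the domain it belongs to, and whether it is yours or someone else's.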
Behavioral Adverts Driven By 3rd Party Cookies
Disclose whether you are serving 3rd party cookies for the purpose of delivering behavioral adverts, especially if the website participates in Google's AdSense network. Behavioral adverts are based on anonymous data collected on how a user's computer browses the Internet, including websites visited, searches made, and content read.
Personal Information Categories
Clearly indicate all categories of personal information collected on the site. Personal information includes any kind of information that may be used to identify a person, such as their email address.
Personal Information Sharing
Clearly indicate all of the ways that the website shares personal information, especially if such information is shared for the purposes of direct marketing. Identify all 3rd parties that you share personal information with, such as corporate affiliates, service providers, and/or any party that may acquire your website business in the future.
The Privacy Policy Of Other Sites Your Website Links To
State that visitors should review the privacy policies on these sites. Indicate that you are in no way responsible for the privacy policies and practices of these (linked-to) sites.
Data Security
Disclose the standards for data security in use on the website. Even if you stay silent about the data security standards in use on the website, remember that the FTC requires all website owners to initiate and maintain reasonable and appropriate data security procedures.
Children's Online Policy
If the website does not collect information from or sell to children under the age of 13, state this clearly in the website's privacy policy. If the website is crafted to specifically work with children under the age of 13, it must comply strictly with the Children's Online Privacy Protection Act (COPPA).
Updating Personal Information Collected By The Site
Provide details on how any site visitor, who creates an account with the site, may update their personal information.
Privacy and Security Practices Required By FTC
The FTC has made it abundantly clear that a website's privacy policy is only the tip of the privacy and security iceberg. As a website owner you have other obligations that fall within the purview of privacy and security practices, which are separate from, but related to, the website's privacy policy.
Physical Data Security – A Website Owner's Responsibilities
The FTC requires that all website owners initiate and maintain reasonable and appropriate data security procedures. These procedures include physical security measures and logical data access protection, with strict controls over internal and external access to data.
Physical Data Security – Service Providers Responsibilities
The FTC also requires that any third party with access to the website, such as a:
- Content / design developer
- Maintenance service provider
- Hosting service provider
- Anyone else who has access to personal information on the website's server
should be bound contractually to maintain the privacy and security of personal information.
Website Hosted With Hosting Providers
The key to complying with FTC requirements is to ensure that the website hosting service provider's security practices are equal to, or much greater than, the security practices you would put into place if you were self-hosting.
Website Administrative Security
The FTC requires the following administrative controls for data security:
- Administrators must use hard-to-guess passwords that are changed frequently
- Administrative passwords must be suspended or disabled after a reasonable number of unsuccessful login attempts
- There is restricted access to any administrative controls
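The first two controls above translate directly into code on the login path: reject weak passwords, expire old ones, and suspend an account after a bounded number of failed attempts. The following is an added example, not code from the original article, showing one way to implement those checks for an administrative login; the thresholds (12-character minimum, 5 attempts, 15-minute lockout, 90-day password age) and the small blocklist of common passwords are constructed values chosen for illustration, not figures the FTC prescribes.

```python
import time
from collections import defaultdict

# Hypothetical policy parameters (illustrative, not regulatory figures).
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600

# Constructed sample blocklist; a real deployment would load a large breach list.
COMMON_PASSWORDS = {"password", "password123", "admin", "123456", "letmein"}


def password_is_acceptable(pw, min_length=MIN_PASSWORD_LENGTH, blocklist=COMMON_PASSWORDS):
    """Hard-to-guess: long enough, not on the blocklist, and mixes character classes."""
    if len(pw) < min_length or pw.lower() in blocklist:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def password_expired(last_changed, now, max_age=MAX_PASSWORD_AGE_SECONDS):
    """Changed frequently: force rotation once the password is older than max_age."""
    return now - last_changed > max_age


class LoginGuard:
    """Counts failed logins per account and suspends the account after too many.

    The clock is injectable so the lockout window can be tested deterministically.
    """

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS, lockout=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout window has elapsed: clear the suspension and the counter.
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def record_failure(self, user):
        """Register a failed attempt; returns True if the account is now suspended."""
        if self.is_locked(user):
            return True  # attempts during a lockout do not extend or reset it here
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = self.clock() + self.lockout
            return True
        return False

    def record_success(self, user):
        """A successful login resets the failure counter."""
        self.failures[user] = 0
        self.locked_until.pop(user, None)


def attempt_login(guard, user, supplied_password, verify):
    """Glue for the login handler: refuse locked accounts before checking credentials.

    `verify` is the caller's constant-time credential check (hypothetical callback).
    """
    if guard.is_locked(user):
        return "locked"
    if verify(user, supplied_password):
        guard.record_success(user)
        return "ok"
    guard.record_failure(user)
    return "denied"
```

Two design points worth noting: the lockout is checked before the credential is verified, so a locked account costs nothing to reject, and the handler returns the same "denied" result for any wrong password so the response does not reveal which part of the check failed.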
Identity Theft Policy
If your site acts as a creditor by:
- Using consumer reports with credit transactions
- Furnishing information to a consumer reporting agency for a credit transaction
- Advancing funds to or on behalf of a person based on the person's obligation to repay the funds
- Taking repayment from specific property pledged by or on the person's behalf
then the website is required to implement an identity theft policy under the Fair and Accurate Credit Transactions Act of 2003.
In Conclusion
A review – and possible update – of the website’s privacy policy and all related privacy and security practices must be a high priority in 2012. The checklist and other points provided in this article are definitely not exhaustive, but help point in the right direction.