One of the biggest concerns among visitors to Web sites is how their personal information is going to be used. This isn’t a new development; back in March of 2000, BusinessWeek did a cover story on Internet privacy, including a survey showing that the vast majority of users were either very or somewhat concerned about how their information would be used. The same cover story discussed how best to inform and reassure users. (You can see other such surveys, dating back to 1997, here.)
Unfortunately, while the number of businesses with web sites has continued to expand, as has the sites’ sophistication, the level of disclosure of data practices has not significantly improved. True, most web sites (especially business ones) have posted “privacy policies,” but too many simply copy language they’ve found on other web sites. The problem? The borrowed language may describe the practices of the other site, but may not be correct when it comes to the new site using the policy, and when it comes to privacy policies, inaccuracy can be expensive.
How do well-meaning companies get themselves into trouble with their privacy policies? Among the biggest problems is a statement such as, “We will not share your information with any third party.” Very reassuring; almost certainly false. When it comes to the web, there are numerous legitimate third parties with whom the site owner must share user information just to operate the site: the site’s hosting company, the user’s own ISP (to whom the Web pages are transmitted on their way to the user), the courier delivering any purchases, the banks clearing credit card payments, etc.
Another problematic statement: “We collect your information through the form you complete on the site.” This may be true, but the site owner will likely also be collecting personal information about the user from text messages, e-mails, faxes, telephone calls, postal mail or other communications with the user, as well as from outside sources (credit card processors, database vendors), etc. Further, though there is not (yet) a federal law requiring all Web sites to have privacy policies, states such as California have rules about policies and what needs to be included in them. (California’s Civil Code Section 1798.83, which mandates certain language and procedures for privacy policies, can be found on this page.)
There are also organizations that offer templates and consulting to help with policies. You may find some good information from the International Association of Privacy Professionals (IAPP). Finally, if your site collects information from children, includes health or financial data, or you have operations in other countries, there may be additional laws with which you must comply. For those, asking a competent lawyer is definitely a good idea.
Businesses with websites that may have users who are EU citizens are required to have privacy policies and must comply with GDPR, the new data and privacy security legislation. Essentially, its purpose is to help EU citizens understand how businesses collect, secure, use, and share their data.
Believe it or not, privacy of information is one thing that is barely regulated in the US compared to other countries. We take a comparatively laissez-faire approach to things like personal privacy and property. This might be due to our enterprising, go-getter do-it-yourself culture.
Explain what data will be taken
Tell the client exactly what information you will or may be taking from them. For example:
Porcupine Media, Inc. may collect the following information from our customers:
• Your name/job title
• Your contact information
• Demographic data such as preferences/interests and postal area
• Other information relevant to client-based surveys
Explain your secure storage strategy. Maybe you use secure software, maybe you use de-identification methods. Either way, the customer should know about it.
Anonymization, or de-identification, is a process of rendering personal data unidentifiable by removing or replacing personal identifiers. Porcupine Media, Inc. performs a 4-step data de-identification process. We are committed to the persistent and perpetual improvement of our data protection strategy. Porcupine Media, Inc. automatically de-identifies data that has been stored in an identifiable form in our system for longer than 2 months.
State your purpose
Explicitly disclose what you intend to do with your clients’ private information. Will you be using it for survey purposes? Financial analysis?
We require this information in order to provide you with a better service, and apply it to the following purposes:
• Internal record keeping.
• Improvement and possible promotion of products and services.
• We may occasionally use your information to conduct critical market research. We may contact you by email, phone, fax or mail.
• Though we may occasionally provide your information to our third party partners, we will do so for express purposes of marketing or promotion only. Porcupine Media, Inc. will never sell your information.
We will never sell your information.
Give the user control
Allow the user to verify and control the nature of his private information’s use. Provide details on exactly what steps the user may or must take to keep his or her information private. This section is often entitled “User Rights.” The main thing is to make your clients feel comfortable sharing their information, knowing that they are doing so by choice.
You may restrict our collection or use of your personal information by clicking the box on our website forms that indicates you do not want your information to be used.
You should also alert users to your policy on updates, and let them know how to be sure they are alerted to any changes that are made.
Be sure to visit the Federal Trade Commission’s website to review your legal responsibilities in detail. Also check your state and city websites to see if any local laws apply.
How users can opt-out. Privacy policies use opt-out clauses to explain how users can opt out of having their data or information shared with third parties for marketing, direct email marketing, direct mail marketing, or other announcements related to the website. This section should be designed so that it is easy for users to read and follow.
Data/Identity Security – If you keep customers’ personal information on file, you must by law have a secure electronic system in place. It is your responsibility to protect info you’ve been entrusted with from identity theft.
Financial Information – There are very clearly defined practices for the use and sharing of financial information. If you provide investment services, insurance or any other financial services, you need to train your employees in the correct procedures and ensure they follow them to the letter.
Credit Reports – If you conduct customer evaluations based upon credit reports, you need to follow the correct procedures for the use, protection and disposal of said credit reports. Hit the FTC website’s section on this subject for details.
GDPR – If you do business in Europe, you must comply with the EU General Data Protection Regulation (GDPR).