As a starting point there are some basic guidelines / things to think about that we like to share with our clients when it comes to Website Privacy Policies:
- You should clearly explain how you collect private data through your website. Does your website utilize cookies or an online account system?
- If your website is an eCommerce website utilizing third-party merchant services, there may be requirements your site needs to meet to comply with their terms.
- How do you store the information you collect?
- For what period of time do you hold collected data?
- Who within your organization has access to the data?
- If your website serves an audience (or anyone, for that matter) under the age of 13, there are specific requirements you must adhere to under Federal Law as set forth by the Children's Online Privacy Protection Act of 1998 (COPPA) - http://www.ftc.gov/ogc/coppa1.htm
- Does your site have any links to third-party websites or organizations (e.g., is your site displaying Google AdSense ads)? Many times these sites have their own privacy requirements that you need to incorporate in your policy.
- If your website is collecting data from users in California, the State of California has created the "California Office of Privacy Protection." It mandates that:
"If you operate a commercial website that collects personal information on California Residents:
- In your privacy statement, identify the categories of personal information that you collect through the Web site on people who use or visit your site.
- In your privacy statement, describe any process you maintain that allows someone to review or ask for changes to any of his or her personal information collected through the Web site.
- In your privacy statement, identify the effective date of the policy." (California Business & Professions Code sections 22575-22579: Online Privacy Protection Act.)
- Additional information regarding COPPA and how to comply - http://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Protection_Act
- David Johnson (Digital Media Lawyer Blog) provides some more detailed individual market requirements for privacy - http://www.digitalmedialawyerblog.com/2009/11/do_i_need_a_privacy_policy_whe.html