Here are some of the key provisions you need to make sure are included:
1. What information is being collected
Your policy must clearly outline all the various pieces of data that are being collected. This generally falls into three categories:
- User-submitted information. Your policy must specify what information is being collected that users themselves supply, either during the registration/account creation process or through general use of the site. This may include their email address, phone number, billing information, demographic information, date of birth, etc. You are still required to disclose this information even if it is collected through a third-party site or credentialing service, such as Facebook Connect.
- Information collected automatically. The policy must address whether the site is collecting any information automatically through the user’s use of the site, for example their IP address, mobile device ID, location information, browser, operating system, URL of pages visited prior to visiting, ads clicked on, length of time on the site, etc. As with user-submitted information, you must disclose this information even if it is being collected through third-party providers, such as Google Analytics.
- You must disclose whether your website is storing cookies, web beacons or any other tools on your users’ computers/devices to collect and track their online movements.
2. What is done with information
Your policy must specify the intended purpose for which the information is being collected and whether any of it will be shared with third parties, such as service providers, analytics companies, law enforcement, etc. Users should also be informed whether the information is shared with its personally identifying elements attached, or whether it is shared in an aggregated and anonymized form. Furthermore, the policy should describe what happens to the information in the event of a merger, acquisition or bankruptcy.
All websites that direct their services to children under the age of 13 must comply with the Children’s Online Privacy Protection Act (COPPA). COPPA has a number of detailed requirements which are beyond the scope of this article, but if your site is not intended to be used by children under the age of 13, then a statement to that effect must be included in the policy.
This one is easy: include the date the policy was posted or last updated.
Make sure your policy includes a provision which states how users can review and change their stored personal information.
6. Where to Place
- The policy is posted on the home page of the website;
- The policy is linked to the home page with an icon that includes the word “privacy” (note: the icon color must differ from the home page background); or
- The policy is linked to the home page by a link that contains the word “privacy” and is distinguishable from the surrounding text (i.e., written in capital letters greater in size than the surrounding text, or in a type, font or color that contrasts with the surrounding text of the same size).
- States what type of personal information is being collected;
- States the process for users to review/change their personal information;
- Lists the categories of third parties with which the site shares personal information;
7. Third Party Direct Marketing
If your site shares any personal information with third parties for direct marketing purposes, then make sure you include a link on your home page.
8. Drafting Principles
- What personal information does the organisation collect?
- Identify the organisation’s basic functions and activities to determine the type of personal information that is commonly collected to facilitate those functions.
- Consider why the information needs to be collected.
- Where does the information flow to and how is it used or handled?
- Examining the organisation’s personal information handling functions allows a greater understanding of whether the organisation is currently complying with the IPPs and how the IPPs work in everyday practice.
- How is the information held by your organisation stored and protected?
- If the organisation generally handles information that requires a high level of security, or if it handles sensitive information, specific assurances should be given about access controls and security measures in place to protect that information.
- the identity of the organisation and how to contact it;
- the fact that an individual is able to gain access to their personal information, and how the individual can do so;
- the organisation’s main functions and the sorts of personal information the organisation generally collects and holds to fulfill those functions;
- how personal information is usually used and to whom it is usually disclosed;
- whether collection of personal information is compulsory or optional (including referring to any legislation which authorizes the collection, use or disclosure of the information, such as the Local Government Act or taxation legislation); and
- the date and version reference for the policy.
- If the transfer is authorised or required by legislation this should also be specified, as well as the steps the organisation will take to protect the information.
- Does the organisation collect or deal with sensitive information (IPP 10), such as information about an individual’s race, ethnicity, political opinion or party membership, religion, union membership, sexual preference or criminal record?
- The three primary legal requirements for truth in advertising are:
- Advertising must be truthful and not misleading.
- Advertisers must have evidence to back up their claims.
- Advertisements cannot be unfair.
To honor these legal requirements when advertising on the Internet, the FTC recommends that businesses:
- Place disclosures on the same Web page as the claim they apply to, and when necessary, provide adequate visual cues to indicate that a consumer must scroll down on the page to view the disclosure.
- When hyperlinking to disclosures, make the link obvious and noticeable, label the link accurately and indicate its importance, place the link near relevant information, ensure that the link takes consumers directly to the disclosure, and monitor link usage to ensure its effectiveness.
- Display disclosures prior to purchase.
- Ensure that an advertisement’s “text, graphics, hyperlinks, or sound do not distract consumers’ attention from the disclosure.”
- If your Web business sells other companies’ products, be aware that the FTC can also hold you responsible for misleading ads and product descriptions, even when those materials are provided by the manufacturer. The FTC recommends that “to protect themselves, catalog marketers should ask for material to back up claims rather than repeat what the manufacturer says about the product” and that “in writing ad copy, catalogers should stick to claims that can be supported.” The FTC pays closest attention to ads that make health or safety claims, or that present data or statistics that consumers would have difficulty verifying.