Privacy Practices

Do we have a real "privacy" policy?

Every company that operates a commercial Web site in California must post a conspicuous privacy policy on its Web site that discloses the kinds of personally identifiable data that it collects and shares with third parties. But the term "privacy policy" is often misleading. Although consumers expect that privacy policies actually protect consumer privacy, such policies may instead state, in effect, that the company may do as it pleases with whatever information it chooses to collect.

Having a real privacy policy designed to inform users is not just the law; it is also good business. A strong privacy policy can be a marketing tool, attracting users who prefer to do business with a trustworthy company that safeguards their private information.

  • Explain what data you collect. Do you collect personal information, such as phone numbers, addresses, or Social Security numbers? Do you create a log of users' online histories? Do you collect clickstream data?

89% of consumers in 2006 felt more comfortable giving their personal information to companies that have clear privacy policies.

  • Explain how data is stored. How long is each category of data stored? What data is linked to an individual? What data is anonymized and after how long? What data is combined?
  • Explain how data will be used or shared. Do you create a user profile? Do you use it to deliver targeted advertising? Do you sell or share this data? If so, with whom? How do you ensure that this data is not being misused or resold? How can users stop their data from being shared?
  • Explain your processes for responding to data requests by government and third parties. What data could be requested and disclosed? What standards must the government or third parties meet in order to obtain that data from your company? When and how will you provide notice to users about requests for information? Will you challenge questionable demands on behalf of your users?
  • Explain how users can view and control their own data. What options do users have to view data? What categories of data can be deleted and how? How quickly is data purged, both online and in archives? What procedures are in place to fix errors?

According to a 2009 study, the most common categories of concern in complaints to both the Federal Trade Commission and the Privacy Rights Clearinghouse involved public display of personal information and lack of user control.

  • Notify users in advance if your privacy policy is about to change. Give users the opportunity either to terminate use of the system and have existing data deleted, or to keep using your service but opt out of having their existing data processed under the new policy.
  • Always follow your privacy policy. Your policy is a contract that you make with your users; failure to follow it can result in the loss of user trust as well as lawsuits by users and action by the Federal Trade Commission and other state and federal agencies.

59% of consumers said they would recommend a business to their family and friends if they believe that it follows its privacy policies.