How to Write a Web Privacy Policy

If you are doing business on the Web, you should have a privacy policy. Everyone – government, industry and consumers – agrees with that statement. The polls suggest that many consumers look for privacy policies, and a fair percentage actually read them. An incomplete, missing or disingenuous policy statement could lose you a customer in a mouse click.

I recently went to a Web site to place an order for a product from a catalog. I didn't find a privacy policy to reassure me that my information wasn't going to be sold or shared, so I went elsewhere. Am I a bad example? Sure, but I'll bet that you still want my business.

Writing a decent privacy policy isn't rocket science, but there are a number of threshold issues to consider. Here are a few ideas to help you get started:

* Does your company have a non-Web privacy policy? Most Web sites do not exist in a vacuum. Some Web sites are wholly self-contained, but most supplement existing activities. If so, then a Web privacy policy is likely to have a hole from the start if you haven't thought about non-Web activities. You should consider all functions that involve consumer information. If you still decide to have just a Web policy, at least you will know what is missing.

* Does your company do business on the Web, or are you just using the Web to provide information to customers? Even if you have only a one-page Web site that does not collect any personal information from consumers, you still need a privacy policy. The policy may be short and direct, but it needs to be there.

* If you think that your company is not collecting any information from visitors to your Web site, you are probably wrong. Most Web sites maintain logs that contain some amount of information about every visitor to the site. Most of this information is not identifiable, but some of it may be under some circumstances. A privacy policy should disclose the collection and use of Web log information. A site that maintains a Web log cannot say that it does not collect any information on visitors. This is one common error in privacy policies.

* Another common error in privacy policies is when a company says that it never discloses consumer information to anyone. Such a statement is invariably wrong, and it is an invitation to a lawsuit. Companies make routine disclosures of personal data to their lawyers, auditors and computer service companies, among others. None of these disclosures is sinister or troublesome, but it is important that they be disclosed. Telling consumers will not scare them off. If anything, a careful and precise description will give a privacy policy more credence.

In this area, I strongly disagree with the policy of BBBOnline, one of the privacy seal organizations. BBBOnline will approve a policy that fails to tell consumers that their information could be subpoenaed. Because any information is subject to disclosure through a subpoena or search warrant, a policy that fails to disclose that possibility is incomplete. BBBOnline says that the risk of a subpoena is obvious. I don't agree. BBBOnline's policy allows seal holders to mislead consumers. The point of a disclosure statement is to disclose information. Nothing should be treated as obvious in a privacy policy statement. Telling the whole story is not hard. Consumers appreciate honesty and fair dealing.

* It is important that a privacy policy reflect both the actual information practices of a company and its culture. When I write Web privacy policies for clients, I always begin with fair information practices. But I don't necessarily use a formal fair information practice structure. A policy should convey something more. Accomplishing this is not easy, but it is possible.

* Members of the Direct Marketing Association can go to the organization's Web site and find tools that will help them develop a privacy policy for their Web site. My advice is to ignore the DMA. Its standards are so weak and so limited that any privacy policy based on DMA recommendations will automatically be deficient. Do not assume that any of the DMA's privacy policies will be accepted as adequate by consumers, privacy advocates or international privacy authorities like the European Union. The DMA has one of the weakest privacy self-regulatory standards of any trade association. It won't kill your company to exceed the DMA's standards.

The truth is that most companies can have reasonable and responsible privacy policy statements that address most or all fair information practices without great cost or major change. Even companies that have indifferent privacy practices can offer an honest Web privacy statement that informs consumers and gives them a fair chance to decide whether to do business with them. Even a halfway decent privacy policy will attract and not repel consumers.

Consumers who don't care about privacy are not at issue. It's the consumers concerned about privacy who are unlikely to do business with you, and they are an increasing percentage of Web surfers. Why scare anyone away from your Web site when it isn't that hard to satisfy them with a decent Web privacy policy?