In my last post I discussed why I think virtually every small biz website should have a privacy policy. This time, I’d like to discuss three things every policy should have, which I commonly find to be missing.
First, a quick run-down of the basic purpose of a privacy policy is in order. Privacy policies basically fulfill two functions. They: 1) tell visitors what information you collect from them (whether the collection is overt, such as through an email opt-in, or covert, such as through tracking cookies); and 2) tell visitors what you will and will not do with that information.
Now on to the three things every policy should have (but often doesn’t):
A Notice About Tracking Cookie Usage. If you use third-party analytics or ad serving, then it is virtually guaranteed that your site places tracking cookies on your visitors’ computers. If you have any sort of “sign-in” functionality on your site, chances are session cookies are also utilized to keep users logged in, for security, or to make log-in easier. Your privacy policy should disclose your cookie usage, how the information collected is used, and which cookies are controlled by third parties. When appropriate, reference the privacy policies of these third-party cookie-using providers so your visitors know what they do with the information collected.
COPPA Notice. Whether or not your site is oriented toward collecting information from children under 13 years of age, you should be referencing the Children’s On-Line Privacy Protection Act (“COPPA”) in your privacy policy. On one hand, if your site either expressly collects information from children under 13 or can be seen as attractive to children under 13 (think cartoon characters, child-oriented language, toys, etc.), then you MUST make sure your privacy policy complies with COPPA. On the other hand, if your site clearly doesn’t market to or collect information from children under 13, then you should say so both in your site’s Terms and Conditions and in your privacy policy. You should also give parents an email address they can use to contact you if they believe their under-13 child has been submitting personal information to your site, and specify in your policy that you will delete any information that you end up inadvertently receiving from any children under 13.
Email Contact for Complaints. I firmly believe that many lawsuits against businesses come about because people either feel like they have been offended and/or cannot contact the offending business. Indeed, good customer service can often be better than effective legal planning for avoiding lawsuits. When it comes to liability relating to your privacy practices, a dedicated email address for receiving and resolving complaints can be a very effective safety valve, allowing you to address complaints before they blow up into a lawsuit or social media crisis.
Finally, posting a privacy policy that you do not follow can create greater legal and regulatory risks than the previously discussed risks. Accordingly, it is of critical importance to understand not only your own privacy practices and the data-collecting features of your site’s platform, but also the privacy practices of the third-party apps or services you utilize – and to make sure your privacy policy accurately reflects everything.
How about you? What do you think privacy policies should have but often don’t?