Privacy Policy Basics

Most websites now include a reference to a privacy policy, a written statement that describes how a website collects and utilizes personally-identifiable information about its visitors. The inclusion of such a policy is often mandated by law or by interested third parties, such as advertisers. For example, the state of California requires that you display a privacy policy on your site if you collect personal information about California residents. Similarly, Google requires participants in its AdSense advertising network to include privacy information on any site that displays AdSense advertisements. If you don’t already have a privacy policy on your website, it’s something you’ll be adding to it soon enough. Let’s go over some of the basics.

A privacy policy is meant to inform the visitor to a site about what personal information it collects about its users and what it does with that information. As such, the policy should be easily accessible to new users of a site – a link in the header or footer of the home page is often the best choice. It’s also advisable to link to it from the “about” page of the site. Some sites don’t have a separate page for the policy, but rather include it as a section within another page, such as the general terms of use for the site. It needs to be easily found, however, no matter where it is on the site.

You may think you don’t need such a policy, but you’re wrong. Every web server collects some basic information about its users, even if the website owner doesn’t do anything with it. This information includes the IP address of the visitor (which can identify the visitor’s general location in many cases, thanks to IP geolocation databases), the visitor’s language preferences, what kind of browser they use, and various other kinds of data. Websites also generally use cookies or other kinds of tags to track a visitor’s use of the site, whether directly or by using third-party services like Google Analytics. A good privacy policy describes the collection of this routine information, even when it’s not directly attributable to a particular user.
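To see how much of this "routine" data a server keeps without anyone deciding to collect it, here is an added example (not from the original article) that parses access-log lines in the Apache/nginx "combined" format, lists the fields that identify or fingerprint a visitor, and masks the IP address to the same granularity Google Analytics uses for IP anonymization (last octet of IPv4, last 80 bits of IPv6). The log lines are constructed for the example and use documentation address ranges; the function names are this example's own.

```python
import ipaddress
import re

# Apache/nginx "combined" log format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines; 203.0.113.0/24 and 2001:db8::/32 are
# documentation ranges, so these never identify a real visitor.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /about HTTP/1.1" 200 5123 '
    '"https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"',
    '2001:db8:85a3::8a2e:370:7334 - alice [10/Oct/2023:13:56:01 +0000] '
    '"GET /wp-login.php HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"',
]


def parse_combined_log(line):
    """Split one combined-format line into its named fields."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError(f"not a combined-format line: {line!r}")
    return m.groupdict()


def identifying_fields(entry):
    """Return the parts of a routine log entry that identify or fingerprint a visitor.

    The IP and User-Agent are always present; an authenticated user name and
    a Referer (which can reveal the previous page, including query strings)
    appear only when the server logged them.
    """
    fields = {"ip": entry["ip"], "user_agent": entry["user_agent"]}
    if entry["user"] != "-":
        fields["user"] = entry["user"]
    if entry["referer"] != "-":
        fields["referer"] = entry["referer"]
    return fields


def anonymize_ip(ip_text):
    """Zero the host part of an address: /24 for IPv4, /48 for IPv6.

    This keeps the rough geographic region usable for traffic analysis while
    dropping the part that singles out one connection.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def anonymize_entry(entry):
    """Copy of a parsed entry with the IP masked and the user name dropped."""
    out = dict(entry)
    out["ip"] = anonymize_ip(entry["ip"])
    out["user"] = "-"
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_combined_log(line)
        print("collected :", identifying_fields(entry))
        print("anonymized:", identifying_fields(anonymize_entry(entry)))
```

Running it over the two sample lines shows that even a site with no sign-up form has logged an address, a browser fingerprint and, for the second visitor, a login name; the anonymized copies are what you would keep if the policy promises that raw addresses are not retained.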

Any personally-identifiable information such as email addresses and user names must be mentioned in the policy. You may be collecting this information without really knowing it – most WordPress blogs, for example, allow anyone to register with the blog as a subscriber. Technically, this information collection must be mentioned in the policy.

After describing what information is collected, the privacy policy should also describe what the site does with that information. Many websites do nothing with personal information other than aggregating the routine web server data for things like traffic analysis and website optimization. When personal information is collected, however, the policy needs to describe who has access to that information. In particular, you need to mention if you plan on selling or renting email addresses to third parties for advertising or other purposes.

AdSense publishers should take note that Google requires that you include specific language in your privacy policy that mentions use of cookies and web beacons by Google in order to serve the advertisements it displays on your site. Other advertising networks may have similar requirements, so be sure to check the particulars with each network you use.

If you don’t feel comfortable wording your own privacy policy, there are a number of examples and templates — even a few privacy policy generators — available on the web. Or use a policy from a major commercial site as a template for your own policy. You can also pay a lawyer to create a custom policy for you, which is a good idea but certainly not inexpensive.