Used with permission from SBA.gov
by Caron Beesley

If you are starting an online business, conducting email marketing, or interacting with your customers via your website, then you need to be aware of and adhere to online privacy policies.

What do online privacy policies accomplish? Why do you need one? Sometimes one is required, as under the statutes that govern email spam. In other cases it is optional. In general, your online privacy policy is your company’s pledge to your customers about how you will use, not use, and protect the consumer data you collect from them. Check out SBA.gov’s own privacy policy as an example.

A privacy policy is not just lip service to your customers. You’ll need to make sure your business follows the policy by implementing reasonable security measures to protect your customers’ data. Failure to follow your business’s privacy policy can result in costly legal fees.

Online privacy policies differ from business to business and must be tailored to fit each business’s needs. However, there are some general guidelines and laws to be aware of as you craft your policy.

1. Explain How You Collect and Use Personal Information

While not required by law (although the Federal Trade Commission prohibits any deceptive practices), creating a privacy policy is important if you want people to buy your products. This is particularly important if you are involved in e-commerce or if you collect information in surveys or marketing forms. Every customer has a right to know how you collect and use their information.

Online privacy policy generators (just run a search on that term and you’ll find them) can help you craft a policy. As you craft yours, be sure to clearly explain the following:

  • Your Cookie Policy – Cookies are used to store user preferences or shopping cart contents. Clearly explain your cookie practice.
  • How You Share Customer Information – Customers need to know that their data will only be used to complete the transaction and that any further use of that data (including selling or distributing it) requires their consent.
  • Contact Information – Make it easy for your customers to contact you or file a complaint.

2. Display Your Privacy Policy

Make sure new customers or users have easy access to your policy by prominently displaying links to it (from your home page, product pages, and in the shopping cart). Remember, you want them to feel comfortable that you take their online security seriously.

3. Publish Your Email Opt-Out Policies

Include opt-out options in your email marketing (the CAN-SPAM Act requires it) and on your website so that your customers have the option of changing or canceling their email notices. Read more about opt-out and CAN-SPAM laws in SBA’s guide to Online Advertising Law.

4. Collecting Data from Children

If your website targets children under the age of 13, you’ll need to comply with the Children’s Online Privacy Protection Act (COPPA).

5. Adhere to Your Policy

Adherence to your policy is important from the standpoint of both customer credibility and the law: the Federal Trade Commission will investigate complaints of unfair or deceptive practices. A case in point: its recent investigation of Facebook privacy practices. As new technologies emerge, such as mobile apps, online communities, and social media, be sure to update your privacy policy to align with any changes to the way you capture and protect consumer information.

6. Get a Seal of Approval

Third-party validation of your online privacy and security policy can enhance your credibility. For a fee, companies that offer this validation can help you create your privacy policy, or review your existing one, and conduct an annual audit to test your compliance.

7. Talk to an Expert

The Federal Trade Commission is constantly reviewing privacy issues. Areas such as cloud computing, mobile applications, social media, and other online services are increasingly coming under the spotlight. If you do most of your business online, talk to a lawyer who specializes in Internet or online law to determine whether your policies are adequate.