How to Write a Website Privacy Policy

Written by Andrew Monroe Baer, Internet Lawyer


Posted over 4 years ago.



Hire an Internet Lawyer

Most web startups don't have a lot of money, and saving on legal fees is an understandable concern. However, privacy is an area where you shouldn't skimp, particularly if you have a highly interactive site collecting various types of personal information from users. To begin with, certain types of business, such as medical practices and banks, are subject to federal privacy laws (HIPAA and Gramm-Leach-Bliley, respectively). Even where this is not the case, the Federal Trade Commission has been increasingly aggressive in demanding and enforcing (by administrative actions seeking fines, restitution and other sanctions) greater notice and disclosure to consumers, and in some cases affirmative consent, regarding online data collection practices. Also, states like California have statutory requirements relating to the posting and content of website privacy policies. You should have your privacy policy drafted, or at least reviewed, by an attorney knowledgeable about these areas of law.


Don't Simply Copy Someone Else's Privacy Policy and Change the Site Name

Privacy policies are widely -- and mistakenly -- viewed as "forms," i.e., something you can easily dupe from another site. In fact, they are anything but. Privacy policies need to be specifically tailored to the data collection, use and disclosure practices of each individual site, and no two sites are identical. The FTC frequently brings administrative proceedings (under its power to sanction unfair or deceptive marketing practices) against online businesses whose actual data collection, use and disclosure practices do not conform to what is disclosed in their privacy policies. So, to give a concrete example, if you copy another site's privacy policy, and they don't share customer information with third-party marketers but you do in limited circumstances, you could get in big trouble if you don't disclose this. You should have a conversation with your lawyer about your specific approach to online privacy prior to having him or her draft or review your policy.


Don't Limit Your Disclosure to the Collection of Personal Information

Obviously, consumers and federal and state regulatory authorities are most concerned with adequate disclosure concerning the collection, use and disclosure of personally identifiable information (such as name, credit card or financial account number, Social Security Number, driver's license number, e-mail address, or any of these identifiers combined or associated with information like mailing address, age, etc.). However, many sites also collect information that may be computer- or device-specific (like IP address), even if it is not personally identifiable. Such information, when associated with other information collected by the site or available on the Internet, such as online browsing activity, can be used to build extremely detailed data profiles and/or to obtain other information of a more personal variety. The FTC is sounding the alarm about this, so make sure your privacy policy covers information collected by cookies, web beacons and other web technologies.


Be Clear; Avoid Too Much Legalese

Have a lawyer draft or review your privacy policy, but make sure a non-legal user reading it can understand what you do and don't do with respect to information collected online. The FTC is increasingly looking at how you disclose in addition to what you disclose.


Highlight Any Collection or Sharing of Personal (or User- or Device-Specific) Information for Behavioral Advertising

In February 2009, the FTC issued "self-regulatory" guidelines for sites that collect and share information to be used in behavioral ad targeting. These guidelines emphasize the need for special notice, disclosure and affirmative consent, and strongly discourage burying disclosures about behavioral advertising in privacy policy legalese. Don't interpret "self-regulatory" to mean "optional," because the FTC stated at the end of the document that it is prepared to bring enforcement proceedings against violators under its power to sanction unfair or deceptive marketing practices. It also has commented recently that it feels the self-regulatory regime isn't working, so a new regulatory regime may be forthcoming in 2010. For now, talk to your lawyer about whether you share user profile or activity information with marketers such as ad networks, and, if you do, consider writing a special prominent disclosure of these practices, combined with an ability for users to opt out.


Prominently State the Effective Date of Your Privacy Policy and Think About How to Notify Users of Changes

A California statute requires privacy policies to contain a clear statement of their effective date, and the FTC has also expressed displeasure about material changes to website privacy practices being applied retroactively, i.e., to information collected prior to the new effective date. You should have an effective or "last updated" date at the beginning or end of your privacy policy, and if you make material changes to your privacy practices (such as changes in what personal or device- or user-specific information is collected, or how this information is disclosed or used), you should think about sending an e-mail notice to your website users, or posting some sort of announcement on the site, and requiring your users to re-accept the updated privacy policy the next time they sign in or request a transaction, if this can be done without destroying the user experience.

Additional Resources

Baer Business Law site
