A major concern among visitors to websites is how their personal information will be used. Although, most websites have posted privacy policies, many just copy language found on other websites. The problem is that the borrowed language may describe the practices of the other site, but may not be correct when it comes to the new site using the policy, and when it comes to privacy policies, inaccuracy can be expensive.

A privacy policy is a disclosure document, whose purpose is to inform consumers on how a website deals with consumer information i.e. how your website will protect the information you gather from consumers. When it comes to consumer protection, the FTC and state attorneys general have jurisdiction, the enforcers can and do sue and fine sites whose privacy policies are inaccurately describing the sites actual practices.

Well-intentioned companies can get themselves into trouble with their privacy policies by unknowingly making inaccurate statements. Among the biggest problems is a statement such as, “We will not share your information with any third party." This sounds great, but is usually false. When it comes to the Web, there are numerous legitimate third parties with whom the site owner must share user information just to operate the site: the site’s hosting company, the delivery service delivering purchases, the banks clearing credit card payments, etc. It’s generally OK to make these disclosures, but you need to inform your users.

Generally, there are four critical issues that should be addressed in website private policies. The issues are:

  1. Notice – data collectors must disclose their information practices before collecting personal information from consumers;
  2. Choice – consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided;
  3. Access – consumers should be able to view and contest the accuracy and completeness of data collected about them; and
  4. Security – data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use.

Another issue is related to children under the age of 13. Because of the legal requirements related to collecting information from children, most websites chose to restrict use to users over the age of 13. If this is not feasible from a business perspective, your privacy policy needs to include additional notices and terms, and you will need to implement certain safeguards when interacting with children.

In addition, the FTC has recently issued a report on internet privacy advocating a “Do Not Track" system. Although merely suggestions to the legislature, if implemented this proposal could significantly affect many internet business models that rely on the ability to target advertising to visitors. Web companies should closely watch the development of this area of law.

Given that copying another site’s language is a bad way to create a privacy policy, you should think about contacting an attorney. An attorney familiar with the laws and rules about data can guide you through the process of learning exactly how your company collects data, how it uses the data and how it shares them with others, so the policy can be accurate as well as flexible enough for future uses.