Go Public With Web Site Privacy Policy


A Web site is a great way for small businesses to disseminate information about their products and services and gather contact information from potential customers or clients. But before you start collecting information from people who visit your site, be sure to put some thought into a privacy policy.

A Federal Trade Commission study released last week looked at 1,400 randomly selected commercial Web sites and found that 85% collected some type of personal information from consumers, but only 14% offered any notice about how the information is used and only 2% included a comprehensive privacy policy. This is despite a concerted effort by the Clinton administration to encourage companies to voluntarily develop privacy programs. The report concluded that the “industry’s efforts to encourage voluntary adoption of the most basic fair information practices have fallen short of what is needed to protect consumers.”


Formulating a privacy policy and posting it on your company Web site isn’t just a good idea, it’s good for business. A survey conducted by the Boston Consulting Group for Truste, a privacy advocacy organization, found that “76% of respondents expressed concern about sites monitoring user browsing on the Internet; 70% worried about online purchases.” In the words of FTC Chairman Robert Pitofsky, the “online marketplace is unlikely to reach its full potential until consumers are confident that adequate protections are in place to protect their personal information.”


If your business has a Web site or is planning to set one up, it’s important to develop and post a privacy policy. Think about what information you collect from visitors. Do you require or invite them to register and, if so, what information do you ask them to enter? If you sell merchandise or take orders online, you obviously have to collect personal information, which is OK as long as you are responsible about what you do with it.


Be aware that consumers are skeptical about giving out personal information online. Ninety percent of respondents to a Business Week/Harris Poll survey reported they are very (65%) or somewhat (25%) concerned about the security of their personal financial information when it comes to buying a product online. I find this ironic, considering that most people seem to have no qualms about handing credit cards to shopkeepers, waiters and gas station attendants. Nevertheless, in business, perception is reality, so it’s up to business owners to make people feel comfortable about conducting business online.

If you want your site to be well liked by Net surfers, the best policy is to never sell, barter or trade information about your visitors or customers without their expressed permission in advance. Some companies who wish to reserve the option to provide customer information to other companies include a check box, which allows their visitors to give or deny permission to do so.


Personally, I prefer sites that ask as little about me as necessary. Stores don’t usually require people to fill out paperwork before letting them browse through a shop, so why make people register just to visit your site? If you must ask people information about themselves, avoid questions that make people uncomfortable such as their income or age, and make it clear to people why you need this information and what you plan to do with it.

Truste recommends that every site that collects information create a privacy policy that includes:

* What information the site gathers or tracks.

* What the site does with the information it gathers or tracks.

* With whom the site shares the information it gathers or tracks.

* The site’s opt-out policy.

* The site’s policy on correcting and updating personally identifiable information.



Truste’s Web site has a sample privacy policy and a wizard tool you can use to create a privacy policy for your own site. Companies that do business on the Web can join Truste by agreeing to abide by its policies and paying a membership fee that starts at $249 a year.

Of special concern to the FTC and some consumer groups is the practice of collecting information directly from children without first asking for parental permission. Eighty-nine percent of the children’s sites in the FTC survey collect personal information from children, but only 23% tell children to seek parental permission before disclosing information.

The Center for Media Education, which has been at the forefront of this issue, has developed guidelines for the collection of information from children.

“Data collectors,” say the guidelines, “may not collect personal information from children, unless it is relevant, necessary and socially acceptable.”

* has a special privacy policy for site visitors 16 and under that states that “no information should be submitted to or posted at Disney Online’s Web sites by children 16 years of age or under without their parent’s or guardian’s consent.” The company further states that it “does not provide any personally identifying information, regardless of its source, to any third party for any purpose whatsoever.”

America Online last week announced a new privacy policy that gives users more control over how their personal information is used and promises not to collect information from children under 12 without written parental consent.

The FTC report recommended legislation that would require site operators to obtain parental consent before information is collected from children under 12. For kids over 12, the agency wants to require that parents be told the site is collecting information about their kids and “give them the opportunity to remove the information from the site’s database.”


As I wrote in an earlier column, using a Web site to collect e-mail addresses is a good way to keep in touch with customers, but there is a distinction between wanted commercial e-mail and spam. If you do create an e-mail list, only mail to people who have asked to receive your mail and give people information on how they can “unsubscribe.” And be sure to disclose your policies regarding the e-mail list as part of your privacy policy.


You can e-mail Lawrence J. Magid at and visit his Web site at On AOL, use keyword “LarryMagid.”