Difference between revisions of "Privacy Policy"
| (39 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
| − | A privacy policy is a statement of how and why your company / website collects | + | ==Privacy policy== |
| + | A privacy policy is a statement of how and why your company/ website collects [[Personally Identifiable Information (PII)]], what it does with it, what choices the consumer has about how it is used, whether the consumer can access the information, and what you do to assure that the information is secure. | ||
| − | Other privacy concerns that a privacy policy should address are the use of [ | + | Other privacy concerns that a privacy policy should address are the use of [https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_cookie cookies] and [https://secure.wikimedia.org/wikipedia/en/wiki/Web_bug web bugs], if any. |
| − | For a more detailed explanation on what a privacy policy is and possible legalities requiring you to have a privacy policy on your website, please refer to this [ | + | For a more detailed explanation on what a privacy policy is and possible legalities requiring you to have a privacy policy on your website, please refer to this [https://secure.wikimedia.org/wikipedia/en/wiki/Privacy_policy Wikipedia article]. For help in creating your own privacy policy, the [http://www.oecd.org/sti/interneteconomy/informationsecurityandprivacy.htm OECD information security and privacy website] has good advice. There is also a [[How_To_Privacy_Policy| WOT Privacy Policy how-to]] that offers help in creating your own privacy policy. |
| + | ===Free privacy policy generator=== | ||
| + | [http://www.generateprivacypolicy.com/ Generate Privacy Policy]: "You may create professional privacy policies with our user friendly tools. Privacy policy agreements are tailored specifically for your website, your business and your requirements." | ||
| − | + | ==Cookie policy== | |
| + | A cookie policy is usually part of the privacy policy. It is addressed within its own section (normally a paragraph) which states what type of [http://en.wikipedia.org/wiki/HTTP_cookie cookies] are used: session or persistent. | ||
| + | |||
| + | Your site should offer as few cookies as possible, preferably none. More widgets, advertising, and other third-party intervention causes your site to drop more cookies on your visitor's computer. When you do use scripts, or browser bars, or social networking link "buttons", etc you should address this use in your cookie policy and offer explicit links to the other privacy policies available on these outside sources. | ||
| + | |||
| + | When using third-party advertising such as Google or DoubleClick, reference their usage and include the appropriate links. Google is just one example of many advertising sites. | ||
| + | |||
| + | * [https://support.google.com/adsense/bin/answer.py?answer=2839090 DoubleClick cookies] | ||
| + | * [https://www.google.com/adsense/support/bin/answer.py?answer=100557 Google Adsense] | ||
| + | * [https://www.google.com/policies/technologies/ads/ Google Advertising and Privacy] | ||
| + | |||
| + | ===Tracking=== | ||
| + | A cookie policy should also mention whether the site uses any third-party trackers: Google Analytics and Quantserve are two popular ones. Tracking may also be done by using [http://en.wikipedia.org/wiki/Web_beacons web beacons], e.g. web bug, tracking bug, tracking pixel, pixel tag, 1×1 gif, clear gif. This should be explicitly mentioned in your privacy policy if your site uses this technology. | ||
| + | |||
| + | [https://www.google.com/analytics/terms/gb.html Google Analytics Terms of Service, Section 7], Privacy: | ||
| + | <blockquote>You will not (and will not allow any third party to) use the Service to track, collect or upload any data that personally identifies an individual (such as a name, email address or billing information), or other data which can be reasonably linked to such information by Google. You will have and abide by an appropriate Privacy Policy and will comply with all applicable laws and regulations relating to the collection of information from Visitors. You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect traffic data, and You must not circumvent any privacy features (e.g., an opt-out) that are part of the Service.</blockquote> | ||
| + | |||
| + | ===Local shared object (LSO)=== | ||
| + | [http://en.wikipedia.org/wiki/Local_Shared_Object Local shared objects (LSO)] are also referred to as "zombie" or "super" cookies. They are part of Adobe Flash. Quoting from Adobe: | ||
| + | <blockquote>Local shared objects, sometimes referred to as "Flash cookies," are data files that can be created on your computer by the sites you visit. Shared objects are most often used to enhance your web-browsing experience. A website can write a cookie on your computer, and the next time you visit it will load that cookie and its information in a way that provides a more customized experience. For example, you may have asked a site to remember your login name. That information is stored in the cookie and retrieved on your next visit so that the website displays your name in the login field on the site.</blockquote> | ||
| + | The interesting thing about LSO's are that when you delete your cookie cache, the LSO is able to rewrite the cookie. This causes the LSO to be used not only for tracking, but for spyware as well. The only time your site should use Adobe Flash LSO's are when you have created Flash files (.SWF / .FLV) to share with your visitors and these local stored objects should not be abused with the intent on spying upon your site visitors. | ||
| + | |||
| + | A little more information may be found on [[local shared object|local shared object]]. | ||
| + | |||
| + | ==EU legislation on cookies== | ||
| + | EUROPA websites must follow the Commission's guidelines on [http://ec.europa.eu/ipg/basics/legal/data_protection/index_en.htm privacy and data protection] and inform users that cookies are not being used to gather information unnecessarily. | ||
| + | |||
| + | The [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML ePrivacy directive] – more specifically Article 5(3) – requires prior informed consent for storage of or access to information stored on a user's terminal equipment. In other words, you must ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them. | ||
| + | For consent to be valid, it must be informed, specific, freely given and must constitute a real indication of the individual's wishes. | ||
| − | + | ==COPPA== | |
| + | ''Children's Online Privacy Protection Act'' | ||
| − | + | Sites hosted within the USA, or on US servers (when whois registration is private) must adhere to COPPA. COPPA should also be referenced within your site's privacy policy. The FTC specifically says that websites that are collecting information from children under the age of thirteen are required to comply with Federal Trade Commission (FTC) Children's Online Privacy Protection Act (COPPA). | |
| − | |||
| − | |||
| + | ===International scope=== | ||
| + | COPPA is United States law, however, the U.S. Federal Trade Commission has made it clear that the requirements of COPPA will apply to foreign-operated web sites (referred to as <em>operators</em>) if such sites "are directed to children in the U.S. or knowingly collect information from children in the U.S." per the [http://www.ftc.gov/privacy/privacyinitiatives/childrens.html FTC Privacy Initiatives]. For additional information about COPPA, see the following references: | ||
| − | + | * [http://www.coppa.org/ Children's Online Privacy Protection Act website] | |
| − | + | :- [http://www.ftc.gov/opa/2013/07/coppa.shtm revised July 2013] | |
| + | :- [http://www.ftc.gov/opa/2012/12/coppa.shtm modified December 2012] | ||
| + | * [http://www.business.ftc.gov/privacy-and-security/childrens-privacy FTC Bureau of Consumer Protection] | ||
| + | * [http://www.ftc.gov/privacy/privacyinitiatives/childrens.html The Children's Online Privacy Protection Act] via FTC | ||
| + | * [http://www.ftc.gov/privacy/coppafaqs.shtm COPPA FAQ] via FTC | ||
| + | * Wikipedia [http://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Protection_Act COPPA article] | ||
| + | |||
| + | ==P3P== | ||
| + | The [http://www.w3.org/P3P/ Platform for Privacy Preferences] (P3P) are standards developed by the World Wide Web Consortium (W3C). | ||
| + | |||
| + | ==WOT Forum== | ||
| + | A few [http://www.mywot.com/forum/7300-privacy-lawsuit-targets-net-giants-over-zombie-cookies articles] of interest: | ||
| + | * Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies | ||
| + | * Browser Fingerprints Threaten Privacy | ||
| + | * A Primer on Information Theory and Privacy | ||
| + | * Flash Cookies and Privacy | ||
| + | |||
| + | ==Other references== | ||
| − | * [http://www. | + | * The EU Internet Handbook |
| − | * [https://www. | + | ** [http://ec.europa.eu/ipg/index_en.htm Information Providers Guide] |
| + | * Federal Trade Commission | ||
| + | ** [http://www.ftc.gov/multimedia/video/privacy.shtm Sharing Information: A Day in Your Life] | ||
| + | **: Video: [http://www.ftc.gov/bcp/edu/multimedia/video/privacy/personal-info_day-in-life.flv FLV] | [http://www.ftc.gov/bcp/edu/multimedia/video/privacy/personal-info_day-in-life_720p.mov MOV] | [http://www.ftc.gov/bcp/edu/multimedia/video/privacy/personal-info_day-in-life_480p.wmv WMV] | ||
| + | ** [http://business.ftc.gov/privacy-and-security Privacy and Security] | ||
| + | ** Protecting Consumer Privacy in an Era of Rapid Change (March 2012) | ||
| + | **: [http://www.ftc.gov/opa/2012/03/privacyframework.shtm Press release] | [http://www.ftc.gov/os/2012/03/120326privacyreport.pdf Report PDF] | ||
| + | ** Evolution of a Prototype Financial Privacy Notice (February 2006) | ||
| + | **: [http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf Report PDF] | ||
| + | * [http://www.networkadvertising.org Network Advertising Initiative] | ||
| + | * [https://www.eff.org/wp/osp EFF - Best Practices for Online Service Providers] | ||
| + | * Better Business Bureau | ||
| + | ** [http://www.bbb.org/us/corporate-engagement/security/ BBB Security & Privacy - Made Simpler] | ||
| + | **: [http://www.bbb.org/us/storage/16/documents/SecurityPrivacyMadeSimpler.pdf Report PDF] | ||
| + | ==See also== | ||
| − | |||
[[Personally Identifiable Information (PII)|Personally Identifiable Information (PII)]] | [[Personally Identifiable Information (PII)|Personally Identifiable Information (PII)]] | ||
Latest revision as of 21:39, 21 January 2015
Contents
Privacy policy
A privacy policy is a statement of how and why your company/ website collects Personally Identifiable Information (PII), what it does with it, what choices the consumer has about how it is used, whether the consumer can access the information, and what you do to assure that the information is secure.
Other privacy concerns that a privacy policy should address are the use of cookies and web bugs, if any.
For a more detailed explanation on what a privacy policy is and possible legalities requiring you to have a privacy policy on your website, please refer to this Wikipedia article. For help in creating your own privacy policy, the OECD information security and privacy website has good advice. There is also a WOT Privacy Policy how-to that offers help in creating your own privacy policy.
Free privacy policy generator
Generate Privacy Policy: "You may create professional privacy policies with our user friendly tools. Privacy policy agreements are tailored specifically for your website, your business and your requirements."
Cookie policy
A cookie policy is usually part of the privacy policy. It is addressed within its own section (normally a paragraph) which states what type of cookies are used: session or persistent.
Your site should offer as few cookies as possible, preferably none. More widgets, advertising, and other third-party intervention causes your site to drop more cookies on your visitor's computer. When you do use scripts, or browser bars, or social networking link "buttons", etc you should address this use in your cookie policy and offer explicit links to the other privacy policies available on these outside sources.
When using third-party advertising such as Google or DoubleClick, reference their usage and include the appropriate links. Google is just one example of many advertising sites.
Tracking
A cookie policy should also mention whether the site uses any third-party trackers: Google Analytics and Quantserve are two popular ones. Tracking may also be done by using web beacons, e.g. web bug, tracking bug, tracking pixel, pixel tag, 1×1 gif, clear gif. This should be explicitly mentioned in your privacy policy if your site uses this technology.
Google Analytics Terms of Service, Section 7, Privacy:
You will not (and will not allow any third party to) use the Service to track, collect or upload any data that personally identifies an individual (such as a name, email address or billing information), or other data which can be reasonably linked to such information by Google. You will have and abide by an appropriate Privacy Policy and will comply with all applicable laws and regulations relating to the collection of information from Visitors. You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect traffic data, and You must not circumvent any privacy features (e.g., an opt-out) that are part of the Service.
Local shared objects (LSO) are also referred to as "zombie" or "super" cookies. They are part of Adobe Flash. Quoting from Adobe:
Local shared objects, sometimes referred to as "Flash cookies," are data files that can be created on your computer by the sites you visit. Shared objects are most often used to enhance your web-browsing experience. A website can write a cookie on your computer, and the next time you visit it will load that cookie and its information in a way that provides a more customized experience. For example, you may have asked a site to remember your login name. That information is stored in the cookie and retrieved on your next visit so that the website displays your name in the login field on the site.
The interesting thing about LSO's are that when you delete your cookie cache, the LSO is able to rewrite the cookie. This causes the LSO to be used not only for tracking, but for spyware as well. The only time your site should use Adobe Flash LSO's are when you have created Flash files (.SWF / .FLV) to share with your visitors and these local stored objects should not be abused with the intent on spying upon your site visitors.
A little more information may be found on local shared object.
EU legislation on cookies
EUROPA websites must follow the Commission's guidelines on privacy and data protection and inform users that cookies are not being used to gather information unnecessarily.
The ePrivacy directive – more specifically Article 5(3) – requires prior informed consent for storage of or access to information stored on a user's terminal equipment. In other words, you must ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them.
For consent to be valid, it must be informed, specific, freely given and must constitute a real indication of the individual's wishes.
COPPA
Children's Online Privacy Protection Act
Sites hosted within the USA, or on US servers (when whois registration is private) must adhere to COPPA. COPPA should also be referenced within your site's privacy policy. The FTC specifically says that websites that are collecting information from children under the age of thirteen are required to comply with Federal Trade Commission (FTC) Children's Online Privacy Protection Act (COPPA).
International scope
COPPA is United States law, however, the U.S. Federal Trade Commission has made it clear that the requirements of COPPA will apply to foreign-operated web sites (referred to as operators) if such sites "are directed to children in the U.S. or knowingly collect information from children in the U.S." per the FTC Privacy Initiatives. For additional information about COPPA, see the following references:
- FTC Bureau of Consumer Protection
- The Children's Online Privacy Protection Act via FTC
- COPPA FAQ via FTC
- Wikipedia COPPA article
P3P
The Platform for Privacy Preferences (P3P) are standards developed by the World Wide Web Consortium (W3C).
WOT Forum
A few articles of interest:
- Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies
- Browser Fingerprints Threaten Privacy
- A Primer on Information Theory and Privacy
- Flash Cookies and Privacy
Other references
- The EU Internet Handbook
- Federal Trade Commission
- Sharing Information: A Day in Your Life
- Privacy and Security
- Protecting Consumer Privacy in an Era of Rapid Change (March 2012)
- Evolution of a Prototype Financial Privacy Notice (February 2006)
- Network Advertising Initiative
- EFF - Best Practices for Online Service Providers
- Better Business Bureau
