When privacy policies are being mentioned online or in the news, it’s usually not to praise them. During the past few years, several companies have been criticized, censured, or sued when the privacy policies they have posted on their Web sites don’t reflect what the business actually does.

RealNetworks, for example, came under scrutiny last November when it was learned that the company had been collecting information on its users through globally unique identifiers (GUIDs), a practice that wasn’t spelled out in its privacy policy.

Although RealNetworks changed its policy statement to include its data-collection method, it’s likely some consumers still associate the company with the privacy gaffe. And while the practice of using GUIDs isn’t uncommon, not informing customers that they were in use couldn’t have helped RealNetworks’ business.

So what should your business include in its privacy policy? How do you let visitors to your Web site know how personal information is being used?

Understand your data collection
Atlanta-based lawyer Peggy Eisenhauer often receives requests from clients who want her to help them put together privacy policies. But that’s not the first step she encourages businesses to take.

“I always tell them that’s the wrong place to start,” said Eisenhauer, who works for Hunton & Williams. “The first place is actually understanding your current data-collection practices. And second, deciding what you want them to be.”

For example, does your company share information it collects with third parties? What kinds of consumers are you trying to attract? Are you collecting sensitive data like social security numbers?

Only after a business understands how it collects information from users should it formulate a privacy policy.

“If you start by drafting a privacy policy, it’s not likely going to reflect your business,” Eisenhauer said. “If you start by understanding your business, then your privacy policy is going to be much more accurate.”

What your policy should cover
Eisenhauer recommends that any privacy policy should have these components:

  • Notice: Tell users what kind of data is being gleaned from them, how you will use it, and who else might see it.
  • Choice: Can users decide how collected information is used? Can users opt out of having information collected?
  • Access: To comply with the Federal Trade Commission, users must be able to review, update, or correct information.
  • Security: Tell users how you will safeguard the information collected on them.
  • Educate: Make sure users can come away knowing your company’s practices and that the policy accurately reflects your practices.

Is it understandable?
Whether a visitor to your site is an IT professional or a first-time Web user, privacy policies should be easy to read and aimed at your consumers. If the wording of your privacy policy is unclear to you, it’s certainly not going to make sense to the people you’re trying to reach.

Yahoo! and privacy
Eisenhauer praised Yahoo!’s privacy policy for being readable and comprehensive. At the bottom of the Yahoo! home page, a link takes users to the portal’s privacy policy, which explains:

  • What information is collected from users and how it is used
  • How the information is collected and with whom it is shared
  • What choices users have in terms of information collection and use
  • How users can access their information
  • How Yahoo! handles users’ personal financial and health-related information
  • How Yahoo! safeguards information

The site also carries a seal of approval from TRUSTe, a nonprofit company that awards seals to a business’s Web site after it meets a list of privacy guidelines.

What is your privacy policy worth?
With thousands of businesses on the Web vying for traffic, and with consumers who are becoming more aware of how much information is gathered, a sound privacy policy could be one of the things that keeps a user on your site.

“Privacy is a multi-headed beast,” said International Data Corporation analyst Chris Christiansen. “Consumers, especially consumers with children, are worried about disclosure, sale, and control of what they consider private information.”

Companies that follow their privacy policies can use them as another way to reassure their customers.

“Your privacy policy ought to be in some ways like a warranty,” Eisenhauer said. “It’s a statement of who you are and what you do, and it ought to be something that you tell people about.”