The FTC recommendations define four areas that should be covered in your privacy policy.
First, your privacy policy should provide "notice". From the FTC Report:
Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site. (FTC 2000)
There are many requirements packed into just one sentence, so let us pull it apart and look at each piece separately.
First, the privacy policy should be clear. There is a trend among organizations and governments encouraging or requiring companies to communicate with consumers in "plain" or "simple" language. The concept of plain language takes into account that most consumers do not have a law degree, and therefore do not understand the legalese that is typical of most contracts. By requiring that agreements be made in simple terms, the information that you are trying to convey can be comprehended by the audience that you are trying to reach. Keep your privacy statement simple. Do not use legal or technical terms that are not commonly known, and when you must use such terminology, clearly explain it in non-technical language. To see how not to write a simple privacy policy, look at the privacy policy for the California State Library, which is almost entirely a quote from the California State code. Any policy beginning with "pursuant" is likely headed in the wrong direction. For a positive example, drop by the White House web site. Written in simple but effective prose, the White House policy is a refreshing change from the typical government legalese.
Second, make your privacy policy conspicuous. Many sites that have a privacy policy bury the link at the bottom of the page in small type. During my research, I often had to use search to find the policy. If your users cannot find the policy easily, it is just like not having a policy at all. For sites that have users less than 13 years old, the Child Online Privacy Protection Act (Federal Register 1999) requires that the link be prominently displayed. For a good example, visit the FTC web site or the Disney web site.
Third, disclose what information you are collecting and how you will collect it. This is not limited to forms that you require users to submit, but includes information that you collect using cookies, web server log files, crumbs and any other sources. A good rule of thumb: when in doubt, disclose the information. No company will be accused of giving the consumer too much information about the data they are collecting. A great example of information gathering disclosure comes from the Best Buy web site. They do a great job of spelling out exactly what information is collected, how it is collected and for what purpose it is used.
The next part of the sentence restates the final three points of the recommendation, so we will leave our examination of choice, access and security until we have completed our in-depth look at notice.
Finally, disclose any third parties who will have access to the collected data. The exact nature of who has access to the data can be murky waters, especially if you are using third parties to provide functionality for your site (e.g. chat service, email service, etc.). Again, when in doubt, disclose the information. One area that may escape your attention at first glance is an advertiser on your site. For instance, a third party advertising broker (think Double-Click, Engage, 24/7 Media or Link Share) that you use to serve the ads on your site may be placing cookies, "web beacons", "web bugs" or similar tracking elements on the ads that they serve, collecting your users’ surfing habits. This should be disclosed to your users so that they can understand who, besides the site they see in the address bar, is collecting information. According to the FTC, "although 57% of a random sample of the busiest Web sites allowed third parties to place cookies, only 22% of those sites mentioned third-party cookies or data collection in their privacy policies" (FTC 2000). In a recent Business Week poll, 91% of respondents were either "not very comfortable" or "not at all comfortable" if a site "Shared information so you could be tracked on multiple Web sites." (Business Week 2000) You cannot afford to ignore such a large pool of prospective users.
Make sure that you also include a statement to the effect that you will release customer records to law enforcement officials when criminal activity is suspected. Normally, information is shared with law enforcement in response to a subpoena or court order, but in the shadow of the horrific events of September 11, many companies are rewriting their privacy policies to make it clear that they will share all available information without a court order or subpoena in the case of a national emergency (Olson 2001). Read the Armstrong policy for a great example of how this information should be presented.
Ken Wilson has over 15 years of IT experience, primarily in the legal and financial industries. For the past several years his focus has been on Internet Development, building systems for dotcoms such as Juniper Financial and Bill-Me-Later.com, and he is currently hard at work on an Investor Portal for Deutsche Bank. Ken is a Senior Architect at Kaloke Technologies, Inc. and a Product Manager for their successful KWML framework.