This is the second part of an article on the subject of the World Wide Web ("WWW") Privacy Policy. While part one focused on broad-based WWW privacy issues, part two will discuss specific guidelines for preparing and implementing a company's privacy policy as well as the specific requirements that have been mandated by the recently passed Children Online Privacy Protection Act of 1998.
GUIDELINES FOR DEVELOPING AND MAINTAINING YOUR WEB SITE'S PRIVACY POLICY
The most effective way to establish a privacy policy is to make certain that it specifically addresses (1) all the important privacy and legal issues, (2) your company's specific business requirements, (3) the privacy concerns of your web site visitor and (4) is written in a manner so that it "works" for your targeted audience.
The process for creating a privacy policy is very similar to the preparation of any other marketing and sales business policy that is developed for your company as it will require the across-the-board support from management, marketing and sales, and information services.
The first step in developing the privacy policy should be an audit of what is currently being done on your site with respect to the collection, use and dissemination of information. The audit and subsequent analysis must include a review of (1) where and how information is collected at different locations on your site; (2) what happens to the information once it is collected, - some of the issues that must be addressed include: "Who receives it?", "Is it combined with other data?", "Who has access to the information?", "How is the information currently used?, "How will the information be used in the future?"; (3) a review of any privacy statements that may already exist on the site and (4) an analysis of any special privacy policy requirements that may exist as a result of the type of information being collected at your site or because of the specific industry you are in.
Step two involves an evaluation of your company's objectives. The primary focus during this step should revolve around the purpose of the web site and the current and/or planned uses for the collected data.
The third step results in the formulation and preparation of your company's privacy policy. This is the stage where decisions are made regarding the type of information that will be collected and how this information will be used. During this stage many technical questions involving the design of the site and the data structure will be raised and it becomes very important to make certain that the company's privacy policy and the site's technical requirements are compatible. An important decision that should be addressed during is whether to join a privacy seal program such as "TRUSTe" or "BBBOnLine".
Step four then proceeds to designing writing the company's privacy policy that will appear on the web site. The primary model for developing an information privacy policy has been one that was promulgated by the FTC and has subsequently been adopted by other online organizations. This model permits consumers to participate in decisions regarding the collection, dissemination and use of their personal information and is combined with the knowledge that this information is being collected within a framework that provides for the security and integrity of the collected data. The elements of this "Fair Information Practices" model includes (1) "notice" the privacy policy should be easily found on your site and should clearly state the practices that are involved in collecting, using and disclosing information before any such information is collected; (2) "choice" or "consent" this applies when the information that was collected for a primary use will subsequently be used for another purpose and such secondary use requires the consumer's consent; (3) "access" this means that the consumer will have access to his/her information and the ability to correct any errors in the data or to delete the information; (4) "security" web sites should protect the security of the information and take steps to protect it from being altered; and (5) "enforcement" this is the heart of a self-regulation model and it requires that the privacy policy and its principles are enforceable for it to be effective.
The fifth and sixth steps involve the implementation and maintenance of the privacy policy. These steps may require (1) the development of company training programs to ensure that the company's employees understand the importance of the privacy policy and the pitfalls that may result from the wrongful disclosure of a consumer's personal information; (2) a review of third party contracts especially as they relate to privacy issues; (3) the development of a policy for third party links and frames that informs the visitor to your web site that they are no longer protected by your company's privacy policy; and (4) a policy whereby senior management approves any web site changes and information collection practices that may have an impact on the company's privacy policy.
CHILDREN ONLINE PRIVACY PROTECTION ACT OF 1998
The Children Online Privacy Protection Act of 1998 ("COPPA") that was recently passed will go into effect on April 21, 2000. The FTC will be responsible for enforcement of COPPA. COPPA requires a privacy policy for those sites that target children and/or have actual knowledge that children come to the site and such site collects "personal" information from children. Children as defined by COPPA are those younger than 13 years of age. COPPA strictly limits the way the site can gather or use such information. The passage of COPPA means that a privacy policy is no longer an option for any web site that targets children. Instead, it means that any such web site must have a fully functional and operational privacy policy that meets the requirements specified in COPPA on it web site no later than April 21, 2000.
The COPPA regulations only apply to the collection of personal information. The FTC rules have distinguished between "personal" and "general" information as follows: personal information includes the name, address, phone number, e-mail address, and any other information that may be used to locate a child online or offline while general information includes such things as hobbies or preferences.
Under COPPA the web site must: (1) provide notice on the site of the information it collects, how such information will be used, and under what conditions the information will be disclosed; (2) obtain verifiable parental consent to collect, use and disclose any information; (3) provide means by which a parent can review the information that has been collected; (4) initiate a procedure whereby a parent can refuse to permit the use of their child's information and also permits the parent to delete the information from the web site's database; (5) restrict the amount of information collected to only that which is necessary to participate in activities on the site and (6) establish and maintain web site policies and procedures that will ensure and protect the confidentiality, security and integrity of the information that has been collected.
COPPA also applies to "banner advertisers" if the advertiser has advertising on a site that is directed to children and/or is knowledgeable that information is being obtained from children.
Although COPPA does not go into effect until April 21, 2000 web sites and advertisers who target children and/or are knowledgeable that children visit their site should begin developing procedures and policies to comply with COPPA's provisions. One difficulty in implementing such a policy and/or procedures is the newness of COPPA and the fact that there currently does not exist any precedence to serve as guidance. Therefore, it would probably be advisable for web sites and advertisers to consult with legal counsel in preparing a privacy policy that meet the COPPA regulations and FTC guidelines
ADS
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment