

Privacy and You!

ventureskills
Fri 2 March 2007, 12:11 pm GMT +0200
So you have built your first web site, but have you made a privacy policy? It's important that you write a policy: both in Europe and the US you can leave yourself up for either fines and/or being taken to court by individuals if you do not have a policy in place. But don't worry, because I have done the hard work for you!

Before you start you will need to know:
Does your site use cookies?
Does your site use third party JavaScript (Google Analytics/visitor counters etc)?
Do you pass any information to any other company?
Do you accept payments through the site?
Do you use a third party payment system that takes users off site (paypal etc)?
Do you host your own server?


Once you have that you're good to go. Our policy is divided into sections: the first and last sections are compulsory, the middle sections are only required if you answered yes to the above. Oh, and replace the bold with the correct words.

Webdigity Privacy sample policy
-------Section 1 ---------
Introduction
This site is governed by all the rules and regulations of the country of The Country of Business and is hosted in Country server is hosted. The site is owned and maintained by Company or Individual name and any enquiries regarding privacy should in the first instance be directed to Email Address.
Please note we hold all data for the minimum period of time prescribed by law for our country of origin. Any personal data that is held in a public facing part of the site can be removed if a request in writing is made to the address below; please note a small administration charge may be applied.

Tracking of data
This site tracks data in accordance with laws of Country server is hosted. This site collects logs which include IP address but does not collect personally identifiable data from visitors. The server logs are used to track problems within the site, however the information is made available to police and other authorities in the country of Country server is hosted as dictated by local laws.

------Section 2 Optional-------
Cookies & Sessions - For tracking
The site uses cookies and sessions for tracking identifiable data about a machine. This can include browser type amongst other information, however only personally identifiable information that you give can be placed in the cookie. The cookie resides in the machine that visited the site for a period of time. The following cookies are used on the site:
List cookies

------Section 3 optional--------
3rd Party information
While we do not sell information to third parties, we do pass information on to other parties to provide a richer experience. The following third parties have access to some or all of our data:
List third parties + Reason use
Example - Google Analytics cookies, Google analytics is our primary web statistics software no identifiable data is sent to Google analytics but rough geographic locations are included where available.

-------Section 4 Payments-----
Payment Systems
Our payment systems are handled in a secure manner using SSL and all payments are made through our merchant provider Merchant provider. The payments are handled on/off site.
-------On site------
On site payments are done in a secure area. This area has been verified through the following provider XXXX and any data collected there will be stored securely. The following identifiable data is collected from you at the time of purchase:
List data
Example - Name & Address, Credit card numbers etc
After a transaction is completed we Store your credit card details to make future purchases easier/never store your credit card details to prevent misuse
-----Off site------
All payments are handled by our third party merchant provider at the following address URL. You can get in touch with them via Email address. The following information is kept on our site:
List details
Example - Name, delivery address
If you have any concerns please get in touch with us regarding orders via the phone XXXXXXXXX

------Section 5 optional-----
Server Hosting details
As the owners of the server for this site we are legally obliged to retain information regarding traffic entering and leaving the site in relation to the laws governing the use of computers in the country of origin.

---------Section 6 Compulsory---
Disputes
If you require information or believe an error has been made within this document you should in the first instance contact Email or via a letter to
Address
If you feel the matter has not been dealt with correctly you can contact the following organisations XXXXX & XXXXX
We take your privacy seriously and do not sell or use your data in a way that could be considered inappropriate both morally and in the eyes of the governing laws.

Nikolas
Fri 2 March 2007, 12:22 pm GMT +0200
Wow that's a great piece of information! Thanks for posting this :)

Should I copy/paste it to this site? I've just realized that webdigity has no privacy policy.....

olaf
Fri 2 March 2007, 12:27 pm GMT +0200
Thanks Tim, I think we need to follow this guideline with all of our websites...

I remember that I did some investigations for privacy / disclaimer here in the Netherlands and I talked to some of the people from bigger ISPs. The problem is that there is almost no regulation for internet privacy on regular websites.

Most of the website owners didn't know the difference between disclaimer and internet privacy statement. ... and there was a seminar about this item given by the chamber of commerce, the result was that the event was canceled because of a lack of people joining :(

ventureskills
Fri 2 March 2007, 01:22 pm GMT +0200
Not sure about the rest of Europe but the UK has started enforcing the EU legislation on data privacy, other countries probably are as well, so it is a legal requirement (in most of Europe) to have an identifiable privacy policy, which provides a method for disputes, and it's a good idea to avoid conflicts.

olaf
Fri 2 March 2007, 01:26 pm GMT +0200
Quote
Not sure about the rest of Europe but the UK has started enforcing the EU legislation on data privacy, other countries probably are as well, so it is a legal requirement (in most of Europe) to have an identifiable privacy policy, which provides a method for disputes, and it's a good idea to avoid conflicts.

you're absolutely right (and I don't like to run after the facts)

WhiteEagle
Tue 6 March 2007, 11:57 pm GMT +0200
Thanks for the privacy policy. I think I got it right, but can you review it?

Thanks,
Natnan P.

Mind_nl
Wed 7 March 2007, 10:43 am GMT +0200
required by law? I guess I have some sites that need to be updated...

WhiteEagle
Wed 7 March 2007, 09:16 pm GMT +0200
At least I'm past this hurdle...

* WhiteEagle wipes sweat off his forehead...wondering what would have happened had he never come across this site...

WhiteEagle
Mon 19 March 2007, 07:33 am GMT +0200
Once again, I have to figure this out, and how it applies to my business's site.

* WhiteEagle hopes he does a good job...

WhiteEagle
Mon 19 March 2007, 09:00 am GMT +0200
Done! The results are at http://joffeepublish.com/privacy.html. Take a look, and tell me if I did a good job, please.

Nikolas
Mon 19 March 2007, 11:37 am GMT +0200
Quote
Done! The results are at http://joffeepublish.com/privacy.html. Take a look, and tell me if I did a good job, please.

Looks very professional. Good work :)

WhiteEagle
Mon 19 March 2007, 09:08 pm GMT +0200
Thanks Nikolas! Glad I managed to figure this one out!

olaf
Sun 25 March 2007, 09:44 pm GMT +0300
Tim again thanks for sharing this howto.

I placed the suitable information for my new project here:

http://www.remote-screenshots.com/privacy.php

I have questions about two things:

the next part is a gallery of screenshots or a kind of directory, using this form the user has to enter much more information, f.e. the e-mail address. Do I need additional information?

what about the information that is collected by Adsense? do I need to mention that?


Nikolas
Sun 25 March 2007, 09:55 pm GMT +0300
I think the section #3 of Tim's tutorial can be used for adsense too as it is a third party module.


olaf
Sun 25 March 2007, 10:03 pm GMT +0300
Quote
I think the section #3 of Tim's tutorial can be used for adsense too as it is a third party module.

yes that's what I thought, but on the other site only Google can access this information...

ventureskills
Mon 26 March 2007, 12:27 am GMT +0300
Adsense should be included as a third party, in this case the third party is Google who tracks click throughs to advertisements placed on the site, this click through rate is shared by the site and in some cases limited third party advertisers, however no individual click throughs are recorded and any enquiries should be directed to Google TOS documents.

:)

olaf
Mon 26 March 2007, 08:13 am GMT +0300
Quote
Adsense should be included as a third party, in this case the third party is Google who tracks click throughs to advertisements placed on the site, this click through rate is shared by the site and in some cases limited third party advertisers, however no individual click throughs are recorded and any enquiries should be directed to Google TOS documents.

:)

Ok sounds good, what about the question about data entered by the user during the submission process?

WhiteEagle
Mon 26 March 2007, 11:08 pm GMT +0300
Once again thanks!

davidelvar
Tue 27 March 2007, 05:37 pm GMT +0300
Thanks mate :)

douchrti
Sat 5 May 2007, 06:16 pm GMT +0300
Wow!
I have a Privacy page, but as I see it's not good enough!
Thanks for this info. I've got work to do.

Take care,

ultimatehandyman
Fri 10 August 2007, 05:15 pm GMT +0300
That is a great resource Tim  ;)

I have been meaning to make a privacy policy for my site for some time, but never quite got around to it!

I have a few questions if you would be so kind to answer-

1. I have a phpbb forum on my site that uses cookies, but I am not sure what to put where it lists the site's cookies?

2. My web hosting company is 1and1 uk, but the server is based in Germany, does the privacy policy still stand in Germany?

3. Where it says "If you feel the matter has not been dealt with correctly you can contact the following organisations XXXXX & XXXXX" I have no idea what to put here?

4. I have Google Adsense on my site, should this be mentioned in the privacy policy?

Thanks in advance

chez

ventureskills
Fri 10 August 2007, 06:01 pm GMT +0300
glad you liked it,

1) PHPBB uses PHP sessions for anonymous tracking I believe and only uses cookies for those logged in, so something to the effect,

Our forum software tracks user actions anonymously and places a cookie to allow personalised services for those who have chosen to register and opt into the site.

2) you will need to indicate both countries so
Quote
...This site is governed by all the rules and regulations of the United Kingdom and is hosted in Germany...
Quote
This site tracks data in accordance with laws of United Kingdom. This site collects logs which include IP address but does not collect personally identifiable data from visitors without seeking their consent in the form of registration. The server logs are used to track problems within the site, however the information is made available to police and other authorities in the host country Germany and the UK as dictated by local laws.

3) Probably best to place an address people can write to, and also for the UK include a link to the ICO office who are the ultimate authority

4) nope, Adsense doesn't use cookies and the user has to opt in (i.e. click the link) before data is transmitted. You should be declaring them as external links though :D

hope that helped.

WhiteEagle
Sat 11 August 2007, 11:28 am GMT +0300
This answer helped me out as well. I see I have some updating to do.

ultimatehandyman
Sat 11 August 2007, 12:46 pm GMT +0300
Thanks very much Tim  ;)

I'll get this sorted in the next few days.

Thanks again for your help

ultimatehandyman
Mon 13 August 2007, 05:03 pm GMT +0300
I think I have sorted the privacy policy now- http://www.ultimatehandyman.co.uk/privacy_policy.htm

Just one more question-

Does it matter how many links you have to the privacy policy, is one link on the homepage ok, or should it be at the footer of every page?

Thanks in advance

chez

ventureskills
Mon 13 August 2007, 05:21 pm GMT +0300
Excellent question. It is at this point I shall put my "I'm not a lawyer" hat on.

The reason is it's incredibly vague, so I'm suggesting a rough guideline. If you need anything more concrete then visit a lawyer.

Beware, this is now very much UK specific----

If you are a limited company then you must place your registration number, full company name and link to a privacy document on every page. This is not because of the Data Protection or retention rules but because of the E-commerce Regulations (they came into force in the UK in 2002). You should also be including your registration number in all electronic communication.

Everybody else is covered under a more grey cloud. You need to provide access to your privacy document whenever the user is presented with a choice, either to opt in or out. Obvious things would be during signups for emails or registration, however it also includes stats tracking as the user can choose to opt out (turn off cookies). Now since users can arrive at any page on your site, if you're using cookie based stats you have to provide access to the policy on every page of the site.

I would therefore suggest that in 8/10 sites you would need it on every page. Small SEO suggestion: make the links to the privacy policy no-follow on all but maybe 1 or 2 pages (such as register or sign ups)

ventureskills
Mon 13 August 2007, 05:27 pm GMT +0300
Should have mentioned, if the company is limited or has a VAT number it needs to indicate that.

Also I should mention that UK limited companies have a unique status in that UK law overrides all other country laws for UK limited companies, so if your site is hosted in California, while the "site" may have to follow Californian laws and guidelines, the company policies regarding the site must follow "UK law". This is becoming more common across the EU and generally makes life easier for companies, though lawyers may think otherwise. It also means if you're sued in California by a US company the worst that can happen is your servers will be shut down, until they lodge the case in the UK.

ultimatehandyman
Mon 13 August 2007, 05:33 pm GMT +0300
Thanks very much Tim,

I'll change it immediately and place a link at the footer of each page.

Thanks for your help with this!

Having a limited company in itself is a right pain in the butt to be honest as there is so much paperwork etc.

But it does offer some protection, should someone follow the advice on my site and try to sue- even though there is a disclaimer on there!


ventureskills
Mon 13 August 2007, 05:40 pm GMT +0300
Anything involving Companies House is complicated and normally involves 40% more paperwork :)

casty23
Sun 4 May 2008, 11:17 pm GMT +0300
I know some credit card and other affiliates require a privacy policy.
The only time I gave it much thought was to make some of my sites "appear" more authoritative, which can be beneficial.

ventureskills
Sun 4 May 2008, 11:26 pm GMT +0300
Actually virtually every country in the world requires web site owners to provide some sort of privacy disclosure (with it being backed up with fines and prison sentences in many EU countries) and Google Adsense requires a privacy policy, so nearly every single site on the web should have one.
