Outbreak Magazine Issue #12 - Article 7 of 18
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

Privacy Policy Introduction
by cxi (cxi@compulsive.org)

Recent studies have shown that the majority of websites do not have privacy policies. Many of us who run our own websites may have at some point tried to build a privacy policy, and a very popular way to do this is to use templates or to look at established websites' privacy policies and reuse what is in there. When creating at least some policy for how you protect user privacy and personally identifiable information (PII), it is very important that you adhere to a set of guidelines for what your policy should include, and that you word the policy very clearly to leave as few grey areas as possible.

It is our responsibility as website administrators to let users know exactly how we deal with privacy and what exactly we do with any information they provide us (as well as the information they may not be aware they are providing through click-stream data, clear-gifs, and cookies).

In the United States, the current set of guidelines for privacy policies, as outlined by the Federal Trade Commission, is known as Fair Information Practices (FIP). FIP includes 5 sections:

Notice: What does the policy cover, what information is collected, how the information is used, what PII is collected, notice about cookies/clear-gifs.

Choice: If PII is collected and is used for any reason other than one given at the time of collection, you must provide a reasonable opportunity to choose to allow it (opt-in or opt-out).

Access: If PII is collected you must allow reasonable access for users to view or correct errors in the information your site collected.

Security: Is the PII protected during storage and transmission?

Enforcement: Is there a way to make sure you do what you say? Do you have a privacy seal, or at least give contact information for people to address questions, comments, or concerns about your privacy policy? This section also includes how you will notify users about policy changes.

If you look at most privacy policies on the web, you’ll find that, unfortunately, they do not follow FIP. While they may include some or most of the aspects, it is all of these criteria combined that make for a good privacy policy that users should feel confident about. To analyze a current privacy policy, go through each part of FIP and check whether or not each part is included.

There are a few other aspects that are very important to privacy policies that are not explicitly included in FIP: readability, and the ability to find the policy easily. While a privacy policy that includes all of FIP is a great thing, if it’s all legalese, it’s not exactly giving good Notice; and if you don’t give an obvious link to the privacy policy, how will users know what your practices are at all?

Website administrators may also be interested in implementing the Platform for Privacy Preferences Project (P3P; full documentation at http://www.w3.org/p3p/). P3P was developed by the W3C, who finalized V1.0 in April 2002. It is a machine-readable (XML) privacy policy that new web browsers (such as IE v6 and Mozilla v1.0) read to determine, based on user settings, whether or not a website has good privacy practices. XML “policy reference files” indicate which policy applies to which part of the site. Check out the W3C site for more information on how to build a P3P policy.

There are no current US laws that require websites to include privacy policies (unless you’re a financial or government institution, or one of some health institutions), but most users are becoming more aware of privacy concerns and expect websites to disclose their privacy practices.

By developing a good privacy policy and making users aware of privacy concerns on your website through your policy, you can help spread the standard that websites adhere to FIP, which would encourage more companies to develop good policies out of fear that people will not use their websites without a good privacy policy in place.