Why Your Site Needs a Privacy Policy

If you scroll to the bottom of most websites these days, you will find a link that most people never click on: “Privacy Policy.” Those who do click on it will often find some lengthy, dense text that appears to have been written by attorneys who were paid by the word. Why do businesses go to such trouble to create and post these documents that the huge majority of their visitors will never look at? It turns out there are some very good reasons.

SmashStack Presents: Lessons in Privacy Policy History

First, a brief history: Shortly after the World Wide Web was born, it became clear that the Internet enabled personal information to be collected and used (or misused) far more efficiently than ever before. In 1995, the European Union implemented the Data Protection Directive, which defines the concept of “personal data” and what can legally be done with it. The U.S. Federal Trade Commission followed suit with nonbinding guidelines. On the basis of these guidelines, many companies started crafting privacy policy documents to post on their websites or distribute in other ways. Over the years, privacy policies have become mandatory for businesses in certain locations or industries.

Privacy policies typically enumerate what kinds of personal data an organization may collect, for what purposes, and how and with whom that data may be shared. Particularly for websites, the privacy policy may discuss the company’s use of web cookies or other technologies that can be used to collect information from or about site visitors.

In some cases, a person doing business with an organization is required to explicitly indicate understanding and acceptance of the privacy policy (typically in the course of registering an account or conducting a transaction). In many cases, however, the policy is simply made available with no requirement that any user explicitly acknowledge it.

Privacy Policy — Protector of Bank Accounts

But what does the privacy policy actually do in practice? Like all contracts and written agreements, it protects each party from misunderstandings. A customer can examine a company’s privacy policy and decide whether or not to do business there. A company can protect itself from legal action by telling potential litigants, “this policy was made available to you, and you (explicitly or implicitly) agreed to it.”

And that leads to why you ought to have a privacy policy for your website: legal protection.

“But,” you’re saying, “do I still need one? I don’t collect any information from my site visitors!”

Au contraire, Pierre. Whether you know it or not, your site—or more specifically, your site’s web server—collects scads of information about your site visitors. Even if it doesn’t identify them by name, it knows their:

  • IP addresses
  • often, the URL of the site that linked to yours
  • limited browsing history (if your site uses cookies in any way, even if it’s to identify if your user has been to the site recently and/or if the user is logged on)

This information, combined with other information that is available, can provide a rough estimate of visitors’ locations and browsing habits. If your site uses cookies, you can get even more detailed information.

So, in all likelihood, you should have at least a bare-bones privacy policy for your website. Fortunately, privacy policies are not difficult to come by; you don’t even need to retain the services of a lawyer. Many sources offer free or low-cost generic privacy policies that you can modify for your specific circumstances, and some services will generate one on the basis of your answers to a few questions.

Considering the low cost of implementing a privacy policy against the potential hassle of not having one, the choice is pretty clear. Privacy policies don’t take a lot of space, and they don’t change often. You should probably review yours once a year or so to ensure that it covers any new functionality on your site, but other than that, it’s pretty much “set it and forget it.” The protection it affords you is well worth the minimal effort required.