A privacy policy is a legal document that discloses some or all of the ways a website gathers, uses, shares, discloses and/or manages a website visitor’s data. The exact contents of a privacy policy will depend upon the applicable law and may need to address the requirements of multiple countries or jurisdictions. Many advertising networks require their partners to publish a privacy policy on their website. There is no universal, one-size-fits-all privacy policy for every use, but most visitors to this site are primarily interested in the privacy policy required of publishers using Google AdSense’s PPC (Pay-Per-Click) program.

The European Union’s Directives

In 1995 the European Union (EU) introduced the Data Protection Directive for its member states. As a result, many organizations doing business within the EU began to draft policies to comply with this Directive. In the same year the U.S. Federal Trade Commission published the Fair Information Principles, which provided a set of non-binding governing principles for the commercial use of personal information. While not mandating policy, these principles provided guidance on the developing concerns about how to draft privacy policies. Both the EU and US governments are hurriedly preparing to legislate rules and regulations regarding privacy on the Internet.

FTC Fair Information Practice

There are four critical issues identified in Fair Information Practice:

  1. Notice – data collectors must disclose their information practices before collecting personal information from consumers
  2. Choice – consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided
  3. Access – consumers should be able to view and contest the accuracy and completeness of data collected about them
  4. Security – data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use.

In addition to the above, the principles elaborate the need for enforcement mechanisms to impose sanctions for noncompliance with these fair information practices.

Current enforcement in the United States

The United States does not have a federal regulation establishing the implementation of privacy policies. Congress is considering comprehensive laws regulating the collection of information online, such as the Consumer Internet Privacy Enhancement Act and the Online Privacy Protection Act of 2001, but none have been enacted.

In many cases, private parties enforce the terms of privacy policies by filing class action lawsuits, which may result in settlements or judgments.

Applicable US law

While no generally applicable law exists, some federal laws govern privacy policies in specific circumstances, such as:

  • The Children’s Online Privacy Protection Act (COPPA)
    This law affects websites that collect information about, or are targeted at, children under the age of 13. Any such websites must post a privacy policy and adhere to enumerated information-sharing restrictions. COPPA includes a Safe Harbor provision to promote industry self-regulation.
  • The Gramm-Leach-Bliley Act
    This requires that institutions “significantly engaged in financial activities” give “clear, conspicuous, and accurate statements” of their information-sharing practices. The Act also restricts the use and sharing of financial information.
  • Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules
    This requires notice in writing of the privacy practices of health care services. This requirement also applies if the health service is electronic or online.

The Internet Privacy Act

There is no such thing as “The Internet Privacy Act”. The Internet Privacy Act is a non-existent law cited by websites that conduct illegal activities in an attempt to scare off organizations or regulators that seek to prosecute such activities. Networks, search engines and torrent sites which share or pirate music, films and software, for example, will often display the fictitious act in an attempt to protect themselves from arrest by being able to claim entrapment in court. In the statement, websites try to claim that it prevents organizations which may be associated with anti-P2P (Peer-To-Peer) or government organizations from entering the site or network, as doing so would breach the terms of the act. Nobody is really fooled by this, least of all law enforcement.

According to the statement which many sites display, it was signed by Bill Clinton in 1995, but in reality he never signed the act as it never existed.

You can see this or similar text on many such piracy sites:


If you are affiliated with any government, police, anti-piracy group or other related group or working for Adidas, Manolo Blahnik, Converse, Louis Vuitton, Chanel, Burberry, Hermes, Prada, Air Jordan, Nike, Timberland, Gucci, Cartier, Oakley either directly or indirectly, or any other related group, or were formally a worker, you CANNOT enter these web pages, links, nor access any of its files and you cannot view any of the HTML files. If in fact you are affiliated or were affiliated with the above said companies, by entering this site you are not agreeing to these terms and you are violating code 431.322.12 of the Internet Privacy Act signed by Bill Clinton in 1995 and that means that you CANNOT threaten our ISP(s) or any person(s) or company storing these files, and cannot prosecute any person(s) affiliated with this website.


US State Laws

Some states have implemented more stringent regulations for privacy policies. The California Online Privacy Protection Act of 2003 (Business and Professions Code sections 22575-22579) requires “any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site”.

Nebraska and Pennsylvania also have laws treating misleading statements in privacy policies published on Web sites as deceptive or fraudulent business practices.

The European Union

There are significant differences between EU data protection law and US data privacy law. The EU standards must be met not only by businesses operating in the EU, but also by any organization that transfers personal information collected about citizens of the EU. In 2001 the United States Department of Commerce worked to ensure legal compliance for US organizations under an opt-in Safe Harbor Program. The FTC has approved eTrust to certify streamlined compliance with the US-EU Safe Harbor.

Online Privacy Certification Programs

Online certification or “seal” programs are an example of industry self-regulation of privacy policies. Seal programs usually require implementation of fair information practices as determined by the certification program and may require continued compliance monitoring. TRUSTe was one of the first online privacy seal programs, with thousands of members. Other online seal programs include the Trust Guard Privacy Verified program, eTrust, and WebTrust.

Technical implementation

Some websites also define their privacy policies using P3P or the Internet Content Rating Association (ICRA) vocabulary, allowing visitors’ browsers to automatically assess the level of privacy offered by the site and to allow access only when the site’s declared privacy practices are in line with the user’s privacy settings. These technical solutions do not guarantee that the website actually follows the privacy policy it declares; they only compare what the site claims against what the user will accept. For this to work, users would also need a minimum level of technical knowledge in order to configure their own browser privacy settings. That is primarily why these types of machine-readable privacy policies have not caught on.
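The P3P matching described above, as an added example that is not code from the page or from any browser: a site declares a compact policy in a `P3P: CP="..."` response header, and a P3P-aware user agent parses the tokens and compares them with the user’s preferences before deciding whether to accept the site’s cookies. The token meanings follow the P3P 1.0 compact-policy vocabulary (purpose tokens such as `TAI` or `PSA`, recipient tokens such as `OUR` or `OTR`, with an `a`/`i`/`o` suffix meaning always, opt-in or opt-out); the `Preferences` profile and the sample headers are constructed for the example. Note that the check only inspects the declaration, which is exactly the limitation the paragraph describes.

```python
"""Evaluate a P3P compact policy (the CP="..." attribute of a P3P response
header) against a user's privacy preferences, as a P3P-aware user agent would.

Hypothetical example code. Token vocabulary is from P3P 1.0; the preference
profile and sample headers below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# P3P 1.0 purpose tokens: what the site says it will use the data for.
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
# P3P 1.0 recipient tokens: who the site says will receive the data.
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
# Optional suffix on purpose/recipient tokens: a=always, i=opt-in, o=opt-out.
# A bare token (no suffix) means the practice always applies.
SUFFIX = {"a": "always", "i": "opt-in", "o": "opt-out", "": "always"}

# Matches attribute="value" pairs such as policyref="/w3c/p3p.xml", CP="CAO OUR".
_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


@dataclass
class CompactPolicy:
    policyref: Optional[str]   # URL of the full XML policy, if the header gives one
    tokens: List[str]          # the compact-policy tokens in declared order


@dataclass
class Preferences:
    """Constructed user profile: practices refused unless the site makes them opt-in."""
    refused_purposes: Set[str] = field(
        default_factory=lambda: {"TAI", "PSA", "PSD", "IVA", "IVD", "CON", "TEL", "OTP"})
    refused_recipients: Set[str] = field(
        default_factory=lambda: {"UNR", "PUB", "OTR"})


def parse_p3p_header(header: str) -> CompactPolicy:
    """Split a P3P header value into its policyref and CP token list."""
    attrs = {key.lower(): value for key, value in _ATTR_RE.findall(header)}
    return CompactPolicy(attrs.get("policyref"), attrs.get("cp", "").split())


def split_token(token: str) -> Tuple[str, str]:
    """'TAIa' -> ('TAI', 'always'); 'PSAi' -> ('PSA', 'opt-in'); 'OUR' -> ('OUR', 'always')."""
    base, suffix = token[:3], token[3:]
    return base, SUFFIX.get(suffix, "unknown")


def evaluate(policy: Optional[CompactPolicy], prefs: Preferences) -> Tuple[bool, List[str]]:
    """Return (accept, reasons). A site with no compact policy is rejected, because an
    unstated practice cannot be compared with the user's preferences at all."""
    if policy is None or not policy.tokens:
        return False, ["no compact policy declared"]
    reasons: List[str] = []
    for token in policy.tokens:
        base, mode = split_token(token)
        # Opt-in practices are tolerated: the user can simply decline them later.
        if base in PURPOSES and base in prefs.refused_purposes and mode != "opt-in":
            reasons.append(f"purpose {base} is {mode}")
        elif base in RECIPIENTS and base in prefs.refused_recipients and mode != "opt-in":
            reasons.append(f"recipient {base} is {mode}")
    return not reasons, reasons


def decide(header: Optional[str], prefs: Optional[Preferences] = None) -> Tuple[bool, List[str]]:
    """Convenience wrapper: raw header value (or None if absent) -> (accept, reasons)."""
    policy = parse_p3p_header(header) if header is not None else None
    return evaluate(policy, prefs or Preferences())


if __name__ == "__main__":
    # Constructed sample headers, as a site might send them alongside Set-Cookie.
    samples = {
        "first-party only": 'policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"',
        "profiling, shared": 'CP="NOI DSP COR TAIa PSAa PSDa OTRa"',
        "profiling, opt-in": 'CP="NOI TAIi PSAi"',
        "no header": None,
    }
    for label, header in samples.items():
        accept, reasons = decide(header)
        print(f"{label:18} -> {'accept' if accept else 'reject'} {reasons}")
```

The decision is only as good as the declaration: a site can send a clean `CP` string and still do whatever it likes with the data, which is why seal programs and enforcement, not header matching, carry the weight.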