Law in the Internet Society
Web Site Privacy Policy Statements


Some U.S. web sites have come under fire in recent months for failing to disclose properly what user information they are tracking and sharing with or selling to third parties. Yet many companies are unaware of the controversy, or do not know what to disclose or how to disclose it. Web site operators should not rely solely upon their technical support or Internet contractors to address these issues, because it is likely they do not have a total picture of what the company, its various contractors and advertisers are doing with user information. Or worse, they may not understand the legal implications themselves. Importantly, some web sites also are subject to specific privacy laws and regulations due to the nature of their business (e.g., financial institutions and companies seeking customer information from a financial institution or directly from a customer of a financial institution are subject to the Gramm-Leach-Bliley Act), their Internet audience (e.g., the collection of information from children by a site directed at children under the age of 13 is subject to the Children's Online Privacy Protection Act and related regulations) or because they do business overseas (the European Union has a Directive on Data Privacy which is quite comprehensive; for information on the Safe Harbor available to U.S. companies, see the U.S. Department of Commerce's site at

Basic Recommendations

Every company operating a web site (the "Company") should evaluate its procedures for tracking and monitoring information it collects from members and other visitors to its web site. The Company should also learn what information its various Internet service providers, other contractors and advertisers are collecting and sharing. The Company should also focus upon how the information is stored, combined with information from outside sources, and shared with third parties. Finally, it should understand the requirements of laws applicable to the Company and its web site due to the nature of its business, its Internet audience, and where it does business. Then a "Privacy Policy" should be created and posted on the web site that discloses each of the information gathering, storing and sharing practices, as well as any additional provisions required by applicable laws. The Privacy Policy also should be evaluated on a regular basis by knowledgeable legal counsel and company personnel to determine whether changes in the practices or law require amendment of the Privacy Policy. The most recognized and accepted general components of a Privacy Policy in use by web sites are discussed in this memorandum.

Consider Certification by a Self-Regulatory Organization

For customer relations and public policy reasons, the Company may also want to consider joining TRUSTe or a similar privacy self-regulatory organization. TRUSTe is a nonprofit organization formed by a group of Internet companies to promote self-regulation of privacy practices of Internet web sites. The program was viewed both as a method to build consumer confidence and as an offensive measure to ward off government intervention. TRUSTe provides a certification process which, when successfully completed, allows a web site operator to place a TRUSTe "seal" on its web site. The goal is to make the seal a symbol of web sites that consumers can trust and believe in. Visitors can click on the TRUSTe seal to verify a web site's good standing. Visitors also can report to TRUSTe any alleged violations of a web site's privacy policy, which TRUSTe will then investigate. TRUSTe will invalidate the seal of approval when certain violations are shown. TRUSTe and similar programs should be evaluated carefully to determine that they provide a "fit" with the Company's goals.

Developing a Privacy Policy

A Company should first evaluate its current procedures for tracking and monitoring its subscriber and visitor information, and a Privacy Policy should be written that reflects those practices. Several principles and elements have been identified by the FTC and self-regulatory organizations such as TRUSTe that can help provide a road map of what to include in a Privacy Policy. In the FTC's 1998 report to Congress concerning online privacy, the FTC identified five core principles of privacy protection: (1) notice and awareness; (2) choice and consent; (3) access and participation; (4) integrity and security; and (5) enforcement and redress. TRUSTe has both mandatory and recommended privacy policy components for the web sites carrying its seal. Its goal is for the privacy policy to be written so that the users have no questions about why they are providing the web site with personal information.

Placement - Make it Accessible

The Privacy Policy should be prominent and easy to find. For example, (1) the Privacy Policy should be (a) set apart on its own web page or as part of a separate "legal notices" page; (b) readily accessible from both the site's home page and any web page where information is collected from the web site user; and (c) easily located from anywhere on the site through a word search; (2) the online subscription and membership form(s) and other areas where member information is requested should contain a hypertext link to give prospective members an option to view the Privacy Policy before completing their application or registration or entering or participating in the applicable feature of the site; and (3) any Q & A or other aspects of the web site referring to member or subscriber information should mention, and contain a hypertext link directly to, the Privacy Policy.


A Company's Privacy Policy and information practices should be reviewed regularly by competent counsel knowledgeable about the Company's business. The review should be done with Company personnel conversant in the Company's technical operation of the web site and in its use and sharing of the personal data collected. Business needs, legal requirements or public pressure may necessitate changes in information collection, storing and sharing practices, and a related update of the Privacy Policy.


-- KyuYoungLee - 31 Jan 2009

  • Once again, because you were trying to do a semester's work in a weekend, the quality of the output has suffered. If one takes the "Privacy Policy" sham seriously, it comes to this: you can promise to do exactly what you want, and if you post prominently your promise to do exactly what you want, regardless of its effect on your users, the FCC will leave you alone. What this has to do with privacy policy, as opposed to "Privacy Policy," one can hardly imagine and you do not explain. I discussed this aspect of the situation in class, so in essence this essay writes up less than I taught and presents it as a deeper view of the subject. A further draft would have been necessary to make something of it, but there is no time remaining for further drafts.




r2 - 02 Feb 2009 - 13:43:51 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.