Wednesday, October 27, 2004

Privacy Policies: The Nuts and Bolts

Privacy Policies: LAW

More and more laws will require that websites post privacy policies. The Federal Trade Commission has information about U.S. laws. From their home page, enter "online privacy policy" in the search field and you'll see thousands of results, peppered with legal tangles that could have been avoided. The FTC's Privacy Initiatives provide a wealth of legal references, and their own privacy policy is an excellent example for further study.

You can get ideas for your own privacy policy by reading high quality examples like the FTC's, or you can use the Direct Marketing Association's privacy practices generator. The DMA's questions are more thorough and detailed than the needs of most small organizations. Edit the output for simplicity, and test your results on friends and family.

Privacy Policies: YOUR CUSTOMERS

If the law isn't inspiring you to put up a polished privacy policy ASAP, here are some highly motivating facts. The statistics are from a 2004 eMarketer article that assessed research from the Annenberg Public Privacy Policy Center and the Customer Respect Group. The interpretation is mine.

  • Only 7.6% of respondents say that they either don't bother to read privacy policies, don't care about them, or put in false information.
  • 22.4% say that if a site DOESN'T HAVE a privacy policy they don't provide information.
  • 26.6% say that if they DON'T LIKE the privacy policy they don't provide information.

What does "don't like" mean? Consider that less than 50% of at-home net users think privacy policies are easy to understand.

Privacy Policies: BENEFITS

  1. Each visitor to your site is a prospective sales lead. If you have a poor or nonexistent privacy policy you lose at least 49% of the leads who've thought to check your privacy policy before giving you information. A customer cannot buy from you without giving you information.
  2. Anyone who checks your privacy policy wants to know if they can trust you. This puts them in a special category: sales leads who are deciding if they want to trust you. In the brick-and-mortar world you could feed that trust by employing polite, well-informed salespeople who could answer questions. Online, your customers don't know what to expect unless you tell them and show you mean it.
  3. Overall, 29% say that they look to see if a site is secure (SSL, or an https URL) before providing information. If you pay for SSL, show your customers you take their privacy seriously by TELLING them you use SSL to protect their information and at what point they'll be referred to your secure pages.

My expectation is that the SSL issue would strongly influence anyone who sticks around long enough to try to register for a newsletter or make an order. That 29% who checks to see if a site is secure would probably leave if they felt the site's owner is asking for too much information without showing concern for a client's privacy.


Pay attention to the facts. This isn't rocket science, folks. It's the Golden Rule: do unto others as you would like others to do unto you.

  • Online businesses should not ask for identifying information unless the input form is hosted on a secure site.
  • Any shopping cart that requires you to register outside of a secure page is poorly written.
  • Every page that asks for any sort of information should have an obvious link to a privacy policy.
  • If you have a non-SSL form on your site, don't ask for too many details.

Go ahead and ask customer service related questions. However, unsecured, potentially identifying demographic information should be optional and unrelated to questions that the cautious client would relate to identity theft: no income level and no specific physical address.
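The form rules in the list above can be checked mechanically. This Python example is added here and is not part of the original post: it parses one page, flags forms that ask for identifying fields without SSL, and flags pages that collect information without a privacy policy link. The `IDENTIFYING` hints, the names `FormAudit` and `audit`, the `shop.example` sample, and the choice to require https for both the page and the form's submit target are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Assumed field-name hints for identifying information (not from the article).
IDENTIFYING = ("name", "email", "phone", "address", "income", "card")

class FormAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.has_privacy_link = page_url, [], False
        self._form = self._href = None  # currently open <form> and <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # an empty action submits back to the page itself
            target = urljoin(self.page_url, a.get("action") or "")
            self._form = {"target": target, "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            if a.get("type") not in ("submit", "button", "hidden"):
                self._form["fields"].append((a.get("name") or "").lower())
        elif tag == "a":
            self._href = a.get("href") or ""
            self.has_privacy_link |= "privacy" in self._href.lower()

    def handle_data(self, data):  # link text "Privacy Policy" also counts
        if self._href is not None and "privacy" in data.lower():
            self.has_privacy_link = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "a":
            self._href = None

def audit(page_url, html):
    p = FormAudit(page_url)
    p.feed(html)
    on_ssl = urlparse(page_url).scheme == "https"
    findings = []
    for n, form in enumerate(p.forms, 1):
        ident = [f for f in form["fields"] if any(h in f for h in IDENTIFYING)]
        if ident and not (on_ssl and urlparse(form["target"]).scheme == "https"):
            findings.append(f"form {n}: asks for {ident} without SSL")
    if p.forms and not p.has_privacy_link:
        findings.append("page asks for information but has no privacy policy link")
    return findings

# Constructed sample page: a registration form served over plain http.
SAMPLE_PAGE = '<form action="/signup"><input name="email"><input name="phone"></form>'
```

Calling `audit("http://shop.example/register", SAMPLE_PAGE)` returns two findings, one for the non-SSL form and one for the missing privacy policy link.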

Your customers' respect and trust are much more important than knowing their phone number ASAP.