Privacy Notice

Why privacy notices on web sites are so important
Simply put, when you visit a site you look for signs of credibility before interacting with a company. So do your customers. A privacy notice linked from the bottom of your home page can be reassuring.

“Privacy policies are about transparency and are key to building trust between you and your customers,” said Alison Southwick, a BBB spokesperson. “While it’s easy to get intimidated by the scope and legalese, the bottom line is you will increase consumer confidence in doing business on your website if you have a clear privacy policy.”

Ignorance doesn’t provide protection from prosecution. Failure to protect personal data can result in fines, loss of reputation, lost future sales, lawsuits, and even loss of a license to practice or imprisonment. You’ll want to check with your legal counsel to get guidance to comply with state, federal, international and other regulations.

For instance, if you collect personal information about California residents, then you must post a privacy policy on your web site to comply with California’s Online Privacy Protection Act of 2003 (CalOPPA).

The Better Business Bureau understands how important it is for consumers to be able to trust businesses online. Businesses must post privacy statements on their web site to earn the BBB seal of accreditation. The Direct Marketing Association requires its members to do the same to meet its ethical guidelines.
Charged with enforcing the prohibition of unfair or deceptive practices, the FTC prosecutes businesses that fail to protect the personal information of customers and others. Until comprehensive U.S. privacy legislation is passed, FTC actions provide guidance.

Once you post your privacy notice, it’s critical to keep your actual practices matching that notice. Many FTC actions result from companies doing something different from what their posted privacy notices state. One company, which did not have a privacy notice on its own site, was penalized for failing to observe the privacy notices of its clients.

Industry Self-Regulation

The Better Business Bureau and the Direct Marketing Association both will report substandard marketplace practices to the FTC, not only of their members, but also of non-members, as will other privacy industry watchdogs, such as Privacy Rights Clearinghouse and investigative reporter Brian Krebs.

The Council of Better Business Bureaus (CBBB) serves both businesses and consumers by administering court-approved, class-action settlements.

Handling personal information across the pond: U.S./E.U. Safe Harbor

Does your site collect personal information from European web visitors?

The CBBB educates companies across all industry sectors on how to comply with European privacy requirements, which are stricter than those in the U.S. The BBB EU Safe Harbor program promotes privacy best practices, while enabling participating companies to provide independent, secure, and easy-to-use online dispute resolution free of charge to European consumers.

The Safe Harbor frameworks allow U.S. businesses to self-certify their compliance with European privacy standards, assuring European consumers that their data will be adequately protected. Participating companies must also offer consumers an accessible, independent dispute resolution option for privacy complaints.

Important components of a good privacy notice

A good privacy statement details how a company collects personal information, with whom it is shared, how it can be accessed and corrected, how data is secured, how policy changes will be communicated and how to address concerns over misuse of personal data.

The BBB provides a sample privacy policy for customization. Here are the key components and a more detailed checklist of considerations:

  • Policy (what personal information is being collected on the site)
  • Choice (what options the customer has about how/whether her data is collected and used)
  • Access (how a customer can see what data has been collected and change/correct it if necessary)
  • Security (state how any data that is collected is stored/protected)
  • Redress (what a customer can do if the privacy policy is not met)
  • Updates (how policy changes will be communicated)
Beyond a web site privacy statement

The privacy notice or statement that goes on your web site is different from a privacy policy that you would use internally to guide your staff. Privacy notices and policies are just two parts of a comprehensive overall strategy and program.

Massachusetts’ regulation 201 CMR 17.00 is just one example of broader rules that may apply to you. In this case, if you do business with state residents, your business must “maintain a comprehensive information security program that…contains administrative, technical, and physical safeguards…”

Earn the trust of your web site visitors by posting a complete privacy notice. Keep it up to date as you change your business practices. Then go on to build a comprehensive privacy program. You’ll be glad you did.