How to Create a Private Policy?

In light of recent FTC legal developments against the startup Nomi for collecting private data, here is a primer on creating the perfect private policy for your business.

Step 1: WHAT

Determine what information you want to collect. Common information includes Name; Email Address; Mailing Address; Phone Number; and Credit Card Information.

Step 2: WHEN

Determine when you collect the information. You can ask a user to register on your website or join a newsletter. You can also bait them with a white paper.

Step 3: WHY

Why do you want to collect user information? Will you use it to improve the website, customer service, send emails?

Step 4: DEFINE

Define Steps 1-3 into a paragraph. Keep the language simple and honest. The trend is to avoid legal jargon. Tell the user concisely, when, and why you are collecting the information.

Step 5: Payment Card Industry Compliance

If you sell anything online, then you need to comply with the PCI guidelines. PCI compliance means you must scan your website regularly. This includes scanning for malware every so often. For more information: www.pcicomplianceguide.org/pci-faqs-2/

Step 6: COOKIES

Not the type you eat. A cookie is a file stored on a user’s computer. This deserves an entire paragraph of two. You need to DEFINE why you need a cookie: Is it to help users? Is it to track advertisements? Is it to compile data that you will use later? Define clearly how the cookie collects the information and why you need to collect information. Also notify users that they can disable cookies.

Step 7: THIRD PARTY

Do you use third party links? Are you offering third party products or services? Remember third parties have different websites and should have separate and independent privacy policies. Make sure you include a paragraph stating you are NOT responsible or liable for what happens outside your website.

Step 8: SELLING / TRADING

Some websites collect information to sell or trade Personally Identifiable Information. This is a big business. If you sell or trade you need to include paragraphs with clear language stating exactly what information you are sharing and how you share it. I do not advise selling or trading PII. It’s a landmine.

Step 9: ADSENSE

Another optional section, should you run Google AdSense. Google is a third party vendor that uses cookies to serve ads. For more information see: support.google.com/adsense/answer/1348695?hl=en

Step 10: Children’s Online Privacy Protection Act

If you collect information from children under the age of 13 you will have to comply with COPPA. For more information see: www.coppa.org/comply.htm

Step 11: Fair Information Practice

Yeah, another agency. Rather than bore you too much you can check out this website: http://www.nist.gov/nstic/NSTIC-FIPPs.pdf Make sure you have a plan that notifies users if there is a data breach.

Step 12: CAN-SPAM

And another…   Here’s the information: https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business

Step 13: FINISHED?

The above should cover the large majority of websites. However, if you have specific questions feel free to contact a lawyer.

Phone Resources

No Call Lists (Phone): telemarketing.donotcall.gov

Before you call a potential client you have to make sure they are not on donotcall list. The first few area codes are free, but there’s a fee for additional. Complaints can result in fines. And repeat violators can face even heavier penalties.