/beyond/security/article.php/3848246/What146s-Your-Policy-150-Creating-a-Privacy-Policy.htm What's Your Policy? - Creating a Privacy Policy

What's Your Policy? - Creating a Privacy Policy

By Curtis Dicken

Introduction to Website Security

Since the internet explosion of the 90’s many people and government agencies have been watching how information, especially personal information, is collected and distributed through the continual advancements in technology. Those concerned with protecting individual rights and privacy have been educating the public on how to keep their private information safe. The website Privacy Policy is both a tool and a promise to your website visitors, letting them know how the information you collect is protected and distributed.

Who Needs a Privacy Policy?

In short, if your website collects any kind of personal information, whether voluntary or involuntary, you should provide a privacy policy. Voluntary personal information consists of anything personally specific to the user such as name, address, telephone number, personal ID numbers, etc. which can be submitted via an online form or other means. Involuntary information would be any information that can be collected behind the scenes such as the user’s IP address, geographic location, browser, etc. without the user taking any action except for visiting the web page.

What’s in a Privacy Policy?

You privacy policy is simply a list of what you will and will not do with information collected on your website. It should be as detailed as possible but does not necessarily have to be written by an attorney or read like a court document. The goal is to put your site's visitors’ minds at ease, not to confuse them with highly technical text. Below you will find a list of basic sections that you should include in your privacy policy:
  1. Policy Effective Dates – Your privacy policy should be reviewed at least once a year. That doesn’t mean you have to change it each year but it should be reviewed to ensure that your policies still apply, taking into consideration any changes that may have occurred with your data collection or website functionality since the last review.
  2. General Information – It may seem redundant but you should provide a basic summary of your privacy policies before you give all of the specifics. Be sure to include the domain name for your website even though it is obvious.
  3. Contact Information – Be sure to include as much contact information as is appropriate. If your website is a club or other non-commercial website the contact information may be as limited as an email address. If the policy is used for commercial purposes such as an ecommerce store then more information such as an address, telephone number and email address is expected.
  4. Dispute Resolution – In the unlikely event that one of your visitors feels that you have somehow violated your own policies, they need to be provided a method to contact you or whoever handles your privacy policies. In most cases this is as simple as an email address for the person in charge of your privacy policies.
  5. Information Collection – Here is where you list the specifics of what information you collect and whether or not that information is optional. For example, a user’s name and email address may be optional while http header information is logged automatically for statistical purposes without explicit consent from the use, which is not optional. If you intend to implement P3P, you may find it easiest to list the information you collect with the same naming convention used in the P3P policies XML file (e.g. user.home-info.online.email for the user’s home email address). More about P3P in the next section. This section should also include details on who has access to the data that you collect and whether the data is shared with anyone outside your company or organization.
  6. Information Recipients – This is something that you probably will have already included in the Information Collection section above but it is good practice to repeat it again here. Define again who has access to the data that you collect and whether the data is shared with anyone outside your company or organization.
  7. Information Retention – This will probably be the shortest section of your policy. Simply define how long you retain data that you collect. If need be, break it down into logical sections. For example, personal data may be retained for 2 years but http header data may be retained indefinitely.
  8. Opt-in and Opt-out – This gives the user options for how their information is shared and/or whether their information is retained. All users should have the option of having their personal data removed from your database if they so choose. You can achieve this with something as simple as an email address where they can send a request all the way up to an online form that is as complex as you need it to be.
  9. Cookies – Last but not least is the old cookie. Generally this is a reassurance that you will not place any identifiable personal information in a cookie which, by the way, should be your common practice. You may also want to include a brief description of what cookies are and what purpose they serve.

Presenting Your Security Policy

Once your privacy policy is complete the obvious next step is to create a web page for it and tie that page into your website’s navigation, usually in the footer. If you want your policy to display in the privacy policy tools that are found in browsers like Internet Explorer and Firefox you will need to include some XML files as defined by the W3C P3P standards. P3P is something that many web developers hate because it just adds more detail work to their list of things to do. Creating everything necessary for P3P requires two different XML files which are placed in a specific directory in the root of your web. Between the two XML files (p3p.xml and policies.xml) are the definitions for everything we discussed above. As you can imagine it’s a very time consuming process if done by hand.

The Lazy Method

For those of you that are inherently lazy like me, we are not in the habit of reinventing the wheel. Instead I prefer to use a privacy policy generator and save myself many hours of grief. You can find such web-based generators all over the web and most are under $20 to generate a privacy policy and the associated P3P files. Generally they will take you through a step by step wizard-like process. At the end of the process you should have the necessary text (sometimes even formatted) for your privacy policy web page plus all of the required P3P files. That reduces your part of the job to defining your policy, reformatting the policy web page if necessary, and uploading the P3P files.


A good comprehensive privacy policy can go a long way to easing the minds of your website visitors. It should be a part of any website that collects and stores user data. If you find a reliable privacy policy generator, it should only take you a few hours and a few bucks to get a comprehensive policy up on your website.

  • Web Development Newsletter Signup

    Invalid email
    You have successfuly registered to our newsletter.
Thanks for your registration, follow us on our social networks to keep up-to-date