Create Privacy Policy How-To: Part III

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!
This entry is part of a wonderful series, [slider title="How to create a Privacy policy"]Entries in this series:
  1. How to Create a Privacy Policy
  2. Creating a Privacy Policy
  3. Create Privacy Policy How-To: Part III
  4. How to Create a Privacy Policy Part 4
  5. How to Create a Privacy Policy | Part 5
[/slider]

Create A Privacy Policy – Our Story So Far

Let’s take a look at what we accomplished so far, in the previous article:

 

Sample Privacy Policy

Purpose:  To define privacy expectations of visitors to the ArielSilverstone.com website.

What We Collect

We respect the privacy of our visitors.   We generally do not collect personally-identifying information on this website.   We do, however:
a) Employ certain automated tools that collect statistical information visitors to our site.
b) Provide you with the option to leave comments, or contact us, by entering your email address and, optionally, other contact information as you may choose to share with us.

 

Today, we will continue by focusing on the How and discuss cookies.

How do we collect personally identifying information?

When creating a privacy policy, we must consider all elements of our web site.  These include both automated means and human activated techniques.  For example, without even intending to, you probably are collecting IP addresses, browser versions, and the location (web site) the visitor came from, and other miscellanea.  In addition, certain tools, for example Overture, collect other information, some of which is not even shown to you without a direct request.

In the non-automated department, each web site has its own reason d’etre.  Do you have a contact form?  Survey?  Do take credit cards?  Do you ask for email address?

So now, let’s compile a list of all we ask for and all that we automatically get.  Let’s review that list for PII and add the items to our policy.

 

The Cookie Jar

Many web sites, and many programs running on web sites, collect certain information and deposit such information in Cookies.   Cookies are small files that reside on the computer visiting such sites.    There are generally two types of cookies:  Session based and permanent.

As the name suggest, a session cookie exists for the duration of the visit to that specific site or program.   The permanent variety is typically stays on the visiting computer until deleted by the user or by another program.   Cookies can be either human-readable or machine-readable, and could be encrypted.   The “dirty” secret of cookies is that sometimes cookies can be shared between multiple sites.   That means that if you put information into one site, that information can be carried by a cookie and give to another site, even to a site that you have not given permission to – to have this information!

Be careful when using cookies.  There are many tools out there to tell a visitor if you are embedding cookies in their machines, and the savvy visitors will be suspicious of permanent cookies and cookies which are able to be read by multiple sites.   I know I would.

If you use cookies, make sure that you inform your visitors:

Sample Privacy Policy

Purpose:  To define privacy expectations of visitors to the ArielSilverstone.com website.

What We Collect and How

We respect the privacy of our visitors.   We generally do not collect personally-identifying information on this website.   We do, however:
a) Employ certain automated tools that collect statistical information visitors to our site.
b) Provide you with the option to leave comments, or contact us, by entering your email address and, optionally, other contact information as you may choose to share with us.
c) From time to time, we may offer you to opportunity to participate in surveys or polls, and we may be provided with such information as you choose to provide us.

Cookies

In general, we do not use persistent cookies, unless you request that our site remember you.   Other cookies that we use are session based and expire or set to be deleted when you close your browser window or restart your computer.  Our cookies are not made to be read by other sites, and maybe refused by setting your browser options to do so.  Refusing some cookies may alter your site experience, and especially movement between pages that require authentication.  We do not use the values stored in cookies for any other purpose beyond those declared above, in the What we collect section.

 

In the next article in this series, we will discuss calling out disclosure and sharing of collected information, and we will then close by discussing updates to our privacy policies.

See you soon!

 

 

Creating a Privacy Policy

This entry is part of a wonderful series, How to create a Privacy policy»

 

In the previous article, we discussed items that you should collect in order to start creating a privacy policy.

Today, we will take the next step: deciding what, how, when and where to collect.

 

Create A Privacy Policy – Less is More

One of the basic principles of privacy policy, and one that is sometimes missing from our daily life is the notion that aggregation creates risk.    For example, one person’s credit card, while to that person is significant, is a small risk to an organization compared to the collections of hundreds, or hundreds of thousands, credit card and their accompanying personally-identifying information (PII).

When you look at my previous article, you will see that one of the steps I defined (step ) states the following:

Analyze what data you need to collect and what you intend to do with it!
I cannot emphasize this point too much:

Ariel’s Privacy Rule #1:  Do NOT collect, nor store, information you do not need.

You can also find a related, but not exact, Principle in the AICPA Generally Accepted Privacy Principles:

Principle 4: Collection

…Communicate to individuals that personal information is collected only for the purposes identified in the notice (see Criterion 4.1.1)

· Communicate to individuals types of personal information collected and the methods of collection used (see Criterion 4.1.2)…

(You can find the GAAP in my USA Privacy Laws pages. www.arielsilverstone.com/privacyR)

Ariel’s Privacy Rule #2:  In most cases, it is better to ask for private information again, than to store it.

Further, even if some private information is divulged to you, and you do not need it, why keep it?  Generally, I suggest you follow this rule:

Personally-identifying information is not only sensitive when stored, it also “turns off” a certain number of your customers.   I, for example, would loathe to provide my social security number to the great plurality of sites that request it of me.  I care about my privacy.

So, let’s continue….

Internal Versus External Use

In most jurisdictions, as an employer, you have a right to know certain things about your employees that normally you would not have.  For example, in the USA it is generally ok, and even required, for you to know the employee’s social security number.  It might be even ok for you (or to a particular subset of your employees) to know whether employee Y has kids, a car, or even a certain health condition.   Those fields, however, fall into the category of “obviously don’t have a right to know” if you are just a run-of-the-mill website.  So: know your audience.

Knowing your audience leads to the first part of your information privacy policy.  This is the part called “applicability”, or, “purpose” by some.   This section appears just underneath the title.  Let’s build a sample together, for my website.

Sample Privacy Policy

Purpose:  To define privacy expectations of visitors to the ArielSilverstone.com website.

As you can see above, this policy does apply to my visitor, but NOT to any of my admins, authors, or such personnel.  You also note that the statement is quite short….  There is no particular need to make it long, convoluted or complex.

Ariel’s Privacy Rule #3:  Keep It Simple

 

How to Collect

Most of us would be astonished to find out just how much personally-identifying information is collected about us.   This also holds true when you talk about the average website.   Let me show you a real life example:

Visitor Detailed Information

From this simple screenshot, you see that the website operator, for example can gather ALL this information, even when NOT using cookies.  Here is just a brief list:
name

  1. Visitor IP address
  2. The location of that visitor in the world
  3. What operating system the visitor used
  4. What browser he/she used
  5. What screen resolution was used
  6. When they visited
  7. Where they came from
  8. What language they had their browser configured to use
  9. Whether or not they enabled Javascript
  10. What pages in my site they visited
  11. Oh, and by the way – everything showing in blue-and-underline is, of course, a link which, when followed, gives a ton more information.

While most of this information above is not considered PII, you may agree that the IP address IS.  Likewise, item #7 might be revealing and telling-all.   In this case, they came from Professor’s Gene Spafford’s own blog.   I am honored to be mentioned there.

So, at the bare minimum, we should inform people in our Privacy Policy that we collect such information.   I prefer something simple, again:

Sample Privacy Policy

Purpose:  To define privacy expectations of visitors to the ArielSilverstone.com website.

What We Collect

We respect the privacy of our visitors.   We generally do not collect personally-identifying information on this website.   We do, however:
a) Employ certain automated tools that collect statistical information visitors to our site.
b) Provide you with the option to leave comments, or contact us, by entering your email address and, optionally, other contact information as you may choose to share with us.

 

In the next article on How to Create a Privacy Policy, I will talk further on the How and discuss cookies.

See you soon!

 

 

DeliciousStumbleUponDiggTwitterFacebookRedditLinkedIn