Description
Privacy on the Internet continues to be an issue of global concern with the creation of more and more sophisticated software tools to capture personal details of users with or without their knowledge or consent.
Although this acted as an initial deterrent to e-commerce in the early years, much legislation on privacy and data protection has been enacted in most major jurisdictions to assure online users that website operators are legally required to treat their personal data responsibly and openly advise them what parts (if any) of their details will be disclosed and to whom.
Internet users now expect website operators to act responsibly with respect to their users’ personal data, and operators are legally required to display privacy policies, statements or notices advising the user what information can be gathered automatically when they use the website, what they themselves disclose to fulfil an enquiry or order, and what the operator will or will not do with their personal information.
To some degree or another, the website operator will gather “personally identifiable information” about the user, which usually includes a first and last name; a home town or other physical address (if goods need to be paid for and/or delivered), including street name and city or town; an email address; a telephone number; perhaps also credit/debit card or other payment details (if the user is buying/paying online); and perhaps also a social security number or any other identifier that permits the physical or online contacting and identifying of a specific individual.
A website operator’s privacy policy should specify the following things:
● Identify the categories of personally identifiable information that the operator collects through the website regarding users, and identify the categories of third parties with whom the operator may share that personally identifiable information. For example, the policy may indicate the operator will collect the user’s name, address, social security number, and/or other relevant information. The policy may identify, for example, that the operator will share the personally identifiable information collected with third-party processors of, for example, payment, credit or loan data.
● Describe the process, if any, that the operator maintains for a user to review and request changes to any personally identifiable information that has been collected by the site. For example, the operator may require an individual to submit a signed letter containing information sufficient to assure the operator that the individual is who he or she claims to be, requesting to review and/or revise the personally identifiable information collected.
● Describe the process by which the operator notifies users of material changes to the privacy policy. For example, will an email be sent to each user, will the changes be posted to the policy itself and the effective date revised, or will a pop-up window appear on the website for a certain period of time?
The website operator’s privacy policy should be “conspicuously” posted on the website. The “conspicuous” requirement may be complied with by any one of the following:
● Posting the actual privacy policy on the home page or first significant page after entering the website.
● Including an icon containing the word “privacy” on the home page, or first significant page after entering the website, that hyperlinks to the actual privacy policy. The icon must use a colour to contrast with the background colour of the web page or be otherwise distinguishable.
● Including a text hyperlink to a web page on which the actual privacy policy is posted. The text link must be located on the home page or first significant page after entering the website. The text link must conform to one of the following: it includes the word “privacy”; it is written in capital letters equal to or greater in size than the surrounding text; or it is written in larger type than the surrounding text, or in a contrasting type, font, or colour to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
● Any other functional hyperlink displayed so that a reasonable person would notice it.
The above “bare-bones” requirements should render compliance under most jurisdictions a simple matter.
Privacy and data protection will continue to be a huge area of debate in many jurisdictions and the subject of many and varied legislative measures and case law.