Privacy Policies

The whole issue of privacy, not only on the web but in general, is one of the key problems for any business. The only difference is, it is much easier for a small business to address this issue than it is for a large corporation.

Your first concern should be your customers. Are you asking them for data when they contact you, whether it is on the Internet or not? If you are, will your customers know how this data is going to be used or will they wonder whether they should worry? The key characteristics of a good privacy policy are:

– you ask for only the minimum data that will fulfill the purpose for which that data is being collected;

– you keep the data secure and ensure that it is only used for the purpose for which it was collected;

– you don’t keep the data after you’ve used it;

– you destroy the data in a secure fashion;

– you inform your customers of the steps you are taking to accomplish all of the above.

Once you’ve taken care of your customers’ concerns, you should probably try to make sure your practices are not illegal in the jurisdictions where you have customers. This may eventually become your number one concern but, for the moment, there are no jurisdictions which are actively enforcing very strict privacy laws for out-of-jurisdiction companies, although there are several where the practices of many American companies would be illegal, and many more where strict privacy legislation is being considered. It is actually not that difficult to keep your privacy practices mostly legal. Legislation focuses on four areas:

– you must advise the customer of the purpose for which data is being collected and he must agree to have you collect it for that purpose;

– the data must not be used for any other purpose without getting a renewed agreement from each customer whose data is being used;

– the data must be held securely and access must be restricted to persons who need access to carry out work in accordance with the data’s agreed purpose;

– the data must be securely destroyed when the agreed purpose has been accomplished.

It is easy to see how a small business could put these restrictions into practice, for example by just making one employee responsible for the data. For a large corporation it is much more difficult to keep track of who is supposed to have access to what, what should be destroyed and who agreed to anything. This means that having a good privacy policy and implementing it in a credible fashion can be a competitive advantage for a small business. A lot of large corporations already have a trust deficit. If your small business can get in there with a good, credible privacy policy, you’ll be one step ahead.