The BBB provides recommendations on what to include in your business website’s privacy policy.
The Better Business Bureau (BBB) has a novel idea: Write an understandable privacy policy for business websites and don’t hide the document on the last webpage in barely readable print. That said, first things first–from the BBB article BBB Tip: Writing an Effective Privacy Policy for Your Business’ Website: “Whether you are processing credit-card payments, saving shipping or contact information, or simply signing customers up for a newsletter, they should know what data the business collects and how it is used.”
SEE: Navigating data privacy (ZDNet/TechRepublic special feature) | Download the free PDF download (TechRepublic)
The privacy policy is a legal document
A business website’s privacy policy should be considered a legal document, which means those responsible should understand all obligations advertised in the policy; if not, it is vital to seek legal guidance before publishing the policy. It is also vital to ensure the policy complies with applicable state and federal laws.
What to address in the privacy policy
The people at the BBB put together a list of what they consider important information to include in website privacy policies.
What data is collected: It may seem obvious, but there is a great need to identify every type of data being collected. “In addition to names, home addresses, email addresses, phone numbers, credit card information, and IP addresses, the website may be collecting information about customer interests, purchase histories, or demographic information such as gender, age, income or marital status,” advises the BBB authors.
Something else to consider are third-party vendors such as analytics providers, advertisers, and payment processors who collect data on the company’s business website. Customers should be advised who collects what data and given access links to the appropriate privacy policies.
How data is collected: Using forms to collect contact information or financial data for purchases are obvious collection points. What may not be obvious is the data collected by cookies and trackers, and website visitors have the right to know what that information is.
What is being done with customer data: Besides telling website visitors and customers how their data is being used, how it is stored, and how long it is saved, it is important to make known whether customer data is shared with affiliates, service providers, or sold to business partners and/or marketing firms. In other words, inform customers of every possible way their data may be used.
How customers can control their data: The BBB advises companies to provide a contact to help customers with privacy issues–even those as simple as closing accounts or unsubscribing from mailing lists. The article also suggests, “If marketers are using the company website to collect browsing data for interest-based advertising, customers should be provided with opt-out information.”
How data is protected: No effort should be spared when it comes to protecting customer data, and publishing what safety measures are employed in the privacy policy will help reassure customers. Interestingly, the BBB warns about offering too much detail because doing so might unknowingly help cybercriminals.
SEE: Privacy policy (TechRepublic Premium)
What makes a good privacy policy
As to what makes a good privacy policy, the BBB suggests the following.
Keep it visible: As mentioned earlier, make it easy to find the privacy policy. The people at the BBB recommend including a link in the header or footer of every page so visitors can check out your policy before they interact with your site. The article adds, “At a minimum, the privacy policy should have a link on the homepage and any other pages where data is collected.”
Keep it simple: This suggestion is likely the most difficult to implement. What would it be like to read a privacy policy and actually understand it? “The policy is a legal document, but consumers don’t want to read technical jargon or legalese,” explain the article’s authors. “The privacy policy should be clear, concise, and written in plain language so customers can readily understand how their information is being handled.”
Keep it real: Keeping the privacy policy accurate is important. It sends a message to the customers–a pledge as to how their personal data will be handled and protected. “It should accurately reflect data practices unique to the business,” suggests the BBB. “It might help to check out policies of similar businesses, but don’t cut and paste another company’s policy–one size does not fit all.”
Keep it current: Since the privacy policy is a legal document, it is vital to ensure the policy is updated when a change in business operations affects customer privacy. It is also important to communicate the changes to customers before they are enacted.
Final thoughts
Whether it’s required for your business, creating a privacy policy is a good idea. The BBB authors explain, “Even if sales are not processed on the website, visitors’ personal data may be captured to generate leads, make appointments, manage newsletter subscriptions, or to share with advertisers.”
For more information on privacy-law compliance including GDPR and CUP, the BBB authors suggest checking out the National Cyber Security Alliance’s tips for businesses. In addition, check out these cybersecurity resources from the BBB.