	              
                                                     
                                                       
              Outbreak Magazine Issue #12 - Article 7 of 18
           '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

Privacy Policy Introduction by cxi (cxi@compulsive.org)

Recent studies have shown that the majority of websites do not have privacy 
policies. Many of us who run our own websites may have at some point tried 
to build a privacy policy, and a very popular way to do this is to use 
templates or to look at established websites' privacy policies and reuse what 
is in them. When creating even a basic policy for how you protect user 
privacy and personally identifiable information (PII), it is very important 
that you adhere to a set of guidelines for what your policy should include, 
and that you word the policy very clearly to leave as few grey areas as 
possible. It is our responsibility as website administrators to let users 
know exactly how we deal with privacy and exactly what we do with any 
information they provide us (as well as the information they may not be aware 
they are providing through click-stream data, clear-gifs, and cookies).

	In the United States, the current set of guidelines, as outlined by 
the Federal Trade Commission, for privacy policies is known as Fair 
Information Practices (FIP). FIP includes 5 sections:

Notice: What does the policy cover, what information is collected, how the 
	information is used, what PII is collected, notice about 
	cookies/clear-gifs. 

Choice: If PII is collected and is used for any reason other than one given 
	at the time of collection, you must provide a reasonable opportunity 
	to choose to allow it (opt-in or opt-out).

Access: If PII is collected you must allow reasonable access for users to 
	view or correct errors in the information your site collected. 

Security: Is the PII protected during storage and transmission? 

Enforcement: Is there a way to make sure you do what you say? Do you have a 
	     privacy seal or at least give contact information for people to 
	     address questions, comments, or concerns about your privacy policy? 
	     This section also includes how you will notify users about policy 
	     changes. 

If you look at most privacy policies on the web, you'll find that, 
unfortunately, they do not follow FIP. While they may include some or most of 
the aspects, it is all of these criteria combined that make for a good privacy 
policy that users should feel confident about. To analyze a current privacy 
policy, go through each part of FIP and check whether or not each part is 
included. There are a few other aspects that are very important to privacy 
policies but are not explicitly included in FIP: readability, and the ability 
to find the policy easily. While a privacy policy that includes all of FIP is 
a great thing, if it's all legalese, it's not exactly giving good Notice; and 
if you don't give an obvious link to the privacy policy, how will users know 
what your practices are at all? 

Website administrators may also be interested in implementing the Platform for 
Privacy Preferences Project (P3P; full documentation at http://www.w3.org/p3p/). 
P3P was developed by the W3C, which finalized V1.0 in April 2002. It is a 
machine-readable (XML) privacy policy that new web browsers (such as IE v6 
and Mozilla v1.0) read to determine, based on user settings, whether or not 
a website has good privacy practices. XML policy reference files indicate 
which policy applies to which part of the site. Check out the W3C site 
for more information on how to build a P3P policy. 

While there are no current US laws that require websites to include privacy 
policies (unless you're a financial, government, or in some cases health 
institution), most users are becoming more aware of privacy concerns and 
expect websites to disclose their privacy practices. By developing a good 
privacy policy and making users aware of privacy concerns on your website 
through your policy, you can help spread the standard for websites to adhere 
to FIP, which would encourage more companies to develop good policies for fear 
that people will not use their websites without a good privacy policy in place. 
