Stephen S. Wu-- SL: Legal Writer,, (408) 573-5737, 50 W. San Fernando St., Ste. 750, San Jose, CA 95113

Privacy Policy Topics

Let’s say that you are developing a privacy policy for your company. What kinds of topics do you need to cover? And where do you get ideas on what to say?
One useful source of information on privacy policy content is the Federal Trade Commission. In particular, the FTC published “Fair Information Practice Principles,” which provide ideas on topics to cover and content. The key items in the FTC’s Fair Information Practice Principles are:
• Notice/Awareness
• Choice/Consent
• Access/Participation
• Integrity/Security
• Enforcement/Redress

I will cover each of these topics in turn. Using the example of a business with an online service and privacy policy, the idea behind notice and awareness is for the business to notify its customers, from whom it is collecting information, about who will collect the information, what is the information used for, who else might receive access to the information, what kinds of information are collected, and how the business will protect the information. The idea is for the business to provide customers with enough information to make an informed choice about the service and whether they want to give the business their information.

Choice and consent concern the ability for the customer to agree to the collection and use of information per the notification provided. Some services say they will not collect the information unless the customer opts-in and assets to the collection. Other businesses say they will collect the information unless the customer takes steps to avoid or stop the collection. Today’s online services frequently allow users to make fine-grained choices about privacy settings and controls.

Access and participation refer to the customer viewing the information held by the business about him or her. The idea is to allow the customer to update, change, delete, or even challenge information held by the business. Businesses typically want up-to-date contact, financial, and other user information and so provide a mechanism for access and information updates.

Integrity and security relate to the practices of the business to protect the confidentiality, integrity, and availability of information held by the business. The business typically explains at a high level what security controls it uses to secure the information. These controls may be administrative (personnel and procedural security safeguards), physical (protecting against break-ins, thefts of devices or media, and the like), or technical (using technology to protect information).

Finally, the FTC recommends some kind of enforcement mechanism. This is perhaps the topic businesses least want to cover, since businesses don’t want to open themselves up to complaints. Many businesses in the U.S. skip this topic. However, some privacy policies may refer to dispute resolution mechanisms or an ombudsman program to facilitate the resolution of privacy complaints.