Mark Grossman

Privacy Policies Online

21 October 1999

Business to consumer e-commerce is exploding. It would grow even faster if consumers weren't hearing things like, "Don't use your credit card online," "Don't give out your personal information when Web surfing," and "When you're online, you leave a data trail of personal information that websites collect and sell."

The simple fact is that people are a bit paranoid about buying online. They don't quite understand the way it works, the press loves to hype the negative and the result is that people are often not willing to give you any information about themselves. No information usually means no sale.

I don't have a panacea for this problem, but the starting point is to post a comprehensive and well-written privacy policy on your site. It's right up there with apple pie and motherhood. The United States Federal Trade Commission, the Better Business Bureau and just about every responsible commentator on e-commerce says that websites should post privacy policies.

In the past, I've discussed the need to post "Terms and Conditions of Website Use" on your site. It's a basic contractual document that governs the use of your website. It can limit your liability for things like orders lost in cyberspace (or lost to a crashed computer), force web surfers to sue you in your home state if you have a dispute and eliminate the risk of class actions by disgruntled users.

If you're online doing business without a custom created agreement, you're playing with fire. And sorry, but the one you "borrowed" from another website wasn't custom tailored for your needs and probably doesn't work for you. (Often, the real irony is that the party you're "borrowing" from "borrowed" it from somebody else.) Of course, you won't know that until you're in court relying on it and then find out that it's lacking. It's a little like finding out that your parachute was made for a different sized person after you've left the comfortable confines of that perfectly good airplane.

In some ways, it's just as important to post a "Privacy Policy" on your website as it is to post the "Terms and Conditions of Website Use" on your site. You should consider them the one-two punch of a well-done website.

If you don't believe that these documents are important, then look at the terms and conditions at and and the privacy policies at and The Microsoft's and E-Bay's of the world have these documents and you should too.

If you dream of being successful online, then you need to do the things that successful websites do. One recent study by Georgetown University found that 94% of the 100 most popular websites had privacy policies posted on their sites. Earlier this year, IBM announced that it would pull its ads from websites that didn't post a clear privacy policy.

What It Should Say

It's not possible for me to give you "one-size fits all" advice about what you should have in your privacy policy. For one thing, different businesses will use digital information differently. Your privacy policy must accurately state what you do with the information.

As for what it should say, let's start with how it should say it. A well-done privacy policy is easy to find (a link at the bottom of your home page is usually appropriate) as well as easy to read and understand. This isn't the place for a lawyer to use a "witnesseth, whereas, heretofore" exercise. The policy should be in plain English.

It should tell web surfers what information you're collecting. You should also explain why you collect it and how you use it. Do you sell it or share it? If you do, say so. If you don't, it's probably a competitive advantage, so make this point extra prominent.

Let the Web surfer know if she has any choices that she can make regarding privacy. For example, can she "opt out" of third party use of her data? It's usually a good idea to allow for "opt out." With sensitive data like medical, racial, political and religious information, you should probably set it up as an "opt in." This way, if she doesn't specifically give you consent to disclose this information to third parties, you won't.

Your privacy policy should include a statement that when you do transfer information to a third party, you'll do it only if they agree to comply with your privacy policy.

Next, you should include some information about the security measures that you have in place to ensure that private information isn't stolen. Here, your policy would discuss your password procedures and your use of encryption and firewalls. (A "firewall" is any of many ways to protect a network from unwanted access. Essentially, it consists of mechanisms to decide what network traffic gets in and what gets rejected as a possible unauthorized entry.)

One item that commentators always mention is the issue of "data integrity." Simply, the issue is what you do to ensure that the data you have is complete and accurate.

A closely related issue is "access." Your privacy policy should describe what the web surfer can do to verify your data integrity and then correct any misinformation, if necessary.

If you have a membership site where users get a user name and password, you might have a link where they see all the information you've collected. Depending on what type of business you have, you might then give them a chance to correct any information online or send you an e-mail requesting a correction.

Privacy Seal Programs

Besides having a good privacy policy, you should also consider assuaging your possible customers' concerns by applying for a privacy seal of approval from a trusted third party organization. The idea is that a seal from one of these organizations shows that you have met their self-regulatory requirements concerning privacy.

Probably the two most significant programs today are the BBBOnLine and TRUSTe programs. You can learn about their eligibility requirements by visiting their sites.

While a seal of approval may be desirable, a good privacy policy is essential. If you don't have a privacy policy up, then get one done immediately.

Privacy Policies Online is republished from