by Ariel Silverstone

How to Create a Privacy Policy Part 2

Sep 10, 2009

How to create a privacy policy, part II.

In the previous article, we discussed items that you should collect in order to start creating a privacy policy.

Today, we will take the next step: deciding what, how, when and where to collect.

Create A Privacy Policy – Less is More

One of the basic principles of privacy policy, and one that is sometimes missing from our daily life, is the notion that aggregation creates risk.  For example, one person's credit card, while significant to that person, is a small risk to an organization compared to a collection of hundreds, or hundreds of thousands, of credit cards and their accompanying personally-identifying information (PII).

When you look at my previous blog entry, you will see that one of the steps I defined (step ) states the following:

Analyze what data you need to collect and what you intend to do with it!

I cannot emphasize this point too much: 

Ariel’s Privacy Rule #1:  Do NOT collect, nor store, information you do not need.

You can also find a related, but not exact, Principle in the AICPA Generally Accepted Privacy Principles:

Principle 4: Collection

…Communicate to individuals that personal information is collected only for the purposes identified in the notice (see Criterion 4.1.1)

Communicate to individuals types of personal information collected and the methods of collection used (see Criterion 4.1.2)…

(You can find the GAPP in my Privacy Resources Page at

Further, even if some private information is divulged to you, and you do not need it, why keep it?  Generally, I suggest you follow this rule:

Ariel’s Privacy Rule #2:  In most cases, it is better to ask for private information again, than to store it.

Personally-identifying information is not only sensitive when stored, it also “turns off” a certain number of your customers.   I, for example, would be loath to provide my social security number to the great plurality of sites that request it of me.  I care about my privacy.

So, let’s continue….

Internal Versus External Use

In most jurisdictions, as an employer, you have a right to know certain things about your employees that normally you would not have.  For example, in the USA it is generally OK, and even required, for you to know the employee’s social security number.  It might even be OK for you (or for a particular subset of your employees) to know whether employee Y has kids, a car, or even a certain health condition.   Those fields, however, fall into the category of “obviously don’t have a right to know” if you are just a run-of-the-mill website.  So: know your audience.

Knowing your audience leads to the first part of your information privacy policy.  This is the part called “applicability”, or, “purpose” by some.   This section appears just underneath the title.  Let’s build a sample together, for my website.

Sample Privacy Policy

Purpose:  To define privacy expectations of visitors to the website.

As you can see above, this policy does apply to my visitors, but NOT to any of my admins, authors, or such personnel.  You will also note that the statement is quite short….  There is no particular need to make it long, convoluted or complex.

Ariel’s Privacy Rule #3:  Keep It Simple

How to Collect

Most of us would be astonished to find out just how much personally-identifying information is collected about us.   This also holds true when you talk about the average website.   Let me show you a real-life example:

[Screenshot: Visitor Detailed Information]

From this simple screenshot, you see that the website operator can gather ALL this information, even when NOT using cookies.  Here is just a brief list:


  1. Visitor IP address
  2. The location of that visitor in the world
  3. What operating system the visitor used
  4. What browser he/she used
  5. What screen resolution was used
  6. When they visited
  7. Where they came from
  8. What language they had their browser configured to use
  9. Whether or not they enabled Javascript
  10. What pages in my site they visited
  11. Oh, and by the way – everything showing in blue-and-underline is, of course, a link which, when followed, gives a ton more information.

While most of this information above is not considered PII, you may agree that the IP address IS.  Likewise, item #7 might be revealing and tell all.   In this case, they came from Professor Gene Spafford’s own blog.   I am honored to be mentioned there.
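As an added illustration, not part of the original article, here is a small Python script that parses constructed web-server log lines to show several items from the list above (IP address, when, where from, OS, browser, pages visited), and then applies Rule #1 by coarsening the IP address, the timestamp and the referrer before anything is stored. The log lines, site names and field names are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the common "combined" web-server log format
# (IP, timestamp, request, status, size, Referer, User-Agent). Not real traffic.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Sep/2009:14:03:11 -0400] "GET /privacy-policy-part-2 HTTP/1.1" '
    '200 5120 "http://example.org/blog/post-1?ref=abc" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko/20090824 Firefox/3.5.3"',
    '198.51.100.7 - - [10/Sep/2009:14:05:02 -0400] "GET /about HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) AppleWebKit/531 Safari/4.0"',
]

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Coarse families only; a real analytics tool would use a proper UA parser.
OS_FAMILIES = ("Windows", "Mac OS X", "Linux", "Android", "iPhone")
BROWSER_FAMILIES = ("Firefox", "Chrome", "Safari", "MSIE", "Opera")


def parse_line(line):
    """Return what one log line reveals about the visitor, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["os"] = next((f for f in OS_FAMILIES if f in rec["ua"]), "unknown")
    rec["browser"] = next((f for f in BROWSER_FAMILIES if f in rec["ua"]), "unknown")
    return rec


def minimize(rec):
    """Keep only what page-level statistics need; coarsen the identifying parts."""
    ip = rec["ip"]
    # Zero the last octet so the stored address no longer points at one host.
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", ip):
        ip = ip.rsplit(".", 1)[0] + ".0"
    # Keep only the referring site, never the full URL or its query string.
    ref = rec["referer"]
    site = urlsplit(ref).netloc if ref not in ("", "-") else None
    return {
        "ip": ip,
        "hour": rec["time"][:14],  # "10/Sep/2009:14": the hour, not the second
        "path": rec["path"],
        "referring_site": site,
        "os": rec["os"],
        "browser": rec["browser"],
    }
```

Running `minimize(parse_line(line))` over each line is what the collecting tool would store; the raw `parse_line` output is what it could have stored.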

So, at the bare minimum, we should inform people in our Privacy Policy that we collect such information.   I prefer something simple, again:

Sample Privacy Policy

Purpose:  To define privacy expectations of visitors to the website.

What We Collect

We respect the privacy of our visitors.   We generally do not collect personally-identifying information on this website.   We do, however:

a) Employ certain automated tools that collect statistical information about visitors to our site.

b) Provide you with the option to leave comments, or contact us, by entering your email address and, optionally, other contact information as you may choose to share with us.

In the next article on How to Create a Privacy Policy, I will talk further on the How and discuss cookies.

See you soon!