Monday February 06 , 2012

Websites and Privacy Guide

This Guide is for information only. Please refer to our terms and conditions for conditions of its use.

Introduction

Privacy concerns the collection and use of personal information by a business or its websites. Most websites collect information from their visitors, sometimes without even realising it! Apart from the obvious collection of email addresses for an email marketing list, or login details for controlled content, information can be collected by less obvious means such as third-party adverts displayed on your webpages, or by webserver logs.

The European Union has well-developed laws covering the privacy rights of the individual, which were enshrined in the European Convention on Human Rights (ECHR) drafted in 1950. Article 8 of the ECHR defines a right to privacy of family life, home and communications. On 1st December 2009, the EU signed the Treaty of Lisbon, which is European law and contains within it the ECHR principles (and new ones) in the "Charter of Fundamental Rights". Within this Charter, Chapter 2 (Freedoms), Article 7, "Respect for Private and Family Life", states that "Everyone has the right to respect for his or her private and family life, home and communications." Article 8 is titled "Protection of personal data" and states:

  1. Everyone has the right to the protection of personal data concerning him or her.
  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.

In 1995, the EU issued the "Data Protection Directive", an attempt to harmonise data protection laws across all its member countries that meets the aims of the ECHR. This Directive already meets the requirements set out in the Charter of Fundamental Rights. A "Directive" provides a set of requirements and conditions that the individual countries must meet without dictating directly how they do it. For example, in the UK the Data Protection Act is the law that implements the European Data Protection Directive.

The Directive regulates the processing of personal data and contains a broad definition of what that personal data is. Any data that allows a person to be identified (even if it can't be done directly by the person holding the data) is personal data.

The Directive states that personal data should not be collected unless the conditions of transparency, legitimacy and proportionality are met. But what does this mean?

Transparency means that a person must be informed of your use of their personal data. You have to supply your contact details, the reason you want to process the data, who has access to it and any other relevant information. The person you collect personal data from must be able to access all the personal data held about them, and can demand that data which is incorrect, or is being used incorrectly, be deleted, corrected or blocked. The data can only be processed:

  • when the person has given their consent
  • when it is necessary to perform a contract
  • when it is necessary to comply with law
  • when it is necessary to protect the interests of the person
  • if necessary for doing something in the public interest or for an official authority
  • if necessary for the legitimate interests of the collector or third parties, unless overridden by the interests of the person the data is being collected from

Legitimacy means that data can only be processed as described and not further or in different ways.

Proportionality means that only the data necessary to perform a task may be obtained. This data must be kept current and may only be held for as long as is necessary. Sensitive personal data has extra restrictions (see the section below for examples). If the data is to be used for direct marketing, the person has the right to object at any time.

In the EU, each member state must also have an independent body to monitor the application of data protection law. In the UK, this role is performed by the Information Commissioner's Office, which has a good website describing its role and giving advice to businesses. It also has an excellent section describing the UK Data Protection Act in detail and how to comply with it.

It should be noted that the Directive technically applies whenever equipment within the EU is used to process personal data. In the case of websites, this could include the client computer. The Directive also deals with the export of personal data from the EU and states that data may only be exported to countries that have similar levels of data protection. This has caused EU / US tension, as the US generally has lower levels of protection, especially for non-US citizens. US companies wishing to transfer personal data should use the US-EU Safe Harbour framework.

At around the same time as the EU Data Protection Directive, the US Federal Trade Commission published the Fair Information Principles. These are broadly similar to the EU Directive, but are guidance rather than federal law, the US favouring commercial self-regulation and existing trading standards laws. Some aspects of the FIP, such as part B, "Application of Fair Information Practice Principles to Information Collected From Children", are supported by specific laws such as the Children's Online Privacy Protection Act (COPPA), which is described later in this Guide. The State of California also has the California Online Privacy Protection Act of 2003 (Business and Professions Code sections 22575-22579), which requires websites that collect personal information on California residents to post a conspicuous, compliant Privacy Policy.

Why does it affect my website?

As described above, if you are a UK business (even if you host your website outside of the UK) and you collect personal data, then you will have to comply with the Data Protection Act. There are similar laws throughout the EU member states. As part of this compliance, you will have to make a Privacy Policy, which is a legal document, available.

If you advertise on your site then the advertising agent may insist that you mention it in your Privacy Policy. An example of this is Google Adsense.

If you have to add a Privacy Policy, make sure it is conspicuous. Don't try to bury it in 4pt text at the bottom of your webpage! Also, try to avoid legal jargon and write in plain language. For an example, see the Privacy Policy of this website.

How do I add a Privacy Policy?

Your Privacy Policy should describe:

  • what data is collected: make sure users of your website are aware when personal data is being collected;
  • how that data is collected: for example, is it automatically linked to an IP address, or is it entered in an HTML form? Also mention whether cookies are used and how long they remain active;
  • how it is used and disclosed: remember that unless you have agreement, the personal data cannot be used in any other way or disclosed;
  • how it is managed: personal data must be transferred over a secure link (SSL site) and stored securely at your host. You also have a duty to protect that data. For example, don't send out mailshot e-mails that let each recipient see the e-mail addresses of the others;
  • how it can be accessed, corrected or removed: you are obliged to supply a copy of any personal data you hold to the person concerned.
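As an added illustration of the data-handling point in the list above (example code, not from the original guide): the leaky mailshot pattern, where every address goes in one To: header, beside a pattern that addresses each recipient separately, plus a check that flags any batch exposing other recipients' addresses. The addresses are constructed samples.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list for the demonstration (not real addresses).
RECIPIENTS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def build_leaky_mailshot(sender, recipients, subject, body):
    """The mistake the guide warns about: one message with every address in To:,
    so each recipient learns the addresses of all the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return [msg]


def build_mailshot(sender, recipients, subject, body):
    """Safer pattern: one message per recipient, so no address is disclosed to others.
    (Putting the list in Bcc: instead is an alternative; the sending MTA strips it.)"""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def disclosed_addresses(msg):
    """Return the set of recipient addresses visible to whoever receives `msg`:
    anything in To: or Cc:. Bcc: is not counted because it never reaches recipients."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers)}


def leaks_other_recipients(messages):
    """True if any message in the batch exposes more than one recipient address.
    Run this over an outgoing batch before handing it to smtplib."""
    return any(len(disclosed_addresses(m)) > 1 for m in messages)
```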

It should also confirm that data will only be used for the purposes stated and that it will be deleted when that purpose has been completed.

To meet the requirement that personal data may be accessed, contact details must be provided. However, this can be done using an "About Us" page or similar.

As mentioned in the introduction, some types of sensitive personal data, or particular uses of personal data, require extra measures. In the UK you must register with the Information Commissioner if you are not just using the data for your own marketing purposes but intend to sell it on, are collecting sensitive information such as credit card details, or want to use the information for research. The registration fee is small.

What goes into your specific Privacy Policy depends very much on what data you collect on your website. There are many websites that provide templates, policies for a particular purpose or even policy generators. For England or Wales in the UK, www.website-law.co.uk allows use of their policy for free if a link is retained; for a small fee this link can be removed.

Make sure that you use a Privacy Policy that meets the requirements of your place of business. For example, a US Privacy Policy may not be good enough in an EU country. To be certain, you should employ a legal specialist to review your policy.

If you only use Google Adsense adverts, you could consider using the Adsense policy provided by JenSense.

Children's Privacy Concerns

If you host (or plan to host) a website that collects personal data from children under 13 years of age, then there may be considerably stricter limitations on privacy. This applies if your website is targeted at children in this age range, or if you knowingly collect personal data from children in this age range even if the site is not explicitly targeted at them.

If your website collects data from children in the US, it will have to comply with the Children's Online Privacy Protection Act (COPPA) of 1998. There are very large financial penalties (up to $11,000 per penalty) if your website falls foul of this Act! You can find out more at the FTC's Children's Privacy page and their COPPA FAQs page. COPPA usually requires parental consent before any personal data is collected from children and also places restrictions on how things like email can be handled.

COPPA contains a provision for "Safe Harbor" programmes run by external groups to encourage industry self-regulation (see the FTC's list of approved bodies). These groups tend to be very proactive in seeking out offending websites and ensuring they comply. We have dealt with CARU in the past and they proved very helpful and professional; however, it is much better to become compliant before they have to find you!

Even if you are not based in the US, if your website collects personal information from US children under 13 then you MUST comply with COPPA. As most websites are global, we strongly recommend that you comply.

Although the EU does not have a similar Act, it has recently been treating the issue of online child privacy seriously. For example, social networking sites were recently asked to improve their privacy practices, especially for children. It may not be long until a COPPA-style law appears from the EU...

Neomara Privacy Policy

Want to know what data we collect and how we use it? Then you need to read our Privacy Policy.

Terms and Conditions

Want to know what the terms and conditions are for using this website? Then you need to read our Terms and Conditions document.