Internet Law

Online Privacy Policies

If you operate a business over the Internet, you have an obligation to protect sensitive consumer-provided personal information. If this sensitive data falls into the wrong hands, it can lead to fraud, identity theft and other harms. It makes good business sense to safeguard personal information to keep consumers' trust and to prevent lawsuits.

In creating an online privacy policy, a business should consider five key principles:

  • Know what personal information you have in your files and on your computers
  • Keep only what you need for your business
  • Protect the information that you keep
  • Properly dispose of information that you no longer need
  • Create a plan to respond to security incidents

The online privacy policy should be easy to read and should be readily available to consumers, customers and others before any personal information is collected or transmitted. The policy must clearly state:

  • What information is being collected
  • How it will be used
  • Whether it will be shared with others
  • Your commitment to personal information security
  • What steps you are taking to protect personal information
  • What alternatives can be taken if a customer opts out of providing personal information
  • Who should be contacted in your business for security questions or complaints

Assessing Existing Personal Information

You need to take stock of the personal information that you already have and identify who has access to it. This will help you to pinpoint security vulnerabilities in order to determine the best way to secure the information. Steps you should take in your assessment include:

  • Inventory all computers, laptops, flash drives and disks used in your business to find out what sensitive information you have and where it is being stored
  • Track the flow of personal information between your employees
  • Review federal statutes, such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Federal Trade Commission Act, to determine what security requirements you must meet for sensitive information

Keep What You Need

If you have no legitimate business need for personal information, don't collect it and don't keep it.

  • Use Social Security numbers only for required and lawful purposes
  • Don't retain credit card information unless you have an essential business need to do so
  • Check your software that reads credit card information and make sure it doesn't permanently retain that information
  • Develop written retention policies to identify what information must be kept, how to secure it, how long to keep it and how to dispose of it

Safeguarding Personal Information

The most effective personal information privacy policies address four elements:

Physical security. This addresses the physical storage of personally identifiable information and the establishment of procedures controlling the access, security, storage and transmission of personal information by employees.

Electronic security. You should create a data security plan that includes the use of security software, firewalls, secure connections, data encryption and password-activated screens to protect the storage and transmission of information through your computers and servers and over the Internet.

Employee training. Your data security plan is only as strong as the employees who must implement it. Your employees need to be thoroughly trained in data security practices to identify data breaches and security threats and to safeguard personal information.

Contractors and service providers. If you rely on contractors to operate a part of your business or service providers to maintain your computers, servers or data systems, you must ensure that their data security standards and privacy policies are consistent with yours and that they will keep you informed of security problems.

Disposing of Personal Information

Your privacy policy must address how you will dispose of sensitive personal information to ensure that it cannot be read or reconstructed.

  • Implement reasonable information disposal practices
  • Dispose of paper records by shredding, burning, or pulverizing before discarding
  • Dispose of sensitive information stored on old computers, hard drives and other portable storage devices by using wipe utility programs


Establish a plan to investigate and respond to security incidents. The plan should ensure that data breaches will be investigated immediately and should identify when consumers, law enforcement, and other outside organizations affected by a breach should be contacted.
