Guardian eCommerce - 10 Point Online Privacy Guide And Principles

(Please note: This online privacy guide has been designed for those seeking guidance on effective Internet privacy policy implementation and personal information protection. Use of this online privacy guide as a reference for personal information protection and effective privacy policy implementation is recommended by Guardian eCommerce.)

Online Privacy Principles - Categoric Breakdown

1. Online Privacy Principle One - Accountability
2. Online Privacy Principle Two - Identify The Purpose For Personal Information Collection
3. Online Privacy Principle Three - Getting Consent
4. Online Privacy Principle Four - Personal Information Collection Limits
5. Online Privacy Principle Five - Personal Information Use, Disclosure, & Storage Limits
6. Online Privacy Principle Six - Personal Information Accuracy
7. Online Privacy Principle Seven - Personal Information Protection
8. Online Privacy Principle Eight - The User Availability Of Policy And Procedure Information
9. Online Privacy Principle Nine - Personal Information And User Access
10. Online Privacy Principle Ten - Handling Complaints And Disputes

Online Privacy Principles - Explained

1. Online Privacy Principle One - Accountability

An ideal opening section of an Internet privacy policy should address accountability in the handling and collection of consumer personal information. Web sites are responsible for personal information collection and personal information protection under their control. Web sites are also responsible for any personal information transferred to third parties for processing on their behalf and should use contractual or other means to provide a comparable level of personal information protection. Web sites should designate one or more persons to be accountable for compliance with personal information protection and personal information management.
Web sites should establish an Internet privacy policy that complies with its stated Web site privacy policy procedures for personal information protection, collection, handling, storage, and destruction. Train staff so they can deal with complaints and explain more about their site's privacy policy or online privacy practices, on demand.

2. Online Privacy Principle Two - Identify The Purpose For Personal Information Collection

This online privacy principle is recommended as the subject matter for the second segment of an effective Web site privacy policy. Web sites should identify the purposes of collecting personal information, if applicable, before or at the time the personal information is collected. Web sites may collect personal information for any purpose, provided it's clearly specified in this area of the Web site's privacy policy or statement. Generally, Guardian eCommerce recommends Web sites should limit personal information collection to the following purposes:
Web sites should identify their purposes for personal information collection and disclosure of personal information electronically, in writing or verbally, and in a language that consumers can easily understand. Web sites should not use or disclose personal information for any new purpose beyond that for which it was originally collected, without first identifying and documenting the new purpose and obtaining consumers' consent.

3. Online Privacy Principle Three - Getting Consent

This online privacy principle is recommended as the subject matter for the third segment of an acceptable Web site privacy policy. To ensure personal information protection, the knowledge and consent of users are required before the commencement of personal information collection, use, or disclosure of personal information, except where inappropriate. In certain circumstances, however, Web sites may collect, use, or disclose personal information without the user's knowledge and consent. For example:

a) when it is clearly in the interest of the user and consent cannot be obtained in a timely manner, such as in a medical emergency;
b) when the life, health or security of another individual is threatened;
c) if seeking consent might defeat the purpose, such as for the investigation of a breach of an agreement or law;
d) when disclosure is to the Web site member's lawyer, to collect a debt, to comply with a court order, or as may otherwise be required by law.

To provide consumers with the assurance of personal information protection, Web sites should make reasonable efforts to inform users how the personal information collected will be used and disclosed. Generally, a Web site should seek consent to use and disclose personal information at the same time it collects it. Sometimes, however, a Web site may identify a new purpose and seek consent to use and disclose personal information after it has been collected.
Consumer or user consent can be express, implied, or given through an authorized representative. In determining the appropriate form of consent, the Web site should take into account the sensitivity of the personal information and the reasonable expectations of users. Web sites should provide full and fair disclosure of their collection, use and disclosure pursuant to this online privacy principle and will not deceive a user into giving consent. A user can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Web sites should inform users of the implications of withdrawing consent and how to do so through this segment of the Internet privacy policy.

4. Online Privacy Principle Four - Personal Information Collection Limits

This online privacy principle is recommended as the subject matter for the fourth segment of an effective Web site privacy policy. Web sites should identify the amount and type of personal information needed for the purposes they have identified. Web sites should collect personal information using procedures that are fair and lawful to consumers. When a Web site collects clickstream data that will be linked with other personal information about a user, the Web site should advise users of what information is being collected and how it will be used. Otherwise, the collection, use or disclosure of clickstream data is not restricted. Although Web sites will collect personal information primarily from users, they may also collect personal information from other sources including credit bureaus, or other third parties that represent that they have the right to disclose the personal information, and this should be disclosed in this segment of the Internet privacy policy.

5. Online Privacy Principle Five - Personal Information Use, Disclosure, & Storage Limits

This online privacy principle is recommended as the subject matter for the fifth segment of an acceptable Web site privacy policy.
Web sites should use or disclose personal information only for the purposes it was collected, unless a user gives consent or as required by law. A Web site may disclose personal information without consent when required to do so by law, e.g. subpoenas, search warrants, other court and government orders, or demands from other parties who have a legal right to personal information, or to protect the security and integrity of its network or system. In such circumstances, a Web site should protect the interests of its users and consumers by making sure that:
A Web site may notify users that an order has been received, if the law allows it. Only a member Web site's employees, or designated person(s) whose duties so require, should be granted access to users' personal information. Web sites should keep personal information only as long as necessary to fulfill the identified purposes. Depending on the circumstances, personal information used to make a decision about a user, such as when a user's account has been rejected, should be kept long enough to allow the user access to the information after the decision has been made. Web sites should keep reasonable controls, schedules and practices for information and records retention, and should destroy, erase or make anonymous within a reasonable period of time any personal information no longer needed for its identified purposes or for legal requirements.

6. Online Privacy Principle Six - Personal Information Accuracy

This online privacy principle is recommended as the subject matter for the sixth segment of an effective Web site privacy policy. In this portion of the Internet privacy policy, Web sites should keep personal information as accurate, complete and up-to-date as necessary for the purposes for which it is to be used. Web sites may rely exclusively on the representations provided by their users in determining the completeness, accuracy, and timeliness of the personal information. This online privacy principle does not imply any obligation on the Web site to seek independent verification of any personal information supplied by the user.

7. Online Privacy Principle Seven - Personal Information Protection

This online privacy principle is recommended as the subject matter for the seventh segment of an effective Web site privacy policy. Web sites should ensure personal information protection with safeguards appropriate to the sensitivity of the personal information.
Web sites should use appropriate personal information protection safeguards against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification, and/or destruction.

8. Online Privacy Principle Eight - The User Availability Of Policy And Procedure Information

This online privacy principle is recommended as the subject matter for the eighth segment of an acceptable Web site privacy policy. A member Web site should be open about its Internet privacy policy and the online privacy procedures used to manage personal information. Users should be given access to information about such Internet privacy policy and online privacy procedures, and the information should be easy to understand. A Web site should make a reasonable effort so that consumers are made aware of the existence and location of its Internet privacy policy. Such effort may include posting an Internet privacy policy online (recommended) or providing a brief privacy statement, with a link on how to obtain this information, on demand. A Web site should make available information on how to access and correct personal information.

9. Online Privacy Principle Nine - Personal Information And User Access

This online privacy principle is recommended as the subject matter for the ninth segment of an effective Web site privacy policy. When users request it, Web sites should tell them what personal information the Web site has about the user, what it is being used for, and to whom it has been disclosed, and will give them access to their information.
In certain situations, however, Web sites may not be able to give users access to all personal information they hold about the user, e.g.:

a) if it might reveal personal information about another user or could threaten the life or security of another individual;
b) if it might reveal confidential commercial information;
c) if the personal information is protected by solicitor-client privilege;
d) if the personal information was generated in the course of a formal dispute resolution process;
e) or if the personal information was collected in relation to the breach of an agreement or a law.

Web sites should explain the reasons for denying personal information access when users ask. In providing an account of the use and disclosure of personal information, Web sites should state the source of the personal information where reasonably possible. Web sites should provide a list of the third parties to which they may have disclosed the user's personal information when requested. In responding to a user's request, Web sites should provide personal information in an understandable form, within a reasonable time and at no cost to the user. Users will be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Web sites should keep records of any unresolved challenges regarding a user's personal information. Web sites should ensure that all subsequent transmissions of personal information shall include any amended information or the existence of any unresolved challenges. Where appropriate, Web sites will transmit to third parties having access to the personal information in question any amended information and the existence of any unresolved challenges.

10. Online Privacy Principle Ten - Handling Complaints And Disputes

This online privacy principle is recommended as the subject matter for the tenth and final segment of an effective Web site privacy policy.
Consumers have the right to challenge compliance with a Web site privacy policy. Web sites should have a policy or procedure to receive, investigate, and respond to user complaints and questions. Alternatively, Web sites participating in the approval and privacy seal program may use the third party services of Guardian eCommerce (or another trusted third party privacy seal program) to handle complaints and disputes from consumers or other Internet users. Web sites should contact Guardian eCommerce should more information about this online privacy guide or the approval and privacy seal program be required. Web sites can also visit the Guardian eCommerce privacy page, where an acceptable Web site privacy policy can be viewed and even used as a privacy policy sample.

Copyright ©2002-2007. Guardian eCommerce International. All Rights Reserved.