\Grandma Goldsteinís 16 Step Recipe for Deploying Online Privacy Policies

By Eric Goldman

Marquette University Law School

eric.goldman@marquette.edu

 

Step 1: Determine why you are doing a policy and what audience(s) you are trying to address

 

Step 2: Determine what statutory regulations you are required to comply with:

 

Step 3: Determine if you are going to use one or more third party validators such as TRUSTe, BBBOnline or PWCís BetterWeb

 

Step 4: Do a site audit

 

Step 5: Review your companyís existing business practices and obligations

 

Step 6: Determine if the policy will be a marketing representation or a contract

 

Step 7: Consider how the policy will be amended in the future if the policy is a contract, or how data will be segregated between user classes if the policy is a marketing representation

 

Step 8: Draft the policy and get internal and external blessing

 

Step 9: Train employees about the policy

 

Step 10: Scrub the site to remove all privacy-related language that isnít in the policy

 

Step 11: Publicly post the policy

 

Step 12: If you want to P3P-enable your site, implement your policy in a P3P-compliant XML file and upload to your website

 

Step 13: If you are doing an amendment, notify users of the amended terms using the protocol described in the previous policy

 

Step 14: Keep archives of prior policies if you have any data from users who are not legally upgraded to the new policy

 

Step 15: Establish a procedure for examining if new site features require changes to the policy

 

Step 16: Put into place a contingency plan in case things go wrong