Grandma Goldstein's 16 Step Recipe for Deploying Online Privacy Policies

By Eric Goldman

Marquette University Law School



Step 1: Determine why you are doing a policy and what audience(s) you are trying to address


Step 2: Determine what statutory regulations you are required to comply with


Step 3: Determine if you are going to use one or more third party validators such as TRUSTe, BBBOnline or PWC's BetterWeb


Step 4: Do a site audit


Step 5: Review your company's existing business practices and obligations


Step 6: Determine if the policy will be a marketing representation or a contract


Step 7: Consider how the policy will be amended in the future if the policy is a contract, or how data will be segregated between user classes if the policy is a marketing representation


Step 8: Draft the policy and get internal and external blessing


Step 9: Train employees about the policy


Step 10: Scrub the site to remove all privacy-related language that isn't in the policy


Step 11: Publicly post the policy


Step 12: If you want to P3P-enable your site, implement your policy in a P3P-compliant XML file and upload to your website


Step 13: If you are doing an amendment, notify users of the amended terms using the protocol described in the previous policy


Step 14: Keep archives of prior policies if you have any data from users who are not legally upgraded to the new policy


Step 15: Establish a procedure for examining if new site features require changes to the policy


Step 16: Put into place a contingency plan in case things go wrong