Internet Privacy Policies

By Eric Goldman, Esq.

Cooley Godward LLP, Palo Alto, CA


1.                What is a Privacy Policy?

·        A privacy policy is a statement of a company’s practices with respect to the collection, use and disclosure of user information

·        User agreement vs. marketing representations

2.                Why Do a Privacy Policy?

·        Best practices in the industry

·        Overcome an obvious privacy issue with your product/site

·        Comfort users with third party validation

·        Required by a potential advertiser (e.g., IBM, Microsoft, Intel) or site where you advertise (e.g., Disney)

·        You deal with kids under 13

·        You have European operations

3.                Why Are Privacy Policies Such a Pain To Do?

·        The three-headed hydra of marketing, engineering and legal

·        There are no “off-the-shelf” forms

·        Policies are difficult to amend, so plan for the future

·        Multiple audiences: users, reporters, investors, judges, plaintiff lawyers, government enforcement agencies

·        FTC and TRUSTe rules are out of sync with state-of-the-art business practices

·        Companies actually get busted (GeoCities, Real Networks, Liberty Financial, ReverseAuction) and the remedies can REALLY hurt!!

4.                The FTC’s Latest: COPPA

·        Takes effect April 21, 2000

·        Applies to sites (or portions thereof) that market to kids 12 and under or know that they are collecting information from kids 12 and under

·        The summary: don’t do it if you don’t have to!!

·        Requirements:

(1)  Post a privacy policy on the site

(2)  Obtain verifiable parental consent.  If you are collecting personal information for internal marketing, you can use unauthenticated email.  Otherwise, you need consent through mail, fax, toll-free phone number, credit card authentication, or authenticated email.

(3)  Allow parents to review the personal information collected

(4)  Give parents the opportunity to restrict collection/use of their kids’ information

(5)  Not condition participation in an activity on the kid disclosing more info than necessary

(6)  Have reasonable security procedures

·        Bottom line: compliance is likely to require significant changes to existing business practices.

5.                European Union Privacy Directive.

·        The directive took effect in October 1998, but not yet implemented in all member states. 

·        The general rule: obtain express consent for use and disclosure of personal information [not limited to Internet collection]

·        Some states require registration, so you cannot comply merely through your privacy policy.

·        If you have no presence in Europe, do you need to comply?

·        Data sharing with EU-based companies is tricky.

6.                Grandma Goldstein’s 15 Step Recipe for Deploying Privacy Policies.

Step 1: Determine why you are doing a policy and which audience is most important

Step 2: Determine if COPPA applies.  If so, sell!!!

Step 3: Determine if the EU Directive applies.  If so, call European counsel.

Step 4: Determine if you are going to use one or more third party validators

·        Options include TRUSTe, BBBOnline and PWC’s BetterWeb

·        These validators all have their own substantive rules

Step 5: Review your site

·        Look for existing data collection points, and consider future ones

·        Look for existing privacy policy-like language

Step 6: Review existing practices

·        Look at existing obligations to turn data over to third parties

·        Look for other places where personal data is turned over anyway (e.g., email delivery outsourcing)

·        Look at ISP/hosting agreements

·        Look for situations where you have voluntarily agreed to limit your use/disclosure of information (e.g., distribution agreements or sponsorships)

Step 7: Determine how the policy will become a binding user agreement

Step 8: Determine how the policy will be amended in the future

Step 9: Draft the policy and get internal/external blessing

Step 10: Train employees about the privacy policy

Step 11: Scrub the site to remove all contrary statements

Step 12: Upload the policy

Step 13: As applicable, follow the procedures to amend the existing policy

Step 14: Keep archives of prior policies and segregate databases as necessary

Step 15: Establish a procedure for handling site changes


About the Speaker: Eric Goldman (formerly Eric Schlachter) is an attorney practicing cyberspace law with Cooley Godward LLP, Palo Alto, CA.  He also is an adjunct professor of Cyberspace Law at Santa Clara University School of Law.  Cooley Godward’s web page is located at, and Eric’s personal home page is located at   Eric can be reached at