Last year, privacy became mainstream news when the new EU privacy law came into effect on 26th May 2011 across all EU member states – see my previous posts on this subject. In short, the EU law states that you need to seek your visitor’s permission before you can track them. Exactly what permission is required (implied or explicit consent), and when this needs to be asked for (only when collecting personal information, or even to track visitors anonymously) is still a hot topic of debate in the industry, that I will return to in my next post.

Whatever the impact of the EU Privacy law, the key to any organisation’s privacy strategy is it’s privacy policy document – your communication with your visitors about what you do with their data. I have therefore put down my guidelines for writing a best practice privacy policy that will stand you in good stead if you are using Google Analytics in the UK and elsewhere in the Europe

Three guiding principals for writing a privacy statement

  • Put your customers first – not your legal team
    Don’t allow your legal team to write your privacy policy. Seriously! Let them review and provide input of course. However, a privacy policy is there to encourage trust between you and your potential new customers. Therefore it needs to be written for them to easily understand and not full of verbose legal jargon. The marketing team is the best place to start with this.
  • Keep it simple
    Write your privacy policy in plain English (or preferred language). Don’t try to write the Magna Carta! The important points are to be succinct, open and transparent. My privacy policy is less than 600 words – I recommend a hard limit of 1000 as an absolute maximum.
  • Don’t mix up anonymous concerns with personal ones
    This is a very common mistake. What you do with anonymous data is very different to what you do with personal data. The vast majority of your visitors – typically 97% of them will not be your customers. They are your potential customers. Before they sign up or transact with you, they are simply anonymous visitors. Don’t mix up what you do with such benign information with what you do with customer information that is a small proportion of your traffic.

So with these principals in place, how does this look in practice? Below I have reproduced what I consider my best practice privacy policy with the key points emphasised for a website operating in the UK.

What a best practice privacy policy should look like

The screenshot of my privacy policy is shown below. You can also go straight to the text of my privacy policy (new window).

A] Firstly, declare that Google Analytics is your tracking tool of choice, though if you also use other tools (e.g. Clicktale, Kampyle, Uservoice etc.) you may wish to add “and associated tools” here. Google Analytics is a well known product and many visitors trust the Google brand with their privacy. Note that for UK websites, stating that Google Analytics is being used is a requirement of the Terms of Service (see section 8.1). Even if you are not based in the UK, which means you do not have to state you use Google Analytics, I still recommend you do so – just for transparency.

B] and C] emphasise that all collected data is anonymous by default. Personal info is only collected if explicitly asked for. That is, nothing sneaky is happening in the background and the visitor always has a choice when asked.

D] Adding a personal commitment form the CxO, Managing Director or Website owner is a nice touch to show how important the organisation takes privacy.

E] Separate out anonymous collected data from collected personal information. These are very different situations – no point scaring the vast majority of your visitors with statements about personal information if it is not relevant to them.

F] Make it easy and clear to understand how people can have their personal information removed if they wish to do so.

G] Google has some excellent documentation on its approach to privacy when Google Analytics is used. The link shown allows visitors to read more information without you getting bogged down in it (definitions of a cookie, data sharing options, opt-out browser add-on etc.) – it is not needed in your privacy policy.

I would love to hear your feedback on this approach to online privacy.