Components of a Privacy Policy

It seems that privacy policies, notices and statements are everywhere these days. Given the increased public interest and more stringent legislation on information security and privacy protection, these privacy-friendly mechanisms are becoming more and more important on websites and online services. Generally, privacy policies, privacy notices and privacy statements follow a similar format and use the same vocabulary and style.

It’s important to ensure that website privacy policies correctly address the specific legal issues and technical implications facing the company. There are numerous types of privacy policies out there: some apply to online data; others apply to data collected by financial institutions; others deal with the collection of information from children under the age of 13; and others apply to individuals protected under foreign laws. There is no ‘one size fits all’ approach to developing a sound privacy policy.

Enterprise Privacy Programs

Developing and maintaining enterprise-wide privacy programs requires top-down cooperation and collaboration among the different individuals in an enterprise.

According to United States privacy legislation, all companies involved in obtaining, maintaining, using and/or disclosing personal information about consumers ought to adopt a privacy policy. Privacy policies are documents in which companies state their information practices. Such documents keep organizations accountable to a set of formal privacy policies. Companies may be the subject of an FTC action or a lawsuit if their privacy practices do not accurately reflect those stated in their privacy policy.

Standardization of enterprise privacy programs has become more and more of an issue in recent years. Even though enterprise privacy policies are primarily intended for internal use, standardizing them brings numerous advantages:

  • Technical parts of regulations could be encoded into a standardized language
  • Enterprises with heterogeneous repositories of personal data could develop consistent enforcement tools to ensure compliance with internal privacy practices

Components of a Privacy Policy

There are three main categories of information in a privacy policy:

  1. Policy Identification Details

This section defines the policy name, version and description.

  2. P3P-Based Components

This defines policy attributes that would apply if the policy is exported to a P3P format. Such attributes would include: policy URLs, organization information, PII access and dispute resolution procedures.

  3. Policy Statements and Related Elements: Groups, Purposes and PII Types

Policy statements define which individuals may access certain types of information, and for which pre-defined purposes.
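As an added example, not code from the original post, the Python script below parses a small P3P 1.0 policy and pulls out the attribute categories named under the P3P-based components above (policy URLs, organization information, PII access and dispute resolution) together with the policy statements that say which data is used for which purpose and who receives it. Element and attribute names (POLICY, discuri, opturi, ENTITY, ACCESS, DISPUTES, STATEMENT, the `required` opt-in/opt-out attribute) follow the W3C P3P 1.0 specification; the organization, URLs and the `missing_components` checker are constructed for this example.

```python
"""Parse a P3P 1.0 policy and extract its policy-level components.

Added example, not part of the original post. Element and attribute names
follow W3C P3P 1.0; the sample organization and URLs are constructed."""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
NS = {"p": P3P_NS}

# Constructed sample policy (hypothetical organization and URLs).
SAMPLE_POLICY = f"""<POLICIES xmlns="{P3P_NS}">
  <POLICY name="example-policy"
          discuri="https://example.test/privacy.html"
          opturi="https://example.test/privacy/opt-out">
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">Example Widgets Ltd</DATA>
        <DATA ref="#business.contact-info.online.email">privacy@example.test</DATA>
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><contact-and-other/></ACCESS>
    <DISPUTES-GROUP>
      <DISPUTES resolution-type="independent"
                service="https://example.test/privacy/disputes"
                short-description="Independent privacy seal program">
        <REMEDIES><correct/></REMEDIES>
      </DISPUTES>
    </DISPUTES-GROUP>
    <STATEMENT>
      <PURPOSE><current/><contact required="opt-out"/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.name"/>
        <DATA ref="#user.home-info.online.email"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""


def local(tag):
    """Strip the namespace from an element tag ('{ns}ACCESS' -> 'ACCESS')."""
    return tag.rsplit("}", 1)[-1]


def parse_p3p(xml_text):
    """Return the P3P-based components of the first POLICY as a plain dict."""
    root = ET.fromstring(xml_text)
    policy = root.find("p:POLICY", NS)
    if policy is None:
        raise ValueError("no POLICY element found")
    # Organization information: ENTITY carries business.* data refs.
    entity = {
        d.get("ref"): (d.text or "").strip()
        for d in policy.findall("p:ENTITY/p:DATA-GROUP/p:DATA", NS)
    }
    # PII access: the single child of ACCESS names the access level.
    access_el = policy.find("p:ACCESS", NS)
    access = [local(a.tag) for a in access_el] if access_el is not None else []
    # Dispute resolution procedures and the remedies offered.
    disputes = [
        {"resolution_type": d.get("resolution-type"),
         "service": d.get("service"),
         "description": d.get("short-description"),
         "remedies": [local(r.tag) for r in d.findall("p:REMEDIES/*", NS)]}
        for d in policy.findall("p:DISPUTES-GROUP/p:DISPUTES", NS)
    ]
    # Statements: which data, for which purposes, to which recipients.
    # A purpose without a 'required' attribute defaults to 'always'.
    statements = []
    for st in policy.findall("p:STATEMENT", NS):
        statements.append({
            "purposes": {local(p.tag): p.get("required", "always")
                         for p in st.findall("p:PURPOSE/*", NS)},
            "recipients": [local(r.tag) for r in st.findall("p:RECIPIENT/*", NS)],
            "retention": [local(r.tag) for r in st.findall("p:RETENTION/*", NS)],
            "data": [d.get("ref") for d in st.findall("p:DATA-GROUP/p:DATA", NS)],
        })
    return {
        "name": policy.get("name"),
        "urls": {"discuri": policy.get("discuri"), "opturi": policy.get("opturi")},
        "entity": entity,
        "access": access,
        "disputes": disputes,
        "statements": statements,
    }


def missing_components(parsed):
    """List the components from the post that a parsed policy lacks (constructed check)."""
    missing = []
    if not parsed["urls"]["discuri"]:
        missing.append("policy URL (discuri)")
    if "#business.name" not in parsed["entity"]:
        missing.append("organization information (ENTITY)")
    if not parsed["access"]:
        missing.append("PII access (ACCESS)")
    if not parsed["disputes"]:
        missing.append("dispute resolution (DISPUTES)")
    if not parsed["statements"]:
        missing.append("policy statements (STATEMENT)")
    return missing


if __name__ == "__main__":
    parsed = parse_p3p(SAMPLE_POLICY)
    for key, value in parsed.items():
        print(f"{key}: {value}")
    print("missing:", missing_components(parsed) or "none")
```

Running the script prints each component of the constructed policy and reports that nothing is missing; feeding it a bare `<POLICY name="x"/>` reports every component as absent, which is the kind of gap a reviewer would flag before a policy is published in P3P form.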

Another way to classify the components of a privacy policy is outlined below.

  • Notice – Companies should provide consumers with clear, conspicuous notice that accurately describes their information practices.
  • Consumer Choice – Companies should provide consumers with the opportunity to decide (in the form of opting out) whether the company may disclose personal information to unaffiliated third parties.
  • Access and Correction – Companies should provide consumers with the opportunity to access and correct personal information collected about the consumer.
  • Security – Companies must adopt reasonable security measures in order to protect the privacy of personal information. Possible security measures include: administrative security, physical security and technical security.
  • Enforcement – Companies should have systems through which they can enforce the privacy policy. This may be managed by the company, or an independent third party to ensure compliance. Examples include BBBOnLine and TRUSTe.

Consumer’s Point of View

From a consumer’s point of view, the mere fact that a website has a privacy policy does not guarantee the security of personal information. No privacy policy can definitively ensure the security of your information, or bind a company to those specific practices; however, some policies are better than others. A privacy policy should give the consumer a sense of transparency about the company.

Some important things a consumer should consider when evaluating a privacy policy include:

  • What personal information is being collected?
  • How will your personal information be used?
  • How will your personal information be stored?
  • Are there security measures protecting your personal information?
  • How long will your personal information be kept by the company?
  • Will your personal information be shared with others?
  • How can you contact the company?


This article takes a look at the importance of enterprise privacy policies and privacy programs. While policies alone cannot prevent data breaches or misuse of personal information, they are a good step toward ensuring transparency and privacy-friendly practices. A privacy policy should contain the following key components: notice; consumer choice; access and correction; security; and enforcement. The article also lists some considerations consumers should weigh when assessing the reliability of a company’s privacy policy.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Personally Identifiable Information (PII) (I.A.a.)
  • Consumer privacy concerns (II.A.a.)
  • Organizational privacy practices (II.A.b.)
  • Prominent notice and opt-in consent (II.B.b.)
  • Privacy mechanisms – privacy by policy (III.A.)
