We’ll start this post with a warning. And several key points.
I am not a lawyer and don’t profess to be one, I suggest contacting a lawyer before making any decisions based on this information.
I am in Australia. I have no idea how this will affect designers in the US, UK or anywhere else in the world.
With that out of the way…..

As a webmaster(and in many cases) a web designer, you have a responsibility to your site users. In regards to their privacy and information.
The 3 main areas of this are Disclosure, Security, Legality.

Disclosure
Simply put, tell people what you are doing with their information. Simply, this can be done with a privacy policy. Any business that collects personal information has an obligation to disclose what information they maintain or gather and how it is stored and shared with who.
This applies to many web designers using systems such as pre-built shopping carts and blogging or cms systems.
Many shopping carts automatically store a users details when a purchase is made.
For many people this would include shipping details, contact numbers. My personal address.
A single purchased book or painting, or swimsuit does not give you the automatic right to store someone’s details indefinitely. Or to use them to sell to others or to contact them again.

A sample privacy policy is written below, this is one I have written for a client previously. It covers some basic points including the capture of their information and that some of this information may be personally identifying. It also references web traffic, which will for many of you reside on a server outside of Australia. On a cheap hosting package overseas, is your customers’ data secure?

Privacy Policy
<BUSINESS NAME>, like other companies operating in Australia, is bound by the National Privacy Principles as set out in the Privacy Act 1988 (Cth) and the Privacy Amendment (Private Sector) Act 2000 Our collection, use and disclosure of personal information is set out below:

What Information does <BUSINESS NAME> Collect:

<BUSINESS NAME> collects two types of information from you.

Personally identifiable information supplied by you during a purchase, this includes but is not limited to your name, address, telephone number, email address, size purchased, gender etc.
This information is never sold, offered or shared with any third parties. <BUSINESS NAME> uses this information in order to provide a sales service to you. It may also use this information to contact you in regards to limited offers, promotions and specials, you may contact us to opt out of receiving further contact regarding these promotions.

Non Personally Identifiable information gathered from our website, this includes but is not limited to pages visited, duration of stay, search terms and URI referalls and destinations.
This information is gathered and collected in order to maintain the website. This information is never given out, shared or sold to any third parties and remains the property of <BUSINESS NAME> and it’s partners.

Your information will be used by us in order to provide you with the service. It will also be used by us in any method which you would reasonably expect us to use your information, including but not limited to contacting you regarding your purchase, authorising returns, future purchases or discounts.

We will not use your information for any purpose other than the above unless we have your prior permission to do so or there are specified reasons relating to law and order or public safety.

We will take reasonable steps to ensure the safety of all information collected, ensuring limited access to our data and servers.
At any time you may contact us to request a copy of the information we have regarding you, sufficient proof of your identity will be required.

Contact Us
You may contact us via this website at any time, <BUSINESS NAME> is an Australian Business and only available during normal Australian business hours.

There is an obvious need to edit out and replace the <BUSINESS NAME>. Again, this is not provided by a lawyer, but it is a cursory Privacy Policy and is a reasonable starting point.

Security
Security is very important. This is your customers’ personal data and you have responsibilities to protect it.
This extends beyond the obvious. https security for payment details, secure password requirements, captcha based logins, traffic monitoring, password expiry.
Physical limited access to your server and data.
Have you considered the consequences of having your personal computer stolen? Do you save your passwords and logins for websites, including your webhost?
Could these saved logins be used to copy your entire customer database in minutes?
Conscious security steps you can and should take with your website. And this goes for clients as well as designers.

  1. Check for updates to any pre-built systems you use.
    You need to ensure security patches and fixes are applied as often as possible.
  2. Only store relevant data. If you are offering a postal service, consider only keeping details until dispatches are done.
  3. Secure your own passwords. Do not save passwords in your browser and use strong passwords (combinations of letters, numbers and punctuation)
  4. Implement a Captcha based login to prevent automated dictionary attacks to enter your system.
  5. Change passwords and limit access only to those who need it. Has your designer finished building your website? Change the password.
  6. Check your webhosts control panel. Disable any excess user accounts, disable features such as “Remote mySQL”, do not create files with the CHMOD 777.
  7. Ask your web designer/developer questions about SQL injection, input cleaning, .htaccess and https security, mod_rewrite, Register_Globals.
    Specifically if your website uses any PHP your designer should be able to answer these and explain how they are being used or prevented to protect your and your customers’ data.

These are not complete, but these tips will help keep you from doing anything completely dangerous and potentially stupid with yours or your clients data. Keeping in mind, that privacy breaches in Australia can result in fines, jail time or litigation.

Legality
You have legal obligations to protect and preserve peoples information. This includes supplying all information upon request and acknowledging requests to be removed from mailing lists etc.
Some points to consider that you may need to prepare for.

  1. Are you able to supply a privacy profile? This is a detailed account of all information you hold on someone. Invoices, web logs, user accounts and other information.
  2. Are you able to respond to requests for no further contact? If your business does not require an ongoing relationship you could be breaking the law by contacting someone who no longer wishes to hear from you. Selling a book to someone 12 years ago does not mean you may contact them monthly about your new book.
  3. Do you use opt in conditions for mailing lists? Are people able to unsubscribe?

There is a lot more that needs to be read and I strongly advise discussing this with your lawyer, business mentor or other informed representative.

Links
Federal Privacy Act
Commonwealth Privacy Act (direct link)
Australian Privacy Foundation

Spread the word: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • StumbleUpon
  • bodytext
  • del.icio.us
  • Facebook
  • Google
This entry was posted on Wednesday, May 14th, 2008 at 10:25 pm.
Categories: Articles, Spinning the Web.

No Comments, Comment or Ping

Reply to “Privacy and your Customers”