Does my web site collect information?
It is not surprising that quite a few web site owners claim they are collecting no information. However, that is rarely the case, even if they do not realize what data is collected. The simple reason is that servers are set up to log activity, if for nothing else than to track it for security purposes. So even if the web site is hosted and the owner has no use for the data, it is still collected and used by the host (who is defined as an agent of the owner).
The following questions help determine whether data is collected.
- Is an item ordered and paid for through a 3rd party payment processor that provides information about the person making the transaction?
- Do any pages contain forms?
- Do any hrefs have a querystring attached (a ? followed by a string)?
- Is an image or JavaScript file retrieved from another domain as a page loads (src attribute is set to another domain), where you can obtain the data?
- Does any VBScript or JavaScript reference another domain in the code?
- Does the web site set a cookie?
- Does the web site use a session object?
- Does the web site have a database?
- Does the web site obtain information from the referer page when an individual enters the web site (such as ad number, search term, or previous page)?
- Does the web site receive information from objects such as images/JavaScript while individuals browse another domain?
- Do other web sites reference your web site using a querystring or form post?
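A small audit covering several of the questions above (forms, querystring links, objects loaded from another domain, and session versus persistent cookies), added here as an example and not part of the original page. The host site.com, the sample markup and the cookie values are constructed, and Max-Age is treated as an expiration alongside Expires.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class CollectionAudit(HTMLParser):
    """Records markup that answers 'yes' to the data-collection questions."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.forms = 0
        self.querystring_links = []
        self.third_party_src = []

    def _is_foreign(self, url):
        # Relative URLs have no hostname and therefore stay on our own domain.
        host = (urlsplit(url).hostname or "").lower()
        return bool(host) and host != self.own_host and not host.endswith("." + self.own_host)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self.forms += 1
        if tag == "a" and urlsplit(attr.get("href") or "").query:
            self.querystring_links.append(attr["href"])
        if tag in ("img", "script") and self._is_foreign(attr.get("src") or ""):
            self.third_party_src.append(attr["src"])

def cookie_kind(set_cookie_value):
    """Return 'persistent' if the cookie has Expires or Max-Age, else 'session'."""
    attrs = [p.split("=", 1)[0].strip().lower() for p in set_cookie_value.split(";")[1:]]
    return "persistent" if "expires" in attrs or "max-age" in attrs else "session"

def audit(html, set_cookie_values, own_host):
    parser = CollectionAudit(own_host)
    parser.feed(html)
    parser.close()
    return {"forms": parser.forms, "querystring_links": parser.querystring_links,
            "third_party_src": parser.third_party_src,
            "cookies": [cookie_kind(v) for v in set_cookie_values]}

# Constructed sample input: one page body and its Set-Cookie header values.
SAMPLE_HTML = """
<a href="/products?ad=17">Products</a> <a href="/about">About</a>
<form action="/signup" method="post"><input name="email"></form>
<img src="/logo.png"> <img src="https://tracker.example.net/pixel.gif">
<script src="//cdn.example.org/lib.js"></script>
"""
SAMPLE_COOKIES = ["sid=abc123; Path=/", "pref=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT"]
```

Calling audit(SAMPLE_HTML, SAMPLE_COOKIES, "site.com") returns the findings as a dictionary. Server logs, databases and referer handling are server-side and cannot be seen from the markup, so they still need to be checked separately.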
Organization information.
Organization information is data that describes the web site owner or entity.
The Domain name must be in the format http://site.com or https://site.com.
The policy must contain enough information to allow individuals to contact the organization about privacy issues. The 3 methods are email, mail and telephone.
The information you supply will appear in the Xml policy and the Html policy.
Disputes and remedy element.
A dispute is a complaint by a web site visitor against the organization regarding how data is collected and used.
Remedies are the actions the organization will take to fix the dispute.
The method of handling the dispute is contained in the policy as well as the Url to do it.
Some web sites may pay an independent monitor to handle privacy disputes and allow customers to view a certificate supplied by the monitor. A good example of an independent monitor is TRUSTe.
What does profile and tailor mean?
Profiling and tailoring are terms related to the purpose of data collection.
Tailoring is changing the design of the site or the content based on previous information collected from the individual or from the browser. In P3P terms tailoring is limited to information collected over one visit.
Profiling is modifying content or design using information collected from an individual over more than one visit. If the information is used without combining it with identifying information then it is 'fictitious' or 'pseudo-anonymous' profiling. If combined with identifying information then it becomes 'individual' profiling.
Recipient element.
Recipients are entities receiving the collected information. They may receive it by you allowing them to place objects (such as scripts or images) on your web site, through a querystring embedded in a link, or by you allowing them access using server-side technologies.
Some examples of sharing data with other recipients include:
- Transmitting customer data as part of an order-fulfillment or billing process
- Leasing or selling mailing lists
- Placing personal information in URIs when redirecting requests to a third party
- Placing personal information in URIs which link to a third party
The first selection under recipients (Ours) should apply to all data collected since it is information that would be collected for use by the web site. The rest of the selections deal with how accountable the other entities with whom you share information are to your organization and how well you know their privacy practices.
Public forums are a special case of recipients because the information is posted to anyone viewing the web site. For this reason you cannot determine how long someone will keep the information so retention will be indefinite.
Purpose element.
Admin and Develop: Almost 100% of web sites will select that data is collected for 1) web site administration and 2) research and development. The reason is that these are the two primary purposes for collecting server access logs and for collecting information in general.
Current: If information is collected using forms then most likely 'collecting data to complete an activity' should also apply.
Tailoring, Pseudo-Analysis, Pseudo-Decision, Individual-Analysis and Individual-Decision: Tailoring and Profiling apply if you are changing what the individual sees depending on information collected.
Contact and Telemarketing: Applies if you contact the individual for any reason other than to answer a question they asked.
Historical: Historical purposes are expected to apply to very few web sites since this purpose is for research of social history.
Definitions.
Url or Uri: A Uniform Resource Identifier used to locate Web resources. The form is http://website.com or https://website.com.
Xml Policy: Extensible Markup Language (Xml) describes a class of objects called documents that can be read by special programs able to parse the language. The privacy policy comprises an Xml document that can be read by the browser to determine how the web site will treat data collected.
Compact Policy: A special privacy policy that summarizes the practices of the web site using tokens to represent each element. The summary is loaded in the browser using the Http Response Header.
Session Cookie: A cookie that is removed as soon as the browser is closed.
Persistent Cookie: A cookie that remains on the hard drive after the browser is closed by using an expiration date.
Identifying Information: Data that could reasonably provide the identity of an individual and consists of Name, Address, Email Address, Phone Number, Financial Information, Government Issued Identifiers, and IP address. It is frequently labeled PII or personally identifying information.
Opt-In: The individual requests an action to be taken. An example is requesting to be added to a mailing list by selecting a checkbox that was previously unselected.
Opt-Out: The individual requests an action not be taken. An example is requesting not to be added to a mailing list by deselecting a checkbox that was selected by default.
Where can I find out about compact policies?
The Compact Privacy Policy website contains information about how the compact policy works and a validator to help you find out if your policy is working.