Privacy Policy Recommendations


                                  Privacy Policies:
                         Summary of Best Practices

   I. Summary of Relevant Best Practices

             Most statistical research regarding consumer attitudes toward online
   privacy was completed before the beginning of the new millennium. The results
   are what you might expect: the Federal Trade Commission in 1999 reported that
   92 percent of consumers are concerned about the misuse of their personal
   information online, and 76 percent fear privacy intrusions on the Internet. 1 Data
   further suggested that there would be $18 billion in lost e-commerce revenue by
   2002 because of privacy concerns. 2 However, this research was conducted during
   a different era of online privacy. The main concern then was tracking cookies
   embedded deep in the code of a webpage; they acted like a sponge on the sea
   floor, passively but completely absorbing intimate details from oblivious users.
   The user information was then compiled and usually sold to the highest bidder. 3
   Today, however, the issue is control over information that is voluntarily and
   actively shared by users. See, for instance, the recent uptick in news and
   commentary about the evolution of Facebook privacy controls. 4 Consumers
   increasingly expect fine-tuned and nuanced control over the information they
   share online, 5 and that expectation should factor into any privacy policy analysis
   as an overarching principle.

   1   Federal Trade Commission, SELF-REGULATION AND PRIVACY ONLINE: A REPORT TO CONGRESS, July
   1999 [hereinafter “1999 FTC Report”]. Available online at http://www.ftc.gov/os/1999/07/privacy99.pdf.
   2   1999 FTC Report, supra.
   3   Grant Gross, Privacy Groups File FTC Complaint on Behavioral Advertising, PCWorld, April 8, 2010
   (“Online advertising platform providers are able to sell user data in real time, then the bidder can add its
   own data about the user . . .”). Available online at
   http://www.pcworld.com/article/193789/privacy_groups_file_ftc_complaint_on_behavioral_advertising.html.
   4   See Jenna Wortham, Facebook Glitch Brings New Privacy Worries, THE NEW YORK TIMES, May
   5, 2010. Available online at http://www.nytimes.com/2010/05/06/technology/internet/06facebook.html.

                                                                                                                  1 of 7
Privacy Policy Memo                                                                         2 of 7
             Since the late 1990s, the Federal Trade Commission has held a series of
   forums, roundtables, and hearings on the topic of consumer privacy online. In
   1998, the Commission released a key report that highlighted four guiding
   principles in crafting privacy policies: notice, choice, access, and security. 6 These
   principles are not new to government policy; instead, they stem from a meta-
   analysis of a variety of seminal governmental reports and non-governmental
   information privacy codes, both foreign and domestic. The principles were first
   summarized in this form by a U.S. Department of Health, Education, and Welfare
   report in 1973 7, and have been incorporated into privacy policy doctrine by the
   Trade Commission in 1998 8 and 2001 9. The remainder of this section explains in
   detail the Commission’s fair information principles outlined above.
                a. Notice
             Notice requires organizations to disclose their privacy practices to
   consumers before any information is actually collected. 10 The Commission
   expects privacy policies to be binding and enforceable: organizations must
   comply with their privacy policies such that they refrain from using personal
   information in any way that is not explicitly mentioned. 11 Notice is the most
   essential principle expounded by the Commission: without it, the other principles
   are rendered ineffective because consumers lose the ability to make an informed
   decision about precisely how their information is used. 12

   5   Barbara Ortutay, Study finds young do care about online privacy, THE ASSOCIATED PRESS, April
   15, 2010. Available online at http://www.msnbc.msn.com/id/36561309.
   6   See, generally, Federal Trade Commission, SELF-REGULATION AND PRIVACY ONLINE: A REPORT TO
   CONGRESS, June 1998 [hereinafter “1998 FTC report”]. Available online at
   http://www.ftc.gov/reports/privacy3/priv-23a.pdf.
   7   Department of Health, Education, and Welfare, RECORDS, COMPUTERS AND THE RIGHTS OF
   CITIZENS, July 1973. Available online at http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembers.htm.
   8   1998 FTC report, supra, at n. 1.
   9   Federal Trade Commission, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC
   MARKETPLACE, May 2000. Available online at http://www.ftc.gov/reports/privacy2000/privacy2000.pdf.
   10  In practice, it occasionally may not be possible to notify the user first: many third-party
   analytics applications collect usage information before a user could view the privacy policy. The
   FTC has not yet addressed this issue.

10/14/10
              Notice requires a laundry list of disclosures to users about the data and the
   entities that collect it. Here are the relevant inquiries as laid out by the
   Commission in its 1998 report:
              •   Who is collecting the data?
              •   What data is collected?
              •   How is the data being collected?
              •   What is the collected data being used for?
              •   Is any third-party receiving the collected data?
              •   What happens if the user chooses not to provide the requested data?
              In order for notices to be effective, the policy document or other relevant
   information must be placed in a clear and conspicuous manner in a prominent
   location on both the home page of the website as well as any other page where
   information is collected. 13 The document should be clear in identifying the
   purposes for which data are to be used. While the organization is free to make
   later changes, such freedom also implies that the changes are not arbitrary or
   incompatible with the original purpose. 14 If changes create inconsistent policies
   that are applied to the original document, it may undermine consumer
   confidence in the rest of the policy. 15



   11   OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980),
   para. 10.

   12   1998 FTC report, pg. 7.
   13   OECD Guidelines, para. 9.
   14   OECD Guidelines, Explanatory Memorandum, para. 54.
   15   FTC 2000 Report, pg. 26.



              Changes to a privacy policy are considered unfair and deceptive by the
   Commission when they are retroactively applied to data collected under previous
   policies without notification to users, or when they are made without notification
   in violation of a promise to notify. 16 In In re Gateway Learning, Gateway Learning,
   the organization that created Hooked on Phonics, changed its privacy policy to
   allow it to communicate user information to third parties for marketing
   purposes. Because it applied the new policy to preexisting data collected under
   the old policy without notifying those users, the Commission ruled that Gateway
   Learning’s actions were unfair. Organizations are required to notify users of both
   the existence and the content of material changes to the policy before it can be
   applied to data collected under the earlier policy.
                b. Choice
              Choice means giving consumers options about how their information is
   used. 17 When data is collected from users by primary means, such as a form field,
   it is generally quite easy to object to the collection by merely refusing to provide
   the information (with the exception being tracking cookies, which are much more
   clandestine than forms). An issue, though, exists for secondary data usage and
   collection, whereby information is used for a purpose other than what it was
   originally collected for. This often arises in the context of sharing information to
   third-parties for marketing purposes; in fact, the Europeans have gone as far as
   defining a standalone right to object to third-party marketing in their privacy
   policy directive. 18




   16   In re Gateway Learning Corp., 138 F.T.C. 443, File No. 042-3047 (2004); FTC 2000 Report, pg. 26.
   17   1998 FTC Report, pg. 8-9.
   18  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection
   of individuals with regard to the processing of personal data and on the free movement of such data
   [hereinafter “EU Policy”], art. 14. Available online at
   http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML.


           The Trade Commission outlines three different models for consent over
   data usage: opt-in, opt-out, and “nuanced control.” 19 With opt-in, the user
   affirmatively grants permission to an organization to use their information for a
   secondary purpose. Opt-out is the reverse: the user must affirmatively tell the
   organization that they do not want their information to be shared.
           As of the key 1998 FTC report, the Commission did not explain which
   consent regime is preferred. Instead, they reference a U.S. Department of
   Commerce report in a footnote that suggests that the selection of regime should
   be based on the “sensitivity” of the information, such that opt-in is required
   before collecting organizations can use sensitive information for a secondary
   purpose. 20 The Commission never defines “sensitive information” in the triad of
   reports on fair information use. However, they do describe it in the context of
   online behavioral advertising, which shares the same issue of secondary sharing.
   In a 2009 staff report, the Commission defines sensitive information as
   information about children and adolescents, medical information, financial
   information and account numbers, Social Security numbers, sexual orientation
   information, government-issued identifiers, and precise geographic location. 21
           Another important concern raised in the 2000 report is the prevalence of
   organizations that ambiguously call their policy opt-in when it is really opt-out.
   For instance, it is not an opt-in regime when users are considered to have opted
   in as soon as they provide information requested by the collecting organization.
   Furthermore, pre-filled checkboxes buried at the bottom of the page that allow
   third-party marketing communications also do not count as opt-in. Consumers
   may mistakenly assume that their information will not be shared because they
   were told that they did not need to do anything to prevent the further use of
   information, when in reality, the pre-filled checkbox missed by the user signs
   away all privacy rights in the data.

   19  As of the 1999 FTC Report, the Commission had not yet provided a name for non-binary consent
   options. They only mention that there are “possibilities to move beyond the opt-in/opt-out paradigm.” This
   is an extrapolation of that idea.
   20  U.S. Department of Commerce, SAFEGUARDING TELECOMMUNICATIONS-RELATED PERSONAL
   INFORMATION, October 1995. Available online at http://www.ntia.doc.gov/ntiahome/privwhitepaper.html#CONSENT.
   21  Federal Trade Commission Staff Report, Self-Regulatory Principles For Online Behavioral Advertising,
   February 2009, pg. 42. Available online at www.ftc.gov/os/2009/02/P085400behavadreport.pdf.

              The 1998 Commission report also suggests the use of consent controls that
   extend beyond limited opt-in or opt-out regimes. The shortcoming of these
   methods is that they merely let the user assert whether they want to allow
   secondary uses or not; they generally cannot permit secondary uses in some
   cases and contexts but not in others. In many ways, the nuanced approach is
   something between the opt-in/opt-out methods and a case-by-case analysis. This
   method is currently used by a variety of social networking sites that use a social
   graph to control access throughout a database of content. 22 Currently, the Trade
   Commission has not yet passed judgment on these models. Europe, though,
   seems to be getting more conservative on privacy, and is currently advocating a
   full opt-in model for all user content and interactions on social media. 23
                c. Access
              Access refers to an individual's ability both to access data about him or
   herself -- i.e., to view the data in an entity's files -- and to contest that data's
   accuracy and completeness. 24 User access to information should be incorporated
   as a routine and regular part of organizational data management. 25 That is, it
   should not require a complicated procedure or legal process for users to be able
   to see, correct, and challenge information that is stored about them.
              In order to minimize the burden of data access requirements on
   corporations, the Trade Commission recently empanelled the Advisory
   Committee on Online Access and Security. The Committee’s main task was to
   agree on a definition for “reasonable access.” There was significant disagreement,
   and instead of reconciling differences, the Commission merely blessed all of the
   approaches that emerged. The two most viable options are the “access for
   correction” approach and the “default to consumer access” approach.

   22  Facebook, for instance, has a very nuanced consent system. Unfortunately, it comes close to being a
   case-by-case analysis, and makes for a very overwhelming sea of selections for an end-user. See, for example,
   http://graphics8.nytimes.com/packages/images/newsgraphics/2010/0512-facebook/gif1.jpg
   23  http://www.crn.com/security/224701767;jsessionid=IFTGK15GBXBODQE1GHRSKH4ATMY32JVN
   24  1998 FTC Report, pg. 9.
   25  OECD, Explanatory Memo, para. 59.

              The absolute minimum definition of reasonable access is the “access for
   correction” approach outlined in the 2001 report. Users would be granted access
   to information only when it is used to grant or deny significant benefits to the
   user. Examples are “credit reports, financial qualifications, and medical records.”
              A potentially better option is the “default to consumer access” approach,
   whereby users could access information that is also normally retrieved by the
   organization. This follows the “unreasonably burdensome” approach; therefore,
   the organization would not have to create new database tables, nor would it have
   to disclose information that it does not possess and retrieve itself.
              Data access protocols are not only required of the primary data collection
   organization, but also apply to any third-party agent or partner that information
   is shared with. 26 Therefore, users have both the right to access data stored by the
   original organization as well as any organization that has received the
   information or used it for a secondary purpose.




   26   2000 FTC Report, pg. 31.