Privacy Policy
A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client’s data. Personal information can be anything that can be used to identify an individual, such as name, address, date of birth, marital status, contact information, identification details and expiry dates, financial records, credit information, medical history, travel history, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares how it collects, stores, and releases personal information. It informs the client what specific information is collected and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment of information handling, as opposed to data use statements, which tend to be more detailed and specific.
The exact contents of a privacy policy depend on the applicable law and may need to address requirements across geographical boundaries and legal jurisdictions. Most countries have their own legislation and guidelines on who is covered, what information can be collected, and what it can be used for. In general, data protection laws in Europe cover both the private and public sectors. These laws apply not only to government operations but also to private enterprises and commercial transactions.
California law (CalOPPA) mandates that websites collecting personally identifiable information from California residents must conspicuously post their privacy policy.
In 1968, the Council of Europe began to study the effects of technology on human rights, recognizing the new threats posed by computer technology that could link and transmit information in ways not widely available before. In 1969, the Organisation for Economic Co-operation and Development (OECD) began to examine the implications of personal information leaving the country. This led the council to recommend that policy be developed to protect personal data held by both the private and public sectors, leading to Convention 108. In 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was introduced. One of the first privacy laws ever enacted was the Swedish Data Act in 1973, followed by the West German Data Protection Act in 1977 and the French Law on Informatics, Data Banks and Freedoms in 1978.
In the United States, concern over privacy policy, starting around the late 1960s and 1970s, led to the passage of the Fair Credit Reporting Act. Although this act was not designed to be a privacy law, it gave consumers the opportunity to examine their credit files and correct errors, and it placed restrictions on the use of information in credit records. Several congressional study groups in the late 1960s examined the growing ease with which automated personal information could be gathered and matched with other information. One such group was an advisory committee of the United States Department of Health and Human Services, which in 1973 drafted a code of principles called the Fair Information Practices. The work of the advisory committee led to the Privacy Act in 1974. The United States signed the OECD guidelines in 1980.
In Canada, a Privacy Commissioner of Canada was established under the Canadian Human Rights Act in 1977. In 1982, the appointment of a Privacy Commissioner was part of the new Privacy Act. Canada signed the OECD guidelines in 1984.