10 User Privacy Considerations for Your Website
In designing your website, consider not only the content, functionality, web marketing, and user experience, but also these 10 privacy concerns:
- Collect only those personal data that are absolutely necessary to run your business. Convey exactly what personal information is collected and why.
- Explain how personal information is collected – via forms (e.g., registration), automated collection (e.g., “we capture your IP address and device characteristics”), or cookies (e.g., “we install cookies to remember your cart”).
- Reassure users that you do not sell or provide personal data to third parties, if that is the case (if not, disclose exactly what you provide and to whom, and how to opt out).
- When a feature or setting can offer varying degrees of privacy, make the one preserving the most privacy the default.
- Provide a clear way for users to request deletion or correction of personal data.
- Provide users easy access to their data.
- Explain for how long the personal data are retained.
2. Enforce strict authentication
Nothing can shatter a user’s faith in privacy more than compromised login credentials or a data breach. To minimize the probability of account piracy or identity theft, we suggest the following:
- Ensure your registration enforces creation of strong passwords.
- Offer two-factor authentication. In addition to the password, each login then requires a second authentication step. A popular one is to text a one-time code that the user must enter. This technique makes it vastly more difficult to hijack an account.
- Ensure that personal data are safeguarded through state-of-the-art data security (see next item).
3. Data security
Users want the reassurance that their user data will not be compromised. Sample measures include:
- Secure your server: if you use a hosting company, refer to its security provisions, such as attack prevention, firewalls, physical security, data redundancy, backup and recovery, and upgrades.
- Safeguard sensitive personal data; e.g., encrypt sensitive fields, such as social security numbers, birth date, address, or credit card numbers. Consider encrypting comments and contact messages.
- Safely dispose of personal data when no longer needed.
- Be sure your site uses the HTTPS protocol and has a valid SSL certificate to enable encryption of data in transit.
4. Honest communication
Privacy is enhanced with transparency and honesty, particularly in two areas:
- In describing product or service features that are privacy-related. (For example, recently, a video conferencing website falsely claimed “end-to-end” encryption, which was revealed when there was a significant compromise.)
- If there is a privacy breach, admit it and convey the measures you will take to minimize the pain (e.g., pay for identity theft insurance) and prevent recurrence.
5. Disclose business relationships
6. U.S. sites’ children’s privacy
In the US, if you know children use your website, then be sure to comply with COPPA with respect to the collection, use, or disclosure of personal information from children.
7. Industry-specific requirements compliance
Your industry or your state/country may have its own privacy regulations. For example, US financial institutions are governed by Gramm-Leach-Bliley regulations; US healthcare organizations, by HIPAA.
8. Sites offering products and services in European Union (EU) countries
The EU requires compliance with GDPR stipulations. Key provisions are that persons on whom data are collected have privacy rights, including:
- Know what, how, and why data are collected and used
- Have access to their personal data and ability to port it
- Have a procedure for making corrections or deletions
- Can dispute or suspend data collection
- Can opt out of automated decision-making or profiling
9. Sites offering products and services in California
They must comply with CCPA, whose major provisions include the following rights:
- Request a copy of personal data collected
- Prevent the sale of personal data
- Request that personal data be deleted
- Gain special protections for children
10. Sites that transfer data from the European Union or Switzerland to the US
Such sites may need to comply with Privacy Shield, a framework for “data protection requirements when transferring personal data from the European Union and Switzerland to the United States.”
When designing your website, we suggest you consider these privacy-protective measures as integral to your website design on par with content, functionality design, web marketing, and the user experience. Also know the privacy regulations that govern your industry or location.
Disclaimer: Nothing in this post should be construed as legal advice, but rather as general educational information. Consult your lawyer for guidance specific to your needs.