Privacy and cookies policy (social networking)
A website privacy and cookies policy can have more than one purpose. From a lawyer's perspective, the primary concern is compliance with the disclosure requirements of data protection legislation, such as the Data Protection Act 1998. However, there are also marketing and user relations aspects to the formulation of a policy.
Users expect website privacy policies and practices to be fair. For some users, unfair policies and practices may be enough to turn them away from a website or service. This is particularly true in the case of social networking websites and services, which process lots of personal information. This privacy and cookies policy template has been created with social networking websites specifically in mind. It is an adapted version of our standard privacy and cookies policy template, and contains many of the same provisions.
The template is divided into three sections. The first covers disclosures relating to personal data; the second covers cookie-related disclosures; and the third covers disclosures relating to the identity of the website operator.
The key provisions of the section covering personal data disclosures are as follows.
Collection: what personal data are collected by the website? Typically, social network operators will collect, store and process usage data, profile information, information submitted in the course of using website services such as friendship data and private messaging data, and information imported from third party services such as Facebook and LinkedIn.
Use: for what purposes will the personal data be used? In addition to the obvious purposes such as enabling the operation of the website and the provision of website services, an operator may wish to use personal data for marketing and other potentially less-welcome activities. Where marketing activities require specific consent, a consent statement buried in the legal documentation will not be sufficient.
Disclosure: to whom may personal information collected through the website be disclosed? For instance, will it be disclosed to subcontractors, suppliers, professional advisors or other group companies? Personal information published on the website may, of course, be disclosed to the entire world.
Transfer: to which countries outside the EEA may personal data be transferred? The rationale for providing this information is that countries outside the EEA may not have data protection laws equivalent to those within. Again, however, consent to extra-EEA transfers (where required) cannot be obtained with a statement hidden away in a website's legal documentation.
Retention: for what period or periods will personal data be retained by the operator? Some information may be required for so long as the website continues to operate, while other information may quickly lose its usefulness.
Security: what security measures will the website operator put into place to protect users' personal information? Examples of security measures typically used on a website include: SSL/TLS encryption; firewall- and password-protected web servers and databases; and password-protected logins for users.
In addition to these "core" provisions, the section concerning personal data disclosures also covers amendments to the policy, data subjects' statutory rights and third party privacy policies.
The section concerning cookies is designed to aid compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as subsequently amended). In this section, the website operator should disclose information about the cookies used on the website, including analytics cookies and third party cookies. You will also need to consider how to comply with the consent requirements introduced into the 2003 Regulations in May 2011 and subject to enforcement from May 2012.
Privacy and cookies policy (social networking) contents
- Collecting personal information: personal information collected (social networking); disclosure of third party personal information.
- Using personal information: general uses of personal information; specific uses of personal information (social networking); publication of personal information on website; privacy settings; no third party direct marketing.
- Disclosing personal information: persons to whom personal information may be disclosed; disclosure to group companies; legal and regulatory disclosures; no other disclosures of personal information.
- International data transfers: transferring data to operating countries; transferring data outside the EEA; publication of personal data on internet; consent to international data transfers.
- Retaining personal information: data retention introduction; personal data retention default rule; personal data retention specific rules; personal data deletion exception.
- Security of personal information: personal data: technical and organisational security measures; personal information stored on secure servers; security of electronic financial transactions; data sent over internet is insecure; keeping password confidential.
- Amendments: amendment by publication; check for changes to policy; notification of changes to policy.
- Your rights: subject access requests; subject access: withholding personal information; no marketing instructions; consent to marketing communications.
- Third party websites: hyperlinks to third party websites; no responsibility for third party privacy policies.
- Updating information: correcting or updating personal information.
- About cookies: what are cookies?; persistent and session cookies; cookies and personal information; cookie tracking.
- Our cookies: types of cookies used; cookies used on website and purposes.
- Third party cookies: use of third party cookies; Google AdSense cookies; third party cookie details.
- Blocking cookies: how to block cookies; negative impact of blocking cookies; effects on website use of blocking cookies.
- Deleting cookies: how to delete cookies; effects of deleting cookies.
- Cookie preferences: managing cookie preferences.
- Data protection registration: registered with ICO; data protection registration number.
- Our details: website operator name; company registration details; place of business; contact information.