Monday, 17 August 2009

Not yer average privacy policy (& what about third party cookies / web beacons?)

Hot on the heels of starting a couple of new blogs (A Health Experience, A Human Experience) on topics not related to consumer technology in order to keep this blog more targeted, I decided I ought to revamp my privacy policy and extend it to all 3 blogs, and make the link much more prominent (see the right sidebar).

Here's my new privacy policy.

It's a bit tongue in cheek but hopefully more readable for non-techies and non-lawyers than most, and hopefully it's also accurately compliant with both English and US requirements.

If anyone thinks otherwise or has any other comments, please let me know.

In fact I think it's more compliant than most because I decided I needed to factor in the use of blog widgets, in my case MyBlogLog and Delicious tagometer, as well as Google AdSense, Google Analytics and Statcounter of course. And the use of Google / Blogger for search, and logging in for comments.

(With thanks to Out-Law's cookie laws and data protection guides, the ICO's privacy notices code of practice and privacy policy, and the EFF privacy policy - I figured if anyone has tight privacy policies, the ICO and EFF will!)

The third party widgets issue - cookies / web beacons

It's an interesting question how you can write a proper privacy policy or privacy notice for your blog or site when you include third party widgets / JavaScript which plant cookies or web beacons on your visitors' computers.

Your privacy policy needs to cover their cookies or web bugs. But - you can't control what their scripts do!

Some of them provide enough information about what info their widgets collect and what use they make of that information, but others don't, or don't do enough - e.g. Google AdSense is fine (except for being unclear about web beacons - do they or don't they?), but Yahoo only give info about MyBlogLog's Recent Readers widget, not the click tracking, and nothing at all about the Delicious Tagometer. For more details about this lack of clarity, see my new privacy policy. (If anyone from Google or Yahoo! is reading this, maybe you could get it looked at?)

If the third party widget provider doesn't give you, the blog owner, enough info about their data collection, all you can do is refer your visitors to the third party's own privacy policy. But if theirs is incomplete, who is responsible by law, who gets lumbered with the swingeing fine?

Hopefully it'll be them, the third party widgeteer, not you, the mere blog owner. But if you voluntarily chose to include their widgets on your blog, could you be held responsible?

Maybe the safest, lowest-risk approach would be simply not to include third party widgets from any site that doesn't properly explain its widgets' personal data collection and use, even though that would really limit the features on your blog.

I really don't know the answer to that. If enough bloggers ask Google, Yahoo etc to clarify their widget usage, maybe they will? We can but hope.


Anonymous said...

I must say that's the most entertaining privacy notice I've ever read. :)

Marcella Hughes said...

What are the boundaries for the third party cookies, where we consider the first party's data protection?