Privacy Policies for Municipal Web Sites
(from Maine Townsman, August/September 2001)
by Jeri Holt, Resource/Web Manager, MMA

If your municipality maintains a web site, you have a new obligation under the provisions of LD 1681, now PL 321, "An Act Relating to Personal Privacy and Governmental Information Practices." This new law adds to Title 1 MRSA by requiring that a "Privacy Policy" be developed and posted on municipal (among other) Internet sites: 

"Each public entity that has a publicly accessible site on the Internet associated with it shall develop a policy regarding its practices relating to personal information and shall post notice of those practices on its publicly accessible site on the Internet." 

The goal of the Blue Ribbon Commission to Establish a Comprehensive Internet Policy, the group that proposed this legislation, was to "improve citizen comfort with doing government business over the Internet." Furthermore, they wanted government sites to serve as "role model(s) for private websites."

Privacy policies are not yet widespread on e-commerce sites: only 25% have one, according to a study by an online privacy watchdog, enonymous.com. However, privacy policy links are now appearing on more and more e-commerce web sites. It is now considered "good policy" to have one on any commercial site in order to make the customer feel more secure when doing business online.

Enonymous.com also reports privacy policies on 14% of organization (.org) sites, 15% of network (.net) sites, and only 3% of education (.edu) sites. Of the government (.gov) sites, mostly federal, 69% had privacy policies posted. With this new law, Maine is following this trend by requiring the posting of these policies on government sites.

Privacy policies must reflect the services and structure of individual web sites. A municipal site that only posts meeting agendas and office hours will have a very different privacy policy than one that posts assessment records and collects taxes and parking tickets online. In the following section, since one policy will not fit all, I will try to give enough information and samples to allow municipalities to tailor their own policy language. Many of the samples will be taken from various State of Maine web sites. The following sample language is ONLY presented as a sample, not as wording to be used verbatim.

Just what is in a privacy policy?
The policy should include the following information, if appropriate: 1) notice of what information is collected, 2) who collects it, 3) the purpose for collecting it, 4) a choice about collection and the consequences if the information is not collected, 5) a note on access and/or security for the information collected, 6) notice of the change policy, and 7) contact information.

The notice of information collected can function as an introductory paragraph for the policy.

"Individuals who visit the ___ web site are important to us. Because visitors to our site are important, we do not capture personal information about them without their permission. We endeavor to collect only the minimum amount of information needed to meet the purposes for which the site was created."

If the "purposes for which the site was created" isn't clear, be sure to explain what you mean.

Public Disclosure:
Since this is a municipal government site and is subject to Maine's Freedom of Access Act specified in 1 MRSA Chapter 13, you will need a statement about public disclosure.

"All information collected on the State of Maine website will be treated the same as any written communication and is subject to the confidentiality and public disclosure provisions of 1 MRSA Chapter 13."

Privacy Statement:
A definition of personal information in this section will also allow the policy to cover the points about choice in whether to submit the information.

"'Personally identifiable information' is information about a person that is readily identifiable to that specific individual. It includes, for example, an individual's name, street address, e-mail address, or phone number."

Specify that you don't collect information, or if you do, tell what, how, and why.

"Personally identifiable information will not be collected unless you voluntarily send an e-mail message, fill out and send an online form, or fill out personal information and send in a survey. Your choice not to participate in these activities will not impair your ability to access certain information or obtain a service online."

Or from another state site:
"Your choice not to engage in these activities will not impair your ability to browse our Web site. However, it may impair your ability to utilize some of our online services."

If you do collect this information, tell them how it is stored and who has access.

"When personal information is stored by Maine Revenue Services, it is kept in a secure location where it is accessible only to authorized employees and agents of Maine Revenue Services."

E-Mail/Forms:
Also discuss e-mail and how it will be handled. E-mail is subject to any of the laws that pertain to written correspondence to a municipal office. Document retention schedules are set out in the rules on the disposition of local government records from the Maine State Archives, Department of the Secretary of State, at http://www.state.me.us/sos/arc/recmgmt/localgov/localatt.htm.

"E-mail messages, sent to any Maine State Government address, will be treated the same as any other written communication. They may be subject to public inspection or legal disclosure and may be saved for a period of time before they are destroyed. E-mail or other information requests sent to the state website may be maintained in order to respond to the request, forward that request to the appropriate agency, or to provide the web designer with valuable customer feedback to assist in improving the site." 

"E-mail addresses obtained as a result of a request to the state site will not be sold or given to private companies for marketing purposes."

If you do surveys or ask the visitor to fill in any forms online, tell them what you will do with that information. This could be similar to the e-mail section above, but this section on the State's page is also good to have as part of your policy.

"Any other information provided by a visitor at the request of an agency of Maine State Government, such as the completion and electronic filing of a form, will be considered to be voluntarily provided by the visitor and will be treated in the same manner as information provided in written form or in person during a visit to the agency. Information provided may be subject to public inspection and legal disclosure and may be saved for a period of time before it is destroyed. It may be shared with another state agency for appropriate action."

Statistics:
If your web host or ISP (Internet Service Provider) collects statistics on visitors to the site, you will need to discuss this information in your privacy policy. If you don't know, you will need to contact your site host or administrator and ask what is being collected and what is being done with it. The sample from the State's policy reproduced at the end of this article details common information that a server will/can collect.

Cookies:
Cookies are another area that needs to be discussed in a policy. If you don't use cookies, state that you don't. If you do, you will need to explain what a cookie is and how you use it to interact with people who access the site. The explanation of cookies from the State (reproduced at the end of this article) is a good model; note that it explains what they use cookies for and what the advantages are to the visitor in using them. If you don't offer services that need cookies, you won't need to talk about this aspect. Please check with your web host about cookies; some processes may use them without your really being aware of it. Before you write a policy, be sure you know what is going on in the background on your site so that you can be accurate.

Changes in Policy:
You should state the procedure to be followed if changes are made to this policy. Some policies state that notification of changes will be posted on the homepage thirty days before taking effect; some promise to post a notice that there have been changes for a certain time; others may just say that changes will be made to the policy at the discretion of the site owner. The following is a sample from an e-commerce site:

"We will post any substantive changes in this privacy policy at least 30 days prior to the change taking effect. Any information collected under this current policy will remain bound by the terms of this privacy policy. After the changes take effect, all new information collected, if any, will be subject to the revised privacy policy."

Contact:
Provide information about who to contact and a method of contact for anyone with questions about the policy. You can also use this as a method to allow people to inquire about and gain access to any of their own personal information.

"If you have questions about this policy, please contact [e-mail address] or call [name] at [telephone number] or write to [name & address]."

The State sites also have a legal disclaimer as part of their privacy policies. This shouldn't be part of a privacy policy, but you should have one on any site that you maintain. Check out the state sites or MMA's for a sample "Disclaimer." It should be linked prominently from the homepage and other appropriate pages.

Parting Advice:
A "Privacy Policy" can be as simple as saying that you don't collect any information, or it could be quite complicated depending on the types of activities and services offered on your site. The purpose of a policy is to allay fears and instill confidence in doing business on your site; so try to be as brief and clear as possible. Review it as activities change on the site and keep notifications of changes current. It is now a legal requirement to have a privacy policy on your municipal site, but as Martha Stewart would say, "It's [also] a good thing."

(from State policy regarding collecting visitors' statistics)

"We may collect some or all of the following information about visitors who view or download information from our websites:

Information: Definition
Date: Date the visit occurred.
Time: Time the visit occurred.
Client IP: Unique Internet Protocol (IP) address of the website visitor. The IP address recorded is normally that of the visitor's Internet service provider, e.g., aol.com if the visitor connects from an America Online account.
Server IP: Unique Internet Protocol (IP) address of the State of Maine web server accessed.
HTTP Status: Hyper Text Transfer Protocol (HTTP) error code. E.g., "404 Requested Page Not Found."
HTTP Request URL: Identifies the web page or file requested by the website visitor.
Bytes Sent: Amount of data sent from the web server to website visitor during that connection.
Bytes Received: Amount of data sent from website visitor to the web server.
User Agent: Type of web browser or other client software that made request to the web server.
Referrer: Uniform Resource Locator (URL) that referred to the requested file.
Protocol Version: Version of HTTP used by the visitor's web browser software.

The information we collect is used to improve the content of our web services and help us understand how people are using our services. We analyze our website logs to continually improve the value of the materials available on our site.

The information in our website logs is not personally identifiable, and we make no attempt to link it with the individuals that browse our website.

Some of this statistical information, such as a running count of the number of visitors, may be displayed on the website or shared with other state governments to aid in the provision of better service to the public."

(from State policy on "cookies")

"In order to better serve you, the user, we use cookies for certain types of online transactions. 

Cookies are small text files that a web server may ask your web browser to store, and to send back to the web server when needed. Cookies may be used to store a transaction identifier or other information a user may provide. We use cookies in the following ways:

Complex transactions: Cookies are used to store and retrieve unique transaction identifiers or other server-generated or user-provided information in complex, multi-page web applications. This allows us to distinguish between different users, and to use information provided at one stage of an application at a later time (for instance, items placed in a 'shopping cart' might need to be displayed on a later 'check-out' screen). When we use cookies in this way, the cookie is stored on your web browser only temporarily; the cookie is destroyed at the end of the transaction or at the end of the browser session. 

Customized Services: Cookies may also be used to automatically identify a particular user to the system, in order to provide a customized service, such as a personalized web page. In this case, a cookie containing a unique user identifier will be permanently stored on your web browser. We do not store sensitive information in such cookies; only a unique user identifier or generic preference values are stored. Personal information you give us for processing a transaction or using one of our personalization features, may be stored on our secure web server. 

We do not use cookies in order to track your visit to our website.

The "help" portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies or how to disable cookies altogether. However, cookies allow you to take full advantage of many of the Information Resource of Maine's eGovernment services, and we recommend that you set your web browser to accept cookies.

You can refuse the cookies or delete the cookie file from your computer by using any of the widely available methods."