From the September 2008 issue of Startups

Question: Some friends and I just launched a fairly successful social networking website, and we're starting to hear from advertisers. One of them wants access to our member database. I looked at our privacy policy, and it says we can't give out any of our members' information. Is there any way to fix this?

Answer: When it comes to privacy policies, many websites are faced with a Catch-22. Make it too restrictive, and you won't attract advertisers. Make it too liberal, and you'll scare away visitors. Here are some basic tips for staying out of trouble:

  1. Don't do it yourself or "borrow" from other websites. There are no boilerplate privacy policies. Tell your attorney what you want to accomplish and let him or her search the web for the right language.
  2. Make a precise list of all the information you collect from visitors.
  3. State clearly to whom visitor information will be disclosed. If you plan to sell customer data to advertisers, say that information will be disclosed to "our partners and affiliates."
  4. Give visitors the opportunity to exclude their information from disclosure, and tell them how. You might say, for example, to send an e-mail to privacy@whatever.com.
  5. If children under 13 are visiting your website, tell them they need a parent or guardian's consent (and provide the consent form for them). If you find out certain users are lying about their age, boot them off the site immediately.
  6. State clearly that you can change your privacy policy anytime without notifying subscribers via e-mail.
  7. Have your policy approved by Truste, a "Good Housekeeping Seal" for privacy policies. But be careful: They'll check your site periodically to make sure you're still following the rules.

Finally, check with your attorney at least once a year--and whenever you change your data collection forms--to see if your policy needs to be changed or updated.