Privacy Policy for User Comments

It is easy to overlook user comments when it comes to privacy practices. Since users often post comments through third party platforms (like Facebook) and submit the information voluntarily, there are few developers who realize privacy protection laws apply to these exchanges.

The laws protecting privacy generally apply to any entity that collects personal information, including that submitted through user comments. If you allow user comments, it is likely you need to have a Privacy Policy for your page. Even if you have one already, it is a good idea to review it and make sure it addresses user comments.

Protection of personal information

Most jurisdictions have passed laws protecting personal information. This is data that can be used to identify an individual online. Also called personally identifiable information, it includes but isn't limited to:

• Full names
• Email addresses
• Location information, including cities and shipping addresses
• Identifying numbers like social security and driver's license numbers
• Screen names

You must comply with these laws even if you only collect and share one type of personal information, such as email addresses or screen names.

Canada, Australia, the E.U., and the U.K. all have comprehensive privacy protection laws.
The U.S. does not have a federal law, but many states have their own laws. California, Delaware, and Nevada enacted online privacy protection acts and Illinois has one regarding location tracking.

One way these laws assure the protection of personal information is to require websites that collect this data to post a Privacy Policy. This serves as notice to consumers so they can review privacy practices before submitting data to a website or app.

Current laws are similar in their requirements for Privacy Policies. Every policy must include provisions describing:

• What data is collected
• How it is collected
• How (and why) it is used
• Any third parties who receive the information
• How the data is kept secure

Once you draft your Privacy Policy contents, you must also provide a clear link to it on your website and distribution platform for your app. Google Play and the Apple App Store require Privacy Policies before distributors are allowed to sell their apps. This helps protect them from legal liability.

Even if you operate from a jurisdiction without privacy laws, it is still advisable that you draft a Privacy Policy. If you transact business in the U.S., it is impossible to trade in some states and avoid others. Also, most websites and digital products are available freely throughout the world. There is a good chance that you will have users who live in jurisdictions with privacy protection laws.

Current privacy laws contain harsh penalties for noncompliance. Many website owners provide a Privacy Policy to err on the side of caution and be prepared for the possibility of stricter privacy laws.

Comments and personal information

Since user comments are voluntarily submitted, many developers fail to see commenting as collecting personal information. However, even when users willingly give information, you still have obligations to inform them that data becomes public and take measures to protect it.

User comments collect several types of personal information including names, email addresses, and even pictures. This places user comments firmly within the bounds of collecting personal information and makes website owners responsible for disclosing that fact and complying with legal requirements. That includes maintaining a Privacy Policy.

Other information that may be considered personal is IP addresses. Since this number is unique to each device connected to the Internet, it has the potential of identifying individual users. IP addresses can also reveal the general geographic location of a device and that also makes them a form of protected information.

Taking a look at a comment on the Wordpress platform reveals the amount of personal information involved in commented. In this example, the commenter's name, email address, and IP address is all known to the developer.

Basically, inviting and accepting user comments is enough to require a Privacy Policy for your website or app. If you already have a Privacy Policy available on your website, it needs to contain language that addresses these user comments.

Privacy Policy content

Unless you do not have a Privacy Policy, you do not need to start from scratch. You can address user comments and the personal information you collect from them in a few brief provisions. If user comments are a large part of your website, you may wish to give the issue a separate section in your policy.

Notice to users

Any Privacy Policy addressing user comments must first provide notice that these comments, and the information connected to them, are available to public view. Blogs and news sites are the most common online resources to require this notice.

This part is often included with the list of information collected by the website. It may also stand alone along with other policies affecting user comments.

The best way to start with this section is to explain that comments are publicly viewed and anything a user shares can be seen by others. Include a list of the information that could be released.

The New York Times allows comments on its news articles. It explains that when users disclose a screen name, image or email address, that information will be in public view.

This is true whether a user comments through Facebook or Google+ or responds directly to the story through the New York Times website.

The Washington Post takes a similar approach. It indicates in its Privacy Policy that it collects information provided to it. The paper also reserves the right to request additional information and offers users a link to its discussion and submission guidelines.

Many developers do not create and maintain their own discussion and comment forums. They often borrow the services of Facebook, Google, and Disqus so they do not have to request new profiles from users. Even then, the website owner is not excused from the responsibility of following privacy laws.

Third party comment managers

Disqus, Facebook, and Google offer plugins and free code so users can post comments to a website through those platforms. Even with the use of these resources, developers must still address comments in their Privacy Policies.

For example, YouTube uses Google profiles when it comes to user accounts and comments. It extends the same notice to users explaining that information in a Google profile can publicly identify a user.

This is nearly identical with Google's Privacy Policy. It also makes it clear that profile information may be publicly visible through Google+ but also any third party apps that use that profile information.

Disqus exists to allow users to comment on many websites without opening multiple profiles. It explains that using its service allows for tracking of comment patterns and social media use. There is also notice that usernames and email addresses are saved.

Facebook offers a comment plugin that allows users to comment on sites using their Facebook profile. The Privacy Policy explains that comments made using this plugin are public and others can trace profile information once the comment is posted.

Current privacy laws require that you provide notice to consumers any time you collect their personal information, including any data given to you voluntarily. That extends to user comments as well as the information users give to put together an account.

User comments may be the only way your website or app collects personal information. That is enough to require a Privacy Policy. Even if you have one drafted and posted online already, now is a good time to review it and make sure it addresses information shared through user comments.