The Internet enables website operators to collect, store, analyze, and distribute vast quantities of information about the site's users and visitors. Information can be accumulated either with or without the assistance and knowledge of the user. Indeed, most visitors may even be unaware of the data collection or the ease with which collected information can be analyzed and disseminated. The extent to which businesses collect and use personal information from visitors to their websites raises legal concerns regarding the privacy rights.

On May 15, 2000, the Federal Trade Commission (FTC) issued a final regulation governing the privacy of consumers' financial information. The regulation applies to a wide range of entities that come within the definition of "financial institution." The regulation becomes effective November 13, 2000, but full compliance will not be required until July 1, 2001.

The regulation requires financial institutions to give the following:

• Initial notice. Specifically, the institution is required to provide its customers with an initial notice that is clear, conspicuous, and accurate about its privacy policies and practices. The notice must describe the conditions under which a financial institution may disclose nonpublic personal information to nonaffiliated third parties as well as to affiliates.

• Annual notice. An institution must provide its customers with annual notices of its privacy policies and practices.

• Opportunity to opt out. An institution must provide its customers with a reasonable opportunity and means to "opt out" of disclosures of their nonpublic personal information to nonaffiliated third parties.

The FTC regulation applies only to financial institutions. The industry regulates itself with respect to privacy policies and nonfinancial institutions. Two private groups provide extensive voluntary regulation programs. TrustE (www.truste.org) and the Council of Better Business Bureaus (www.bbonline.org) provide:

• Sample privacy policies
• Assistance in drafting a privacy policy
• Registration for businesses that participate in their programs
• A dispute resolution process for participating businesses

What makes for a good privacy policy? Among other things it should be conspicuous, unambiguous, and written in plain, easy-to-understand English. It should also do the following:

• Offer the user an "opt-out" option.
• Provide the user with an effective mechanism to review any information collected about the user and correct mistakes.
• Employ effective security measures to prevent the unintended disclosure of collected information.
• Identify the personal information of the user that is being collected.
• Identify the collecting organization.
• State the purpose for which the information is collected.
• Identify any other parties, affiliated or nonaffiliated, that will receive the information.
• Inform the user if the information is being distributed, and if so, to whom.
• Inform the user of the choices he or she has regarding the collection, use, and distribution of the information.
• Incorporate the privacy policy into the terms and conditions of use.
• Identify the security procedures that are in place to protect the privacy of the information and prevent the loss, misuse, or alteration of information.
• Inform the user how to correct any inaccuracies regarding the information.