Privacy Policy
Guidelines
Purpose:
u1.net developed its privacy policy in accordance with these IAB guidelines.

The IAB, in furtherance of its mission to promote Internet Advertising and Commerce, seeks to establish guidelines for member organizations that set minimum acceptable standards for protecting the privacy of online users. These standards will serve as guidelines by which IAB member organizations can establish individual privacy policies while ensuring the privacy of users is uniformly protected.

Members of the IAB will be required to establish, post and conform to an online privacy policy. These policies will be designed to protect information that can be associated with an individual (personal identifiable information) in an online or electronic commerce environment. The policies, to conform to the IAB standards, will address the following elements.

  1. Adoption and Implementation of a Privacy Policy
  2. Notice and Disclosure
  3. Choice and Consent
  4. Data Quality and Access
  5. Limited Use
  6. Data Security
  7. Trans-border Data Flows

The specific member policies can be customized and enhanced as appropriate for each site's particular needs. However, with respect to the elements listed above, all policies will meet the minimum standards established by the IAB. These minimum standards are described below.

Adoption and Implementation of a Privacy Policy

An organization engaged in online activities or electronic commerce has a responsibility to adopt and implement a policy for protecting the privacy of personal identifiable information (PII). Organizations should also take steps to foster the adoption and implementation of effective online privacy policies by the organizations with which they interact, which includes sharing best practices with business partners and/or advertising customers. IAB members are required to undertake the following:

  • Post privacy policies prior to the collection of PII, as well as ensuring policies are provided to users at the time of collection of such information.
  • Organizations that do not currently have a privacy policy in place must develop a policy that is in compliance with these guidelines.
  • Develop and incorporate awareness programs to educate business partners and site visitors on privacy and the IAB Privacy Guidelines. For example, including a summary explanation of the IAB and its Privacy Guidelines within the privacy policy, in addition to providing a link to the IAB Web site and/or providing additional Frequently Asked Questions (FAQs) to further educate business partners and site visitors.
  • Take steps to ensure corporate privacy policy is consistent with online privacy statement.


Notice and Disclosure

An organization must provide a clear and conspicuous link to the privacy policy from the Web site home page and any page that collects PII. In addition, a link to the Privacy Statement should be clearly identifiable from the home page, i.e. first or second frame, and subsequently referenced as a link in the Web site footer throughout the Web site. On pages collecting PII, it is recommended that, prior to information collection, a brief notice of the purpose of collection is disclosed, including a link to the most relevant disclosure section of the privacy statement (e.g., Notice and Disclosure).

An organization must provide notification of when their privacy policy was last amended by posting an "as of" date at the top of the policy to reflect the last time it was changed.

The policy must state clearly:

  • What information is being collected and the purpose for this information collection
  • All of the methods of how this information is collected. For example, via a registration process, sweepstakes and/or a feedback form
  • The use of that information and how the organization will use the PII collected for future marketing to the individual
  • Possible third-party distribution of that information. In the event information is being disclosed to third parties, the policy should make reference to what information is disclosed, why this disclosure takes place, and the relationship of the organization to the third party
  • The choices available to an individual regarding collection, use and distribution of the collected information and how to exercise these choices
  • The consequences, if any, of an individual's refusal to provide information
  • What steps the organization takes to ensure data quality and access
  • A statement of the organization's commitment to data security
  • Whether the organization supplements the PII collected with their own data or information sourced from third parties, including the use of aggregated data. For example, the use of third party acquired demographic or marketing based data
  • What accountability mechanisms the organization uses. For example, measures such as internal or external reviews, or privacy audits that the organization takes to assure compliance with their privacy policy
  • How and whom to contact within the organization with privacy related questions or concerns
  • All sites using a third party ad server provide information regarding the privacy policy and practices of that third party ad server. This should be done via a link to that company's privacy policy that should adhere to the forthcoming Online Privacy Alliance (OPA) and Network Advertising Initiative (NAI) guidelines

Cookies and Log Files

The IAB member organization's privacy policy should make reference to the use of technologies such as cookies and log files, and explicitly state what this technology is, what information it collects and how this information is used by the organization. The policy should also provide site users with guidance on how they can opt-out of the use of this technology. If information such as click stream data is collected and it is to be associated with an individual's PII, this should be disclosed in the privacy policy. The organization should also take steps to educate site visitors about how this will occur and how they can opt-out.


Choice and Consent

Individuals must be given the opportunity to exercise choice regarding how PII collected from them online may be used. IAB members should provide users with the ability to opt-out of the following circumstances:

  • Where information is to be used for a purpose unrelated to that which the information was originally collected for
  • The collection of information, such as click stream data, that could be associated with their PII
  • The use of an individual's PII for future marketing initiatives
  • The sharing of an individual's PII with third parties

To ensure users the greatest flexibility, each site and/or IAB member organization that is gathering online information should offer the user the ability to disable a site's cookie or other information gathering system.

The IAB recognizes that certain information is especially sensitive and would encourage Web sites and online organizations with access to such sensitive information to get explicit approval from a user prior to the redistribution or use of this information. Sensitive information would include but not be limited to financial and medical information. Organizations must provide an "opt-in" to users in order to collect and/or redistribute sensitive information. In an effort to ensure appropriate use of e-mail for marketing purposes, the IAB would establish as a minimum standard an opt-in policy for the redistribution or use of e-mail addresses.

Recognizing the need to protect minors, IAB members must comply with the requirements set forth by the Children's Online Privacy Protection Act (COPPA). Organizations should adopt a minimum standard requiring parental consent before a Web site or organization knowingly collects, uses, or redistributes information gathered on or from a minor, that is, an individual under the age of 13. Organizations' privacy policies should make a statement about the organization's compliance with COPPA requirements.


Data Quality and Access

Organizations creating, maintaining, using or disseminating individually identifiable information should take reasonable steps to assure that the data are accurate, complete, relevant and timely for the purposes for which they are to be used.

Organizations should take reasonable steps to provide users with the appropriate processes or mechanisms to access PII they have provided to the Web site in order to correct inaccuracies in material information, such as account or contact information. In addition, these processes and mechanisms should be simple and easy to use, and provide assurance that inaccuracies have been corrected. These processes should be documented in the privacy policy.

Organizations should take other reasonable steps to assure the quality of the data collected. This includes obtaining it from reliable and reputable sources, providing reasonable and appropriate consumer access and correction mechanisms, and developing protections against accidental or unauthorized alteration.

Organizations should disclose within the policy the length of time for which PII will be stored. This timeframe should be long enough for individuals to access the information and make any necessary changes, while not so long that the information may no longer be valid or current. Information should not be retained when it is no longer being used.


Limited Use

Organizations' privacy policies must make reference to why PII is being collected, and how it will be used. The use of PII should be limited to the original purpose specified for its collection.

If information is to be used for a purpose not originally specified at the time of collection, or the use of the information changes over the course of time, individuals should be clearly notified of this. Individuals should also be provided with a clear and easy way to opt-out of this additional information use.

The organization's privacy policy should also make a statement in relation to the use and disclosure of information if it is required by law through a subpoena, search warrant or other legal process. In this instance, this disclosure may take place without the individual's consent.


Data Security

Organizations creating, maintaining, using or disseminating individually identifiable information should take appropriate measures to assure its reliability and should take reasonable precautions to protect it from loss, misuse or alteration. The organization should make use of industry standard security procedures, such as the use of Secure Sockets Layer (SSL) for the transmission of sensitive information. A disclosure to this effect should be made in their privacy policy.

Organizations should take reasonable steps to assure that third parties to which they transfer such information are aware of these security practices, and that the third parties also take reasonable precautions to protect any transferred information.


Trans-border Data Flows

Any organizations involved in the flow of PII with European-based countries should ensure they are in compliance with the Department of Commerce International Safe Harbor Principles. The IAB Privacy Guidelines have been developed in compliance with the principles; however, there are additional steps that the organization must take to ensure they are in compliance. Any organization that provides PII to third parties must verify that the third party is either governed by the European Directive, or is in compliance with the International Safe Harbor Principles and provides the same level of privacy protection as required by the principles.

These guidelines are not intended to apply to proprietary, publicly available or public record information, nor to supersede obligations imposed by statute, regulation or legal process.
