I care about my users. That's why I insist on having a privacy policy in the products I build.

What’s a privacy policy and why should I have one? Some web development checklists don’t even mention them!

By contrast, I find it interesting that other technicalities have escaped the realm of implementation details to become "mandates", such as SEO and SSL certificates (TLS). Nowadays both acronyms are thrown around even in executive meetings. In non-techie lingo, SEO means "more visitors and conversions" and an SSL certificate means (very far from the truth) "our site/app is secure", when all a certificate actually gives you is an authenticated server and an encrypted connection; it says nothing about how the application handles the data once it arrives.

Per Business Dictionary:

Statement that declares a firm’s or website’s policy on collecting and releasing information about a visitor. It usually declares what specific information is collected and whether it is kept confidential or shared with or sold to other firms, researchers or sellers.

However, at least in my experience so far, I have never been asked to implement one. There’s a real problem, and we have a solution that the vast majority of websites ignore:

According to Microsoft:

Web users are increasingly concerned that Web sites can locate them in the physical world, profile them in the virtual world, and correlate this information to form a “complete” identity. Web users also express concerns over Web sites sharing their personal data with other parties, such as marketing contacts, for unexpected purposes such as online behavior analysis. The problem is exacerbated by the fact that many users are often unaware of such data collection practices.
Cookies are widely used in data collection. Simply disabling cookies, however, is not a workable solution, because many applications depend on them. Similarly, prompting the user for each cookie download is not feasible because users are typically annoyed with such interruptions.

There are many partial solutions: policies and preferences expressed through HTTP headers (P3P, which lets a site declare its data practices, and Do Not Track, which lets a user ask not to be tracked), and browser extensions such as NoScript and Ghostery that block tracking scripts on the client side. So far most of these have failed in their purpose: P3P is effectively abandoned, and a DNT header is only meaningful if the server actually honours it, which most do not.
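As an added example (not code from the original post), here is a small Python sketch of what honouring Do Not Track looks like on the server side: the functional cookie the application needs is always set, the analytics cookie is dropped when the visitor sent `DNT: 1`, and the decision is reported back through the `Tk` tracking-status header from the W3C Tracking Preference Expression draft. The cookie names and the sample requests are assumptions made for this example.

```python
from typing import Dict, Tuple

# Added example, not the original post's code. Models the W3C Tracking
# Preference Expression handshake: the browser sends "DNT: 1", the server
# answers with a "Tk" (tracking status) header and changes what it stores.
# Cookie names below are assumptions made for this example.

SESSION_COOKIE = "session"         # functional: the app breaks without it
ANALYTICS_COOKIE = "analytics_id"  # tracking: only a business "nice to have"


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return ""


def dnt_opt_out(headers: Dict[str, str]) -> bool:
    """True only for an explicit 'DNT: 1'.

    'DNT: 0' (the user consents to tracking) or a missing header means no
    opt-out was expressed, so the two cases are treated the same way.
    """
    return header(headers, "DNT") == "1"


def respond(request_headers: Dict[str, str], session_id: str,
            visitor_id: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Decide which cookies to set and which Tk status to report for one request.

    Returns (response_headers, cookies). The functional session cookie is
    always set; the analytics cookie only when no opt-out was received.
    """
    cookies = {SESSION_COOKIE: session_id}
    response_headers: Dict[str, str] = {}
    if dnt_opt_out(request_headers):
        response_headers["Tk"] = "N"  # "N": not tracking this user
    else:
        response_headers["Tk"] = "T"  # "T": tracking, and saying so
        cookies[ANALYTICS_COOKIE] = visitor_id
    return response_headers, cookies


# Constructed sample requests (not captured traffic).
OPT_OUT_REQUEST = {"Host": "example.test", "dnt": "1", "User-Agent": "demo/1.0"}
CONSENT_REQUEST = {"Host": "example.test", "DNT": "0"}
SILENT_REQUEST = {"Host": "example.test"}

if __name__ == "__main__":
    for label, req in (("opt-out", OPT_OUT_REQUEST),
                       ("consent", CONSENT_REQUEST),
                       ("no header", SILENT_REQUEST)):
        hdrs, cookies = respond(req, "s-123", "v-456")
        print(f"{label:10s} Tk={hdrs['Tk']} cookies={sorted(cookies)}")
```

The point of the split between `SESSION_COOKIE` and `ANALYTICS_COOKIE` is the one the Microsoft quote makes: disabling cookies wholesale breaks the application, so the server has to know which of its cookies are functional and which are tracking, and only the latter should be conditional on the user's preference.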

I believe some of the responsibility lies with us, the technical teams, to address the endemic habit of ignoring privacy policies. It is our duty to define the subset of user information that is strictly required to do our job and meet the business requirements (and to collect nothing beyond it), and to make it standard practice to send those details to the appropriate people for approval.

Don’t forget to add that time to your estimates :)