If you run a commercial site, there isn't a law requiring that you post a statement, but it is a good business practice to describe your procedures. There is, however, some risk-- if you don't abide by your privacy statement you could be exposed to civil or even criminal liability.

Unfortunately, because of this risk, many privacy statements are full of legal language and difficult to for the layman to understand. In general, a good privacy statement should be easy to read, easy to understand and easy to find on your Web site. It should contain information on the four widely-accepted Fair Information Practices: Notice, Choice, Access, and Security.

Notice is accomplished by placing a privacy statement on your website that fully describes how you manage data. Choice will detail how your business permits consumers to opt-in or out of certain types of data collection or direct marketing contact. Access describes your policy towards consumer access of their data, such as viewing, editing, or deleting. Finally, the security section of your statement should, in general terms, state that you are taking reasonable steps to protect sensitive customer data.

This is just a beginning, and you should use the resource links below to help you along. A privacy statement is a good vehicle to begin a discussion of privacy practices at your business. As such, don't forget to promote your policy internally to your employees, and make sure to change the policy if your business model changes.

Direct Marketing Association (DMA) Privacy Policy Generator
Trust-E Privacy Wizard
Microsoft's bCentral Privacy Statement Generator