Net Eyes Wide Shut
Here's how to avoid the wrath of the FTC.
By Bronwyn Fryer

(FORTUNE Small Business) – Are the words "Internet privacy" an oxymoron? Some folks think so--including Scott McNealy, CEO of hardware giant Sun Microsystems. In January, the notoriously motor-mouthed McNealy told a group of reporters, "You have zero [Internet] privacy anyway. Get over it." That off-the-wall comment--made by the head of a corporate member of the Online Privacy Alliance, an industry coalition that advocates self-regulation of the Web--set privacy watchdogs howling. One of the howlers was Jodie Bernstein, director of consumer protection for the Federal Trade Commission in Washington, D.C.

Subsequently, the FTC began cracking down on Internet privacy violators. In August, GeoCities, a popular online-community site, settled a case with the commission involving privacy-violation charges. The FTC claimed that GeoCities had passed customers' personal information, collected from online membership forms, to third parties without the customers' knowledge or consent.

Indeed, Internet privacy is high on the congressional agenda, and it's likely that laws governing e-commerce will soon clamp down on operators of sites that disregard cybersurfer rights. Here's how to put a policy in place to avoid the FTC's radar:

Take inventory of client data. List all the personal information about customers that your company collects, stores, and transmits. Then ask yourself: What kind of information do I really need? How is it being collected? Why am I using it? Is that use different than what the visitor thinks it is? If so, how do I ask permission to use it in a different way? Model your policies on the internationally agreed-upon standards of fair-information practices issued by the Organization for Economic Cooperation and Development, an international policy group (see www.junkbusters.com/fip.html#oecd for a copy).

Develop a privacy statement. You don't need a law degree to do this. Sites such as Microsoft's LinkExchange (www.linkexchange.com), which provides marketing and other services for small Web businesses, and TRUSTe (www.truste.org), an online-privacy-services company, have so-called "privacy wizards"--automated questionnaires that ask you about your business practices. The wizards help you develop specific language for telling customers how you plan to use their personal information. Make sure your privacy statement is free of jargon. Be sure you can stand behind it, and have a lawyer look over the final product.

Post it prominently. Your policy statement should have its own page on your site, and your home page should have a "privacy statement" link to that page. If necessary, add subsequent links by which visitors can locate more detailed information--where they can send e-mail inquiries, learn more about how you use the technical information stored in Web logs, and so on.

Get a seal of approval. Organizations such as TRUSTe and the Better Business Bureau's BBBOnLine (www.bbbonline.com) offer a credential no Website should be without: a privacy seal. Like the Good Housekeeping Seal of Approval, such a logo verifies that you won't share customer information. It's a great flag to post on your home page. Afterward, make sure you abide by your policy. Otherwise, the FTC may come knocking. And no one, not even Scott McNealy, relishes that prospect.

www.fortunesb.com Need help writing an Internet privacy statement? Go to fortunesb.com/articles/0,2227,359.00.html for links to resources in this story.