In this paper we argue that policies are an increasing concern for organizations that operate a web site. Policies relevant to the web address issues such as privacy of personal data, accessibility for the disabled, user conduct, e-commerce, and intellectual property. Web site policies--and the overarching concept of web site governance--are cross-cutting concerns that have to be addressed and implemented at different levels (e.g., policy documents, legal statements, business processes, contracts, auditing, and software systems). For web sites, policies are also reflected in the legal statements that the web site posts, and in the behavior and features that the web site offers to its users. Policies and software tend to evolve independently, but at the same time they have to be kept in sync. This is a practical challenge for operators of web sites that is poorly addressed right now and is, we believe, a promising avenue for future research. In this paper, we discuss various challenges that policy poses for web sites, with an emphasis on privacy and data protection, and identify open issues for future research.