For it to be a policy, you must decide on a set of rules to follow. You may or may not share this policy with your visitors. Most sites don't, but perhaps most of them haven't formulated a policy either.
If you like, you can create a page that says things like: "Anyone revealing their email address to us will be mercilessly spammed. Any personal information we get our hands on will be made public in the most humiliating way possible."
I believe that one of the major affilate marketing organisations insists on this.
As Corwings says, its just a page with some writing on. I just say that my mailing list is kept confidential and is not made available to third parties. Of course I then have to keep my word, which includes understanding how to use the bcc function on my email program when sending out newsletters.
If you are involved in affiliate marketing then it is also important to make clear that the customer is entering a contract with the seller not with you.
There are TWO types of privacy statement that can be associated with a web site.
The first sort is an ordinary web page that describes your privacy policy. It can say what you want, be set out how you want, and the page name can be whatever you want - privacy.html or similar will help let people know what the page is.
The second type of privacy statement is one that is readable by web prowsers and other automated processes (such as anti-spyware programs). It is written in XML using specific tags that have to contain particular content in a particular order. It then has to be uploaded to your site with a particular name. The simplest way to create this type of privacy policy is to use one of the several generators available on the web.