Internet users are becoming increasingly concerned about their personal information being collected and used by Web service providers. Since the privacy policies are mainly developed and maintained separately from the business process that collects and manipulates data, it is hard to perform analysis and management of the processes in terms of privacy policies. We propose a formal technique with which Web service providers describe the use and storage of requesters’ personal data. The description is integrated with a Web service protocol using an extended state machine model. Having such a conceptual model will enable model-driven development and management of Web service protocols with respect to their privacy aspects such as collection, disclosure, and obligation.