
[Original post published April 21, 2015, updated with relevant information for 2023. The content presented is not legal advice and should be used solely as a general guide]

Hypothetically speaking, you’re a well-meaning organization seeking to do good in the world with a straightforward website. You’d never intentionally do anything mean or sell user information. Is a privacy policy even necessary? Does it even matter what’s in there? Can you just copy one from another website?

Why do I need a privacy policy?

A privacy policy protects by informing – protects the goodwill and trust your organization fosters with your audience, and protects your users from surprises.

If you ask for, track, or retain information about a user visiting your website, you need to tell them. This includes Google Analytics, blog commenting function, a Contact Us form, online donations, an email subscribe form, etc. Your privacy policy communicates what you will and will not do with the information they entrust to you.

Asking for information is asking for trust. People are more willing to give their information if they know why it’s needed and how it will be used for their benefit. Clear communication about what they can expect – just like in a face-to-face conversation – is valuable. This transparency and clarity bolsters trust between you and your supporters. As Brené Brown tells us, ‘clear is kind.’

*In many cases, and a growing number of them, privacy policies are required by law. Privacy policies focus on where the website user is located, meaning your website needs to comply with privacy laws from jurisdictions outside your county/state/country. Please check with your friendly neighborhood Juris Doctor for more information.

Can I copy my privacy policy from another website?

Sort of, and not quite. Your website is unique, and so is the information you collect and how the people with access to it use it. Define what information your website collects from your users, then determine what promises your organization makes about how you will and will not use that information. Consider:

  • What information do we collect?
  • How do we collect the information?
  • Can the information be used to identify an individual or is it generalized/cumulative?
  • Where is the information stored and for how long?
  • Who has access to the information? (staff, consultants, third-parties, etc)
  • What measures do we have in place to protect information? How are these measures enforced/verified?
  • Who can be contacted if a user has questions about the policy?

You are making commitments – it matters that you say what you mean, and mean what you say. For example, if you say “We will not share information with any third parties” but collect donations, you are sharing information with the third-party processing system, as well as any database vendors that information feeds into.

How do I write my own Privacy Policy?

  • Be honest. Know what you collect and what happens to the information. This may mean checking with various departments in and external to your organization – do you track Google Analytics? Where do email signups go? What about event RSVPs? What third-party vendors store information? Who processes credit card donations? What partners or other stakeholders have access to information?
  • Write in your own voice, and in a way people can understand. Some aspects require legal jargon, but where possible, make this information accessible. While a small page, your privacy policy is part of your website, so make sure your content and voice align with your brand.
  • Make it Visible. The easiest way to promote your policy is to include a link in your website’s footer so it is universally accessible on any page a user is exploring. Consider using a cookies consent popup, particularly if you target visitors who access your site from California and/or the EU.
  • Consider Special Categories. For example, if your website expects to track the online behavior of children, or you solicit health-related information, or financial questions, ensure your internal policies adhere to COPPA, HIPAA, and laws governing the SEC.
  • Rely on experts. Consult your organization’s legal resources, and follow further guidance available from BBB.

Information exchange is how we know and trust each other. It benefits your relationships to communicate what information you collect and how you use it in order to build relationships and serve users. What you do with that knowledge matters, so instill trust and confidence by providing your relationships with clear commitments via a written Privacy Policy.

Need help on your next great website project? Contact your friendly neighborhood openbox9 team!

Claire Kennedy
Claire values context, creativity, and joy. She uses these skills to help causes invest in the good of others.