Skip Navigation

[Original post published April 21, 2015, updated with relevant information for 2023. The content presented is not legal advice and should be used solely as a general guide]

You are a well-meaning organization seeking to do good in the world with a straightforward website. Why do we need a privacy policy? Does it even matter what’s in there? Can I just copy one from another website? After all, you would never intentionally do anything mean or sell your user’s information. Is this even necessary?

Why do I need a privacy policy?

If you ask for, track, or retain any information about a user visiting your website, you need to tell them. This includes Google Analytics, blog commenting function, a Contact Us form, online donations, an email subscribe form, etc.

The goal of your privacy policy is to protect by informing. Even a brief policy protects the goodwill and trust your organization fosters with your audience, and protects your users from surprises. The policy communicates what you will and will not do with the information they entrust to you.

Asking for information is asking for trust, therefore a good way to ask is by including a privacy policy on your website. People are more willing to give their information if they know why it’s needed and how it will be used for their benefit. Clear communication about what they can expect – just like in a face-to-face conversation – is valuable. This transparency and clarity bolsters trust between you and your supporters.

*In many, and a growing number of, cases privacy policies are required by law. Privacy policies focus on where the website user is located, meaning your website needs. To comply with privacy laws from jurisdictions outside your county/state/country. Please check with your friendly neighborhood Juris Doctor for more information.

Does it matter what’s in my privacy policy and can I copy it from another website?

Sort of, and not quite. Your website is unique, and so is the information you collect and what the people who have access to it will use it for. Define what information your website collects from your users, then determine what promises your organization wants to make about how you will and will not use that information. Consider

  • What information do we collect?
  • How do we collect the information?
  • Can the information be used to identify an individual or is it cumulative?
  • Where is the information stored and for how long?
  • Who has access? (staff, consultants, third-parties, etc)
  • What measures do we have in place to protect information?
  • Who can be contacted if a user has questions about the policy?

You are making commitments – it matters that you say what you mean, and mean what you say. All the reassuring in the world means nothing if it’s not true. For example, saying “We will not share information with any third parties” but collecting donations, means you are sharing information with the third party processing system, as well as any database vendors that information feeds into.

How do I write a privacy policy?

  • Be honest. Know what you collect, and figure out what you are doing with that information. This may mean checking with various people in your organization – do you track Google Analytics? Where do email signups go? What third party vendors store information? Who processes credit card donations? What partners or other stakeholders have access to information?
  • Write in your own voice, and in a way people can understand. Some things require legal jargon, but where possible, make this information accessible. If no one understands what you are committing to, it’s hard for them to trust you. While a small page, your privacy policy is part of your website, so make sure you own the content and the voice in a way that is authentic to your brand.
  • Make it Visible. The easiest way is to include a link in your website’s footer so it is universally accessible on any page a user is exploring. Consider using a cookies consent popup, particularly if you target visitors who access your site from California and/or the EU.
  • Consider Special Categories. For example, if your website expects to track the online behavior of children, or you solicit health-related information, or financial questions, ensure your internal policies adhere to COPPA, HIPPA, and laws governing the SEC.
  • Rely on experts. Consult your organization’s legal resources, and follow further guidance available from BBB.

Information exchange is how we know and trust each other. It benefits your relationships to communicate what information you collect and how you use it in order to build relationships and serve users. What you do with that knowledge matters, so instill trust and confidence by providing your relationships with clear commitments via a written Privacy Policy.

Need help on your next great website project? Contact your friendly neighborhood openbox9 team!

Claire Kennedy headshot
Claire Kennedy
Claire values context, creativity, and joy. She uses these skills to help causes invest in the good of others.