[Original post published April 21, 2015, updated with relevant information for 2023. The content presented is not legal advice and should be used solely as a general guide]
If you ask for, track, or retain any information about a user visiting your website, you need to tell them. This includes Google Analytics, a blog commenting function, a Contact Us form, online donations, an email subscribe form, etc.
In many cases, and a growing number of them, privacy policies are required by law. Privacy laws apply based on where the website user is located, meaning your website may need to comply with privacy laws from jurisdictions outside your county/state/country. Please check with your friendly neighborhood Juris Doctor for more information.
Sort of, and not quite. Your website is unique, and so is the information you collect and what the people who have access to it will use it for. Define what information your website collects from your users, then determine what promises your organization wants to make about how you will and will not use that information. Consider:
- What information do we collect?
- How do we collect the information?
- Can the information be used to identify an individual, or is it only collected in aggregate?
- Where is the information stored and for how long?
- Who has access? (staff, consultants, third parties, etc.)
- What measures do we have in place to protect information?
- Who can be contacted if a user has questions about the policy?
You are making commitments – it matters that you say what you mean, and mean what you say. All the reassurance in the world means nothing if it’s not true. For example, if you say “We will not share information with any third parties” but you collect donations, you are in fact sharing information with the third-party payment processor, as well as with any database vendors that information feeds into.
- Be honest. Know what you collect, and figure out what you are doing with that information. This may mean checking with various people in your organization – do you use Google Analytics? Where do email signups go? Which third-party vendors store information? Who processes credit card donations? Which partners or other stakeholders have access to information?
- Make it Visible. The easiest way is to include a link in your website’s footer so it is universally accessible on any page a user is exploring. Consider using a cookies consent popup, particularly if you target visitors who access your site from California and/or the EU.
- Consider Special Categories. For example, if your website expects to track the online behavior of children, or you solicit health-related or financial information, ensure your internal policies adhere to COPPA, HIPAA, and the regulations overseen by the SEC.
- Rely on experts. Consult your organization’s legal resources, and follow further guidance available from BBB.
Need help on your next great website project? Contact your friendly neighborhood openbox9 team!