Privacy Policies For Non-Profits: Sample & Resources
A few weeks ago, I did a podcast on privacy policies. Ironically, I’ve come across dozens of articles and posts on privacy law since then, ranging from the logistics of implementing a privacy culture to companies getting popped for privacy violations. So it seems the topic is definitely a timely one.
I must admit, I had a little trepidation posting the sample. The one trap I don’t want non-profits to fall into is the belief that printing a legal document off the internet will magically solve all of their problems. Because let me tell you, it won’t. In fact, it could make your problems much, much worse.
But as is the case in real life, you shouldn’t keep using this band-aid until it’s gross and discolored and its adhesive is gone and effectively useless (sorry for the graphic picture, folks, but I’m making a point). It has got to be a temporary measure. There are so many law firms, legal groups and non-profits doing pro bono work that lack of money is quickly becoming an outdated excuse.
So feel free to use the sample for what it is: advice and a starting point. A reference to get you thinking about what your organization does and what type of provisions need to be thought about. But never fall into the trap of thinking this is enough. And if you ever need assistance finding an association that offers free or low-cost legal services, please don’t hesitate to reach out. After all, that’s what I’m here for. Now, for the resources.
General Best Practices
- Make sure the policy is tailored to your specific organization. All the policies and procedures addressed should be actual policies and procedures your non-profit has implemented and used.
- Avoid or limit definite guarantees. Though it sounds nice, language like “we never disclose information to third parties” or “we never allow third parties to have access” can cause trouble. In the age of the hacker and Facebook you can never know for certain what third parties will be able to access or what employees might disclose. And there are many instances in which information MUST be shared with a third party (for example where the website is hosted by someone else, to authorities when requested, Google Analytics, etc.). Where guarantees are made, qualify them and make the appropriate disclaimers.
- Be aware of COPPA (Children’s Online Privacy Protection Act.) The law arguably applies where a website actually collects, or anticipates collecting, information from children 13 years of age or younger. There are certain protections that must be put in place such as contacting the parents, allowing for parents to opt out of having information collected by their children, etc. If you’re a non-profit that anticipates collecting information from children, then I would definitely advise you to meet with an attorney to discuss further. The FTC has been actively penalizing sites that improperly collect that type of information (I wrote on one such case here.) For those organizations that don’t anticipate collecting information from children, it doesn’t hurt to still have a provision addressing this. Perhaps you could make it clear that children must get consent from their parents before using the site? And clearly state your intent not to collect information from children 13 years of age or younger.
- If yours is an international organization (with a predominantly international audience) then you might want to address European laws on privacy. They’ve been particularly hard-core on privacy the last few years, and there may be additional protections that need to be put in place if information is collected from someone based, or living, in Europe. The FTC has more information on this and the Department of Commerce has safe-harbor language that assists organizations with compliance. Note, the collection and dissemination of information falling under these laws in the United States is technically a violation, which is why it’s important to visit the Department of Commerce’s website.
- There may be extraneous laws that will apply to you even though your nonprofit doesn’t operate in a specific sector. For example, where you ask health-related questions, laws like HIPAA (Health Insurance Portability and Accountability Act) may apply to your collection and retention of information. Where questions are asked about one’s finances, the SEC may come into play. Which means you could possibly be fined under these laws even though your organization operates largely independently of health or finances.
- Along these lines, you’ll want to be aware of the federal AND state laws that may govern privacy on your website (this is also where an attorney comes in handy).
- Address how terms may be amended. Some websites use language stating that the terms may be amended at any time and will be considered to bind the user. Others require that users periodically check the website for changes. I’m not caught up on some of the recent cases addressing this the past year, but I can tell you that type of language makes me slightly nervous. For one, it’s unilateral (or one-sided). And depending on what the rest of the language says, you might end up with a situation where your terms allow for provisions to be changed and don’t provide an avenue for the user to express their non-agreement. So they effectively bind the user to something they 1) don’t agree to; and 2) arguably don’t know about. My preference would be to email users when the policy changes. Or, require that users agree to the new language the next time they log on to the site. Where changes are substantial, consent will probably be that much more important.
- Last but not least, ensure that the link leading to the policy is strategically placed. It shouldn’t be hiding in the corner. Make sure people can see it, that it is prominent and that their attention is brought to it as soon as they enter your site.
Best Practices from the FTC
The Federal Trade Commission is the federal organization you’ll find is often popping businesses and nonprofits for privacy violations here in the US. Consequently it is of tremendous benefit for an organization to visit their website for guidance. Some of the best practices I found were:
- Hyperlinks should be provided at least on every page in which personal information will be obtained.
- The policy must actually be adhered to and disseminated among employees.
- The FTC also provides a bunch of best practices gleaned from cases it opened against Upromise and Facebook.
- Both TRUSTe (a nonprofit) and the Direct Marketing Association have resources that help organizations draft privacy policies.
- The International Association of Privacy Professionals has good resources
- PrivacyChoice is a really cool website that scans your webpage and shows you which ad companies collect on your website and their privacy policies.
- For more information on how to comply with COPPA the FTC has a great paper on it here
- The steps, and resources provided at each step, are helpful on the OECD website
- Very interesting article on what Google Privacy Policies you may be violating by not having a policy in place.
- FTC cases on the subject matter
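The first FTC practice above (a privacy policy link on every page that collects personal information) is something you can check for mechanically rather than by eyeballing each page. Below is an added example, not code from the original post or from the FTC: a small Python audit that parses each HTML page, looks for form fields that look like personal information, and flags any such page that has no link to a privacy policy. The sample pages are constructed, and the list of field names and input types treated as "personal information" is an assumption you would tune to your own forms.

```python
"""Audit HTML pages for a privacy-policy link wherever personal data is collected.

Added example; not the blog's or the FTC's code. SAMPLE_PAGES are constructed,
and PERSONAL_FIELDS / PERSONAL_INPUT_TYPES are assumptions about which form
fields count as personal information.
"""
from html.parser import HTMLParser

# Assumed: form field names and input types that indicate personal information.
PERSONAL_FIELDS = {"email", "name", "first_name", "last_name",
                   "phone", "address", "dob", "birthdate"}
PERSONAL_INPUT_TYPES = {"email", "tel"}


class PrivacyAuditParser(HTMLParser):
    """Collect personal-data form inputs and privacy-policy anchors from one page."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.personal_inputs = []   # names (or types) of inputs that look like personal data
        self.privacy_links = []     # hrefs of anchors that point to a privacy policy
        self._current_href = None   # href of the <a> being read, if any
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag in ("input", "textarea", "select") and self.in_form:
            name = (a.get("name") or "").lower()
            itype = (a.get("type") or "text").lower()
            if name in PERSONAL_FIELDS or itype in PERSONAL_INPUT_TYPES:
                self.personal_inputs.append(name or itype)
        elif tag == "a":
            self._current_href = a.get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
        elif tag == "a" and self._current_href is not None:
            text = "".join(self._anchor_text).lower()
            # A link counts if either its text or its href mentions "privacy".
            if "privacy" in text or "privacy" in self._current_href.lower():
                self.privacy_links.append(self._current_href)
            self._current_href = None


def audit_page(html):
    """Return whether the page collects personal data, links a policy, and any finding."""
    parser = PrivacyAuditParser()
    parser.feed(html)
    parser.close()
    collects = bool(parser.personal_inputs)
    has_link = bool(parser.privacy_links)
    finding = None
    if collects and not has_link:
        finding = ("collects personal information (%s) but has no privacy policy link"
                   % ", ".join(parser.personal_inputs))
    return {"collects_personal_info": collects,
            "has_privacy_link": has_link,
            "finding": finding}


def audit_site(pages):
    """Audit a mapping of path -> HTML and return (path, finding) for each failing page."""
    failures = []
    for path, html in pages.items():
        result = audit_page(html)
        if result["finding"]:
            failures.append((path, result["finding"]))
    return failures


# Constructed sample site: a home page, a donation form with no policy link,
# and a volunteer form that does link to the policy in its footer.
SAMPLE_PAGES = {
    "/": '<html><body><h1>Welcome</h1><a href="/privacy">Privacy Policy</a></body></html>',
    "/donate": ('<html><body><form action="/donate" method="post">'
                '<input name="name"><input type="email" name="email">'
                '<button>Give</button></form></body></html>'),
    "/volunteer": ('<html><body><form method="post"><input name="phone"></form>'
                   '<footer><a href="/privacy">Privacy Policy</a></footer></body></html>'),
}

if __name__ == "__main__":
    for path, finding in audit_site(SAMPLE_PAGES):
        print(path, "->", finding)
```

Run against a crawl of your own site's HTML, this flags the pages an attorney or the FTC would look at first: those that take names, emails or phone numbers without a visible route to the policy. It is a heuristic, so a page that collects personal data under unusual field names will need the assumed field list extended.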
Definitely a working document, but here it is nevertheless...
Posted by Erin | 1 comments