Does Your Nonprofit Website Need a Privacy Policy?

If your organization collects information from the users of your website — and the odds are that it does, if little more than the IP addresses scooped up by your site statistics package — have you posted a site privacy policy? Should you do so?

In the service of those web users who are increasingly concerned with issues of
data protection, a clear and simple nonprofit privacy policy posted on your organization’s website can go a long way to building trust.

Who Cares about Protecting Personal Data?

A new study from the Pew Internet and American Life Project — “Digital Footprints: Online Identity Management and Search in the Age of Transparency” (December 2007) — reports that a staggering 60% of internet users are “not worried” about how much of their personal information is available online, and feel no need to limit it. In fact, most internet users are not sure exactly what personal information is available online, which may account for the apparent widespread lack of concern about “digital footprints” left behind on the web.

Yet, the same study found that 19% of adult internet users have searched online for information about co-workers, professional colleagues or business competitors; 11% have “googled” someone they are thinking about hiring or working with; and 9% have used the internet to check out their partners in romance.

This isn’t the first research to identify a “disconnect” between what web users say is important and the way we actually behave when on the internet. It’s been widely attributed to a lack of consumer education to create an understanding of the issue — consumers may believe that privacy protection is desirable, but may not be fully prepared to sacrifice convenience for caution when dealing with “trusted” sites online.

Whatever the cause of the disparity, the number of adult internet users who are
concerned about privacy issues is significant, and it’s a number that seems to be growing.

In a survey of the adult online population, conducted by the Customer Respect Group in February 2004, one in six respondents said that their primary reason for choosing to abandon a website was because they were not comfortable with the company’s privacy policy or with the transparency of its business practices.

Eurobarometer survey data, released in conjunction with Data Protection Day in the European Union, January 2008, indicated that almost 75% of respondents
were worried about leaving their personal information on the Internet. Although EU privacy standards are notably strict, the Commission that oversees data protection in the EU is currently debating even stronger measures. Meanwhile,
leading American corporations such as Microsoft, Proctor & Gamble, Hewlett Packard and others are voluntarily adopting the stricter European standards for privacy protection in their own operations.

Online privacy issues, clearly, are not simply going to fade away.

Given the obvious importance of the issue to online business, it follows that privacy protection cannot be overlooked by nonprofit organizations that rely on reputation and relationships in order to raise funds, to build membership, to spread the word about their activities, or to carry out other basic functions of their missions.

How to Create a Nonprofit Privacy Policy

The first step is to know what your organization’s data collection practices are:

• What personal information do we collect?
• How do we collect it?
• Why?
• How is the information used?
• Who has access to the information?
• Do we share the information we collect?
• If so, with whom and under what conditions?
• How long do we keep the information?

Hammering out those details may call for a meeting between board members, website administrators, marketing people, and volunteer coordinators — or, in a smaller organization, it may be as simple as a conversation among a few colleagues. Whichever is the case, do be sure you have a clear picture of the current situation (and of any changes that are likely to emerge in the short and medium term) before moving on to craft a written statement of your policy.

If the budget allows, certainly the first choice would be to ask your group’s lawyer to draft a privacy policy for your website. Check the text for an appropriate and accessible reading level and purge it of ‘legalese’ and unnecessary jargon, then pass it by your lawyer once more to ensure that the meaning has not changed.

As an alternative, however, you can create a privacy policy for your website with the aid of the Direct Marketing Association’s Privacy Policy Generator. Fill in your association’s name and mailing address, and tick off the appropriate check boxes in the online form. The Privacy Policy Generator will deliver your customized privacy policy in plain text or HTML format, ready to add to your website. (Those outside the United States, in particular, may want to pass this form-generated draft text to a lawyer, just to check that it meets all the legal requirements for data protection in your jurisdiction. )

Tips for a User-Friendly Nonprofit Privacy Policy

• Make the language as clear and simple as possible. Too many privacy policies are written by in dense legal terms that are beyond the average reading level — or at least will make the average reader’s eyes glaze over.
• Make the privacy policy complete. In simple terms, lay out exactly what information is collected, how, and for what purpose.
  Be prepared to revise the policy if your practices change — and decide how to handle any information that has already been collected, if your information-sharing practices, for example, do change. (In fact, a statement of this might be a very useful addition to your privacy policy!)
• Keep the door open. If you plan to use your visitors’ information for marketing purposes or even just to send out an occasional simple update, do make that intention clear in your privacy policy.
  Provide an opt-out option (or several) on the site itself, within the privacy policy, and as a link in every email message. This is especially critical if your organization shares or plans to share information with other organizations or companies.
• Link to your privacy policy in a very visible way, perhaps in the footer of each page, so readers won’t have to hunt for it.
  A percentage of people may never read the “fine print,” but the truly user-centred website will make every reasonable effort to display the privacy policy where it will be noticed.

Sometimes a nonprofit privacy policy may serve as no more than a disclaimer for
information gathering or sharing that may be carried out, rather than as a real aid to informed use of the website. If the goal is to establish a climate of trust with your website users, however, your privacy policy will be designed first and foremost with the best interests of website visitors in mind.

Additional Resources:

• The 22 Features Every Top Nonprofit Website Has
• The 50 Best Nonprofit Websites To Get You Inspired