If you’re a typical nonprofit, you probably collect a significant amount of sensitive information from your users—even if it’s simply the IP addresses gathered by your site statistics package. And after last year’s Target debacle and frightening data breach, millions of users are more skittish than ever about providing personal information to both businesses and organizations. Suddenly information that users have considered private and protected seems all too vulnerable.
First, let’s talk about why this is so important.
It helps you plan ahead. A well-thought-out policy will help your visitors know what to expect, yes. But it will also help you think through what information you routinely collect and how you plan to keep that data safe. Planning ahead can help you avoid difficult situations down the road.
Now let’s address the “how” question.
- Make it complete. In a nutshell, you want to lay out exactly what information is collected from users, how it’s collected and for what purpose. Of course, update your policy if these details change.
- Make your policy visible. You could include it in the footer of each page of your website so readers won’t have to hunt for it. Maybe place it prominently on your homepage or donation pages. Most people may never read the fine print, but it’s still crucial for you to display it in a way that shows you’re not trying to hide anything.
- Be mindful of specific laws. There may be additional laws that apply to you even if your nonprofit doesn’t operate in a specific sector. For example, if you ask health-related questions, laws like HIPAA (Health Insurance Portability and Accountability Act) may apply to how you collect and retain information. When it comes to financial questions, regulations enforced by the SEC may apply. Avoid unnecessary fines by making sure you’re in compliance with all rules and regulations. Of course, don’t ignore the FTC or state laws that provide minimum standards.
And finally, what you need to include.