Creating a Privacy Policy for Your Website


Transparency Builds Trust

If you visited a website today, you probably were served up some wording about accepting the Privacy Policy. It happens so often, it seems routine. But why does your website need a privacy policy? Trust, transparency, and compliance are the main answers. Having a privacy policy on your website informs visitors how their personal information is collected, used, and protected.


This transparency builds trust and ensures compliance with data protection and child protection laws, safeguarding an organization from potential legal issues. Here are three ways to think about it:

  1. It gives users peace of mind. Having a privacy policy web page can help users understand why you collect and use their information and how you keep it secure. It lets users know what information you collect, how it will be used, and who will be able to access it.

  2. It’s the law. Many states have consumer privacy laws that require organizations to maintain a privacy policy that describes how consumer data is collected, used, and shared. Most of these states also allow consumers to reach out to the organization to request access, correction, or deletion of their personal information. These laws typically apply to organizations that collect personal information from a certain number of individuals in the state each year, and only some states exempt nonprofits from the requirements. Consult with a locally licensed attorney for specific advice.

  3. It protects children. Special rules apply to content for kids. If your ministry’s website, or even a portion of it, is directed to children under the age of 13, the Children’s Online Privacy Protection Act (COPPA) likely applies to your website. COPPA protects the personal information of children under 13 by requiring website owners to post a compliant privacy policy and obtain parental consent before collecting information. The Federal Trade Commission’s resource, “Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan,” includes helpful information on complying with COPPA.

Components of a Privacy Policy

The content that appears on the privacy policy web page will be unique to each organization. When creating a privacy policy for your website, think through the following questions with, for example, your web manager, communications team, and IT staff, or anyone on your team who is designated and trained to collect and store data from the website:

  • What information do you collect? Does your website ask users to share personal information such as their name, address, phone number, and email address? What about financial information, including debit and credit card numbers? Your privacy policy should specifically state each type of information you collect.

  • How do you collect information? Is information collected automatically when users visit the site, or do they fill out a form with their information? Do you maintain information received in other ways, such as insurance information provided by a member on a paper version of an activity participation agreement? Instead of developing multiple privacy policies addressing various operational activities, many organizations decide to adopt one comprehensive policy that encompasses all of their operations.

  • Why do you collect information? Why does your ministry collect personal information from users? Some states require organizations to provide the business or commercial purpose for collecting personal information. For example, your ministry may collect contact information in order to connect individuals with the ministry’s prayer team or collect financial information in order to process donations. In some cases, your answer may be as simple as “to further the purpose of the ministry by facilitating communication between the user and others who attend.” However, if you are collecting medical or financial information, your policy should be more specific about how this information will be used.

  • How do you share information? Beware of well-intentioned but inaccurate policy statements, such as “we will not share your information with any third party.” Does your ministry share information with a related organization such as a school or camp that has access to your ministry’s data? Do you use outside vendors to handle a user’s information for your ministry? If you answer yes to either of these questions, state law may require your ministry to describe each type of third party that your ministry shares information with, and for what purpose.

  • How can individuals contact your ministry to exercise their consumer rights? Users may want to contact your ministry with questions about how their information is used, maintained, or shared. In some states, they may also have the right to contact your ministry to request correction of inaccurate information or deletion of information that is no longer relevant to their relationship with your ministry. Your ministry may need to include within the policy a phone number and email or mailing address for these purposes.

  • How does your organization secure information? Do you work with networking and website programming professionals to ensure that the ministry’s website uses industry-standard security protocols, firewalls, and encryption programs? Ensuring that these safeguards are in place is important, especially if your ministry handles financial information.

It is important to make it clear whether your privacy policy applies only to use of your ministry’s website, or whether it also applies to “offline” interactions (information collected through in-person activities or phone calls). It is also helpful to state that the privacy policy does not apply to other websites that you may link to from your site.

Being Transparent about “Cookies”

It’s a good idea to describe the functions that cookies perform on your website within the privacy policy. This section might also note that a user can change his or her web browser settings to refuse cookies. A cookie is a small piece of data a website stores on a user's device that contains information about the user’s activity on the website. This type of cookie generally helps websites run more efficiently by performing tasks such as remembering the user’s log-in information or preferences.

Additionally, a pop-up “cookie notification” banner is becoming the norm for websites and can play an important role in protecting your ministry. Following are elements of a cookie notification banner:

  • It appears the first time someone visits your site and should reappear if users clear their cookies or if the cookie expires.

  • The cookie notification (about two or three sentences) immediately informs visitors about how cookies and other technologies are used for functions like user analytics, advertising, chat, or to personalize the website experience.

  • The banner should also require users to click “Accept” to consent to the use of cookies as described in your ministry’s privacy policy and ideally should include a link to it.


December 2024
The information provided in this article is intended to be helpful, but it does not constitute legal advice and is not a substitute for the advice from a licensed attorney in your area. We strongly encourage you to regularly consult with a local attorney as part of your risk management program.

Related Resources

There's more to read on this topic, including sample policy language you can use to get started.