
Thursday, January 18, 2018


For a Good to Great Privacy Policy Ask Questions
Erin McClarty

August, 2016

A few years ago I did a podcast on the importance of having a privacy policy. Now, with cyber attacks as regular as the sunset, the topic is more relevant than it's ever been.

Thankfully, organizations are heeding the calls to put something in place. Unfortunately, what’s put in place doesn’t always fit their needs or reality. I attribute this to understanding the “why” and the “how” of a privacy policy, but being hazy on the “what.”

So I’m pulling together a few points from my podcast and framing them as guided questions. I frame them as questions to get you thinking about what your model policy looks like, rather than what a model policy might be. Because policies are nothing more than a memorialization of what you need to do day to day. And by asking yourself these questions, you create the curiosity and inquisitiveness needed to draft a solid policy.  

Privacy Policy Pre-Game

Naturally, my depth is limited with a few pages. But an exhaustive discussion would leave you bored and (justifiably) angry. So this discussion is just long enough to get your wheels turning.

But before we get there, let’s agree to a few preliminary assumptions. So we’re all on the same page:

  • Using an unaltered template won’t cover all your exposures, no matter how magical it purports to be.

  • Thoughtful policies are effective policies. If a policy isn’t reflective of who you are and what you do, it won’t be a helpful tool. This is especially the case with a privacy policy because it depends heavily on practices, which are unique to each organization.

  • Speaking of helpful, “book-shelf” policies are not our friends. These are the policies you draft and finalize but end up shelved under promotional stress balls. Develop your policy with implementation already in mind. Have a roll-out plan ready to go for the website, internal staff and the Board.

Important Privacy Policy Considerations

Now, for those questions:

  • What promises can we comfortably make? Many templates include language like, "we never disclose information to third parties." Don’t get me wrong, this sounds nice. But is it true? What about website developers working on a contact database? Is this true if local authorities reach out about a transaction? And does Google Analytics count as a disclosure? I say all this to say: use hard-line language carefully. Think through your process and don’t be afraid to make qualifiers. People just want honesty.
  • What laws apply to the information we collect? By way of example, COPPA (Children’s Online Privacy Protection Act) applies to websites that collect, or might collect, information from children 13 or younger. It mandates certain requirements like parental contact, opt-outs, etc. If this law applies to you, you’ll want to cover these logistics (changing parental contact information, sending opt-out notices) in the policy. The same is true if you collect health or financial information, both of which have specific requirements under Federal and/or State law.
  • Should the policy have an international flavor? If the organization has an international presence, or audience, you might touch on key concepts around privacy in other applicable countries, for example, the collection and use of information under European law. Requirements can and will work differently than those in the U.S. In fact, they might be the exact opposite (e.g., Canada requires “opt-ins” whereas the U.S. requires “opt-outs” in some instances). The FTC (Federal Trade Commission) has really good resources on this.
  • How will we update the terms? Things change and, in the case of the cyber world, they change rapidly. Is it clear terms aren’t static? If not, make sure it is and outline how you plan to make changes. How will people know when a change has been made? Internally, how will you keep track of versions? As a heads-up, tread lightly with the “You should probably check the site sometimes” language. Consider emailing changes where they’re major, or possibly requiring users to agree to the changes the next time they log on to your site.
  • Can people find the policy? Last but not least, is the link leading to the policy strategically placed? It shouldn’t hide in a corner. Make sure people can see it, that it is prominent and that their attention is brought to it as soon as they enter your site.


As I mentioned, the list of potential questions to ask could go on. The point isn’t to be perfect, but to be thorough and thoughtful. Have the Board and the staff take a few minutes to think up more questions by asking themselves, “What would I want to know about how my information is treated?”

If you do decide to use a template, do yourself a favor. Break the template down into a secondary outline and draft something from scratch, pulling from that outline when you need to. That way, inaccuracies don’t slip in and you’ve created another avenue of being thoughtful.

Erin McClarty blogs on legal issues impacting charities and causes at Notations on Nonprofits. She's also the principal of Erin McClarty, PLLC, where she marries her legal, business and third sector expertise to grow charities and causes.

ph.            832-305-6417

