Even if you already have a policy in place you can extend your brand value by making yours more accessible - as in both easy to find and easy to understand.
This might not be the easiest "little thing", but the opportunity to show your respect for those that support your mission can be invaluable. So the first step is to have a page devoted to your policy and link to it on all pages (usually in the footer) with additional prominent links on any forms you might have on your site.
You might have to do a bit of footwork to find out exactly what your policy is and state it clearly, but its that sort of consideration that your potential supporters and donors will really appreciate and associate with the integrity of your organization.
Of course in order to clearly state what your data collection and security policy is you will need to know what your site's software (and email or donation provider's) actually does. If you don't have the in-house technical knowledge about this, you'll want to contact support at your vendor or ask your contractor what information is collected and how it's stored. Donation providers, at least, should have information about how they secure the transactions and personal information somewhere on their own website.
Also - although I have listed a couple of free online policy generators to get you started they are very obviously geared toward e-commerce sites and full of technobabble that visitors won't understand. Obviously this is pretty out of sync with the tone with most nonprofits need. It would fantastic if someone created an online generator for nonprofit website privacy policies that didn't include so much customer and order language and explain policies in plain English.
Do you even need one?
Yes, if you:
* Collect information - email lists, donations and registrations
* Use Google Adsense (its required)
* Share user information with other sites or organizations
Even if you don't have user sign-ups for email or other forms you might want to include a policy to disclose that your site places cookies on the user computer (but doesn't collect or store any identifiable information from them) just to show that you understand and respect their privacy. Especially if transparency is part of your brand, you'll want to let those anxious about privacy know that you have taken the time to make them comfortable.
What should be in it?
There is a great article on Wild Apricot's Blog that goes into far more depth about this topic that is well worth a quick read.
A couple samples to get started.
One good resource to get started is the Creative Commons Sharealike licensed policy from Wordpress/Advocmatic. How nice is that?
And another sample policy from the Better Business Bureau
There are a couple of free online generators but honestly they are so convoluted, legal sounding and full of non-applicable issues that I hesitated even listing them here. If you take the time to reword the generated text and keep the input simple, they might be helpful though, so here they are.
(you will need to sign up for a free web visitor account though)
Possibly more useful is their set of "do the right thing" guidelines on privacy
And there is another at OECD.org
How to make it useful
Translate whatever you can into plain English with common words. One example (from a webmaster forum user ) that I like is:
Instead of "This information is collected in a database and used--in an aggregated, anonymous manner--in our internal analysis of traffic patterns within our web site.
Why not write:
"We collect this information and use it to compile general statistics such as how many people visit which parts of the site. We do not use this information to track you personally."
Here's an article that makes the case a bit more strongly and includes some other tips for writing policies.
Keep it as short as possible. One of the problems with the online generators above is that they cover a zillion possible technologies and uses that you probably don't even know abut let alone use on your site. And including a bunch of unrelated tech speak will freak out your users unnecessarily. Be thorough and truthful about how you obtain and use information but don't bring up anything that doesn't directly apply to your site.
Break up the sections with informative subheadings and include a table of contents with jump-links to the sections at the top if its more than 3 or 4 sections long. Consider formatting the page as an FAQ, which is a familiar format for visitors with questions.
Include whether forms will be submitted securely (https) and how that data will be used and protected. This is a primary concern among donors and others providing you with their personal information. So make it obvious that you take their concerns seriously.
Invite comments and questions with contact information. Here is your chance to engage your supporters in a friendly way if they still have concerns or issues with your policy - make it easy for them.
Have it written by a lawyer or leave it in legal speak
If your legal team demands that you must include the legalese consider putting it behind a "summary or simple version" with a link to see complete details.
Skip it altogether if you have forms that ask for personal information.
Unbelievably I came across a fairly large Arts Council site that not only didn't have a policy for newsletter sign ups, but also didn't have one available for site registrations or even donations! I'm sure I am not the only person that would think twice before giving them my information or money.
A few examples
Perhaps because this isn't the most straightforward task for a webmaster, I really had a hard time finding examples that take advantage of brand extending possibilities, but here are a few.
Genocide Intervention policy is well thought out based on their mission (note the geographic security concerns):
Pew Internet keeps it short and sweet
And EFF.org's policy is very thorough as you might expect:
I'd love to see some more examples of how nonprofits approach their privacy policies, so please leave them in the comments or email mail me links if you can.
The bottom line