In 1970, political and social activist Abbie Hoffman self-published Steal This Book, his guide for the counter-culture on the ways to fight the government and corporations. Most readers, it seems, had not taken his titular advice: the book sold more than a quarter of a million copies within the first few months of publication. Likewise, I suggest that you do not take the advice of the title of this blog post, as tempting as it might be to appropriate another organization’s website privacy policy. Putting aside any ethical concerns and potential copyright infringement claims, this practice is ill-advised for a number of reasons, which I explain below.
With the massive expansion of the Internet, privacy is a real concern these days. Your organization’s privacy policy is the first step in an overall approach to responsibly collecting, sharing and safeguarding the information you obtain: it is a pledge to your donors and supporters to maintain their confidentiality.
While it may seem that all nonprofit sites deal with the same issues regarding privacy, the reality is that no two organizations are identical. On the surface, another organization may appear to engage in activities similar to yours, but the truth is that the way the information is processed, shared and utilized will certainly differ.
The Federal Trade Commission advises that when drafting your privacy policy “say what you mean and mean what you say.” The first part is easy – you need to have a global understanding of what your organization does with the information it collects. For example, do you share information with third parties, use cookies and other web tracking technologies, or send promotional emails? Whatever the practices, they need to be clearly described in your privacy policy.
The second part, “mean what you say”, is more of a challenge. Simply stating the policy is not enough – you must adhere to the policies and procedures as described. Your organization will be held accountable for any failure to meet its own written standards, so it’s imperative that everyone in the organization understand what they should be doing – and equally important, what they should not be doing.
Finally, your privacy policy must keep pace with your practices. Web technologies, marketing strategies and other internal practices change regularly. If the marketing department concludes that a monthly e-newsletter to donors is essential, that’s fine, but make sure that this is addressed in the privacy policy. Unfortunately, many organizations do not routinely update their privacy policies to keep pace with such changes.
The goal is to avoid a Federal Trade Commission enforcement action, potential lawsuits, negative publicity and loss of supporter trust. So you want to follow best practices when it comes to the privacy policy, and in future posts I will provide such guidelines. In the meantime, if you have a professionally drafted privacy policy, make sure that it is reviewed, followed and updated on an annual basis. And for those who may have taken the shortcut, I recommend working with an attorney familiar with these issues to review and revise your privacy policy to be sure it truly reflects your intended practice. The investment today will go a long way in honoring the commitment to the privacy your supporters expect and deserve.