Limitations and intentions
This article is intended to provide tips, suggestions and examples as a courtesy to our clients. It is neither intended to provide legal advice nor professional direction. It is intended to give you a starting point when thinking about how to communicate your policies to your users.
Cookie and Privacy Policies are important things. You should tell your users how you collect and use their information. There are two general categories that need to be addressed, information that is knowingly submitted and information that is automatically gathered.
If your website uses a SSL, meaning that the browser shows it is "Secure" and the site forces all traffic to use https (this should be the case for any site we host or assist with hosting) then user data is encrypted when it is sent from the user's browser to the receiving application. This means that the data is reliably secure in transit.
Emailed form data
Responsibility in requesting information
While individual users have a personal responsibility to safeguard their information. However, website managers should never ask for data of a sensitive nature without the appropriate security. Neither the Sitewrench forms page part (excluding payment form fields) nor any WordPress site has the appropriate security. It is up to you to determine what qualifies as data of a sensitive nature. However, you should NEVER request that credit card numbers, social security numbers, passwords, financial or medical information. This is not an exhaustive list.
You should also be mindful when requesting combinations of personally identifiable information. For instance asking for first name, last name, date of birth, address and mother's maiden name is bad practice (this is not an exhaustive list). If the data collected was compromised, a bad actor would have a significant head start creating a new, unaware victim. A good rule of thumb is to keep it minimal, only request what you need.
(There are laws governing knowingly requesting and storing contact information for persons under the age of 13. Information about such laws is outside the intended scope of this article. However, the best advice is just don't do it.)
How you intend to use form data
Special purpose forms
It is important to note that there are special purpose forms through which credit card numbers, social security numbers and other highly sensitive data can safely be submitted. They should be part of an application developed and maintained by a qualified, certified institution. They could be embedded in your website (by iframe or other method) or you could link a user to the application's website.
When Sitewrench forms are configured to accept payments, a set of fields for personal and credit card data are automatically included. This feature was developed with Stripe's resources and these fields are safe for their specified use. However, you will not add form fields for credit card number, et al, they are automatically added by the forms page part when the payment feature is enabled.
Gathered information (including cookies)
For the purposes of this article, gathered information refers to any information that software collects about a user. This information could be stored in something like a 3rd party database or browser cookie.
Sitewrench stores minimal data about a user. It is fair to say something like: Our CMS stores user limited user information in cookies for application user experience purposes. No attempt is made to use cookie data for any other purposes.
If your website is a WordPress website, it is an amalgamation of a large number of different, unrelated developers' work (Plugins plus Wordpress plus any other developers who have worked on your site). Your disclosure will need to include references to any and all 3rd parties (see Third Parties below).
You should also know what the developers who have worked on your site have done regarding cookies and information collection. If Speak built your site for you, it is fair to say something like: Our website uses a custom WordPress theme that stores limited user information in cookies for application user experience purposes. No attempt is made to use cookie data for any other purposes.
If other developers have worked on your website, you will want to be aware of any other uses of cookies or user data collection they may have created.
If you use 3rd party services on your site, you will want to reference their privacy policies. Most every site we build or assist with hosting or management uses Google Analytics. Other 3rd party services could include (this is not an exhaustive list):
- Facebook pixels
- Ad tracking services
- Chat features
- Language translation features
- Email list subscription features
- Google analytics
Other thoughts & questions
Should you consult an attorney?
Yes, you should consult a legal professional. We are not legal experts and these helpful tips are not intended to replace actual qualified council.
Do you have a template we can use?
No, we do not offer this as a service. You should consult a qualified professional resource.
We are happy to read it and give you thoughts. Any feedback we supply will be of the same nature as this article. It will not be legal council or professional direction, but rather helpful tips or suggestions for you and your legal professional to consider.
What about GDPR (aka the cookie law)?
GDPR is a law governing anyone doing business with people in the EU. If you do not do business in the EU, you're likely (again not legal advice) not under its jurisdiction. However it is likely to become a template for other privacy legislation, so it is good to be familiar with its concept. You can read more about it: https://gdpr.eu/what-is-gdpr/
- Better Business Bureau article about writing privacy policies
- UC Berkley article about writing privacy policies
- Information about the EU’s data protection law