Limitations and intentions
This article is intended to provide tips, suggestions and examples as a courtesy to our clients. It is neither intended to provide legal advice nor professional direction. It is intended to give you a starting point when thinking about how to communicate your policies to your users.
Cookie and Privacy Policies are important things. You should tell your users how you collect and use their information. There are two general categories that need to be addressed, information that is knowingly submitted and information that is automatically gathered.
Submitted information
This is pretty easy to identify. If you have a form on your website, then you use it to allow users to submit information to you. A user knows what that they are providing you with information, it's an intentional act on their part. Your privacy policy should explain to users how you intend to use the information collected and how it is stored. Cookies
If your website uses a SSL, meaning that the browser shows it is "Secure" and the site forces all traffic to use https (this should be the case for any site we host or assist with hosting) then user data is encrypted when it is sent from the user's browser to the receiving application. This means that the data is reliably secure in transit.
Emailed form data
If your forms feature emails form data with submission notifications, and most do, that should be disclosed in your privacy policy. It is fair to say something similar to: Form data may be transmitted by email and thereby should not be considered secure in transit. Please keep that in mind when submitting information.
Responsibility in requesting information
While individual users have a personal responsibility to safeguard their information. However, website managers should never ask for data of a sensitive nature without the appropriate security. Neither the Sitewrench forms page part (excluding payment form fields) nor any WordPress site has the appropriate security. It is up to you to determine what qualifies as data of a sensitive nature. However, you should NEVER request that credit card numbers, social security numbers, passwords, financial or medical information. This is not an exhaustive list.
You should also be mindful when requesting combinations of personally identifiable information. For instance asking for first name, last name, date of birth, address and mother's maiden name is bad practice (this is not an exhaustive list). If the data collected was compromised, a bad actor would have a significant head start creating a new, unaware victim. A good rule of thumb is to keep it minimal, only request what you need.
(There are laws governing knowingly requesting and storing contact information for persons under the age of 13. Information about such laws is outside the intended scope of this article. However, the best advice is just don't do it.)
How you intend to use form data
Your privacy policy should disclose how you intend to use form data. Do you intend to keep it and only use it within your organization? Do you plan to share it or sell it or use it with a third party service? Any of those, and similar (this is not an exhaustive list), intentions should be disclosed.
Special purpose forms
It is important to note that there are special purpose forms through which credit card numbers, social security numbers and other highly sensitive data can safely be submitted. They should be part of an application developed and maintained by a qualified, certified institution. They could be embedded in your website (by iframe or other method) or you could link a user to the application's website.
When Sitewrench forms are configured to accept payments, a set of fields for personal and credit card data are automatically included. This feature was developed with Stripe's resources and these fields are safe for their specified use. However, you will not add form fields for credit card number, et al, they are automatically added by the forms page part when the payment feature is enabled.
Gathered information (including cookies)
For the purposes of this article, gathered information refers to any information that software collects about a user. This information could be stored in something like a 3rd party database or browser cookie.
Sitewrench
Sitewrench stores minimal data about a user. It is fair to say something like: Our CMS stores user limited user information in cookies for application user experience purposes. No attempt is made to use cookie data for any other purposes.
WordPress
If your website is a WordPress website, it is an amalgamation of a large number of different, unrelated developers' work (Plugins plus Wordpress plus any other developers who have worked on your site). Your disclosure will need to include references to any and all 3rd parties (see Third Parties below).
You should also know what the developers who have worked on your site have done regarding cookies and information collection. If Speak built your site for you, it is fair to say something like: Our website uses a custom WordPress theme that stores limited user information in cookies for application user experience purposes. No attempt is made to use cookie data for any other purposes.
If other developers have worked on your website, you will want to be aware of any other uses of cookies or user data collection they may have created.
Third parties
If you use 3rd party services on your site, you will want to reference their privacy policies. Most every site we build or assist with hosting or management uses Google Analytics. Other 3rd party services could include (this is not an exhaustive list):
- Facebook pixels
- Ad tracking services
- Chat features
- Language translation features
- Email list subscription features
- Google analytics
- Stripe
WordPress Note: You will want to include references to any plugins used by your website, each developer should have a privacy policy.
Other thoughts & questions
Should you consult an attorney?
Yes, you should consult a legal professional. We are not legal experts and these helpful tips are not intended to replace actual qualified council.
Do you have a template we can use?
No, we do not offer a template for you to use. There are services that make them available. Your privacy policy is a disclosure about your organization's practices, be mindful if you select a template.
Do you offer privacy policy writing services?
No, we do not offer this as a service. You should consult a qualified professional resource.
Will you review my privacy policy for me?
We are happy to read it and give you thoughts. Any feedback we supply will be of the same nature as this article. It will not be legal council or professional direction, but rather helpful tips or suggestions for you and your legal professional to consider.
What about GDPR (aka the cookie law)?
GDPR is a law governing anyone doing business with people in the EU. If you do not do business in the EU, you're likely (again not legal advice) not under its jurisdiction. However it is likely to become a template for other privacy legislation, so it is good to be familiar with its concept. You can read more about it: https://gdpr.eu/what-is-gdpr/
Resources
- Better Business Bureau article about writing privacy policies
- Google's Privacy Policy
- Speak's Privacy Policy
- Stripe's Privacy Policy
- UC Berkley article about writing privacy policies
- Information about the EU’s data protection law
Comments
0 comments
Article is closed for comments.