A little more than two years ago, we took some time to review the types of website policies your organization should maintain, and since then the topic of online personal data collection and the policies around it has exploded. Sweeping reforms such as the European Union's (EU) General Data Protection Regulation (GDPR), together with the data breach policies adopted in the wake of massive corporate hacks, mean it is more important than ever to have your policy ducks in a row.
Fortunately, everything from the original 2017 article is just as applicable today as it was then.
- Disclaimer Policy: States that the site owner is not responsible for the advice or information provided and limits liability. If your site includes content of a technical or legal nature, this is a must-have policy. Interestingly, this is one of the policies you'll often find embedded in individual pages alongside the relevant content, in addition to a general policy page or section.
- Return/Refund Policy: If your site has an ecommerce component, you need a refund policy. Even if you don’t offer refunds, that’s still a policy and it needs to be made clear to users.
- Delivery/Shipping Policy: Tells users how you ship your goods and products (this includes printed tickets) and what it costs. This policy is not required by law in most areas but is strongly recommended.
In addition to those items, you can include the following:
- Cookie Consent Banners: Not a separate policy in its own right, but a short version of your cookie policy that displays when a visitor arrives on your site. It includes a call to action (a link or button) the visitor uses to acknowledge and accept the policy, and it should link to the full policy. For EU visitors the banner is only meaningful if it actually gates something: non-essential cookies (analytics, advertising) should not be set until the visitor has accepted.
- Data Breach Policy:
- Data Breach Notice Letters: The first cousin to the policy, the letter is a template you would use in the event of a data breach. GDPR makes breach notification mandatory (to the supervisory authority within 72 hours of becoming aware of the breach, and to the affected individuals when the breach is likely to put them at high risk), so having the letter drafted in advance is a required element of GDPR compliance and a smart thing to have on hand whether or not GDPR applies to your website.
First and foremost, if your organization has the resources to consult an attorney who specializes in website legal agreements, that's awesome and you should absolutely go that route.
That said, most nonprofits will need to explore other options, and to that end online policy generators are a great choice.
They've come a long way since 2017: they are far more comprehensive and cover a broader range of privacy issues.
One provider I recommend to clients frequently is websitepolicies.com.
It describes itself as an "attorney-level legal policies generator to make your websites and apps compliant with the law," and it has some of the most inclusive generators around. There is enough detail that we often warn clients beforehand to schedule time so we can be available to provide some of the technical information they'll need to complete the policies.
Additional resources include:
If you're a WordPress user, you have a host of integrated privacy tools at your disposal (added in WordPress 4.9.6).
You can find a comprehensive guide by selecting the "Check out our Guide" link in the Settings -> Privacy admin panel (the same panel where you designate which page is your privacy policy page), or by going to /wp-admin/tools.php?wp-privacy-policy-guide#wp-privacy-policy-guide-introduction (just add your primary domain name to the beginning of that URL).
A large part of GDPR compliance is making personal data available to users upon request and erasing it from your system on request. To that end, WordPress offers two dedicated tools for those tasks, in the Tools -> Export Personal Data and Tools -> Erase Personal Data admin panels. Both work the same way: an administrator enters the requester's email address, WordPress emails that address a confirmation link, and only once the user has confirmed can the export or erasure actually be run.
WordPress provides a thorough overview of each tool on its documentation page. It walks you through the entire process an end user experiences and gives instructions on how to use both tools.
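One caveat a practitioner will want before trusting those two tools: out of the box they only know about data WordPress core itself stores (user accounts, comments, uploaded media). Anything a site-specific plugin keeps in its own table, such as event sign-ups or donor records, is invisible to Export Personal Data and Erase Personal Data until the plugin registers callbacks on the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters. The following is an added example of doing that, not code from the original post or from WordPress core; the `event_signups` table, its columns, the `nonprofit-events` text domain and the function names are hypothetical.

```php
<?php
/**
 * Added example: register a personal-data exporter and eraser so the
 * Tools -> Export Personal Data / Erase Personal Data screens also cover a
 * plugin's own table. Assumes a hypothetical table {$wpdb->prefix}event_signups
 * with columns id, email, event_name, signed_up_at.
 */

// Register the exporter. The array key is an arbitrary slug for this plugin.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['nonprofit-event-signups'] = array(
        'exporter_friendly_name' => __( 'Event sign-ups', 'nonprofit-events' ),
        'callback'               => 'nonprofit_event_signups_exporter',
    );
    return $exporters;
} );

// Register the eraser on the matching filter.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['nonprofit-event-signups'] = array(
        'eraser_friendly_name' => __( 'Event sign-ups', 'nonprofit-events' ),
        'callback'             => 'nonprofit_event_signups_eraser',
    );
    return $erasers;
} );

/**
 * Exporter callback. WordPress calls it repeatedly with an increasing $page
 * until 'done' is true, so large result sets are paged to avoid timeouts.
 */
function nonprofit_event_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'event_signups'; // hypothetical table

    // Always go through $wpdb->prepare(): the e-mail address originates from the request form.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, event_name, signed_up_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address,
            $per_page,
            $offset
        )
    );

    $export_items = array();
    foreach ( (array) $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'event-signups',
            'group_label' => __( 'Event sign-ups', 'nonprofit-events' ),
            'item_id'     => 'event-signup-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Event', 'nonprofit-events' ),     'value' => $row->event_name ),
                array( 'name' => __( 'Signed up', 'nonprofit-events' ), 'value' => $row->signed_up_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // a short page means we have reached the end
    );
}

/**
 * Eraser callback. Report honestly: 'items_retained' and 'messages' are how
 * you tell the administrator that something was deliberately kept (for
 * example under a legal retention obligation) instead of silently leaving it.
 */
function nonprofit_event_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'event_signups'; // hypothetical table

    // $wpdb->delete() builds a prepared statement from the WHERE array; returns rows deleted or false.
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true, // single pass; nothing left to page through
    );
}
```

Once this is active, the plugin shows up as its own group in the ZIP archive the export tool produces and in the per-eraser results the erase tool reports, so an administrator can see at a glance that the custom data was actually covered rather than assuming core handled it. The e-mail address passed to both callbacks is the one the user confirmed through the verification link, which is why neither callback needs its own authorization check.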
Disclaimer: What is a blog post about a legal topic without a disclaimer? This is not legal advice. You should not be getting your legal advice from a blog post. The purpose of this post is to give you things to think about. Speak to a lawyer about specifics.