Where do I start?
- What will be the scope of this policy?
- Who is the intended audience?
- What types of personal information will be gathered?
- How will this information be used?
- To what extent will individuals be informed of the collection and use of their personal information?
- Will individuals be able to review the information held about them?
- Will individuals be given the option to opt out of this information collection?
Depending on how in-depth you want your policy to be, drafting it can take anywhere from a couple of hours to a couple of days.
You should plan on spending at least a couple of days to ensure that you've covered all the bases and that the policy contains no gaps between what it promises and what your systems actually do.
Once you have your finalized policy, review it at least once a year, and whenever you change what data you collect or how you process it, to ensure that it still matches your practices and that no mistakes have crept in. You can also ask members of your legal team to review it periodically for effectiveness.
Above all else, make sure that you're comfortable with the policy you've created. If you're not, it's possible that you've created a policy that doesn't serve your organization well. In that case, revise it, or re-write the entire policy from scratch.
As a general rule of thumb, the more detailed your policy is, the more likely it is that you'll need a lawyer's help in drafting it. However, even a short policy can be hard to honor if you don't have a written agreement with your email marketing provider that binds them to the same commitments you make to your subscribers.
- Identification of the organization
- Contact information
- An explanation of the purpose of the policy
- The types of personal information collected
- How the information will be used
- The security measures in place to protect the data
- Who will be given authorization to access the information
- How the information will be kept private
- How long the information will be kept
An identification of the organization is an absolute must. This can be tricky if you're not sure where you stand legally or if you're not comfortable revealing your company's name. However, a privacy policy is a set of commitments, and readers and regulators need to know which legal entity is making them and is responsible for the data. Without a clear identification, individuals cannot tell whom to contact, whom to hold to the policy, or whom to complain about if their privacy is violated.
It's also important to include your physical address and a contact phone number in your policy. For email marketing in particular, the CAN-SPAM Act requires every commercial email to include a valid physical postal address; a street address, a post office box registered with the USPS, or a private mailbox registered with a commercial mail-receiving agency all qualify, and the address in your policy should match the one in your messages.
An explanation of the purpose of the policy should follow the identification of the organization. This will assist the reader of your policy in understanding what you're trying to accomplish with the documentation. While it's not required, it's considered best practice to provide a little bit of explanation in the introduction of your policy. It would be wise to provide a short, bulleted list of the purposes for which you're collecting the information. Doing this will make it easier for the reader to understand what you do with their data and to hold you to it.
The types of personal information collected should be straightforward and easy to understand. Depending on the type of business that you are operating, you may want to limit the amount of personal information that is collected. For instance, if you're a non-profit organization, you may only need to collect an email address and some demographic information. If you're a pharmaceutical company, you may need to collect a great deal more information about your customers, possibly including financial details. Having a clear idea of what type of information you're going to collect makes it easier to create a policy that's specific to your needs. As a general rule, the less information you hold, the less there is to lose in a breach and the smaller the harm if someone's privacy is violated.
In the context of your email marketing policy, you're dealing with individuals' personal information. Therefore, keep in mind that you must comply with the FTC's requirements for protecting consumer data. The FTC enforces these under Section 5 of the FTC Act: a privacy policy that misrepresents what you actually do with data is treated as a deceptive practice, and failing to take reasonable steps to protect the security of the data you collect and maintain can be treated as an unfair one.
If you are a HIPAA covered entity (a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically) or a business associate handling protected health information on behalf of one, then you must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This law applies not only to your organization's handling of patients' personal data, but also to the data collected by you or your employees during the course of providing healthcare services. HIPAA sets a lot of specific security and privacy requirements for healthcare providers, including:
- The Privacy Rule: permitted uses and disclosures of protected health information (PHI) and patients' rights to access and amend it
- The Security Rule: administrative, physical, and technical safeguards for electronic PHI, including risk analysis and access controls
- The Breach Notification Rule: notifying affected individuals, HHS, and in some cases the media after a breach of unsecured PHI
- Transaction and code set standards for electronic billing and payments
- Retention of required policies, procedures, and other HIPAA documentation for at least six years
- Proper disposal of PHI so that it cannot be read or reconstructed
It's also wise to be mindful of what constitutes personal information. It is broader than many people assume: names, email addresses, postal addresses, phone numbers, IP addresses, device identifiers, and any other data that identifies an individual or can reasonably be linked to one all count. Even where you are not required to obtain permission before collecting a piece of information, collect only what you actually need for the purposes stated in your policy. The less personal information you hold and make available for distribution or sale, the less harm a breach or misuse can do.
What are some good examples of Privacy Policies?
Here’s a short list of some good examples of privacy policies: