Jim Brophy

Group Director, Digital

Jim provides digital marketing integration insight and direction to all of the firm’s clients. Specialties include: B2B web strategy, project team management, e-business consulting, SEO/PPC and content strategy, conversions, responsive and optimized mobile site strategies.

Website Policy Best Practices: Privacy, Terms & Conditions, and Accessibility

July 5, 2022 | Jim Brophy, Group Director, Digital

7 Minute Read

We users of websites, social media, apps, financial portals, ecommerce websites and blog articles – pretty much all things internet – must deal with growing waves of policy statements, permissions and consent forms in order to proceed to the content.

Annoying? Yes, for both users and site owners. Bad? Not necessarily. Most of these barriers protect either the business’ rights and IP, the users’ rights, or both. Some of these policies are passive, meaning they are present but don’t require explicit user agreement. What happens when we encounter one that does? You most likely click “I Agree” without even reading the legalese on a policy statement or updated terms of use (and you’re not alone)!

Site owners are inconsistent on these policies. At Northwoods, we’ve created, developed and updated many websites over the years, and found that some clients post policies and some don’t. We’ve seen policies that are out of date.

So what policies should a site owner post? Let’s focus on the policy pillars – the bare minimums:

  • Privacy Policy
  • Terms and Conditions, or Terms of Use
  • An Accessibility Statement

Here we’ll clarify these policies and try to explain the intent behind them.

Privacy Policy 

Privacy is the oldest and most ubiquitous policy. The large majority of websites have some form of privacy policy. But are they the right policies? And are they properly constructed?

Policies are not one size fits all. Don’t simply copy a privacy policy from another website and paste it on yours. (We do see this from time to time.)

What’s wrong with this practice?

Every organization uses data in different ways. No matter whether the data comes from Google Analytics, cookies, trackers, form submissions, or third party tools such as HubSpot, a privacy policy is required to inform users about how your business collects and processes their behavior data.

Site owners must consider the following basic questions and disclosures:

  • Who owns the website? The business name, address, etc. Basic contact information.
  • What data does the site collect? How is it collected?
  • What is the legal basis for the collection of data? Cookie consent, for example, might relate to data necessary for your service offering, for legal obligations, etc. This is more related to the GDPR and EU Law. But even if you fall outside GDPR obligations, under many other jurisdictions, you’ll probably need to say why you’re processing the personal data of users.
  • What is the purpose of the data collection? Are you collecting data in Google Analytics or other tracking services to improve the user experience? Are you collecting data for a marketing automation campaign?
  • From what category of sources do you collect consumers’ personal information? This, too, relates especially to the California Consumer Privacy Act, or CCPA.
  • Which third parties will have access to information? Will any third parties collect data through widgets and/or integrations? Think social media, Facebook Connect, etc.
  • Will there be data transfer? Where applicable, details of cross-border/overseas data transfer and measures to facilitate this in a safe and compliant way should be transparent. EU and Australian laws explicitly require this disclosure. Additional requirements apply to cross-border transfers in the EU’s GDPR and Australia’s Privacy Principles, or APPs.
  • What rights do users have? Can users request to inspect the data you have collected from them? Can they request to rectify, erase, or block their data? Under European regulations most of this is mandatory.
  • What is the process for notifying users of any change to the policy? Through what channels of communication will you notify users of updates to the privacy policy?
  • What is the effective date of the policy? When was the policy published or updated?

If you don’t have a privacy policy, or it’s been a while since an update, examine your current policy. Two tips:

  • Use this wizard to create a free privacy policy to see whether your policy is up-to-date.
  • Have your legal team review your current policy or the updated policy you create. Use the privacy policy generator to create free policies for websites/blogs, mobile apps, eCommerce, third party tools, and more.

Terms and Conditions (or Terms of Use)

Also known as Terms of Use, this policy isn’t as prevalent as privacy policies. But depending on your organization, it can be just as important. A privacy policy protects users. Terms and Conditions protect organizations.

All who offer goods and services online should have a Terms and Conditions agreement on their website. Terms and Conditions agreements set out exactly what you'll offer your customers and what you expect from them in return.

Some basic functions of a Terms and Conditions policy:

  • Limit your liability. Especially important if you offer warranties, returns, exchanges, etc.
  • Regulate user behavior. Example: prohibition of user reuse of imagery, content, etc., without express written permission of your organization.
  • T&C agreements make it easier to prove deliberate copyright or trademark infringement and easier to favorably resolve intellectual property disputes.
  • Termination of a user’s account for abuse. No one likes to cut off a customer, but bad actors are out there.
  • The right to withhold service. Again, bad actors.
  • User trust factors. If you were buying at a site without Terms and Conditions, would you trust the site? User perception matters.

If you want to protect your brand assets and your content, explore a Terms and Conditions policy. Again, though, check with your legal department. Visit this site to see how to write terms and conditions.

Accessibility Statements

One in five Americans live with a disability, according to a variety of published reports, including the Centers for Disease Control and the U.S. Census. Why is this important in our field?

Those with disabilities often rely on assistive technologies to fully access the internet. These technologies include mouse alternatives, screen readers and unique browser preferences. Organizations that receive any federal funding, including public schools, must have accessible assistive technologies and meet other criteria, such as proper color contrast between text and background colors. International websites that target Canadians and Europeans, among other nationalities, typically must be built with accessibility in mind. Such countries often require websites to pass accessibility audits.

Recently, internet trolls have started searching for websites that are not fully compliant with WCAG 2.1 Level AA guidelines. Targeted businesses have faced lawsuits; settlements have ensued, even for entities that receive no federal funding.

The lack of a prominent Accessibility Statement attracts these trolls. Regardless of legal ramifications, it’s just good practice to make your website content accessible for all users to the best of your ability.

A challenge here is the many levels of compliance within the Web Content Accessibility Guidelines. Some of them demand significant computing power, and thus are more difficult and expensive to achieve. Furthermore, many of the guidelines have more to do with how content is maintained. Still, accessibility statements are worth it. Such a statement on your site implies good intent. It demonstrates a commitment to providing accessible content for all.

Let’s assume you have at least tried to make your website accessible. (If you’re not sure, you can always contact us for a free evaluation.)

Your accessibility statement should be prominently displayed – perhaps in the footer of your website so it can be easily seen across your site. Even if you are unsure about your current level of compliance, this statement tells users that if they can’t access or consume content for any reason, they can easily contact you for assistance. It’s a good idea to at least provide users with a dedicated email address, such as, as well as a phone number.

A public policy on your website shows your company’s commitment to universal access. This simple statement creates confidence with users. It tells them that they are an important part of your target audience.

Reference the W3C Web Accessibility Initiative website for more information on developing organizational policies on web accessibility.

Final Thoughts

Many policies beyond the three policy pillars discussed here matter to site owners and users. But this basic knowledge will go a long way to ensure protection of both your organization and your users. If both parties understand their rights and responsibilities, both can enjoy peace of digital mind.