Home » Forum topics » DFNH

Privacy and consent

Charlie Friou brought up the issues of member privacy and consent on the dfanh-org mailing list. This goes to the heart of something I've been thinking about for several days: What privacy guarantees should we make to DfNH members, and what permissions should we ask for when they sign up?

Here's an outline of the privacy policy and permissions I propose.

Privacy Policy

We collect personally-identifable information about members and Web site visitors in three ways: voluntary submission, cookie technology, and traffic data.

We use personally-identifiable information to communicate with members, and to maintain the Web site and make it more responsive to users' needs.

We will use our best efforts to keep such information secure by electronic, contractual, and other procedures designed to prevent unauthorized use.

We will not share personally-identifiable information about a member or Web site user with any other person or organization, including Democracy for America or regional DfNH affiliates, without explicit consent, except under extraordinary circumstances:

We will release personally-identifiable information about a member or Web site user in order to comply with any valid legal process, such as a search warrant, subpoena, statute, or court order.

We will also release specific information in special situations, such as an attempt to breach the Web site's security, or an imminent physical threat to any person.

We may release certain aggregate information about members, the Web site, or its users for promotional, technical, or other purposes. For example, we may release the total number of registered members, the average number of users who visit the site each week, or the percentage of pages viewed by different kinds of Web browsers.

If DfNH ever changes any provision of this Privacy Policy to make it less strict, we will not apply the more lenient Policy retroactively to any personally-identifiable information collected under the stricter Policy.

If DfNH ever merges with another organization, we will require that the new organization continue to maintain personally-identifiable information collected under this Privacy Policy using a policy at least as strict as this one.

Privacy of children (needed to comply with Federal law)

We understand that children require special safeguards and privacy protection because they may not fully understand our Privacy Policy, or be able to make thoughtful decisions about the choices that are available to adult users of the Web site. We urge parents to participate in their children's exploration of the Internet, and to teach their children about protecting their personal information while online.

Users under 13 may not register with the Web site on their own. A user under 13 may be registered only by a parent or guardian.

A user under 13 may not submit information to the Web site without the consent of his or her parent or guardian.

No personally-identifiable information concerning users under 13 will be used or made available by DfNH for any marketing or promotional purposes.

To the extent that it is technically feasible to do so, we will remove from our records personally-identifiable information concerning a user under 13 if asked to do so by his or her parent or guardian.

Acceptance

By using the Web site, you signify your acceptance of this Privacy Policy. If you do not accept this Policy, please do not use the Site. Your continued use of the Site following the posting of changes to this Policy will signify your acceptance of such changes.

Permissions

I propose the following permission requests on the Web site's signup form, and on any paper form we use to sign people up at events.

  • Subscription to low-volume membership mailing list (default: yes)
  • Subscription to action alert network mailing list (default: no)
  • Share information with DFA (default: no)
  • Share information with regional DfNH affiliate (default: yes)

If you get the impression from the above that I'm a privacy Nazi, you're right. I'm happy to debate and discuss this stuff. All I ask is that we agree to adhere to both the letter and the spirit of whatever promises we make to our members in perpetuity. Every member of the Board of Directors should be required to agree in writing to uphold the Privacy Policy.

-- Roger

By roger at 05/14/2004 - 07:41 | DFNH | Privacy | Web site | login or register to post comments | previous forum topic | next forum topic

Comment viewing options

Select your preferred way to display the comments and click 'Save settings' to activate your changes.

Rethinking permissions

I've thought about this a bit more and this time I've come to somewhat different conclusions.

I think we ought to combine the initial permission requests for the low-volume membership newsletter and the action alerts. Then the alerts can say, "If you'd rather not receive these alerts, click here" and we can still send the newsletter. I'm sure this will make Jocelyn's day. Any privacy fanatics in the building have a serious problem with it?

I also don't see the need to offer an opt-out on sharing contact information with our regional groups. They are us. If "we" (state-wide DfNH) can use someone's email address to invite them to a meeting, then so can, say, the Nashua Meetup group. Of course, if someone subsequently tells us to go away, Nashua should honor that request as well.

In the other direction, I want to forget about sharing our lists with DFA. Their privacy policy says in part, "we may share your information with other like-minded Democratic candidates and organizations." Uh-uh. No way. I'm appalled.

— Roger
By roger at Wed, 05/19/2004 - 8:03pm | login or register to post comments

re-thinking permissions

sorry, I am being dense...maybe just tired...but I don't get the mechanics. User #1 signs up on the paper form at the democratic convention, or a meetup, or somewhere else, but it's on paper. Is the permission statement on that form, to which signature indicates that the privacy statement has been read and consent given? User #2 signs up at the website. Do they check a box as they fill out their webform that indicates they too have read the privacy statement and given their consent? And presumbly both have the option of opting out via email or the website at anytime....
By pglenshaw at Wed, 05/19/2004 - 8:31pm | login or register to post comments

One permission

I put a single permission on the latest form:

_____Check here if you DO NOT wish to receive email communications from Democracy for New Hampshire.

I'll put something similar on the Web site's signup form.

I don't ask people to acknowledge the privacy policy on the Web site or on the paper form. It doesn't seem necessary to me. On the paper form I said, "We will not share your personal information with other organizations without your consent." On the Web site I'll say something similar and will provide a link to the full privacy policy.

-- R.
By roger at Thu, 05/20/2004 - 11:52am | login or register to post comments

solution?

instead of having the privacy permission on the membership form on Saturday, we could send an e-mail to those people who sign up (welcoming them to the group, inviting them to visit the website, etc.) and include the privacy information there?

I just don't want to clutter the membership form too much...
By KarenLH at Thu, 05/20/2004 - 10:47am | login or register to post comments

Why default no on email action alert?

This will be a very powerful tool - If its a receive only list, then no one can spam the list and privacy is protected. Moveon.org is a recieve only list. If I send Move.on an email - it only goes to the administrator not all 2 million members. Let's set the email list up this way.
Can we set it up as default yes and make it easy for someone to unsubscribe by clicking an icon at the bottom? Many groups have this - seems to work.
For ease of use, I think all the defaults should be the same - its less confusing. Either check what you want, or check what you don't want.
By jocelyndemuth at Sun, 05/16/2004 - 8:14pm | login or register to post comments

default yes on email alert

i agree that the default should be yes on the email action alerts
- andthat users who sign up should immediately be presented with checkboxes to check or uncheck.

peace and blessings,
nancy
By ntobi at Wed, 05/19/2004 - 8:33am | login or register to post comments

privacy

roger,

i am a privacy fanatic as well. what you've got here sounds good to my untrained ear, but i totally defer on this stuff to website experts. i know there are some standard sorts of privacy policies - did you use something as a reference?

I've heard of P3P - but when i went to look that up it was pretty scary looking these days! (http://www.w3.org/P3P/)

in any case, i'd just like to be sure that we are in compliance with some sort of norms and standards.

peace and blessings,
nancy
By ntobi at Fri, 05/14/2004 - 7:41pm | login or register to post comments

Progenitors

Nancy,

I based this privacy policy on others I've written before, along with provisions lifted from policies I've admired elsewhere. (I've always suspected that this is how attorneys write contracts.)

The bits about what happens if the policy changes or the organization merges with another organization are relatively new provisions. The need for these has become clear over time. During the dot-com bust, for example, bankruptcy courts threatened to treat Web site account information as just another asset to be sold off to pay debts. Needless to say, privacy Nazis were not happy about this development and pressed for additional safeguards in privacy policies.

P3P is a can of worms I'd prefer not to open. See, e.g.:

Pretty Poor Privacy: An Assessment of P3P and Internet Privacy by the Electronic Privacy Information Center

The blather about "users under 13" came about because of the Children's Online Privacy Protection Act of 1998.

-- Roger
By roger at Fri, 05/14/2004 - 8:17pm | login or register to post comments

Cookie Technology Question

Herb Moyer

Roger, this is an exemplary outlibe of privacy and consent. The only question I have is "How might you envision DfNH would use cookie technology associated with our members" ?
By HMoyer at Fri, 05/14/2004 - 9:19am | login or register to post comments

Cookies

Herb,

There are lots of ways we might use cookies. Here are a few off the top of my head.

We could allow a user to choose to remain permanently logged into the site (a "remember me" option on login) on a non-public computer.

If we decided to sell DfNH-branded merchandise on the site we could maintain a shopping cart ID in a cookie so that users without an account on the site could build a merchandise order.

We could use a cookie to remember theme (color, font, graphics) preferences or implied interest in particular political issues for users without an account. Then when that user returns to the site we could use the chosen theme and emphasize content concerning those issues. (I'll have more to say shortly about targeting information on political issues to users who've expressed particular interests.)

-- Roger
By roger at Fri, 05/14/2004 - 3:30pm | login or register to post comments