Web Site Privacy Notices
Frequently Asked Questions
Who is responsible for developing, posting, and maintaining the privacy notice?
The policy stipulates that web site content owners and site managers have a shared responsibility for the privacy notice. This means that functional people or groups who own and/or direct the content for a site should work with the person or group that technically implements the site.
To what web sites does the policy apply? Does my web site need a privacy notice?
The policy applies to university web sites and web applications that are:
- created or maintained either by or for academic, administrative, or auxiliary units of Indiana University,
- and are accessible by individuals who are not university employees, students, or affiliates,
- regardless of whether or not the sites are hosted on university servers or external servers.
This includes the web sites of professional associations and publications that are formally hosted, maintained, or operated by faculty or staff of the university.
However, some web sites are not included in the scope such as personal home pages and student organizational web sites. Additionally, a web site is not included in scope if it requires authentication for access (i.e. a username and password) such that it cannot be accessed by someone who is not a university employee, student, or affiliate.
Although sites outside the scope of the policy are not required to have a privacy notice, they are encouraged to adhere to the terms of the policy.
Where do I put the notice on my site?
The policy requires that the privacy notice be accessible from at least the home page of the site, and on any page that actively solicits/collects visitor information, such as a page with a form on it. Some sites simply have a link to the notice in the footer of all pages.
When do I need to have this done?
The policy has a compliance date of January 28, 2012.
What's the difference between passively and actively collected visitor information?
Passively collected visitor information refers to information that is collected automatically when people visit the site. Web server log information is an example of passively collected information.
Actively collected visitor information refers to information that site visitors voluntarily provide, such as through a form, or creating a profile, or choosing account settings.
As a content owner, even if you don't actively collect visitor information, you should talk with your technical person (i.e. site manager) to see what information, if any, is collected automatically by the web server.
What should be in my privacy notice?
With respect to collected visitor information, the general principle is that you should, "say what you do and do what you say." Regardless of the actual language you use, the privacy notice should accurately reflect your practices regarding the collection and use of information from/about visitors to your site. We have developed a privacy notice generator tool to assist you in this process.