Last updated February 5, 2026

Privacy Policies and Consent Forms for Therapy Websites

Every therapy website that collects any user information, whether through contact forms, analytics, cookies, or scheduling widgets, needs a privacy policy. Beyond legal compliance, a clear privacy policy demonstrates your commitment to protecting the people who visit your website, which is especially important given the sensitive nature of mental health services. This guide covers what your privacy policy should include and the consent mechanisms your website needs.

What to Include in Your Privacy Policy

Your privacy policy should cover what personal information you collect (names, email addresses, phone numbers, IP addresses, browsing data), how you collect it (forms, cookies, analytics), why you collect it (to respond to inquiries, to improve your website, to deliver advertising), who has access to the information (your staff, your hosting provider, analytics platforms, advertising networks), how long you retain the information, what security measures protect the information, and how users can request access to or deletion of their data. Write in plain, accessible language rather than dense legal jargon.

Cookie Consent

If your website uses cookies, including analytics tracking, advertising pixels, or social media embeds, you should implement a cookie consent banner. For GDPR compliance (relevant if any visitors could be in the EU), consent must be obtained before non-essential cookies are loaded. For CCPA compliance (California visitors), users must be informed about cookie usage and given the option to opt out. A compliant cookie consent banner explains what cookies your site uses, categorizes them (necessary, analytics, marketing), allows visitors to accept or reject non-essential cookies, and actually prevents non-essential cookies from loading until consent is given.
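The last requirement in that paragraph, that non-essential scripts do not run until the visitor has consented, is the one most banners get wrong: the banner appears, but the analytics tag was already loaded in the page head. The following is an added example, not code from the original article or from any consent vendor, of a small consent gate that enforces that rule. Script loaders are registered under a category; only the "necessary" category runs immediately, the rest wait for a stored consent record. The names `createConsentGate`, `POLICY_VERSION`, the `cookie-consent` storage key and the `memoryStorage` stand-in are this example's own assumptions; in a real page you would pass `window.localStorage` as the storage and `navigator.globalPrivacyControl === true` as the `gpc` flag.

```javascript
// Added example (not from the original article): a minimal consent gate that keeps
// non-essential scripts from loading until the visitor opts in. Storage and script
// loaders are injected so the same logic runs in Node for testing and in a browser.

const POLICY_VERSION = '2026-02-05'; // assumed: bump when the cookie policy changes;
                                     // consent stored under an older version is ignored
const STORAGE_KEY = 'cookie-consent'; // assumed storage key
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

function createConsentGate({ storage, now = () => Date.now(), gpc = false }) {
  const loaders = { necessary: [], analytics: [], marketing: [] };
  const loaded = new Set();

  // Read stored consent. Missing, malformed, or stale-version records all mean
  // "not answered yet", so the banner is shown again after a policy update.
  function readConsent() {
    try {
      const raw = storage.getItem(STORAGE_KEY);
      if (!raw) return null;
      const saved = JSON.parse(raw);
      if (saved.version !== POLICY_VERSION) return null;
      return saved;
    } catch (e) {
      return null;
    }
  }

  // Run every loader in a category exactly once, however often consent is re-saved.
  function run(category) {
    for (const [name, fn] of loaders[category]) {
      if (loaded.has(name)) continue;
      loaded.add(name);
      fn();
    }
  }

  return {
    // Register a script loader under a category. Only "necessary" scripts, or
    // categories the visitor has already granted, run at registration time.
    register(category, name, fn) {
      if (!CATEGORIES.includes(category)) throw new Error('unknown category ' + category);
      loaders[category].push([name, fn]);
      if (category === 'necessary' || this.granted(category)) run(category);
    },
    granted(category) {
      if (category === 'necessary') return true;
      const c = readConsent();
      return !!(c && c.choices && c.choices[category]);
    },
    needsBanner() { return readConsent() === null; },
    // Persist the visitor's choices, then load only what was granted. A Global
    // Privacy Control signal is treated as an opt-out of marketing cookies.
    save(choices) {
      const record = {
        version: POLICY_VERSION,
        timestamp: now(),
        choices: { analytics: !!choices.analytics, marketing: !!choices.marketing && !gpc },
      };
      storage.setItem(STORAGE_KEY, JSON.stringify(record));
      for (const cat of ['analytics', 'marketing']) if (record.choices[cat]) run(cat);
      return record;
    },
    acceptAll() { return this.save({ analytics: true, marketing: true }); },
    rejectAll() { return this.save({}); },
    loadedScripts() { return [...loaded]; },
  };
}

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Constructed walkthrough: a first visit where the visitor grants analytics only.
function demo() {
  const events = [];
  const gate = createConsentGate({ storage: memoryStorage(), now: () => 1770000000000 });
  gate.register('necessary', 'csrf-token', () => events.push('csrf-token'));
  gate.register('analytics', 'analytics.js', () => events.push('analytics.js'));
  gate.register('marketing', 'ad-pixel.js', () => events.push('ad-pixel.js'));
  const before = [...events];   // only the necessary script has run so far
  gate.save({ analytics: true });
  return { before, after: [...events], needsBanner: gate.needsBanner() };
}
```

The loaders would normally insert a `<script>` element for the analytics or advertising tag; the point of the design is that the tag is never in the page markup at all, so a visitor who closes the banner or clicks reject leaves no third-party cookie behind. Storing the policy version with the consent record is what lets you honour the "date your policy" advice later in this guide: when the policy changes, old consent stops counting and the banner reappears.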

GDPR Considerations

If your website is accessible to visitors in the European Union, GDPR applies regardless of where your practice is located. Key GDPR requirements include obtaining explicit consent before collecting personal data, providing a clear privacy policy explaining data processing, enabling users to access, correct, and delete their personal data, reporting data breaches within 72 hours, and appointing a data protection officer if processing large amounts of sensitive data. While most solo therapy practices in the US have minimal GDPR exposure, telehealth practices serving international clients should take GDPR seriously.

CCPA and State Privacy Laws

The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), give consumers the right to know what personal information businesses collect about them, request deletion of their data, opt out of the sale of their information, and not be discriminated against for exercising their privacy rights. Other states including Virginia, Colorado, Connecticut, and Utah have enacted similar laws. If you serve clients in any of these states, ensure your privacy practices comply with the applicable laws.

Distinguishing Website Privacy from Clinical Confidentiality

Your website privacy policy covers how you handle information collected through your website. Your clinical confidentiality policies, outlined in your informed consent and HIPAA Notice of Privacy Practices, cover how you handle protected health information in the therapeutic relationship. These are separate documents with different legal foundations. Make this distinction clear so that visitors understand which policies apply to their website interaction versus their clinical relationship, and make both documents accessible on your site where appropriate.

Legal Review and Updates

Have your privacy policy reviewed by a healthcare attorney who understands both general privacy law and HIPAA. Update your privacy policy whenever you add new functionality to your website that collects data, change analytics or advertising platforms, expand to new states or countries, or become aware of new privacy regulations. Date your privacy policy so visitors can see when it was last updated. A current, comprehensive privacy policy protects your practice legally and builds trust with the people visiting your website during some of their most vulnerable moments.
