University at Buffalo Crest.

Policy Information

Date Established: 3/19/2003
Date Last Revised: 7/22/2024
Category: Information Technology
Responsible Office: Vice President and Chief Information Officer
Responsible Executive: Vice President and Chief Information Officer

Policy Contents

Print

Website Privacy Policy

Summary

This policy explains the university’s operational practices with respect to visitor information collected from official University at Buffalo websites and associated third-party web applications.

Policy Statement

The University at Buffalo (UB, university) is committed to protecting visitors’ privacy when navigating through official University at Buffalo websites and associated third-party web applications. Visitors navigate through a majority of official UB websites and associated third-party web applications without providing personal information. However, the university implements operational practices to enhance the ease and efficiency with which visitors interact with official UB websites and associated third-party web applications.

Information Collected

UB collects information for various purposes including, but not limited to providing requested services and analyzing web traffic. Some information is collected automatically as website visitors navigate through and interact with UB websites. Other information is voluntarily provided by website visitors as they interact with UB websites. This may involve the website visitor providing information, including personal information, through various means including, but not limited to sending emails; filling out webforms, surveys, and applications; or completing financial transactions.

Automatically Collected Visitor Information

As visitors navigate through and interact with official UB websites and associated third-party web applications, the university automatically collects and stores information about visitors’ equipment, browsing actions, and patterns including:

  • User client hostname; the hostname or internet protocol address (IP address) requesting access to the university website
  • Type of browser and operating system used
  • Date and time the site was visited
  • Web pages or services accessed
  • Website visited prior to visiting UB’s website
  • Website visited after visiting UB’s website
  • If information was downloaded from UB’s website, as well as what the information was

None of the forgoing information is deemed to constitute personal information.

Additionally, the university may automatically collect the following personal information:

  • UBITName is logged when accessing a page on official UB websites or associated third-party web applications requiring authentication
  • Client username, if not blocked from the web browser or computer

Beacons, Cookies, and Tracking Codes

The university installs tracking codes or beacons on official UB websites and associated third-party web applications.

Cookies

The university uses session and persistent cookie technology on official UB websites and associated third-party web applications. Refusing or deleting cookies may limit features of official UB websites and associated third-party web applications.

In some cases, third-party advertising and marketing providers capture visitor information on behalf of the university. Examples of information captured by third-party service providers include:

  • Content viewed during the website visit
  • Date and time of the website visit
  • Amount of time spent on the website
  • Visitor geographic location based on IP address
  • Demographic information
  • Search terms entered on the UB websites

Use of Automatically Collected Visitor Information

Automatically collected visitor information is used to:

  • Improve the content and function of UB’s websites
  • Analyze visitor engagement
  • Conduct statistical analysis of website traffic and usage
  • Analyze visitor interests and behaviors
  • Detect attempts to damage or gain unauthorized access to the website and UB’s associated computer systems
  • Identify candidates and profiles for re-engagement and outreach efforts; this may include more targeted advertising and remarketing programs, performing troubleshooting and root cause analysis, and offering relevant information about services, events, research, and educational offerings to better connect with UB’s constituent audiences and the global community

The university is not authorized to sell or otherwise disclose the information collected from the website for non-university commercial marketing purposes.

Visitor Provided Information

When interacting with the university’s website, visitors may be asked to provide information for certain articulated purposes, such as when responding to a survey, registering for a program, or completing other similar transactions. A visitor may choose not to complete such actions. Not completing these actions may prohibit the ability to receive specific services or products through official UB websites or associated third-party web applications. The choice to not complete these actions does not adversely affect a visitor’s ability to take advantage of other features of a website, including some browsing and downloading, or from accessing requested information by other means.

Information Collected

Website Transactions

Website transactions include visitor-initiated actions such as filling out and submitting:

  • Survey responses
  • Registration or application forms
  • Financial or business transactions
  • Requests for authenticated file access
Email

Visitor email addresses may be used to send information, respond to inquiries and/or other requests or authorizations. UB will not share, sell, or otherwise authorize any third party to use a visitor’s email address for commercial purposes without prior permission.

While navigating through official UB websites and third-party web applications associated with the university, a visitor may send an email to UB. The visitor’s email address and message content (including attachments) are collected. This information is used to:  

  • Respond to the email
  • Address issues identified in the email
  • Forward the information to another State University of New York or State agency for appropriate action
  • Improve official UB websites and third-party web applications associated with the university

Visitor email addresses are not collected for non-university commercial purposes.

Use of Visitor Provided Information

Voluntarily provided information, including personal information, is used for operational and business functions. Functions include the provision of goods, services, and information. UB retains the right to disclose voluntarily provided information to third parties for purposes reasonably ascertained from the nature and terms of the transaction in which the information was submitted. Additionally, visitor provided information may be used for analytical and statistical purposes, including improving the quality of the website.

The university is not authorized to sell or otherwise disclose the information collected from the website for non-university commercial marketing purposes. Visitor collected information is retained only for as long as required by university policy or as required by law.

Disclosure of Information Collected Through UB Websites

UB only collects and discloses personal information collected through official UB websites or associated third-party web applications if the visitor consents to the collection or disclosure of this information. A visitor’s voluntary disclosure of personal information, whether solicited or unsolicited, constitutes consent to UB’s collection and disclosure of the information for the purposes for which the visitor disclosed the information to UB.

UB retains the right to collect or disclose personal information without consent if the collection or disclosure meets one of the following criteria:

  1. Necessary to perform the statutory duties of the university, or necessary for UB to operate a program authorized by law, or authorized by state or federal statute or regulation;
  2. Made pursuant to a court order or by law;
  3. For the purpose of validating the identity of the visitor; or
  4. Of information to be used solely for statistical purposes that is in a form that cannot be used to identify any particular person.

Disclosure of information, including personal information, collected through UB websites, or associated third-party applications is subject to the provisions of the New York State Freedom of Information Law and the New York State Personal Privacy Protection Law

Records Retention

UB internet service logs are automatically produced electronic files which monitor access and use of the university’s website services. UB retains automated log data collected in accordance with university policy. Log data is retained only for as long as required by university policy or as required by law. Access to automated log data is restricted. 

Access To and Correction of Personal Information Collected Through UB Websites

Visitors to official UB websites or associated third-party web applications may submit a request to the university’s privacy compliance officer to determine if personal information was collected while navigating UB websites. Requests must be made in writing to the Privacy Compliance Officer and must be accompanied by reasonable proof of identity of the user. Reasonable proof of identity may include verification of a signature, inclusion of an identifier generally known only to the user, or similar appropriate identification.

Within five business days of receipt of a proper request, the privacy compliance officer will:

  • Provide access to the personal information;
  • Deny access to the personal information in writing with an explanation of why the request is denied;
  • Acknowledge receipt of the request in writing, stating the approximate date when the request will be granted or denied, provided that the date specified will not be more than 30 days from the date of the acknowledgement. If UB determines that it has collected personal information pertaining to a user through UB websites and that information is to be provided to the user pursuant to the user’s request, the privacy compliance officer will inform the user of their right to request that the personal information be amended or corrected under applicable law.

Information Protection

UB is committed to protecting personal and private information against unauthorized access, use, or disclosure. UB monitors system traffic to identify unauthorized attempts to upload or change information or attempts to damage official UB websites and associated third-party web applications for website security purposes. UB limits employee access to personal and private information collected through its websites to employees who need access to perform their official duties. Employees with access to such information follow appropriate university procedures and adhere to applicable university and State information security policies.

The university has implemented reasonable security measures to safeguard the integrity of its information technology assets, including, but not limited to, authenticating, monitoring, auditing, and encrypting. Security procedures have been integrated into the design, implementation, and day-to-day operations of UB websites and associated third-party applications as part of the university’s continuing commitment to the security of electronic content as well as the electronic transmission of information under UB control. However, no method of transmission over the internet or method of electronic storage is one-hundred percent secure.

Children Under 13

UB does not knowingly collect personal information from minors or create profiles of minors through official UB websites or associated third-party web applications. Visitors are cautioned that the collection of personal information will be treated as though it was submitted by an adult, and may, unless exempted from access by federal or state law, be subject to public access. UB strongly encourages parents, guardians, educators, and teachers to be involved in a child’s internet activities and to provide guidance whenever children are asked to provide personal information online.

Background

This policy informs visitors to official UB websites and associated third-party web applications about the technical information collected during their session. This policy also identifies and describes how personal information may or may not be collected while navigating on official UB websites and associated third-party websites.

Growth of privacy-related regulations and personal interest among visitors drive the increased demand for such policies, particularly on free consumer-oriented websites where visitors may not be aware their information is collected and used or sold for profit. Some examples include free web search portals, social media platforms, and personal email services. However, university websites typically do not engage in such behavior because individuals are not visiting for consumer-aimed free services.

This policy is focused on technical or mechanical aspects of information being exchanged to render website content. Other types of website privacy notices may include pop-ups about cookies, personal privacy policies, and notices of other privacy practices. These notices may detail additional information sharing or disclosure. 

Applicability

This policy applies to:

  • Information the university collects on its websites and associated third-party web applications
  • Information visitors provide to UB through its website and associated third-party web applications
  • Information collected by UB offline or through other means, including on any other website operated by UB or any third-party, or to any third-party applications or content that may link to or be accessible from or through UB’s website

This policy is to be observed in conjunction with any future or previously existing departmental privacy policies.

Definitions

Cookies

A small file stored on a visitor’s device, either temporarily for that session (session cookie) or permanently on the hard disk (persistent cookie). Cookies provide a way for the website to recognize visitors and keep track of the visitor’s preferences.

Official University at Buffalo (UB) Websites

Online content, both publicly accessible as well as material behind an authentication layer, owned or controlled by the university's formal academic and administrative units. These sites typically reside in, or resolve to, the buffalo.edu domain (though some may not, examples of such websites include but are not limited to, ubbulls.com, ubcfa.org, myubcard.com) and may serve any (or all) of the university's stakeholders.

Personal Information

Personal information means any information concerning a natural person which, because of name, number, symbol, mark, or other identifier, can be used to identify that natural person.

Third-Party Web Applications

Vendor-created, -provided, or -hosted technology solution that conducts official business for, or provides official service(s) to, the university or its constituents through an explicit contractual relationship.

Tracking Codes or Beacons

An often-transparent graphic image, usually no larger than 1-pixel x 1 pixel, placed on a website or in an email that is used to monitor the behavior of the user visiting the website or sending the email. Tracking codes or beacons do not contain personally identifiable information. Tracking codes collect traffic data and click information. This information is used to prioritize tasks, record visitor-specific web traffic, and associate web traffic history with unique visitors. A tracking code is a snippet of JavaScript code that tracks the activity of a website user by collecting data and sending it to Google Analytics to inform effectiveness of website performance. A beacon is another form of tracking that confirms content has been accessed by a user.

Visitor

Natural person who uses the internet to access official UB websites and third-party websites associated with the university. 

Responsibility

Enrollment Management

  • Provide the link to this policy in all Enrollment Management website and application footers.

Privacy Compliance Officer

  • Make decisions about records disclosure in accordance with applicable laws.
  • Respond to the UB community about inquiries or complaints.

University Communications

  • Promote awareness of this policy through established university communications channels, and demonstration of best practices.
  • Provide a link to the Website Privacy Policy in all UB website footers.

Procurement

  • Determine that all contracts (purchases) with third-party platform providers include verbiage about compliance with this policy. This may include specific language that addresses vendor practices with respect to additional data collection, including financial data.

Visitor

  • Report practices that seem to be contrary to this policy to the Privacy Compliance Office.
  • Control security settings on the device(s) used to visit official UB websites and third-party applications associated with the university; this includes, but is not limited to cookie settings to allow, refuse, or delete cookies. 

Vice President and Chief Information Officer

  • Oversee all components of UB information technology.

Contact Information

Contact An Expert
Contact Phone Email
Information Security Office - Privacy Contact 716-645-6997 privacy@buffalo.edu
Privacy Compliance Officer
  ubfoil@buffalo.edu
Vice President and Chief Information Officer
716-645-7979 cio@buffalo.edu

Related Information

University Links

Related Links

History

Policy Revision History
July 2024 Full review. Updated the policy to:
● Revise the following sections:
   ▫ Automatically Collected Visitor Information - update the list of automatically collected visitor information and clarify that this is not personal information
   ▫ Tracking Codes or Beacons - add examples of information captured by third-party service providers
   ▫ Records Retention - specify that log data is retained in accordance with university policy and law
   ▫ Information Protection - specify that UB limits employee access to personal and private information and requires employees to follow appropriate security procedures
● Add the following sections:
  ▫ Use of Automatically Collected Visitor Information
  ▫ Visitor Provided Information
● Specify the process for submiting a request to determine if personal information was collected while navigating UB websites (Access To and Correction of Personal Information Collected Through UB Websites section)
● Revise the Applicability section to provide additional details about the information this policy applies to and remove the reference to mobile applications
● Revise the definition of Cookies to include details about session cookies and persistent cookies
January 2020 Full review. Updated the policy to:
● Change the policy name from Privacy Policy to Website Privacy Policy
● Revise the policy statement to confirm the university's commitment to protecting visitor privacy when navigating through official UB websites and associated third-party web applications
● Add information about tracking codes or beacons
● Revise the retention period of automated log data from 180 days to a minimum of 92 days
● Add the Background section
● Revise the Applicability section to specify that the policy:
   ▫ Applies to visitors navigating official UB websites and associated third-party applications
   ▫ Excludes mobile applications
● Add definitions for Cookies, Official University at Buffalo Websites, Third-Party Web Applications, Tracking Codes or Beacons, and Visitor
● Delete the definition of User
● Add the Responsibility section and specify responsibilities for Enrollment Management, Privacy Compliance Officer, University Communications, Procurement, Visitors, and the Vice President and Chief Information Officer

Presidential Approval

Signed by President Satish K. Tripathi

Satish K. Tripathi, President

7/22/2024