A Privacy Policy determines how your website collects, uses, shares, and sells the personal information of site visitors.
Learn what should be included in a privacy policy and download a privacy policy template in PDF or Word format below.
What is a Privacy Policy?
A Privacy Policy is a document or statement that describes how a company gathers, uses, manages, and releases the information of customers or visitors to its website.
By accessing the company’s website, users accept that their information will be collected and disclosed as described in the company’s Privacy Policy.
A Privacy Policy may also be called:
- Privacy Statement
- Internet Privacy Policy
- Website Privacy Policy
- Privacy Notice
- Privacy Page
- Privacy Information Policy
Who Needs a Privacy Policy?
If you have an online presence, you should have a privacy policy.
Every website needs a privacy policy specifying the information you collect from your users and how you use it. A few examples of who else needs a privacy policy include:
- Blogs
- E-commerce stores
- Mobile apps
- Social media apps
Why You Need a Privacy Policy
There are several significant reasons why you need a privacy policy. Some of the biggest reasons include:
A Privacy Policy is Required by Law
One of the first reasons you need to have a strong privacy policy is that it is required by law in many places. Privacy laws have been instituted by numerous countries all over the world. They include:
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA): This act requires all websites in Canada to specify how information is circulated and exchanged online while also establishing rules that govern the collection and disclosure of personal information by websites.
- Europe’s General Data Protection Regulation (GDPR): Anyone who goes to Europe and visits a website will immediately see a pop-up prompting them to specify the cookies they are comfortable with. This law is designed to place users in control of how their information is collected and used.
- Australia’s Privacy Act: Australia also has a similar privacy act in place that requires websites to disclose how they collect and use the personal information of their visitors.
- The UK’s Data Protection Act: This act is very similar to the act in mainland Europe, and it requires websites to place users in control of how cookies are used on their computers, how their personal information is collected, and how their personal data can be used. The goal is to make sure all information is used lawfully and transparently.
- The California Online Privacy Protection Act (CalOPPA) was passed in 2004 and amended in 2013. It requires all commercial websites to have a privacy policy on their websites.
- The California Consumer Privacy Act (CCPA) applies to most businesses operating for profit in California. It gives users the right to know, the right to delete, and the right to opt out of the sale of their personal information.
A Privacy Policy is Required by Third-Party Services
It would be best if you also had a privacy policy on your website because many third-party services require you to have one. If you want your website to have access to valuable third-party services, you must have a privacy policy in place.
There are plenty of examples of third parties that require you to have a privacy policy before they will let you use their services.
Some of the top examples include:
- The Google Play Store
- Google Analytics
- Google AdSense
- Amazon Associates
- Google AdWords
- The Apple App Store
There are plenty of reasons these third-party services might require you to have a privacy policy. The biggest reason is that they will place cookies on your visitors’ computers.
Cookies allow them to track the online behavior of your visitors, but they need to make sure that they comply with federal rules and regulations as well.
If you use their services and they place cookies on your visitors’ computers without those visitors being aware of it, the third-party service could also be held liable.
Having a privacy policy lets visitors know that your third-party services may place cookies on their computers. Ideally, you should also allow visitors to opt out of this process.
You must review your privacy policy to make sure it complies with any third-party services you might use.
Increased Transparency
Finally, it would be best to have a strong privacy policy because it increases transparency. Today, consumers are more aware of how their information is collected and used.
They are less likely to use a website that appears to be dishonest, opaque, or untrustworthy.
If you have a privacy policy, you show that you are open and transparent with your visitors and can develop a stronger relationship with them.
Web browsers that promise not to collect or use personal information are already popping up. One of the most popular options is DuckDuckGo, and another one is Brave.
While some people might be okay with you collecting some information, you must ensure they know they are in control. The best way to do so is to be open and honest with a comprehensive privacy policy in place.
What is Included in a Privacy Policy?
There are several elements you should include in your privacy policy:
1. Information
A Privacy Policy will describe what information a website or app collects. In general, websites collect two types of data – personally-identifying information and non-personally-identifying information.
- Personally-identifying information is any information that, on its own, can be used to identify a specific person. Some examples of personally-identifying information include a person’s name, date of birth, address, email address, marital status, financial records, and medical history.
- Non-personally identifying information cannot be directly associated with a specific person without additional information. Some examples of non-personally identifying information include a person’s internet protocol (IP) address, browser type, and the other websites viewed before arriving at the website.
2. Collection
The Privacy Policy will also describe how the company collects personally and non-personally identifying information.
The website can collect this information in several ways. The most common methods are:
- User input: If a website requires users to register, users will usually have to provide personally-identifying information, such as their name, address, telephone number, email address, age, and/or credit card number. In addition, a website might ask for other information from the user, such as interests, gender, user name, and additional demographic information.
- Derivative data: Most websites collect non-personally identifying information that web browsers make available, including the user’s IP address, operating system, browsing history, and statistical data.
- Web cookies: Web cookies are small text files stored on a user’s computer. Each time the user sends a request to the website, the user’s web browser sends the cookie back to the website, allowing the website to keep track of users, remember important information, and customize web pages.
- Web beacons: A web beacon is a small file embedded in an email or web page that allows websites to monitor users invisibly and see whether they have viewed the content.
- Social media: If users can connect their social media accounts to the website, certain information may be disclosed by the social media network to the website.
3. Use
A Privacy Policy must also disclose how the company uses its collected information. Some of the ways websites use the information of their customers include:
- General use: In general, websites use the information they collect to provide and deliver their services and to manage and maintain the website.
- Email communications: Companies often use their customers’ names and email addresses to deliver notices and announcements to those customers.
- Analytics: Tracking and analyzing the activities of users and the traffic on a website is a helpful tool for companies. Companies often use third-party vendors to collect such tracking data on their websites. If your company uses Google Analytics to track and report website activity and traffic, Google requires you to include specific disclosures in your Privacy Policy explaining the use of these services.
4. Disclosure
Lastly, a Privacy Policy must state how the company discloses any information about its customers, including, but not limited to:
- By law: Companies will have to disclose personal information if required by law.
- Marketing: Sometimes, companies sell or give their customers’ email addresses to third parties who may send emails about additional products and services.
- Business partners and affiliates: Personal information can also be shared with business partners and affiliates.
- Third-party service providers: Companies sometimes need to share personal information with third-party service providers, such as credit card processors, that help them run the business.
Your Privacy Policy should also disclose how you keep your customers’ information safe.
Privacy Policy Sample
Here’s what a typical privacy policy looks like:
Privacy Policy Examples
There are plenty of websites that have strong privacy policies in place.
The New York Times
The privacy policy from The New York Times has several sections, including:
- What Information Do We Gather About You?
- What Are Your Rights?
- What About Links to Third Party Services?
- How Do You Protect My Information?
These section titles are straightforward questions that the privacy policy then answers. They are designed to be the common questions people might ask The New York Times about its data collection methods. Even though the privacy policy is very in-depth, the sections make it easy for people to find the information they seek.
Another privacy policy example is from Reddit. You can find the Reddit privacy policy at the bottom of their homepage, and it is also broken up into several sections. They include:
- What We Collect
- What We Collect (and How it is Used and Shared)
- Your Choices
- Your Rights
They decide not to phrase their sections in terms of questions, but the privacy policy is still laid out very clearly.
It is significantly shorter than many other privacy policies but still contains the most essential information people care about. The headers are very clear, making it easy for people to find the information they need.
Does My Website Need a Privacy Policy?
While no federal law in the United States requires that websites establish a Privacy Policy, many states and most other countries require a website that collects and stores any personal information from its users to have one.
In the United States, the Federal Trade Commission (FTC) regulates laws and policies regarding the privacy practices of businesses and the protection of their customers’ personal information. The FTC also helps to enforce federal laws concerning the privacy of customers’ information, including the following:
- Fair Credit Reporting Act (FCRA) limits companies’ ability to obtain and use a customer’s credit and background reports.
- Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices clearly and restricts the sharing and use of specific financial information.
- Health Insurance Portability and Accountability Act (HIPAA) created a “Privacy Rule” that establishes national standards for how healthcare service providers can use an individual’s protected health information.
- Children’s Online Privacy Protection Act (COPPA) requires websites that target and/or collect information from children under 13 to post a Privacy Policy that complies with the COPPA requirements and implements specific parental notice and consent requirements.
In 2012, the FTC released a report with guidance on Privacy Policy best practices for websites.
Even if your company or website is not in a jurisdiction that requires a privacy policy, the reach of your website may subject it to the laws of other states and countries.
For example, California has enacted the California Online Privacy Protection Act of 2003 (CALOPPA), which requires any website collecting personal information to have a Privacy Policy posted on its website that is easily accessible to its users.
Even if your website is not run in California, CALOPPA applies to any website that collects personal information from a California resident. Therefore, your website will likely be subject to the CALOPPA regulations.
The European Union has more established laws regarding privacy protection, including the Data Protection Directive (95/46/EC) and the E-Privacy Directive (2002/58/EC).
These directives state that the personal information of European Union residents can only be transferred to countries outside of the European Union that have policies providing adequate protection.
Therefore, if you are a website that gathers, stores, or uses personal information and data from clients and users, you should have a Privacy Policy for your website. You must also adhere to the promises and disclosures outlined in that policy.
Consequences of Not Having a Privacy Policy
If you are a company without a Privacy Policy on your website, you risk violating various laws regarding privacy disclosure and maintenance requirements and may be subject to civil and criminal lawsuits and hefty fines.
If you are a website user or client who chooses to access a website that does not have a Privacy Policy, or who fails to read the posted policy about how that website will handle your private information, you risk sharing and exposing personal information and having it end up in the hands of strangers.
Financial and social consequences can be severe if things like your credit card or social security number are leaked and circulated.
A Privacy Policy can help prevent the following for both companies and users:
| Company | User |
|---|---|
| Paying hefty fines or having your website shut down | Having your financial information shared and used for fraudulent transactions |
| Being sued by users for improper disclosure of personal information | Having your social information posted online and used for illegal activity, character assassination, or unapproved use |
| Compromising a user’s personal safety | Having your location data posted online and receiving unwanted visitors |
| Lack of trust and credibility | Skepticism and apprehension about doing continued business with a company |
Frequently Asked Questions
How often should Privacy Policies be updated?
You should review and update your privacy policy at least once a year to ensure it aligns with your current data management practices.
An outdated privacy policy can risk big lawsuits if a customer discovers their data is being used, shared, or sold differently from what your existing privacy policy outlines.
Review your privacy policy regularly, notify your customers of any changes that could impact their privacy, and ensure you comply with all data privacy regulations.
Can I copy a Privacy Policy?
No, you should not copy and use a privacy policy as your own. You must ensure your privacy policy complies with data privacy regulations and should be specific to your website’s data-handling practices.
You can use a privacy policy template to avoid copying one. This way, you only have to fill in the blanks.
Where do I display my Privacy Policy?
You should have a separate page on your website that is dedicated to your privacy policy, but you need to make it as easy as possible for your visitors to find it.
For example, you may want a link to your privacy policy from your website menu. You may also want to provide links to your privacy policy on your sign-up forms, at the bottom of most of your pages, and on the checkout page if you run an eCommerce business.
Plenty of privacy policy examples will give you ideas about where to display your privacy policy.
Is a Privacy Policy required by law?
Yes, a privacy policy is required by law under guidelines that the federal government has published. The federal government requires websites to inform visitors about how they collect, share, use, and protect their personal information.
It would be best to be open, honest, and transparent about the information you protect and follow all federal guidelines regarding how your website uses personal data.
It can be helpful to look at a free privacy policy template to ensure your business complies with all rules and regulations in your industry.
Is a Privacy Policy required by third-party services?
A privacy policy is required by many third-party services, but not every third-party service.
For example, if you are using an email newsletter service to distribute information to people on a subscription list, that service may require you to have a privacy policy before you are allowed to use it.
Because the federal government typically requires a privacy policy, third-party services should be fine with the privacy policy you have in place as long as it is compliant with all federal rules and regulations.
Do I need a Privacy Policy even if I don’t collect personal information?
Even if you do not collect personal information from your visitors, you still need a strong privacy policy.
A privacy policy will make it easier to encourage customer loyalty because they will know that your brand cares about their personal information.
A privacy policy can also help your business appear more professional and trustworthy. It does not have to be long or complicated if you don’t collect personal information.
How do I make my Privacy Policy enforceable?
To make your privacy policy enforceable, you should follow a few steps.
First, you need to make your privacy policy easy to understand. That way, there’s no room for debate regarding what the privacy policy covers. You should also update your privacy policy regularly to reflect changes in your business, protocols, and the law.
Then, do not forget to notify your users of these updates, and make sure you put an effective date on the policy.
How often do I need to update my Privacy Policy?
You should review your privacy policy at least once yearly to ensure it matches your products and services.
If there are big changes in federal rules and regulations, review your privacy policy to ensure it is still accurate.
If you plan on launching a new product or service or changing how you use visitor data, you must update your privacy policy accordingly.
Can I download a sample Privacy Policy template?
Yes, you can download a sample privacy policy template with Legal Templates.
A policy template can be a strong skeleton for your privacy policy. Do not forget to review your privacy policy from time to time to make sure nothing is overlooked.