Table of Contents
- Download a Free Privacy Policy Template
- The Basics: What is a Privacy Policy?
- When Do I Need One?
- The Consequences of Not Using One
1. Download a Free Privacy Policy Template
Click here to download your free document
2. The Basics: What is a Privacy Policy?
A Privacy Policy is a document or statement that describes how a company gathers, uses, manages, and releases the information of customers or visitors to its website. By accessing the company’s website, users accept to have to having their information collected and disclosed in accordance with the company’s Privacy Policy.
A simple Privacy Policy will identify the following basic elements:
Company: The name of the company that owns the website collecting information from its users.
Website: The URL address of the company’s website that the user will be browsing and accessing.
User’s Information: A description of the type of information that the website collects and discloses.
Collection, Use, and Disclosure: What information the company will collect , how they will collect and use the information, and when and to whom they will disclose the information.
A Privacy Policy may also be called:
- Privacy Statement
- Internet Privacy Policy
- Website Privacy Policy
- Privacy Notice
- Privacy Page
- Privacy Information Policy
Here are some helpful tips from the U.S. Small Business Administration on crafting a Privacy Policy.
What is described in a Privacy Policy?
INFORMATION
The Privacy Policy will describe what information the website collects. In general, websites collect two types of information – personally-identifying information and non-personally identifying information.
- Personally-identifying information is any information that on its own can be used to identify a specific person. Some examples of personally-identifying information include a person’s name, date of birth, address, email address, marital status, financial records, and medical history.
- Non-personally-identifying information is information that, without the aid of additional information, cannot be directly associated with a specific person. Some examples of non-personally-identifying information include a person’s internet protocol (IP) address, browser type, and location of other websites viewed before arriving at the website.
COLLECTION
The Privacy Policy will also describe how the company collects both personally-identifying information and non-personally-identifying information. This information can be collected by the website in a number of ways. The most common ways are:
User input: If a website requires users to register, users will usually have to provide personally-identifying information, such their name, address, telephone number, email address, age, and/or credit card number. In addition, a website might ask for other information from the user, such as interests, gender, user name and other demographic information.
Derivative data: Most websites collect non-personally-identifying information that web browsers make available, including the user’s IP address, operating system, browsing history, and statistical data.
Web cookies: Web cookies are small text files which are stored on a user’s computer. Each time the user submits a query to the website, the user’s web browser sends the text file back to the website, allowing the website to keep track of users, remember important information and customize web pages.
Web beacons: A web beacon is small file embedded in an email or web page that allows websites to invisibly monitor a user and see if the user has viewed their content.
Social media: If users can connect their social media accounts to the website, certain information may be disclosed by the social media network to the website.
USE
A Privacy Policy must also disclose how the company uses the information that it has collected. Some of the ways websites use the information of their customers include:
General use: In general, websites will use the information it collects to help provide and deliver the services of the website and manage and maintain the website.
Email communications: Companies will often use their customers’ names and email addresses to deliver notices and announcements to those customers.
Analytics: A helpful tool for companies is to be able to track and analyze the activities of its users and the traffic on its website. Companies can use third-party vendors to allow such tracking data on its website.
If your company uses Google Analytics to track and report website activity and traffic, you are required by Google to have specific disclosures in your Privacy Policy explaining the use of these services.
DISCLOSURE
Lastly, a Privacy Policy must state how the company discloses any information of its customers, including, but limited to:
By law: Companies will have to disclose personal information if it is required by law.
Marketing: Sometimes companies will sell or give its customers’ email addresses to third parties who may send emails about additional products and services.
Business partners and affiliates: Personal information can also be shared with business partners and affiliates.
Third party service providers: Companies will sometimes need to share personal information with third party service providers that help them with the business, such as credit card processors.
Your Privacy Policy should also disclose the methods being used to keep your customer’s information safe.
3. When Do You Need One?
While there is no federal law in the United States requiring that websites establish a Privacy Policy, many states and most other countries do require a website that collects and stores any personal information from its users to have one.
In the United States, the Federal Trade Commission (FTC) regulates laws and policies regarding the privacy practices of businesses and the protection of their customers’ personal information. The FTC also helps to enforce federal laws concerning the privacy of customers’ information, including the following:
- Fair Credit Reporting Act (FCRA), which limits how companies can obtain and use a customer’s credit and background reports.
- Gramm-Leach-Bliley Act, which requires financial institutions to clearly explain their information sharing practices and also restricts the sharing and use of specific financial information.
- Health Insurance Portability and Accountability Act (HIPAA) created a “Privacy Rule” that establishes a national set of standards of how health care service providers can use an individual’s protected health information.
- Children’s Online Privacy Protection Act (COPPA), requires websites that target and/or collect information from children under the age of 13 to post a Privacy Policy that complies with the COPPA requirements, and also implements certain parental notice and consent requirements.
Even if your company or website is not in a jurisdiction that requires a privacy policy, the reach of your website may subject it to the laws of other states and countries. For example, California, has enacted the California Online Privacy Protection Act of 2003 (CALOPPA) which requires any website collecting personal information to have a Privacy Policy posted on its website that is easily accessible to its users. Even if your website is not run from California, CALOPPA applies to any website that collects personal information from a California resident. Therefore it is likely that your website will be subject to the CALOPPA regulations.
The European Union has more established laws regarding privacy protection, including the Data Protection Directive (95/46/EC) and the E-Privacy Directive (2002/58/EC). These directives state that personal information of European Union residents can only be transferred to countries outside of the European Union that have policies with an adequate level of protection.
Although the United States is not currently on the “approved list” of countries, the EU-U.S. Privacy Shield provides a framework for U.S. companies to receive transfer of personal information from the European Union.
Therefore, if you are a website that gathers, stores, or uses personal information and data from clients and users, you should have a Privacy Policy for your website. You also need to make sure that you adhere to the promises and disclosures set forth in that policy.
A mobile application also collects personal information, and should have a Privacy Policy as well. In 2012, the California Attorney-General brought a claim against Delta Airlines seeking to impose upwards of $38 million dollars in fines after Delta failed to include a Privacy Policy in its mobile application.
4. The Consequences of Not Using One
If you are a company without a Privacy Policy on your website, you risk violating various laws regarding privacy disclosure and maintenance requirements, and may be subject to civil and criminal lawsuits and hefty fines. If you are website user or client who chooses to access a website that does not have a Privacy Policy or who fails to read the posted policy about how that website will handle your private information, you risk sharing and exposing personal information and having it end up in the hands of complete strangers. Financial and social consequences can be severe if things like your credit card or social security number are leaked and circulated.
A Privacy Policy can help prevent the following for both companies and users:
| Company | User |
|---|---|
| Paying hefty fines or having your website shut down | Having your financial information shared and used for fraudulent transactions |
| Being sued by users for improper disclosure of personal information | Having your social information posted online and used for illegal activity, character assassination, or unapproved use |
| Compromising a user’s personal safety | Having your location data posted online and receiving unwanted visitors |
| Lack of trust and credibility | Skepticism and apprehension about doing continued business with a company |
In 2012, the FTC released a report with guidance on Privacy Policy best practices for websites.
