A Privacy Policy describes how your website collects, uses, shares, and sells the personal information of site visitors. Learn what should be included in a privacy policy and download a privacy policy template in PDF or Word format below.
What is a Privacy Policy?
A Privacy Policy is a document or statement that describes how a company gathers, uses, manages, and releases the information of customers or visitors to its website. By accessing the company’s website, users consent to having their information collected and disclosed in accordance with the company’s Privacy Policy.
A Privacy Policy may also be called:
- Privacy Statement
- Internet Privacy Policy
- Website Privacy Policy
- Privacy Notice
- Privacy Page
- Privacy Information Policy
Who Needs a Privacy Policy?
If you have an online presence, you should have a privacy policy in place. Just about every website needs a privacy policy that specifies what information you collect from your users and how you use it. A few examples of who needs a privacy policy include:
- Blogs
- E-commerce stores
- Mobile apps
- Social media apps
Why You Need a Privacy Policy
There are several significant reasons why you need a privacy policy. Some of the biggest reasons include:
A Privacy Policy is Required by Law
One of the first reasons you need a strong privacy policy is that it is required by law in many places. Privacy laws have been enacted by numerous countries around the world. They include:
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA): This act governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity, and requires them to make their privacy practices readily available. A website that collects personal information therefore needs a policy that explains what it collects, why, and with whom it is shared.
- Europe’s General Data Protection Regulation (GDPR): Anyone visiting a website from within the EU will usually be met with a banner asking which cookies they accept. That consent prompt comes from the ePrivacy Directive; the GDPR itself requires you to tell users, at the point of collection, what personal data you process, on what legal basis, for how long, with whom it is shared, and what rights they have. The law is designed to put users in control of how their information is collected and used.
- Australia’s Privacy Act: The Privacy Act 1988 likewise requires the organisations it covers to maintain a clearly expressed, up-to-date privacy policy explaining what personal information they collect, how they collect and hold it, and how they use and disclose it.
- The UK’s Data Protection Act: The Data Protection Act 2018, together with the UK GDPR, closely mirrors the EU regime. It requires websites to tell users how their personal information is collected and used and to process it lawfully and transparently; the separate Privacy and Electronic Communications Regulations (PECR) require consent before non-essential cookies are stored on a visitor’s device.
- The California Online Privacy Protection Act (CalOPPA): Enacted in 2003, in force since 2004, and amended in 2013 to require disclosure of how a site responds to “Do Not Track” signals, it requires any commercial website or online service that collects personally identifiable information from California residents to conspicuously post a privacy policy.
- The California Consumer Privacy Act (CCPA): This act applies to for-profit businesses doing business in California that meet its revenue or data-volume thresholds. It gives consumers the right to know what personal information is collected about them, the right to delete it, and the right to opt out of its sale (and, since the CPRA amendments, its sharing for cross-context advertising).
A Privacy Policy is Required by Third-Party Services
You should also have a privacy policy because many third-party services require one as a condition of use. If you want access to these services, you must have a privacy policy in place. Some of the top examples include:
- The Google Play Store
- Google Analytics
- Google AdSense
- Amazon Associates
- Google AdWords
- The Apple App Store
The main reason these third-party services require a privacy policy is that they set cookies and collect identifiers on your visitors’ devices. Cookies let them track your visitors’ online behaviour, and the services themselves must comply with the privacy laws described above.
If you use their services and they place cookies on your visitors’ computers without the visitors being told, the service could be held liable alongside you. A privacy policy tells your visitors that the third-party services you use may place cookies on their computers. Ideally, you should also give visitors a way to opt out. Review your privacy policy against the terms of every third-party service you use, since several of them prescribe specific disclosures.
Increased Transparency
Finally, you should also have a strong privacy policy in place because it leads to increased transparency. Today, consumers are more aware of how their information is collected and used. They are less likely to use a website that appears to be dishonest, opaque, or untrustworthy. If you have a privacy policy in place, you show that you are open and transparent with your visitors, and you can develop a stronger relationship with them.
Privacy-focused search engines and browsers that promise not to collect or use personal information, such as DuckDuckGo and Brave, have already gained a large following. While some people may be fine with you collecting some information, they need to know that they are in control. The best way to show that is to be open and honest with a comprehensive privacy policy in place.
What is Included in a Privacy Policy?
There are a number of elements you should include in your privacy policy:
1. Information
A Privacy Policy will describe what information a website or app collects. In general, websites collect two types of information – personally-identifying information and non-personally-identifying information.
- Personally-identifying information is any information that on its own can be used to identify a specific person. Some examples of personally-identifying information include a person’s name, date of birth, address, email address, marital status, financial records, and medical history.
- Non-personally identifying information is information that, without additional information, cannot be directly associated with a specific person. Examples commonly cited include a person’s internet protocol (IP) address, browser type, and the referring page they arrived from. Note that this split is a US convention: under the GDPR, online identifiers such as IP addresses and cookie IDs are themselves personal data, so treat them as such if you have European visitors.
2. Collection
The Privacy Policy will also describe how the company collects both personally-identifying information and non-personally-identifying information. This information can be collected by the website in a number of ways. The most common ways are:
User input: If a website requires users to register, users will usually have to provide personally-identifying information, such as their name, address, telephone number, email address, age, and/or credit card number. In addition, a website might ask for other information from the user, such as interests, gender, user name, and other demographic information.
Derivative data: Most websites also collect non-personally identifying information that web browsers send with every request, including the user’s IP address, browser and operating system (from the User-Agent header), preferred language, and the page that referred them (the Referer header). Browsers do not send a user’s browsing history; the statistical data a site reports is derived from these per-request fields.
Web cookies: Web cookies are small pieces of data that a website stores in the user’s browser. With every subsequent request to that site, the browser sends the cookie back, allowing the website to recognise returning users, remember settings, and customise pages. Cookies set by embedded third-party services (analytics, advertising) work the same way but are sent back to the third party’s servers, which is why those services want their use disclosed.
Web beacons: A web beacon (tracking pixel) is a tiny, usually invisible image embedded in an email or web page. Opening the email or loading the page makes the client fetch the image from the tracking server, which records that the content was viewed, along with the request’s IP address, user agent, and any identifier encoded in the image URL.
Social media: If users can connect their social media accounts to the website, certain information may be disclosed by the social media network to the website.
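To make the collection categories above concrete, here is an added example (not part of the original article) that takes one constructed page-view request and one constructed tracking-pixel fetch and sorts what the server receives into derivative data, cookies, and beacon data, then checks the visitor’s stored consent choice before analytics would be loaded. The requests, IP addresses, cookie names and the cookie-to-service map are all assumptions made up for illustration.

```python
"""Added example: what one page view and one e-mail tracking-pixel fetch hand to a
web server, grouped by the collection categories a privacy policy must disclose.
All requests, IPs and cookie names below are constructed sample data."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a returning visitor loads a page after clicking a search result.
PAGE_REQUEST = (
    "GET /account/settings?ref=newsletter HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0\r\n"
    "Accept-Language: de-DE,de;q=0.8\r\n"
    "Referer: https://search.example/results?q=winter+boots\r\n"
    "Cookie: session=a1b2c3; _ga=GA1.2.9876.54321; consent=analytics\r\n"
    "\r\n"
)
PAGE_CLIENT_IP = "203.0.113.42"  # documentation address, constructed

# Constructed sample: a mail client fetches the 1x1 pixel embedded in a newsletter.
BEACON_REQUEST = (
    "GET /open.gif?campaign=spring-sale&rcpt=7f3a9c HTTP/1.1\r\n"
    "Host: track.example\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X)\r\n"
    "\r\n"
)
BEACON_CLIENT_IP = "198.51.100.7"  # documentation address, constructed

# Assumed mapping of cookie names to who set them (illustrative only).
COOKIE_SOURCES = {"session": "first-party", "consent": "first-party", "_ga": "Google Analytics"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header_value):
    """Parse a Cookie request header ('a=1; b=2') into a dict."""
    cookies = {}
    for pair in header_value.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def classify_page_view(raw, client_ip):
    """Group what a page view yields into 'derivative data' and 'cookies'."""
    _method, path, headers = parse_request(raw)
    referer = headers.get("referer", "")
    cookies = parse_cookies(headers.get("cookie", ""))
    return {
        "path": path,
        # Derivative data: volunteered by the browser on every request. No browsing
        # history arrives; Referer reveals only the immediately preceding page.
        "derivative": {
            "ip": client_ip,
            "user_agent": headers.get("user-agent", ""),
            "language": headers.get("accept-language", ""),
            "referrer": referer,
            "referrer_host": urlsplit(referer).hostname if referer else None,
        },
        "cookies": cookies,
        "cookie_sources": {name: COOKIE_SOURCES.get(name, "unknown") for name in cookies},
    }


def analytics_allowed(view):
    """Honour the visitor's stored choice: load analytics only if the consent cookie lists it."""
    choices = view["cookies"].get("consent", "").split(",")
    return "analytics" in choices


def classify_beacon(raw, client_ip):
    """What one tracking-pixel fetch reveals: which mail was opened, by whom, from where."""
    _method, path, headers = parse_request(raw)
    query = parse_qs(urlsplit(path).query)
    return {
        "campaign": query.get("campaign", [None])[0],
        "recipient_token": query.get("rcpt", [None])[0],  # ties the open to one mailbox
        "ip": client_ip,
        "user_agent": headers.get("user-agent", ""),
    }


def gdpr_personal_data(view):
    """Fields a GDPR-style regime treats as personal data even though a US-style split
    calls them non-identifying: the IP address and every cookie that carries an identifier
    (the consent cookie is assumed to hold only a preference, not a unique value)."""
    return ["ip"] + [f"cookie:{name}" for name in view["cookies"] if name != "consent"]


if __name__ == "__main__":
    import json
    view = classify_page_view(PAGE_REQUEST, PAGE_CLIENT_IP)
    print(json.dumps(view, indent=2))
    print("analytics allowed:", analytics_allowed(view))
    print("GDPR personal data:", gdpr_personal_data(view))
    print(json.dumps(classify_beacon(BEACON_REQUEST, BEACON_CLIENT_IP), indent=2))
```

Run it to see that a single page view already delivers an IP address, a browser fingerprint, the search query the visitor came from, a first-party session identifier and a third-party analytics identifier; every one of those belongs in the “what we collect” section, and the consent check is the kind of opt-out the third-party services section above asks for.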
3. Use
A Privacy Policy must also disclose how the company uses the information that it has collected. Some of the ways websites use the information of their customers include:
General use: Websites use the information they collect to provide and deliver their services and to manage and maintain the site.
Email communications: Companies will often use their customers’ names and email addresses to deliver notices and announcements to those customers.
Analytics: Companies track and analyse user activity and traffic on their websites, often through third-party vendors whose scripts collect this tracking data on the company’s behalf.
If your company uses Google Analytics to track and report website activity and traffic, you are required by Google to have specific disclosures in your Privacy Policy explaining the use of these services.
4. Disclosure
Lastly, a Privacy Policy must state how the company discloses its customers’ information, including, but not limited to:
By law: Companies will have to disclose personal information if it is required by law.
Marketing: Some companies sell or give their customers’ email addresses to third parties who then send emails about additional products and services. This is exactly the kind of sharing that laws such as the CCPA require you to disclose and let users opt out of.
Business partners and affiliates: Personal information can also be shared with business partners and affiliates.
Third-party service providers: Companies will sometimes need to share personal information with third-party service providers that help them with the business, such as credit card processors.
Your Privacy Policy should also describe the methods used to keep your customers’ information safe, such as encryption in transit and access controls. Describe only measures you actually operate: the FTC has brought deceptive-practice actions against companies whose policies promised more security than they had implemented.
Example Privacy Policies
There are plenty of websites that have strong privacy policies in place.
The New York Times
The privacy policy from The New York Times has several sections, including:
- What Information Do We Gather About You?
- What Are Your Rights?
- What About Links to Third Party Services?
- How Do You Protect My Information?
These sections have very clear questions that the privacy policy then answers. These are designed to be common questions that people might ask The New York Times about their data collection methods. Even though the privacy policy is very in-depth, the sections make it easy for people to find the information they are looking for.
Another privacy policy example is from Reddit. You can find the Reddit privacy policy at the bottom of their homepage, and it is also broken up into several sections. They include:
- What We Collect
- What We Collect (and How it is Used and Shared)
- Your Choices
- Your Rights
They chose not to phrase their sections as questions, but the privacy policy is still laid out very clearly. It is significantly shorter than many other privacy policies, yet it still contains the information people care about most. The headers are clear, making it easy for people to find what they need.
Does My Website Need a Privacy Policy?
While there is no federal law in the United States requiring that websites establish a Privacy Policy, many states, and most other countries, require a website that collects and stores any personal information from its users to have one.
In the United States, the Federal Trade Commission (FTC) enforces laws and policies regarding the privacy practices of businesses and the protection of their customers’ personal information, and treats a privacy policy that misstates a company’s actual practices as a deceptive act. The FTC also helps to enforce federal laws concerning the privacy of customers’ information, including the following:
- Fair Credit Reporting Act (FCRA): limits how companies can obtain and use a customer’s credit and background reports.
- Gramm-Leach-Bliley Act (GLBA): requires financial institutions to clearly explain their information-sharing practices and restricts the sharing and use of specific financial information.
- Health Insurance Portability and Accountability Act (HIPAA): its “Privacy Rule” establishes national standards for how covered entities, such as health care providers and insurers, may use and disclose an individual’s protected health information.
- Children’s Online Privacy Protection Act (COPPA): requires websites that target and/or collect information from children under the age of 13 to post a Privacy Policy that complies with the COPPA requirements and to implement certain parental notice and consent requirements.
In 2012, the FTC released a report with guidance on Privacy Policy best practices for websites.
Even if your company or website is not in a jurisdiction that requires a privacy policy, the reach of your website may subject it to the laws of other states and countries. For example, California has enacted the California Online Privacy Protection Act of 2003 (CALOPPA) which requires any website collecting personal information to have a Privacy Policy posted on its website that is easily accessible to its users. Even if your website is not run in California, CALOPPA applies to any website that collects personal information from a California resident. Therefore it is likely that your website will be subject to the CALOPPA regulations.
The European Union has long-established privacy laws. The original framework was the Data Protection Directive (95/46/EC) and the E-Privacy Directive (2002/58/EC); the Data Protection Directive was replaced by the GDPR in 2018, while the E-Privacy Directive remains in force. Under these rules, the personal information of European Union residents can only be transferred to countries outside the EU that provide an adequate level of protection, or under approved safeguards such as standard contractual clauses.
Therefore, if you are a website that gathers, stores, or uses personal information and data from clients and users, you should have a Privacy Policy for your website. You also need to make sure that you adhere to the promises and disclosures set forth in that policy.
Consequences of Not Having a Privacy Policy
If your company has no Privacy Policy on its website, you risk violating privacy disclosure and maintenance laws and may face civil lawsuits, regulatory enforcement, and hefty fines.
If you are a website user or client who chooses to access a website that does not have a Privacy Policy or who fails to read the posted policy about how that website will handle your private information, you risk sharing and exposing personal information and having it end up in the hands of complete strangers. Financial and social consequences can be severe if things like your credit card or social security number are leaked and circulated.
A Privacy Policy can help prevent the following for both companies and users:
Company | User |
---|---|
Paying hefty fines or having your website shut down | Having your financial information shared and used for fraudulent transactions |
Being sued by users for improper disclosure of personal information | Having your social information posted online and used for illegal activity, character assassination, or unapproved use |
Compromising a user’s personal safety | Having your location data posted online and receiving unwanted visitors |
Lack of trust and credibility | Skepticism and apprehension about doing continued business with a company |
Privacy Policy FAQs
How often should Privacy Policies be updated?
You should review and update your privacy policy at least once a year to make sure it’s in line with your current data management practices.
An outdated privacy policy invites lawsuits and enforcement if a customer discovers their data is being used, shared, or sold differently from what the policy states.
Review your privacy policy regularly, notify your customers of any changes that could impact their privacy, and ensure you stay compliant with all data privacy regulations.
Can I copy a Privacy Policy?
No, you should not copy another company’s privacy policy and use it as your own. Your privacy policy must be compliant with data privacy regulations and specific to your website’s data-handling practices; a copied policy describes someone else’s practices, and promising things you do not actually do is itself a deceptive statement.
Use a privacy policy template instead of copying one; that way you only need to fill in the blanks with your own practices.
Where do I display my Privacy Policy?
You should have a separate page on your website that is dedicated to your privacy policy, but you need to make it as easy as possible for your visitors to find it. For example, you may want to have a link to your privacy policy from your website menu. You may also want to provide links to your privacy policy on your sign-up forms, at the bottom of most of your pages, and on the checkout page if you run an eCommerce business. There are plenty of privacy policy examples that will give you ideas about where to display your privacy policy.
Is a Privacy Policy required by law?
Not by a single statute. There is no one U.S. federal law requiring every website to post a privacy policy, but sector-specific federal laws (COPPA, GLBA, HIPAA), state laws such as California’s CalOPPA and CCPA, and foreign laws such as the GDPR require one for the websites they cover, and the FTC treats a policy that misstates your practices as a deceptive act. In practice, almost every website that collects personal information needs one. You need to be open, honest, and transparent about the information you collect and how you protect it. A free privacy policy template can help you check that your business is compliant with the rules and regulations in your industry.
Is a Privacy Policy required by third-party services?
A privacy policy is required by many third-party services, but not every one. For example, an email newsletter service you use to distribute information to a subscription list may require you to have a privacy policy before you are allowed to use it. Most services only require that your policy exists and discloses your use of their service, so a policy that complies with the laws that apply to you will usually satisfy them; check each service’s terms for any specific wording it requires.
Do I need a Privacy Policy even if I don’t collect personal information?
Even if you do not collect personal information from your visitors, you still need to have a strong privacy policy in place. A privacy policy will make it easier for you to encourage customer loyalty because they will know that your brand cares about their personal information. A privacy policy can also help your business appear more professional and trustworthy. If you don’t collect any personal information, it does not have to be that long or complicated.
How do I make my Privacy Policy enforceable?
To make your privacy policy enforceable, there are a few steps you should follow. First, make your privacy policy easy to understand, so there is no room for debate about what it covers. Update it regularly to reflect changes in your business, your protocols, and the law. Notify your users of these updates, put an effective date on each version, and keep dated copies of earlier versions so you can show which terms applied at any given time.
How often do I need to update my Privacy Policy?
You should review your privacy policy at least once per year to make sure it still matches the products and services you provide. If there are big changes in federal rules and regulations, review your privacy policy to make sure it is still accurate. If you plan on launching a new product or service, or if you change the way you use visitor data, you need to update your privacy policy accordingly.
Can I download a sample Privacy Policy template?
Yes, you can download a sample privacy policy template with Legal Templates. A privacy policy template can act as a strong skeleton for your own privacy policy. Do not forget to review your privacy policy from time to time to make sure nothing is overlooked.