Most websites, apps, and businesses collect some form of user data in order to do business online. If you collect information from or about your users, you most likely need a privacy policy.
Learn what a privacy policy is, whether you need one, and what a privacy policy should include by reading our guide.
What Is a Privacy Policy?
A privacy policy is a document that details how your website, app, or business collects and handles user information.
User information can include such details as:
- Names
- Phone numbers
- Email addresses
- IP addresses
- Locations
- Credit card numbers
- Device information
This kind of data is usually collected through means such as:
- Cookies
- Signup pages
- Contact forms
- Checkout pages
- Third-party services (such as analytics software)
Privacy policies include information about what data you collect, why it’s collected, how it’s gathered, with whom it may be shared, and what rights users have over their information.
Links to your privacy policy should be prominently displayed and easily accessible on your site.
Do I Need a Privacy Policy?
Privacy policies are required by many laws around the world. In addition to being a legal necessity, privacy policies are required by many third-party service providers.
Furthermore, similar to legal documents like terms and conditions, having a privacy policy is viewed as a best business practice, and helps build trust with your users.
Here are some of the most important laws and service providers that require privacy policies:
The General Data Protection Regulation (GDPR)
The GDPR is a law based in the EU that applies to any business that collects information about users in the European Economic Area (EEA).
Considered the most important data privacy law today, the GDPR emphasizes transparency from websites, and mandates that sites and apps have easily accessible privacy policies.
The California Consumer Privacy Act (CCPA)
Known as the California GDPR, the CCPA is similar to the GDPR, especially in its rules regarding privacy policies. This California law applies to businesses that collect information about Californian users while meeting other thresholds (such as annual income or amount of data collected).
Like the GDPR, the CCPA focuses on transparency between websites and users, and requires privacy policies that are easy to find and understandable to the average user.
California Online Privacy Protection Act (CalOPPA)
CalOPPA is the first law to make privacy policies mandatory for businesses that collect information from Californian users, and remains in effect today.
The law states that any website that collects information from or about a Californian user:
shall conspicuously post its privacy policy on its Web site
Google Analytics
Google Analytics is one of the most commonly used tools by digital business owners. This software tracks user behavior, which requires the use of cookies and the collection of data.
In order to limit its own liability, Google Analytics requires that any website that uses its services post a privacy policy. Here’s an excerpt from the Google Analytics Terms of Use:
Notice how this policy requires you to state your use of cookies. If you use cookies, it’s important that you address your cookie use in your privacy policy, and link to a dedicated cookie policy.
Google Analytics is just one example of a third-party service that requires its users to post privacy policies.
If you own or operate a website, you most likely have users in California or the EEA, or you use third-party services like Google Analytics. If any of these apply to you, you need a privacy policy.
What Clauses Does a Privacy Policy Include?
Although the length and content of your privacy policy will vary based on your data practices, a basic privacy policy includes the following information:
What Data You Collect
Your privacy policy needs to state what types of data you collect, such as contact information, device data, and payment details.
Check out Target’s privacy policy for an example of how to list what information you collect from users:
As you can see in the image, Target keeps its description of what information it collects brief and straightforward, making it clear to users what information may be collected.
How You Collect Data
Your privacy statement needs to briefly outline what means you use to collect data.
Here’s how Pinterest’s privacy policy talks about how the site collects data:
Pinterest explicitly lists what means they use to collect data and at what points users give their data (such as when they log in using a Google or social media account).
Why You Collect Data
Once your privacy notice includes the what and how of your data collection, you need to let users know why that data is being collected and for what it may be used.
Shopify’s privacy policy keeps this section short and very clear in language:
Note that Shopify’s policy specifically says that they process data “to fulfill a contractual obligation.” This is one of the legal bases for data processing established by the GDPR.
Who You Share Data With
If you share data with partners, affiliates, other users, or third parties, you need to make this very clear in your privacy policy.
Facebook’s privacy policy dedicates a section to explaining how data is shared and who it’s shared with:
This is an example of only one of the sections on data sharing in Facebook’s privacy policy. As they famously share information across multiple platforms and with many third parties, this section is notably long. However, a boilerplate privacy policy will likely have a much shorter section on sharing information.
What Rights Users Have Over Their Data
Your privacy policy needs to tell users what their rights are over their data, and how they can act on those rights.
Here’s an example from Slack’s privacy policy:
You’ll notice that Slack first has a general section about users’ rights, followed by a section specifically for users from California.
Due to the CCPA, many companies are choosing to include dedicated sections for California users that focus on their unique data rights.
These are only the most essential clauses that your website privacy policy should include. Depending on where your users are located, what data you collect, and how you use that data, your privacy policy will be unique to your business practices.
How to Create a Privacy Policy
Now that you know what a privacy policy is, why you need one, what it includes, and how other companies write their privacy policies, you need to create your own.
To draft your privacy policy, you can consult with an attorney, draft one on your own, or use our free privacy policy generator to create a custom policy in minutes.