A privacy policy outlines how your website collects, uses, shares, and sells the personal information of your visitors. If you collect personal information from users, you need a privacy policy in most jurisdictions. Even if you aren’t subject to privacy policy laws, being transparent with users about how you collect and handle their data is the best business practice in today’s digital world.
What Is a Privacy Policy?
A basic privacy policy outlines your website’s relationship with users’ personal information.
To succeed online and avoid legal turmoil, your website needs a privacy policy agreement. The first step to creating a compliant and comprehensive privacy policy is understanding exactly what that is.
Privacy Policy Definition
A privacy policy is a legal document that informs your site’s users about how you collect and handle their personal information. You may also hear privacy policies referred to by the following names:
A general privacy policy explains a platform’s interactions with the personal information and personally identifiable information (PII) of its users; PII is information that can be used by itself, or combined with other information, to identify an individual.
Specific platforms or services may require a unique privacy policy template. Examples include:
However, a standard privacy policy template will likely satisfy user demands and legal requirements for your website.
Standard Privacy Policy for Website
We’ll dive into details later on in What to Include in a Boilerplate Privacy Policy, but a basic privacy policy outlines the following:
Privacy policies should be clear, thorough, and easy for internet users to find on any given site.
Is a Privacy Policy Required by Law?
If your website uses personal information (e.g, collected names, email addresses, or credit card information), most legislation around the world requires that you have a privacy policy.
If you run a website, mobile app, or desktop app, you are likely legally required to have a privacy policy somewhere on your site. You must display links to your policy clearly, prominently, and conspicuously, so that users can navigate to it quickly and easily.
As data collection and processing becomes more ubiquitous across the internet, privacy laws in the US and around the world set strict requirements for privacy policies. Here are the major laws that affect your website privacy policy:
GDPR
If you target users in the European Economic Area (EEA), you’re subject to comply with the General Data Protection Regulation (GDPR).
The GDPR is one of the world’s most comprehensive privacy laws, setting international standards for appropriate data handling. Article 12 of the GDPR grants users the right to transparent information about how their data is collected and handled. For business and website owners, this means that transparent privacy policies are mandated by the GDPR.
COPPA
If your website markets to children, strict rules and regulations apply. Most notably, the Children’s Online Privacy Protection Act (COPPA) governs websites that market specifically to kids.
If the target audience of your site is children under the age of 13, federal law requires you to include a company privacy policy that covers very specific information about your business.
CalOPPA
The California Online Privacy Protection Act (CalOPPA) was the original privacy law in the US which mandated that websites make privacy policies available to users. The act also outlines what information needs to be made available regarding data handling — including what data is collected, where from, and whether it’s shared or sold.
CCPA
Currently, the most comprehensive data privacy law based in the US, the California Consumer Privacy Act (CCPA) builds on the online privacy policy requirements of CalOPPA. It builds on CalOPPA’s privacy policy standards, demanding that businesses and websites implement even more transparent and comprehensive policies.
In effect since January 1, 2020, the CCPA sets an annual update requirement for privacy policies. Therefore, you will need to update your CCPA privacy policy every year.
PIPEDA
For businesses operating in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) outlines ten fair information privacy practices and principles, including “openness.”
In action, complying with this principle means website operators need to make transparent privacy policies available to their users.
Other Notable Laws
Depending on where your website is based, who your audience is, and what data you collect, there are various laws that may apply to you and your privacy policy.
For example, if you send marketing emails or newsletters, you’re subject to comply with the CAN-SPAM Act, which requires a clearly posted privacy policy.
If your website is “significantly engaged” in financial activities, you may be subject to the Federal Trade Commission’s (FTC) Gramm-Leach-Bliley Act, which requires the publication of “clear, conspicuous and accurate statements” regarding information collection and sharing practices.
There are over one hundred privacy laws around the world and new internet laws coming out each year. Creating and maintaining a good privacy policy is essential to legally run your website or business.
What Should I Include in a Boilerplate Privacy Policy?
A basic privacy policy template includes the what, when, who, why, and how of your data collection practices. While every website and business should have a policy tailored to its own operations, even the most simple privacy policy will include the following information:
What Information You Collect
At the heart of your website’s privacy policy is a disclosure of what data you collect from users.
Some common types of data that you’ll find in website privacy policy templates are:
Both the GDPR and CCPA state that privacy policies should disclose what types of information a website collects. The above are only some basic examples of what types of information may mean for your site.
You can find a privacy policy template here