Every website needs to have a statement that provides detailed information on how the website's owners and operators will collect, use, protect, and store individual users' data.
That statement is a website's Privacy Policy (also sometimes known as a Privacy Notice).
The Privacy Policy defines what personal information the website collects. For example, data can include:
A Privacy Policy will also include specifics on how the company behind the website will ensure that legal obligations are met. Additionally, it will detail how website users can obtain a legal remedy if there is a failure by the company to uphold its end of the agreement.
There are a few reasons why you'll need to post a Privacy Policy on your website.
Just about every country on the globe requires that a website have a Privacy Policy. If that website collects any personal information, it must have a Privacy Policy. That's true even if the site merely tracks a user's location or behavior through cookies, etc.
Many companies now make it standard practice to have users signify that they've read and understood the site's Privacy Policy. Most often, this is when a user gives personal data for the first time.
Over 132 countries have enacted data and privacy protection laws as of 2020. While African and Asian countries are lagging in this area, 55 percent of nations in those regions have drafted legislation to deal with privacy protection online.
Companies must bear in mind that individuals anywhere on the planet might access and use their websites. Therefore, website owners must ensure that their Privacy Policies adhere to major standards, such as those held by the United States and Europe.
Many governments worldwide require companies to meet their privacy protection standards, and users now expect to see a Privacy Policy. Besides, online transparency has become a dominant issue with demographics such as Millennials.
Consequently, companies that include a Privacy Policy are not only meeting legal requirements; they are building trust with a segment of the population that's expected to spend $1.4 trillion in 2020.
Conversely, suppose a company fails to include a Privacy Policy on its website. In that case, users might believe website owners are collecting personal data and simply not disclosing that fact. This would lead to distrust for businesses that don't provide a Privacy Policy.
Website owners need to be transparent about what personal data is collected from users. Additionally, companies need to be forthcoming about why they collect this information. For example, just a few reasons a company might collect user information are:
With that said, the website and its purpose are what define a Privacy Policy's precise content. It will also identify what information is collected and how that data is then used. Every Privacy Policy has basic elements that should be included.
It should be pointed out that some kinds of websites are required to include more information than others. For instance, sites that use third-party advertising platforms such as Facebook or Google must notify users about third-party advertisers, links, and cookies.
Additionally, E-commerce sites need to inform users about how they obtain, use, and store payment information. These sites must be transparent about who manages the data, since storing that information may require the use of a third party (such as a credit card processing company) to handle transactions.
Here are the basic sections that every Privacy Policy should include.
The name of the section is self-explanatory. However, it's critical to note that how a website collects and uses personal information is an essential section of the Privacy Policy. It cannot be left out.
Here's how Barnes & Noble, self-described as the Internet's Largest Bookstore, informs users how it collects and uses their information:
Barnes & Noble's Privacy Policy lets users know that it collects information when users make a purchase or place an order. The company also takes a user's information when that person creates an account or joins a membership program, applies for a Barnes & Noble MasterCard, contacts customer service, and more.
This section describes the ways in which a user's data is used after it is collected.
For example, CNN's WarnerMedia News and Sports Privacy Policy says the news network uses information in the following manner: To provide and market products and services, to communicate with users and others, to improve the design and functionality of its websites, and to "detect, investigate, and prevent activities on our Sites that may violate our terms of use."
Here's an excerpt from the multi-paragraph clause:
Website owners may wish to include information about how long they plan to keep a user's data. This is in keeping with principles outlined by organizations such as the United Kingdom's Information Commissioner's Office (ICO).
Not all companies have a clause that outlines the length of time personal information is held. However, a generally held rule is that sites should not keep information any longer than is justifiable. Obviously, this depends on a company's purpose in collecting the data in the first place.
An example of a company that does include a storage limitation clause is Apple Inc. Here's how the company informs its users how long it keeps data:
As in everything else in a Privacy Policy, the website's genuine security practices ought to match what's written in the agreement. A security clause is essential because, like transparency, it helps build trust with end-users by letting them know that security is vital to the company.
Here's an example of a clause from Apple's Privacy Policy that addresses both its security measures as well as how users can help keep their own information secure:
User rights, as outlined in a Privacy Policy, vary between nations. For example, a user rights clause in the United States of America is just a collection of principles based on the Federal Trade Commission's Fair Information Practice.
In essence, this is nothing more than a statement of best practices. In contrast, Europe guarantees eight rights under Chapter 3 of the EU's GDPR.
For example, the UK's Information Commissioner's Office (ICO) lays it out simply as follows:
It's usually a good practice to include contact information on a business website. Clients and customers who cannot contact customer service, or otherwise get in touch with the relevant party, may quickly grow frustrated. These individuals may choose to skip over to a competitor's site where they can easily find that information.
However, when it comes to Privacy Policies, multiple nations require contact information by law.
For example, all of the following require that a website's Privacy Policy have a Contact clause:
Depending on who accesses your website or platform, you may have to comply with requirements of specific countries or states. Here are a few examples.
If a company collects personal information from residents of the EU through its website, it must follow these conditions regarding what information is included in its Privacy Policy:
As with the EU's GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) states that companies must include the following in their Privacy Policies:
PIPEDA requirements apply to any organization that collects and processes the personal data of Canadian residents.
Many organizations that operate in the United States of America have a few customers or clients that live in the State of California. The California Online Privacy Protection Act (CalOPPA) is a law that applies to any company doing business in the state. It has only one stipulation when it comes to contact information, and that is:
"If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information collected through the Web site or online service, provide a description of that process."
Website owners can achieve this by giving users a Web portal to see their data, make changes, or delete personal data. Alternatively, companies can provide a contact form or email address to request changes or data deletion.
Laws demand that a company's Privacy Policy be accessible. That means that end-users need to be able to easily find the Policy on an organization's website.
Certain things, such as the website's feel and design, may affect precisely where a company places the Privacy Policy. However, take into account that there are legal considerations.
Here are a few common, easily accessible places to put a Privacy Policy.
A customary spot for a Privacy Policy is the website's footer, which appears at the bottom of every page.
Users know to look here for important information and legal agreements. A footer link is also available on every webpage, which maximizes accessibility.
For example, Amazon places its Privacy Notice in the footer of its website, as seen below:
Suppose a company asks users to provide information, sign up for a newsletter, create a new account (such as on a log-in screen), or register for an app. In that case, the company should place a link to the Privacy Policy in the form or close to it.
Here's how Birkenstock does this when new users are creating accounts:
Another common location, especially for E-commerce sites, is within a checkout page, as H&M does here:
It's better to make your Privacy Policy available in many places than to make it too scarce or difficult to locate. A hard-to-find Policy will not only upset your users but may also violate privacy laws.
It's crucial to acquire explicit acceptance of your company's Privacy Policy. First, the E.U.'s GDPR requires it. Secondly, even if a company doesn't do business in the E.U., it's still a best practice. With that said, two methods are used to signify acceptance by the user.
These methods are known as browsewrap and clickwrap.
The browsewrap method incorporates statements indicating that the user understands that by creating, accessing, using, or browsing a site, he or she has accepted the website's agreement. However, it is important to note that because this method is generally not considered prominent, it usually isn't enforceable in many courts.
The second method uses checkboxes. As noted above, the E.U.'s GDPR requires explicit acceptance of a company's Privacy Policy. Known as the clickwrap method, it requires users to click a linked button, a checkbox, etc., which shows clearly and affirmatively that the user has agreed to the website's Privacy Policy.
Here's an example from Under Armour UK:
Some additional benefits of using the clickwrap method as opposed to the browsewrap method are:
Website owners don't have to use a checkbox specifically when it comes to the clickwrap method. They can also use a simple "click to accept" button and clear text and links to the Privacy Policy. A company can let users know that by clicking that button and proceeding forward and using the website, they agree to the terms of the contract.
For example, Pinterest lets users know that "By continuing, you agree to Pinterest's Terms of Service, Privacy Policy," as seen below:
In conclusion, a Privacy Policy includes information that a website owner must deliver to the end-user by law in most countries.
Specific sections to include in a Privacy Policy are:
These Privacy Policy sections let users know:
Remember that the common areas to display links to the Privacy Policy are:
Finally, it is important to get users' clear acceptance of the company's Privacy Policy. The best way to achieve this is through the use of the clickwrap method, which includes the use of checkboxes or the "click to accept" button along with clear text that describes what the user is accepting by clicking.