Privacy Policy Meaning: What Is A Privacy Policy

Do you sell products or services on your website? Collect emails? How about encouraging visitors to download free gifts, white papers, or PDFs after entering an email address?

If you do any of these activities or others that lead visitors to share their personal information on your website, you need a Privacy Policy.

Why?

  • Google and Facebook won't let you run ads without one
  • Payment processors won't do business with your website without one
  • The EU's General Data Protection Regulation (GDPR) requires it
  • The State of California, through its California Consumer Privacy Act (CCPA), requires it
  • Countries around the world with similar privacy requirements could fine you for not having one

Perhaps the best reason is that visitors now expect to see a Privacy Policy on your website. Some will leave if they don't find one, as it will make your website and business seem untrustworthy.

A Privacy Policy protects both your business and your website's users. It describes clearly what information your website will collect, why, and what you'll do with the data collected. And it's essential that your Privacy Policy tells users how you'll protect their information.

Let's look at what you need to know about drafting, displaying, and getting consent to your Privacy Policy.

Laws in many countries require a Privacy Policy any time a website collects personal information. Examples of these laws include:

  • The European Union's General Data Protection Regulation (GDPR)
  • The California Consumer Privacy Act (CCPA)
  • The California Online Privacy Protection Act (CalOPPA)
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)

These laws were passed in response to consumer fears about being tracked online and having no control over the personal information collected about them.

What is Personal Information?

Privacy laws define personal information as anything that can personally identify visitors to your website. It includes but isn't limited to the following data pieces:

  • Name
  • Email address
  • Phone
  • Billing or shipping address
  • Credit card information
  • Computer IP address and the time they visited
  • GPS location (collected from mobile phones)

The problem is that visitors to your site often share personal information without realizing they're doing so. For example, when a customer makes a purchase, your site might collect every type of data in the list above.

Have you ever asked visitors to sign up for a newsletter, white paper, or free recipe to generate leads or build an email list? At a minimum, your site collected responders' email addresses and probably their names.

Do you offer chat or live support services? Anyone who uses these tools to solve a problem provides their name, email address, and other information requested during the chat.

Privacy laws say that your visitors have a right to know what's collected, who will see it, and what will be done with it.

Here's an example of how HubSpot explains its data collection:

HubSpot Privacy Policy: How We Collect, Use and Share your Personal Information clause

Notice that in the last paragraph, HubSpot promises to explain the business and commercial purposes for collecting this information. Most privacy laws require this. Let's look at what else needs to go into your Privacy Policy.

8 Questions to Answer in Your Website's Privacy Policy

Including these eight clauses fulfills the main requirements of your Privacy Policy.

1. What information are you collecting?

This is pretty basic. People want to know what you're learning about them while they're on your site. Google, for example, shares a lengthy list of the information it collects. Here's an excerpt:

Google Privacy Policy: Information we collect as you use our services clause

2. Why are you collecting this information, and how do you intend to use it?

The GDPR requires that you include specific information about how you'll use the data you're collecting. As noted in Article 5(1)b, personal data can only be:

"Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."

Here's how email marketing platform GetResponse addresses this:

GetResponse Privacy Policy: Why do we process your Personal Information clause - To provide the Service or Platform section

The CCPA requires a business and commercial purpose for the information you collect, and the GDPR adds that you must have a legal basis for processing it. According to the excerpt above, GetResponse collects the personal information it needs to create customers' accounts and give them access to the software.

3. How are you collecting this information?

Cookies. That may not be the only means you use, but it's almost certainly at least one. What is a cookie? According to online security company Kaspersky:

"Cookies are text files with small pieces of data - like a username and password - that are used to identify your computer as you use a computer network. Specific cookies known as HTTP cookies are used to identify specific users and improve your web browsing experience."

A cookie is a small file that your site sets in a visitor's browser when they arrive on your website. The browser sends it back with each later request, so the cookie follows the visitor from page to page, and cookies set by third-party services embedded in your pages can even tell where visitors go after they leave your website. That's powerful! You need to make users aware of this and comfortable with what you're collecting.


A company's Cookies Policy may be separate from the main Privacy Policy. One business that uses a separate Cookies Policy is The Walt Disney Company. Here's an excerpt:

Disney Cookies Policy: What are cookies clause

Notice that the policy begins with a description of browser cookies. Later, it describes several other types of cookies that Disney uses.

Visitors want to know, specifically, how you're learning about them. Tell them if you use other methods to learn more about them. Examples might be:

  • Surveys
  • Quizzes
  • Analytics
  • Webinar or event registrations
  • Lead generation email signup forms
  • Contact forms
  • Purchases

Customers might assume much of this, but spell it out. This protects them and your business.

Using Google as an example again, its Privacy Policy discloses that the following are just some of the visitor activities being tracked:

Google Privacy Policy: Information about your activity that we collect clause

The value of a Privacy Policy is to protect your business by letting visitors know that they can make choices about what they want to share.

4. Who will have access to the information collected, and how will it be used?

So, who gets access to all this information? Will you share it? Sell it? These are normal questions, and the Privacy Policy is the place to address them.

Tell visitors whether any third-party trackers will get access to their information. This might include, for example, ad media or social media sites like Facebook or Twitter.

In Article 13(1)f, the GDPR specifically requires that you inform users whether any customer data will be transferred to a country outside the EU. If so, you need to explain the measures taken to ensure the safety of this information.

5. How is user information protected?

Where will you store the data collected? How long will you keep it? Given the frequency of data breaches online and offline, visitors want to know.

Here's how Neil Patel handles the question:

Neil Patel Privacy Policy: How we secure your data clause

Users aren't looking for a detailed explanation of how your security works, and the privacy laws don't require it. However, they do want to know that you're taking reasonable precautions.

6. How long do you keep personal information?

This information is required by the GDPR in Article 13(2)b. Tell users how long you'll keep their information, your criteria for deciding, and what you'll do with it at the end of that period.

Here's how G/O Media, publisher of LifeHacker.com, addresses this in its Privacy Policy:

G O Media Privacy Policy: How long we keep personal data - Data retention clause

What this says is, "It depends," and it then lists the factors that determine the retention period. According to the GDPR, data may be:

"Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. (Article 5(1)e)"

The regulation (Article 14) also makes it clear that individuals have the right to:

  • Request access to their information
  • Seek correction for data that is incorrect
  • Have data transferred to another company or deleted

Here's how the Thrive Themes Privacy Policy informs its visitors of these rights:

Thrive Themes Privacy Policy: Your Right to View and Delete Data sections

Notice that the Thrive Themes clause links to the support team where users can see their data and request changes.

7. How will users be informed if you change your Privacy Policy?

If you change any main clause within your Privacy Policy, you need to inform users. Often, websites handle this by requiring users to read the updated policy before logging into their account.

Another method is to inform users by email, explaining what has changed and linking them to the updated version for further reading.

In your Privacy Policy, tell readers how you'll inform them if you make changes.

Here's how online business magazine Business Insider handles this:

Business Insider Privacy Policy: Changes to this Privacy Policy clause

8. How can visitors with questions about your Privacy Policy contact you?

Have a designated person in your business who handles these kinds of questions. They probably won't come up very often, but if they do, someone with an understanding of data protection and your policies needs to interact with users.

Here's how HubSpot refers users who have privacy concerns:

HubSpot Privacy Policy: Contact clause

If your company markets to users in the European Union, you might also need a designated Data Protection Officer (DPO).

Where to Display Your Privacy Policy

Now that you have a better idea of what to include in your Privacy Policy, how do you make it easy for users to find it? Most websites display the Privacy Policy link in the footer, where users can access it from any page of the website.

Here's the footer for the online technology magazine The Verge:

The Verge website footer with Privacy Notice, Cookie Policy and Do Not Sell links highlighted

Notice that it features a Privacy Policy, a separate Cookie Policy, and a Do Not Sell My Personal Info link, as required by California's CCPA.

But Privacy Policy links often appear in many other places. For example, it's common to link to the Privacy Policy on email signup forms. This screenshot shows the newsletter signup form for the deals site Mighty Deals:

Mighty Deals email subscribe form with Privacy Policy link highlighted

If you own an ecommerce store, the checkout section is another important place for a Privacy Policy link.

Amazon places a link to its Privacy Notice right near the "Place your order" button, which ensures shoppers will see it before finalizing their order and thus sending their personal data (mailing address, credit card information, etc.) to Amazon:

Amazon checkout page with Privacy Notice link highlighted

Does your site require visitors to sign up as members? The signup page is another important place for the Privacy Policy link. Here's where Pinterest places its link:

Pinterest Create Account page with Privacy Policy link highlighted

Anywhere you're asking visitors to share their personal information probably needs a Privacy Policy reminder.

How to Ask for Consent to Your Privacy Policy

According to Article 7(1) of the GDPR,

"Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."

Further:

"The data subject shall have the right to withdraw his or her consent at any time. (Article 7(3))"

These two points are essential:

  • Consent must be explicit, not implied
  • Users must be able to withdraw their consent

Generally, having users check a box is a clear way to demonstrate consent, because it requires a conscious action by the user. Leave the box unchecked by default so that ticking it is the user's own deliberate act.

It's fitting that the European Commission's website demonstrates the explicit consent policy required in the GDPR:

European Commission survey form with consent checkbox and Privacy Statement link highlighted

Some businesses have found creative ways to demonstrate consent. For example, with the checkout page for the Mozilla VPN, users agree to a subscription, Terms of Service, and the Privacy Policy all with one click:

Mozilla Submit Payment form with checkbox and Privacy Notice link highlighted

What's important is that it's clear to users that they're agreeing to the Privacy Policy and that they have to take a deliberate action, like ticking a box, to accept.

Conclusion

Does your website need to comply with the GDPR if you only sell to the United States? If you market to people in the European Union or monitor their activities on your website (even if they are not targeted), you need a Privacy Policy that meets the standards of the GDPR.

The same is true of California's requirements and those of Canada and other nations. You can't always control who visits your site, so the safe course is to include a detailed Privacy Policy. In this article, we've shown you the main clauses to include.