Do you sell products or services on your website? Collect emails? How about encouraging visitors to download free gifts, white papers, or PDFs after entering an email address?
If you do any of these activities or others that lead visitors to share their personal information on your website, you need a Privacy Policy.
Why?
Perhaps the best reason is that visitors now expect to see a Privacy Policy on your website. Some will leave if they don't find one, as it will make your website and business seem untrustworthy.
A Privacy Policy protects both your business and your website's users. It describes clearly what information your website will collect, why, and what you'll do with the data collected. And it's essential that your Privacy Policy tells users how you'll protect their information.
Let's look at what you need to know about drafting, displaying, and getting consent to your Privacy Policy.
Laws in many countries require a Privacy Policy any time a website collects personal information. Examples of these laws include:
These laws were passed in response to consumer fears about being tracked online and having no control over the personal information collected about them.
Privacy laws define personal information as anything that can personally identify visitors to your website. It includes but isn't limited to the following data pieces:
The problem is that visitors to your site often share personal information without realizing it. For example, when a customer makes a purchase, your site might collect every type of data in the list above.
Have you ever asked visitors to sign up for a newsletter, white paper, or free recipe to generate leads or build an email list? At a minimum, your site collected each responder's email address and probably their name.
Do you offer chat or live support services? Anyone who uses these tools to solve a problem provides their name, email address, and other information requested during the chat.
Privacy laws say that your visitors have a right to know what's collected, who will see it, and what will be done with it.
Here's an example of how HubSpot explains its data collection:
Notice that in the last paragraph, HubSpot promises to explain the business and commercial purposes for collecting this information. Most privacy laws require this. Let's look at what else needs to go into your Privacy Policy.
Including these eight clauses fulfills the main requirements of your Privacy Policy.
This is pretty basic. People want to know what you're learning about them while they're on your site. Google, for example, shares a lengthy list of the information it collects. Here's an excerpt:
The GDPR requires that you include specific information about how you'll use the data you're collecting. As noted in Article 5(1)(b), personal data can only be:
"Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."
Here's how email marketing platform GetResponse addresses this:
The CCPA requires a business and commercial purpose for the information you collect. And the GDPR adds that you must have a legal basis for processing it. In this clause, GetResponse explains that it collects the personal information it needs to create customers' accounts and give them access to the software.
Cookies. That may not be the only means you use, but it's almost certainly at least one. What is a cookie? According to online security company Kaspersky:
"Cookies are text files with small pieces of data - like a username and password - that are used to identify your computer as you use a computer network. Specific cookies known as HTTP cookies are used to identify specific users and improve your web browsing experience."
A cookie is a small file that your website stores in a visitor's browser when they arrive. The browser sends it back with every later request, so it follows them from page to page, and a cookie set by a third-party tracker embedded on your site can even report where they go after they leave your website. That's powerful! You need to make users aware of this and comfortable with what you're collecting.
Here's a detailed discussion of how tracking works for businesses and users on websites.
A company's Cookies Policy may be separate from the main Privacy Policy. One business that uses a separate Cookies Policy is The Walt Disney Company. Here's an excerpt:
Notice that the policy begins with a description of browser cookies. Later, it describes several other types of cookies that Disney uses.
Visitors want to know, specifically, how you're learning about them. Tell them if you use other methods to learn more about them. Examples might be:
Customers might assume much of this, but spell it out. This protects them and your business.
Using Google as an example again, the Privacy Policy discloses that the following are just some of the visitor activities being tracked:
The value of a Privacy Policy is to protect your business by letting visitors know that they can make choices about what they want to share.
So, who gets access to all this information? Will you share it? Sell it? These are normal questions, and the Privacy Policy is the place to address them.
Tell visitors whether any third-party trackers will get access to their information. This might include, for example, ad media or social media sites like Facebook or Twitter.
In Article 13(1)(f), the GDPR specifically requires that you inform users whether any customer data will be transmitted overseas. If so, you need to explain the measures taken to ensure the safety of this information.
Where will you store the data collected? How long will you keep it? Given the frequency of data breaches online and offline, visitors want to know.
Here's how Neil Patel handles the question:
Users aren't looking for a detailed explanation of how your security works, and the privacy laws don't require it. However, they do want to know that you're taking reasonable precautions.
This information is required by the GDPR in Article 13(2)(b). Tell users how long you'll keep their information, your criteria for deciding, and what you'll do with it at the end of that period.
Here's how G/O Media, publisher of LifeHacker.com, addresses this in its Privacy Policy:
What this says is, "It depends," and these are the factors that will determine the retention period. According to the GDPR, data may be:
"Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." (Article 5(1)(e))
The regulation (Article 14) also makes it clear that individuals have the right to:
Here's how the Thrive Themes Privacy Policy informs its visitors of these rights:
Notice that the Thrive Themes clause links to the support team where users can see their data and request changes.
If you change any main clause within your Privacy Policy, you need to inform users. Often, websites handle this by requiring users to read the updated policy before logging into their account.
Another method is to inform users by email, explaining what has changed and linking them to the updated version for further reading.
In your Privacy Policy, tell readers how you'll inform them if you make changes.
Here's how online business magazine Business Insider handles this:
Have a designated person in your business who handles these kinds of questions. They probably won't come up very often, but if they do, someone with an understanding of data protection and your policies needs to interact with users.
Here's how HubSpot refers users who have privacy concerns:
If your company markets to users in the European Union, you also might need a designated Data Protection Officer (DPO).
Now that you have a better idea of what to include in your Privacy Policy, how do you make it easy for users to find it? Most websites display the Privacy Policy in the footer where users can access it on any page in the website.
Here's the footer for online technology magazine The Verge:
Notice that it features a Privacy Policy, separate Cookie Policy, and Do Not Sell My Personal Info link as required by California's CCPA regulation.
But Privacy Policies often appear in many other places. For example, it's common to link to the Privacy Policy on email signup forms. This screenshot shows the newsletter signup form for deals site Mighty Deals:
If you own an ecommerce store, the checkout section is another important place for a Privacy Policy link.
Amazon places a link to its Privacy Notice right near the "Place your order" button, which ensures shoppers will see it before finalizing their order and thus sending their personal data (mailing address, credit card information, etc.) to Amazon:
Does your site require signup by members? The signup page is another important place for the Privacy Policy link. Here's where Pinterest places its link:
Anywhere you're asking visitors to share their personal information probably needs a Privacy Policy reminder.
According to Article 7(1) of the GDPR,
"Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."
Further:
"The data subject shall have the right to withdraw his or her consent at any time. (Article 7(3))"
These two points are essential:
Generally, having users check a box is a clear way to demonstrate consent. It requires a conscious action by the user. Leave the box unchecked by default so that ticking it is a deliberate act; a pre-ticked box doesn't demonstrate that the user consented.
It's fitting that the European Commission's website demonstrates the explicit consent policy required in the GDPR:
Some businesses have found creative ways to demonstrate consent. For example, with the checkout page for the Mozilla VPN, users agree to a subscription, Terms of Service, and the Privacy Policy all with one click:
What's important is that it's clear to users that they're agreeing to the Privacy Policy and that they have to take a deliberate action, like ticking a box, to accept.
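The two GDPR points above (being able to demonstrate consent, and letting users withdraw it at any time) translate into a small record-keeping pattern on the server. The following is an added example written for this article, not code from any of the sites pictured; the field names, the in-memory ledger and the sample policy version are assumptions for illustration. It rejects a submission whose checkbox was rendered pre-ticked, stores who consented to which purposes under which policy version and when, records withdrawal instead of deleting the record, and gates processing on an active consent.

```javascript
// Added example (not from the original article): a minimal consent ledger
// illustrating GDPR Art. 7(1) (be able to demonstrate consent) and Art. 7(3)
// (withdrawal at any time). Names, fields and the in-memory store are
// assumptions for illustration, not any vendor's API.

const POLICY_VERSION = "2024-01-privacy-v3"; // constructed sample version

// Ledger keyed by user id; a real deployment would persist this durably.
const ledger = new Map();

// Validate a consent form submission. Only a deliberate act counts: the box
// must have been rendered unchecked and then ticked, and the submission must
// reference the policy version the user actually saw.
function recordConsent(userId, form, now = new Date()) {
  if (form.defaultChecked) {
    throw new Error("consent checkbox must be unchecked by default");
  }
  if (form.checked !== true) {
    throw new Error("no affirmative consent given");
  }
  if (form.policyVersion !== POLICY_VERSION) {
    throw new Error("consent must reference the current policy version");
  }
  const record = {
    userId,
    policyVersion: form.policyVersion,
    purposes: [...form.purposes], // e.g. "newsletter", "analytics"
    consentedAt: now.toISOString(),
    withdrawnAt: null,
  };
  const history = ledger.get(userId) || [];
  history.push(record);
  ledger.set(userId, history);
  return record;
}

// Art. 7(3): withdrawal is recorded, not deleted, so the history stays
// demonstrable. Returns false when there is nothing active to withdraw.
function withdrawConsent(userId, now = new Date()) {
  const history = ledger.get(userId) || [];
  const active = history.find((r) => r.withdrawnAt === null);
  if (!active) return false;
  active.withdrawnAt = now.toISOString();
  return true;
}

// Gate before processing: true only if an active record for the current
// policy version covers the requested purpose.
function mayProcess(userId, purpose) {
  const history = ledger.get(userId) || [];
  return history.some(
    (r) =>
      r.withdrawnAt === null &&
      r.policyVersion === POLICY_VERSION &&
      r.purposes.includes(purpose)
  );
}

// The evidence trail an auditor or the data subject could ask for.
function consentHistory(userId) {
  return (ledger.get(userId) || []).map((r) => ({ ...r }));
}

// Constructed walk-through for a demo user.
const demoForm = {
  defaultChecked: false,
  checked: true,
  policyVersion: POLICY_VERSION,
  purposes: ["newsletter"],
};
recordConsent("user-demo", demoForm);
console.log("may send newsletter:", mayProcess("user-demo", "newsletter"));
withdrawConsent("user-demo");
console.log("after withdrawal:", mayProcess("user-demo", "newsletter"));
console.log(consentHistory("user-demo"));
```

When the Privacy Policy changes materially (see the section on notifying users of changes), bump the policy version; existing records then no longer satisfy `mayProcess`, which forces a fresh, deliberate opt-in rather than silently carrying old consent forward.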
Does your website need to comply with the GDPR if you only sell to the United States? If you market to people in the European Union or monitor their activities on your website (even if you don't deliberately target them), you need a Privacy Policy that meets the standards of the GDPR.
The same is true of California requirements and those of Canada and other nations. You can't always control who visits your site, so it's safest to include a detailed Privacy Policy. In this article, we've shown you the main clauses to include.