Sample Privacy Policy Template

Every website needs a statement that explains in detail how the website's owners and operators collect, use, protect, and store individual users' data.

That statement is a website's Privacy Policy (also sometimes known as a Privacy Notice).

The Privacy Policy defines what personal information the website collects. For example, data can include:

  • E-mail addresses
  • Physical addresses
  • Telephone numbers
  • Names
  • Date of birth
  • Financial information (credit card details, etc.)
  • IP addresses

A Privacy Policy will also include specifics on how the company behind the website will ensure that legal obligations are met. Additionally, it will detail how website users can obtain a legal remedy if there is a failure by the company to uphold its end of the agreement.

Why is a Privacy Policy Needed?

There are a few reasons why you'll need to post a Privacy Policy on your website.

Privacy Policies are Legally Required

Just about every country on the globe requires a website that collects any personal information to have a Privacy Policy. That's true even if the site merely tracks a user's location or behavior through cookies, etc.

Many companies now make it standard practice to have users signify that they've read and understood the site's Privacy Policy. Most often, this is when a user gives personal data for the first time.

Over 132 countries have enacted data and privacy protection laws as of 2020. While African and Asian countries are lagging in this area, 55 percent of nations in those regions have drafted legislation to deal with privacy protection online.

Companies must bear in mind that individuals anywhere on the planet might access and use their websites. Therefore, website owners must ensure that their Privacy Policies adhere to major standards, such as those held by the United States and Europe.

Users Expect to See a Privacy Policy

Many governments worldwide require companies to meet their privacy protection standards, and users now expect to see a Privacy Policy. Moreover, online transparency has become a dominant issue with demographics such as Millennials.

Consequently, companies that include a Privacy Policy are not only meeting legal requirements; they are building trust with a segment of the population that's expected to spend $1.4 trillion in 2020.

Conversely, suppose a company fails to include a Privacy Policy on its website. In that case, users might believe website owners are collecting personal data and simply not disclosing that fact. This would lead to distrust for businesses that don't provide a Privacy Policy.

What to Include in Your Privacy Policy

Website owners need to be transparent about what personal data is collected from users. Additionally, companies need to be forthcoming about why they collect this information. For example, just a few reasons a company might collect user information are:

  • To help make existing services better
  • To develop and grow new services
  • To send users reports about new services, special offers, or other information
  • To offer users relevant, timely, personalized and tailor-made content

With that said, the website and its purpose are what define a Privacy Policy's precise content. It will also identify what information is collected and how that data is then used. Every Privacy Policy has basic elements that should be included.

It should be pointed out that some kinds of websites are required to include more information than others. For instance, sites that use third-party advertising platforms such as Facebook or Google must notify users about third-party advertisers, links, and cookies.

Additionally, E-commerce sites need to inform users about how they obtain, use, and store payment information. These sites must be transparent about who manages the data, since storing that information may require a third party (such as a credit card processing company) to handle transactions.

Here are the basic sections that every Privacy Policy should include.

How You Collect Personal Information

The name of the section is self-explanatory. However, it's critical to note that how a website collects and uses personal information is an essential section of the Privacy Policy. It cannot be left out.

Here's how Barnes & Noble, self-described as the Internet's Largest Bookstore, informs users how it collects and uses their information:

Barnes and Noble Privacy Policy: How do we collect your personal information clause

Barnes & Noble's Privacy Policy lets users know that it collects information when users make a purchase or place an order. The company also takes a user's information when that person creates an account or joins a membership program, applies for a Barnes & Noble MasterCard, contacts customer service, and more.

How You Use Personal Information

This section describes the ways in which a user's data is used after it is collected.

For example, CNN's WarnerMedia News and Sports Privacy Policy says the news network uses information in the following manner: To provide and market products and services, to communicate with users and others, to improve the design and functionality of its websites, and to "detect, investigate, and prevent activities on our Sites that may violate our terms of use."

Here's an excerpt from the multi-paragraph clause:

CNN WarnerMedia News and Sports Privacy Policy: Using information for communicating with you and others clause

How Long You Retain Personal Information

Website owners may wish to include information about how long they plan to keep a user's data. This is in keeping with principles outlined by organizations such as the United Kingdom's Information Commissioner's Office (ICO).

Not all companies have a clause that outlines the length of time personal information is held. However, a generally held rule is that sites should not keep information any longer than is justifiable. Obviously, this depends on a company's purpose in collecting the data in the first place.

An example of a company that does include a storage limitation clause is Apple Inc. Here's how the company informs its users how long it keeps data:

Apple Privacy Policy: Integrity and Retention of Personal Information clause

Security Clause

As in everything else in a Privacy Policy, the website's genuine security practices ought to match what's written in the agreement. A security clause is essential because, like transparency, it helps build trust with end-users by letting them know that security is vital to the company.

Here's an example of a clause from Apple's Privacy Policy that addresses both its security measures as well as how users can help keep their own information secure:

Apple Privacy Policy: Protection of Personal Information clause

User Rights

User rights, as outlined in a Privacy Policy, vary between nations. For example, a user rights clause in the United States of America is just a collection of principles based on the Federal Trade Commission's Fair Information Practice.

In essence, this is nothing more than a statement of best practices. In contrast, Europe outlines eight guaranteed rights in Chapter 3 of the EU's GDPR.

For example, the UK's Information Commissioner's Office (ICO) lays them out simply as follows:

ICO UK: GDPR Rights list

Contact Clause

It's usually a good practice to include contact information on a business website. Clients and customers who cannot contact customer service, or otherwise get in touch with the relevant party, may quickly grow frustrated. These individuals may choose to skip over to a competitor's site where they can easily find that information.

However, when it comes to Privacy Policies, multiple nations require contact information by law.

For example, all of the following require that a website's Privacy Policy have a Contact clause:

  • The European Union
  • Canada
  • The USA's State of California

Location-Specific Requirements

Depending on who accesses your website or platform, you may have to comply with the requirements of specific countries or states. Here are a few examples.

The EU's GDPR

If a company collects personal information from residents of the EU through its website, it must follow these conditions regarding what information is included in its Privacy Policy:

  • The physical location where consumer information is stored and processed must be listed
  • If applicable, the data controller and processor's names and contact information must be clearly stated
  • If applicable, the contact details of the Data Protection Officer (DPO) must be posted
  • If applicable, the contact details of the European Representative must be posted

Canada's PIPEDA

As with the EU's GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) states that companies must include the following in their Privacy Policies:

  • Contact details, including the name and title of the individual who is responsible for the company's practices and Privacy Policy
  • Contact details, including the name and title of the individual to whom access requests ought to be sent

PIPEDA requirements apply to any organization that collects and processes the personal data of Canadian residents.

The State of California (USA)

Many organizations that operate in the United States of America have a few customers or clients that live in the State of California. The California Online Privacy Protection Act (CalOPPA) is a law that applies to any company doing business in the state. It has only one stipulation when it comes to contact information, and that is:

"If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information collected through the Web site or online service, provide a description of that process."

Website owners can achieve this by giving users a Web portal to see their data, make changes, or delete personal data. Alternatively, companies can provide a contact form or email address to request changes or data deletion.

Where to Display Your Privacy Policy

Laws demand that a company's Privacy Policy be accessible. That means that end-users need to be able to easily find the Policy on an organization's website.

Certain things, such as the website's feel and design, may affect precisely where a company places the Privacy Policy. However, take into account that there are legal considerations.

Following are just a few common places to place a Privacy Policy that are easily accessible.

Website Footer

A customary place for website owners to put a Privacy Policy is the website's footer section, which is positioned at the bottom of every page.

Users know to look here for important information and legal agreements. It will also be available on every webpage to maximize accessibility.

For example, Amazon places its Privacy Notice in the footer of its website, as seen below:

Amazon website footer with Privacy Notice highlighted

Sign-Up Forms and Checkout Pages

Suppose a company asks users to provide information, sign up for a newsletter, create a new account (such as on a log-in screen), or register for an app. In that case, the company should place a link to the Privacy Policy in the form or close to it.

Here's how Birkenstock does this when new users are creating accounts:

Birkenstock create account form with Privacy Statement highlighted

Another common location, especially with E-commerce sites, is within a checkout page, as H&M does here:

H and M checkout page with Privacy Notice link highlighted

It's better to make your Privacy Policy available in many spots than to make it scarce or difficult to locate. A hard-to-find Policy will not only upset your users but may also violate privacy laws.

How to Get Users to Agree to Your Privacy Policy

It's crucial to acquire explicit acceptance of your company's Privacy Policy. First, the EU's GDPR requires it. Secondly, even if a company doesn't do business in the EU, it's still a best practice. With that said, two methods are used to signify acceptance by the user.

These methods are known as browsewrap and clickwrap.

The browsewrap method incorporates statements indicating that the user understands that by creating, accessing, using, or browsing a site, he or she has accepted the website's agreement. However, it is important to note that because this method is generally not considered prominent, it usually isn't enforceable in many courts.

The second method uses checkboxes. As noted above, the EU's GDPR requires explicit acceptance of a company's Privacy Policy. Known as the clickwrap method, it requires users to click a linked button, tick a checkbox, etc., which shows clearly and affirmatively that the user has agreed to the website's Privacy Policy.

Here's an example from Under Armour UK:

Under Armour UK create account form with checkboxes and Agree to Privacy Policy

Some additional benefits of using the clickwrap method as opposed to the browsewrap method are:

  • Forms can be embedded directly into the website
  • Many customers can check the box and signify agreement with the Privacy Policy without the company having to go over terms with each individual, one-on-one
  • Allows the company to save the electronic signature
  • Allows the company to incorporate conditions and terms, which may not be covered by the law

Website owners don't have to use a checkbox specifically when it comes to the clickwrap method. They can also use a simple "click to accept" button and clear text and links to the Privacy Policy. A company can let users know that by clicking that button and proceeding forward and using the website, they agree to the terms of the contract.

For example, Pinterest lets users know that "By continuing, you agree to Pinterest's Terms of Service, Privacy Policy," as seen below:

Pinterest create account form with Privacy Policy and Continue button highlighted

Summary

In conclusion, a Privacy Policy includes information that a website owner must deliver to the end-user by law in most countries.

Specific sections to include in a Privacy Policy are:

  • How you collect personal information
  • How you use personal information
  • How long you retain personal information
  • A security clause
  • A user's rights clause
  • A contact clause

These Privacy Policy sections let users know:

  • What data is collected and why
  • How personal information is used
  • How long personal information is kept
  • Where personal data is kept
  • How the company keeps the data secure
  • Who is in charge of managing the data
  • How the user can change, update, or delete data

Remember that the common areas to display links to the Privacy Policy are:

  • The footer of a website
  • Sign-up forms (create accounts, sign up for emails, etc.)
  • Checkout pages for E-commerce sites

Finally, it is important to get users' clear acceptance of the company's Privacy Policy. The best way to achieve this is through the use of the clickwrap method, which includes the use of checkboxes or the "click to accept" button along with clear text that describes what the user is accepting by clicking.