A privacy policy is a statement of a business’s or website’s policy on visitor data collection and how that data is used. This includes what’s kept confidential, what’s shared, and what’s sold to other organizations. A privacy policy is required by law for any business that has a website or a mobile app. Writing one may seem intimidating if you’ve never done it before, but follow this step-by-step guide and you’ll have a good privacy policy in no time.
The legal requirements for website privacy policies vary by country and age of target audience. Here are a few notable ones:
GDPR
Countries of jurisdiction: The European Union
Year implemented: 2018
The GDPR is currently one of the strictest and most broadly reaching privacy laws in the world. It applies to any business in the world that interacts with EU citizens.
If your business is required to comply with the GDPR, your Privacy Policy needs to inform users of their GDPR-granted rights, your lawful basis for processing the data your website collects, and your contact information.
The GDPR also requires privacy policies to be written in plain language and easy to locate on your website.
CalOPPA
Country of jurisdiction: The United States (California)
Year implemented: 2004
At the moment, the US doesn’t have a federal privacy law like some countries do. CalOPPA is a state law in California, but it has become the de facto standard for online businesses serving the US, since it’s nearly impossible to operate online in the United States and have no users from California.
To comply with CalOPPA, you’re required to create a privacy policy and display a conspicuous link to it on your website.
COPPA
Country of jurisdiction: The United States
Year implemented: 2000
COPPA is a U.S. law regarding privacy practices for websites and apps directed at children under 13. COPPA-compliant privacy policies are more complex than standard privacy policies. For example, they must grant children’s parents the right to verify consent, review personal information, make requests, and deny future data access. This is why many social media companies set age limits: to avoid falling under COPPA’s requirements.
CCPA
Country of jurisdiction: The United States
Year implemented: 2018
The CCPA is the most comprehensive data privacy law to be passed by a US state. It was intended to give California residents more control over the information that businesses collect on them. It has many similarities to the GDPR, except it’s not as strict about cookie collection.
PIPEDA
Country of jurisdiction: Canada
Year implemented: 2000
PIPEDA affects all businesses with users in Canada that collect, use, and store customers’ personal information.
To comply with PIPEDA, you must:
DPA
Country of jurisdiction: The United Kingdom
Year implemented: 1998
The DPA applies to anyone who does business with the UK. To comply, you’re required to make sure:
Privacy Act
Country of jurisdiction: Australia
Year implemented: 1988
This privacy act applies only to Australian businesses, with one exception: health service providers. Foreign health services that interact with Australian citizens are also required to comply with its requirements, including:
This is where you state what personal data you collect from your users or visitors, including but not limited to
You are required to inform users how you collect data about them. This includes geographical location tracking, partnerships with any third-party services, et cetera.
You’re also required to include what your visitors’ private information is used for after you collect it. Some examples of uses include:
Even if children aren’t the target audience of your website, your privacy statement is required to include a clause that addresses the privacy of children under 13.
If your website targets adults, then a simple statement in your policy should suffice. But if children or teenagers are part of your target audience, you’ll need to include more information to comply with COPPA.
At some point, you will probably want to get in touch with your customers, and they may want to contact you. Because contact information includes personal information, it's necessary to include a communications clause.
A business transfer clause lets users know that their personal information will be transferred to a new owner if your business is acquired by another entity. Even if you don’t plan to sell your business, including a business transfer clause is still a good idea. This clause can limit your liability if you do sell your business in the future.
This clause is what it sounds like: a description of measures your business takes to resolve privacy-related disputes. Your terms and conditions should include a more detailed outline of governing law, but it’s a good idea to include a short dispute resolution clause in your privacy policy.
This section should inform users of your right to make changes to the Privacy Policy at any time, and of their right to know about it. It should let users know that they will be notified of any changes at the time the changes occur and which method of communication you will use for notifications.
Your privacy policy should clearly state the rights of users to delete, make changes to, and review data.
The GDPR and some other privacy laws include specific rights you are required to give users. Before you write your user rights clause, read up on those for the laws that are applicable for your business.
This is where you provide a list of ways users can contact you if they have any questions or concerns about their privacy. If you can point them to a specific email address or department for privacy, this will show that you are committed to protecting their privacy.
Depending on the products and services you provide, the types of information you collect, and how you use that information, you may need to include some of the following clauses:
Cookies can be a lengthy topic, so it’s a good idea to give them a separate policy. Even if your business doesn’t use cookies to gather user information, third-party software or plugins on your website or mobile app might use them.
Make sure your cookies policy includes:
Most websites and mobile apps use third-party services for some tasks. If you use any third-party affiliates, you’ll need a Third Party Access to Information clause to inform users who these third parties are and why they need access to user data.
A data retention clause is necessary for any websites with subscriptions or user accounts. The purpose is to let users know their rights to delete their subscriptions and accounts, and inform them of any information that the database will save after they delete their accounts.
Website Privacy Policy Best Practices
You are not required to hire a lawyer to write your privacy policy. It could still be a good idea to hire an attorney who is familiar with data privacy laws to review it with you, especially if you have complex data collection needs, do business in multiple countries, or need to be COPPA-compliant.
There are several great privacy policy templates and free privacy policy generators for all kinds of business needs that can help you draft a privacy policy without legal advice.
Here at Sav, we’re dedicated to creating and protecting your digital identity from your domain to your website to the products and services you sell. Create an account today to get started.