Does your website need a Privacy Policy?


Often long, boring and overly technical, website privacy policies of the past generally didn’t warrant much attention. If anything, people ignored and avoided that small privacy policy link buried at the bottom of webpages near the copyright notice. But expectations have changed. Today’s website visitors are much more likely to care about how their data is being collected, shared, and stored. In fact, a privacy policy is one of the more important pages on your website. If you don’t have one, it is time to write one. And if you have a privacy policy but aren’t regularly reviewing it to make sure it complies with current requirements, we encourage you to revisit it. Doing this yearly is the way to go.

Why do I need a privacy policy?

There are a number of important reasons why you need a privacy policy included on your website. First, new data privacy regulations and lawsuits are popping up regularly. A transparent, well-written policy helps protect you from these types of threats, including lawsuits.

One example: The General Data Protection Regulation (GDPR). This new EU regulation took effect in May 2018. If your organization needs to adhere to the GDPR regarding data and user protections (many do, even outside the EU), a privacy policy is a necessity. Without it, you or your business could face hefty fines.

Additional examples of regulations that require a privacy policy include:

Bottom line: A privacy policy can keep you in compliance with regulations and protect you and your organization from lawsuits.

A second reason why your organization needs a privacy policy is to fulfill third-party requirements. Many companies, including Google and Facebook, require privacy policies if you collect user information and run any type of campaign through their service. Other organizations — like the BBB — require it for membership or accreditation.

For example, if you use Google Analytics, you agreed to their terms of service when you first started using the service, and those terms include the requirement that your site have a privacy policy. In “4 Reasons You Need a Privacy Policy,” Termsfeed points out, “Google Analytics requires a privacy policy because it stores cookies on a user’s PC, which are then used to collect data about the user. Because of this, both CalOPPA and the EU Cookies Directive would require you to disclose your usage of Google Analytics and its cookies usage.”

Thirdly, a privacy policy helps you build trust with your customers. When a visitor sees that you have a privacy policy, especially a well-written, easy-to-understand one, you build credibility. For people who care about how you will use their personal data, your privacy policy will provide peace of mind.

Failing to protect your site visitors’ data, or to clearly articulate how you intend to do so, can cause a host of issues, including fines, penalties, bans, and a lack of customer trust. No doubt these are all things you want to avoid.

What is a privacy policy?

Now that you understand the importance of a privacy policy, what exactly is it?

In simple terms, it is a legal document that lets your customers know what type of data you’re collecting, how you are collecting that data, and then, what you intend to do with that information. If you plan to share the data with other companies, you need to let your customers know. Additionally, include how you plan to store user data and the actions you have taken to keep it safe.

What should I include in my privacy policy?

As you think about your privacy policy, keep in mind the exact information required will depend on the applicable laws in your country, state and industry. The basics generally include informing users of:

  1. Your name (or business name), location and contact info.
  2. What information you’re collecting when someone visits your website (e.g., their name, email address, their location, or IP address).
  3. How you are collecting the visitor’s information and how you will use the data in the future.
  4. Storage details such as where data will be stored and how you plan to keep it safe.
  5. Consider including whether or not they can opt out of having their information collected, and if so, the consequences of doing so.

Any tips on how I can write a good privacy policy?

Take note that your privacy policy doesn’t need to be boring or full of terms the average user would never understand. One of the clearest privacy policies we’ve read comes from Paul Boag of Boagworld: His policy uses easy-to-understand words and phrases, and it’s immediately clear that he wrote this for his actual users’ comprehension. It uses clear, concise language that the customer can understand.

Another example of a privacy policy written for actual human consumption comes from Canva: Give extra attention to the column on the right. Sentences like, “Welcome, here is our policy on privacy. Our privacy policy, if you will,” as well as, “Your mobile device can give us information about where you are. We’ll try and use this to offer you better service,” are easily understood and again written for the actual site visitor. It makes it clear how data will be collected and used, and immediately builds trust with the user.

One last example we’ll share is our own privacy policy. We’ve written it to be easily understood. Site visitors know what we are collecting, how we are using the information, and how we store their data. Notice that a key theme in each of these examples is that people can actually understand them. Write for your users using words and insights they will understand.

The article, “Nobody reads privacy policies – here’s how to fix that,” provides some additional great tips for writing policies that people actually want to read.

  1. Break up your policy into smaller sections and deliver them at times that are appropriate for users. For example, when a visitor signs up for email updates, share a short privacy notice at that time about how the information they are about to share with you will be used and stored.
  2. Focus on the consumer by writing policies that are relevant to the user’s activity, understandable and actionable.
  3. Lastly, write like a human, for humans. You don’t need to go on and on with big terms and fancy language. Plainly state how you intend to collect and use the data and leave it at that.

Once complete, where should I place the link to my privacy policy?

The standard practice is to link to the privacy policy in the footer of every page of your website. The idea is to not bury it. Make it easily accessible. It is also a good practice to place an extra link to your privacy policy near the submit button of any form that collects user data.

One last word of caution: While we encourage you to keep it simple, we must note that you can’t just pull together a few sentences and call it good. A privacy policy is a legal document. Get legal advice prior to publishing it. As a starting place, there are privacy policy generator tools available online. We have experience with, and while not free, the service generates nice documents that serve as a good starting point. If you do not have your own in-house legal team or business lawyer on retainer, generating a document from a service like this before having your lawyer take a look might expedite the process and could potentially save you a bit on legal fees.

Disclaimer: This information is offered as background information and does not constitute legal advice. You should not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider.