- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
- 1. What is a Privacy Notice?
- 3. What is a Privacy Statement?
- 4. Does it Matter What I Call My Privacy Document?
- 5.1. Introduction
- 5.2. Data Processing
- 5.3. Consumer Rights
- 5.4. Contact Details
- 6.1. Areas Where You Collect Personal Data
- 6.2. Pop-up Banners
- 6.3. Website Footer
- 7. Summary
What is a Privacy Notice?
A Privacy Notice tells people who visit your website how you process their personal data, and how they can limit your access to personal data.
Fitness brand Gymshark, for example, calls its privacy document a Privacy Notice:
Women's Health also uses the term "Privacy Notice" for its privacy document:
Must you call this document a Privacy "Notice," though? The answer is no. For example, some businesses call this notice a Privacy "Statement" or "Policy," and for the most part, they're all taken to mean the same thing.
The law doesn't offer much guidance, either. For example, Article 12 of the EU's General Data Protection Regulation (GDPR) states that businesses must set out their privacy practices in writing, but there's no mention of the word "notice."
Similarly, the California Consumer Privacy Act (CCPA/(CPRA) requires businesses to provide a "Notice at Collection," but again, this is not the same term as "Privacy Notice." That said, you'll note from the example above that Women's Health does refer to its statement as both a Privacy Notice and Notice at Collection.
Here's another example. Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires businesses to be transparent about what personal data they collect and how it's processed. As per Section 4 of Schedule 1 though, businesses only need to make this information available in an easily accessible format.
Here's what we can take from all this so far:
- A Privacy Notice sets out a company's privacy practices so website visitors can understand them.
- There's no clear legal requirement to name this document a Privacy Notice. However, you may choose to do so.
If you don't want to use the term "Privacy Notice," here's a look at whether you can call the document a "Policy" or "Statement" instead.
These documents serve the same purpose as the Privacy Notices mentioned above. The only difference is in the name. Both terms include the word "privacy" so customers know the document covers their privacy rights.
This tends to be the standard, default way of naming these legal agreements and the way most commonly used.
Whether you call your privacy document a notice or policy, just make sure it contains the word "Privacy" somewhere in the title.
What is a Privacy Statement?
A Privacy Statement is what it sounds like: A statement of your privacy practices.
Here's an example from Microsoft. It covers the same types of clauses as the other documents; namely, how the company handles personal data and why. Again, the only difference is in the name:
Netflix also uses the phrase "Privacy Statement" to mean its core privacy document. From the introductory clause, it's clear that this statement sets out how the company processes personal data, and what choices people have regarding the sharing of this data:
As with the other examples, if you choose to call your document a Privacy Statement, ensure it's clear what the document is and why visitors should read it.
Does it Matter What I Call My Privacy Document?
In practical terms, no.
It all comes down to your visitors' expectations. So long as it's clear that your document refers to your privacy practices, your visitors will understand the meaning of the document and what it's intended to communicate, regardless of what it's called.
Now we're clear on the naming of these agreements, let's briefly cover what you should include within it.
Names aside, every Privacy document should include the following points of information:
- What personal data you collect
- Why you collect it
- How you collect it
- Who you share it with
- What rights a person has regarding their personal information
- Your business contact details
You may need additional clauses, depending on the services you offer and which privacy laws apply.
Covering how to write Privacy Policies in any detail goes beyond the scope of this article. However, let's briefly break the most common clauses down.
Here's an example from McDonald's. It's only a few sentences long but that's all that's needed to make it clear what the document covers:
Explain what type of data you collect, why you need it, how you use the data, and who you share it with.
It then sets out why it collects the data:
Disclose what rights people have regarding what data they share with you. Use simple language so it's easy for people to understand.
American Eagle has a clause that addresses some rights granted under the CCPA (CPRA):
Or, you can follow the McDonald's example and list the rights in bullet-point style, for extra clarity:
Whatever you call your Privacy document, it's crucial that it's easy to understand and user friendly.
Help customers reach you to exercise their privacy rights by providing contact details. At least one option should be free, such as sending you an email.
American Eagle has multiple different methods of contact, as well as separate contact information for credit card inquiries versus privacy inquiries:
Now that you have an idea of what to include in your Privacy document, let's look at methods of displaying your document, regardless of what you title it.
Website visitors must be able to view your Privacy document before they use your services. There are a few places where you should display your Privacy document:
- Anywhere users are asked to share personal data (sign-up forms, email subscribe forms, etc.)
- Pop-up banners (e.g. Cookie Notices)
- Your website footer
Here are some examples.
Areas Where You Collect Personal Data
Before visitors hand over any personal data, such as when they open an account or complete their shopping cart order, give them a clear opportunity to review your Privacy document. This way, you can ensure they've had a chance to read and understand your privacy practices before sharing personal information with your company.
No matter how you name your Privacy document, make sure you make it available to people before they share any personal data with your website.
McDonald's has a similar banner. Visitors can click "Privacy Statement" or "California Privacy Notice" to read the relevant document before proceeding:
You'll notice it's also called a Privacy "Statement" in this banner, as these terms can be used interchangeably, as we've noted.
You can find Amazon's Privacy Notice, for example, beside its Conditions of Use:
Alternatively, you can link to your Privacy document in a sidebar or your website header, if it fits better with your website layout.
Finally, if you have a mobile app or website, make sure your Privacy document is somewhere clearly visible e.g. the page footer or app menu.
- Includes the word "Privacy" in the title
- Sets out your privacy practices clearly
- Establishes what rights people have regarding their personal data
- Complies with your legal obligations
Make sure you display your document somewhere visible, including your website footer and places where customers share personal data, such as when they register for an account or complete their shopping transaction. It's also a good idea to display your Privacy document in your Cookie Notice so visitors can read it before agreeing to cookies.