Privacy Policies are Legally Required

Last updated on 19 September 2019

Privacy laws around the world dictate that if you collect personal information from your website visitors, then you need to have a Privacy Policy posted to your site and available with your mobile app (if applicable).

Many third-party services used to enhance website performance (like payment processing tools, analytics suites and advertising plug-ins) also require you to have a Privacy Policy.

This article will discuss some of these laws and third-party requirements while showing examples of some of the most important clauses that your Privacy Policy should have. By the end you'll know why you need one and have a start on creating your own.

What is a Privacy Policy?

A Privacy Policy is a legal agreement that explains what kinds of personal information you gather from website visitors, how you use this information, and how you keep it safe.

Examples of personal information might include:

  • Names
  • Dates of birth
  • Email addresses
  • Billing and shipping addresses
  • Phone numbers
  • Bank details
  • Social security numbers

A Privacy Policy generally covers:

  • The types of information collected by the website or app
  • The purpose for collecting the data
  • Data storage, security and access
  • Details of data transfers
  • Affiliated websites or organizations (third parties included)
  • Use of cookies

To get an idea of what a Privacy Policy might include, here is an example of an informative introduction to one from Etsy:

Screenshot of Etsy Privacy Policy Statement

A summary introduction like this is a good way to let readers know what exactly they can expect to find in the rest of the agreement.

Let's take a look at some specific laws and their requirements.

Privacy Laws in the US

CalOPPA is one of the strictest privacy laws in the US. It affects anyone who collects personal information from people residing in California, which means its reach goes far beyond state borders.

While CalOPPA is strict, it isn't overly complicated to comply with. Having a Privacy Policy is its key requirement.

CalOPPA

CalOPPA's purpose is to protect personal data collected from California residents. While CalOPPA is a state law and not a federal law, it very likely affects your website regardless of where you operate from, because almost any public website will be visited by California residents.

CalOPPA requires websites and apps to have a clearly visible and accessible Privacy Policy. Here's how the Consumer Federation of California Education Foundation describes CalOPPA:

Consumer Federation of California Education Foundation: Who does CalOPPA apply to?

CalOPPA defines "personally identifiable information" to include:

  • First and last names
  • Physical addresses
  • Email addresses
  • Telephone numbers
  • Social Security numbers
  • Any other contact information shared with a business either physically or online
  • Birthdates
  • Details of physical appearance (height, weight, hair color)
  • Any other information stored online that may identify an individual

How a Privacy Policy Can Comply with CalOPPA

In order to comply with CalOPPA, a Privacy Policy must include the following information:

  • Details of exactly what types of personal data are collected through the website or app
  • Any affiliated organizations this data may be shared with
  • A clear explanation of how users can request amendments to any personal data that is collected
  • The process for informing users of any changes to the Privacy Policy
  • The effective date of the Privacy Policy
  • What happens if a user makes a "Do Not Track" request
  • Details of third parties who collect personal data through the website or app

Include a "Do Not Track" Clause

"Do Not Track" - DNT for short - is a browser setting that adds a "DNT: 1" header to every request, asking websites and the third-party services they embed (advertising networks, analytics scripts) not to track the user's behavior. It is only a request: the header blocks nothing by itself, and each receiving site decides whether to honor it.

Under CalOPPA, honoring a DNT signal is not mandatory. What is mandatory is disclosure: your Privacy Policy must state how your website or app responds to DNT signals, and that statement must match what your site actually does.

Here's how Whole Foods lets users know that DNT requests will not be honored and provides a link to additional information about the topic:

Whole Foods Privacy Policy: DNT (Do Not Track) clause

If you have to comply with CalOPPA, don't forget this clause.
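Here is how the two halves of that commitment fit together in code. This is an added example, not part of the original article or of any site it mentions: it reads the DNT signal that browsers send as a request header (and expose to page scripts), and routes the site's published stance on DNT through a single function, so the policy text and the site's behavior cannot quietly diverge. The sample request headers and navigator object are constructed for the example, and the name of the policy flag (honorsDnt) is an assumption.

```javascript
// Added example, not from the original article: reading the "Do Not Track"
// signal on the client and on the server, and turning the commitment your
// Privacy Policy makes about DNT into one explicit decision in code.

// Browsers expose DNT inconsistently: navigator.doNotTrack ("1", "0",
// "unspecified" or null), window.doNotTrack (older Firefox/Safari) and
// navigator.msDoNotTrack (old Internet Explorer). Only an explicit "1"/"yes"
// counts as an opt-out; anything else means the user has expressed nothing.
function dntEnabledInBrowser(nav, win) {
  const candidates = [
    nav && nav.doNotTrack,
    win && win.doNotTrack,
    nav && nav.msDoNotTrack,
  ];
  const raw = candidates.find(v => v !== undefined && v !== null);
  return raw === '1' || raw === 'yes';
}

// Server side: the browser sends a "DNT: 1" request header. Header names are
// case-insensitive, so look the field up without assuming its capitalisation.
// `headers` is a plain object such as Node's IncomingMessage.headers.
function dntEnabledInRequest(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === 'dnt') {
      return String(headers[name]).trim() === '1';
    }
  }
  return false;
}

// The decision the CalOPPA clause describes. `honorsDnt` is the commitment
// published in your Privacy Policy (an assumed flag name); keeping it as a
// single input here means the policy text and the site's behavior cannot
// silently diverge. `consent` is the user's active cookie consent, which is
// required independently of DNT wherever EU cookie rules apply.
function shouldLoadTracking({ honorsDnt, dnt, consent }) {
  if (!consent) return false;          // never track without active consent
  if (honorsDnt && dnt) return false;  // the policy said DNT is respected
  return true;
}

// Constructed sample input (not real traffic): a request from a browser with
// DNT switched on.
const sampleRequestHeaders = { host: 'example.com', 'DNT': '1', 'user-agent': 'Mozilla/5.0' };

const decision = shouldLoadTracking({
  honorsDnt: true,                                 // what your policy says
  dnt: dntEnabledInRequest(sampleRequestHeaders),  // what the browser asked for
  consent: true,
});
console.log('DNT sent:', dntEnabledInRequest(sampleRequestHeaders), '-> load tracking:', decision);
```

If your policy says DNT is not honored (as in the Whole Foods clause), set honorsDnt to false and the header is simply ignored; the point is that the value lives in one place that the policy text can be checked against.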

How to Display a CalOPPA-Compliant Privacy Policy

In order to comply with CalOPPA, a Privacy Policy must:

  • Be clearly visible and easily accessible for visitors to your website or users of your app
  • Contain the word "privacy" in the display link

Here is an example from Amazon where a Privacy Notice is clearly linked in the website footer:

Amazon Website Footer Screenshot

This requirement helps make it easy for people to find your Privacy Policy, which helps with transparency.

Privacy Laws in the EU

On May 25, 2018, the General Data Protection Regulation (GDPR) replaced the EU Data Protection Directive, which had been in force since 1995.

The Directive regulated the gathering and handling of personal information in the EU and protected it from misuse.

It required companies operating from an EU country to tell individuals how their personal data was used, in practice through a Privacy Policy.

GDPR

The GDPR requires all companies operating in the EU as well as foreign companies that handle personal data of people located in the EU to have a Privacy Policy. This is part of its goal to make sure personal information is both obtained and processed fairly.

Data Protection Commissioner's Guide for Data Controllers: Obtain and Process Information Fairly - GDPR

The GDPR applies to both EU businesses as well as international businesses collecting personal data from users located within the EU.

The GDPR requires that:

  • All personal data must be processed lawfully, fairly and transparently.
  • Data may be collected only for specified, explicit purposes, and used only for those purposes.
  • Data must be accurate and corrected or updated when requested.
  • Data may be kept in a form that identifies the user for no longer than necessary, with exceptions for specific circumstances such as scientific research.
  • The business collecting data is accountable for its own compliance and, where the GDPR requires it (for example public authorities or large-scale monitoring of individuals), must appoint a Data Protection Officer.
  • The user must be able to contact the business collecting the data and its Data Protection Officer (if there is one).
  • Users must be told why their data is being gathered, on what legal basis, and how long it will be stored.
  • Users must be advised of their 8 rights under the GDPR, including the right to access, update or request erasure of their personal data.
  • Users have the right to lodge a complaint with a supervisory authority, and the contact information for that authority must be provided.
  • Users must be informed if their data is to be shared with any third parties or affiliated organizations, or if it will be transferred outside of the EU.
  • Any other information the user needs to know to ensure fair processing of their personal data.

While there are a number of factors to consider for your GDPR compliance plan, one of the things you'll absolutely need is a compliant Privacy Policy.

Your Privacy Policy needs to be easily accessible. Consent is one of the GDPR's six legal bases for processing (others include performance of a contract and legitimate interests), so you do not always need it, but where you do rely on it, it must be freely given, specific, informed and unambiguous: an active opt-in such as an unticked checkbox. Pre-ticked boxes, silence or continued browsing do not count.

Here's a good example of how IKEA gets consent to collect personal information. Users must check a box when creating a profile that says they agree to having their personal information saved:

IKEA Create an account: I agree to Privacy Policy checkbox

The GDPR represents a big change for data protection. This is true for both EU-based and non-EU businesses that collect personal data from people located in the EU, whatever their citizenship.

The enforcement of the GDPR is much stricter than with previous regulations and carries greater penalties for non-compliance.

Privacy Laws in Canada

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity in Canada, and it requires them to make their privacy practices readily available, which in practice means a Privacy Policy:

Privacy Commissioner of Canada: PIPEDA in brief intro

If you fall under the scope of PIPEDA, you'll need to become familiar with its requirements and make sure your Privacy Policy is up to standards.

Privacy Laws in Australia

The Australian Privacy Act 1988 requires the businesses it covers (most organizations with an annual turnover above AUD 3 million, plus certain smaller ones such as health service providers and businesses that trade in personal information) to have a Privacy Policy when they collect personal information.

One of its key features is a set of 13 Australian Privacy Principles (APPs) that govern the gathering and processing of personal data.

APP 1 requires covered businesses to manage personal information openly and transparently, and to have a clearly expressed and up-to-date Privacy Policy disclosing their data collection activities.

OAIC, Privacy fact sheet 17: Australian Privacy Principles - APP Privacy Policy clause

Privacy Laws in the UK

Personal data in the UK was long governed by the Data Protection Act 1998, built around 8 Data Protection Principles that every company collecting personal data online in the UK had to follow. Since May 2018 the GDPR applies in the UK directly, supplemented by the Data Protection Act 2018, so the requirements described in the GDPR section above are the ones UK-facing sites must meet. The ICO's guidance on the first principle, fair and lawful processing, still captures the core idea:

ICO UK Data Protection Principle 1: Fair and lawful processing of personal data

Privacy Policies Required by Third-party Services

Many third-party services commonly used by websites and apps also require that a Privacy Policy be made available.

For example, email newsletter service providers generally require a Privacy Policy in order to use their service.

Campaign Monitor's Terms of Service includes this clause covering personal information:

Campaign Monitor Terms of Service: Personal Information clause

The best way to satisfy this requirement of informing customers is with a Privacy Policy.

You also need to make a Privacy Policy available on your website or app if you use third-party services that track user browsing behavior or that use location data, like Google Analytics or Google Adsense.

SendPilot discloses all the categories of third-party services that it may use to collect or process user data as follows:

SendPilot Privacy Policy: Third Party Recipients clause

Google Analytics

If your website or app uses Google Analytics, then you need to update your Privacy Policy to meet the Google Analytics Terms of Service. Google Analytics sets cookies holding a client identifier so that it can tie page views to a returning browser; under laws like the GDPR such identifiers are personal data, so a Privacy Policy is required.

Privacy Policy Requirements for the Standard Features of Google Analytics

According to the Google Analytics Terms of Service, if you are using the standard features of Google Analytics to track user behavior on your website or app, then your Privacy Policy must:

  • State that you use Google Analytics to track user behavior
  • Explain how Google Analytics collects and processes data (Google suggests doing this by linking prominently to its page "How Google uses data when you use our partners' sites or apps")
  • Inform the user of the use of cookies

The Privacy Policy should be displayed in a prominent location, such as a website footer or in the main menu of an app.

Here's an example from the footer of the BBC's website:

BBC Website Footer Screenshot

Additionally, you should have a pop-up or banner Cookie Consent Notice that alerts users to the use of cookies on your website and allows users to block this if they wish.

Here's an example of a cookie banner from the University of Brighton:

University of Brighton Cookies Consent notice with Cookie Policy and Cookie Settings

Privacy Policy Requirements for Google Analytics Advertising Tools

If you use Google Analytics Advertising tools in addition to the standard features, there are further Privacy Policy requirements.

The advertising features covered by these additional requirements are listed in Google's policy for Google Analytics Advertising Features. If you use any of them, Google requires you to inform users by including the following information in your Privacy Policy:

  • The Google Analytics Advertising tools that you use, and how and why you use these features.

  • A notice that cookies are used by third-parties to display relevant advertising to the user.

  • Instructions on how users can opt out of the Google Analytics Advertising features, for example through Google's Ads Settings or the Google Analytics opt-out browser add-on.

Google does not provide guidance on the exact language to use in your Privacy Policy. However, it should always be written in plain English and in a way that is easy to understand.

Google Adsense

If your website or app uses Google AdSense, then you need to update your Privacy Policy in line with the Google AdSense Terms and Conditions.

You must provide a Privacy Policy that discloses your use of Google Adsense, including:

  • A statement that third-party vendors, including Google, use cookies to display relevant advertising to a user based on previous visits to your site and other sites.
  • Information on Google's advertising cookies (historically described as DoubleClick cookies; Google retired the DoubleClick brand in 2018, so check the current wording of the policy).
  • Instructions on how users can opt out of personalized advertising through Google's Ads Settings.

Google also requires that you use "commercially reasonable efforts" to make sure you get consent to use cookies on a user's device.

This is generally done by using a pop-up or banner that alerts users to the use of cookies on your website and allows users to block this if they wish, as mentioned earlier in the article.

Additional Requirements for EU Businesses

The above points apply to all websites and apps that use Google AdSense. However, Google's EU user consent policy adds requirements for any site that serves ads to users in the EU, regardless of where the company itself is based.

Users must be alerted to your website or app's use of cookies, and give their informed consent, before any non-essential cookies may be placed on that user's device (cookies strictly necessary for the service the user asked for, such as a session or shopping-cart cookie, are exempt).

This includes:

  • The different types of cookies that are used
  • Details of any cookies from third parties that may be used
  • Why cookies are used and how they are placed on devices

As with other cookie alerts, this is usually done through a pop-up or banner that clearly explains that cookies are in use and directs the user to further information on this matter.

Consent to place cookies must be obtained from the user actively, meaning users must click a button, check a box or take some other affirmative action to confirm they consent.

Active consent is what distinguishes a compliant banner from one that merely informs: the user must confirm with an unticked checkbox or an "I agree" button, and the tracking cookies must not be set until that happens. Informed consent is the separate requirement that the user is told what they are agreeing to before they do.

Here is an example of active consent for cookies from Wembley that includes a user-friendly explanation of the type of cookie used and why. The blue "I'm Happy With This" button is what distinguishes this type of consent from passive consent.

Wembley: Cookies notification in the footer as example of user active consent

Passive consent to place cookies on a user's device is no longer allowed. Here is an example of passive consent for cookies from Calvin Klein's website:

Calvin Klein: Cookies notification banner in header of website as passive user consent example
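The difference between the two banners above is whether the tracking code runs before or after the click. Here is an added example, not from the original article or any of the sites it shows, of a banner that implements active consent for Google Analytics: the tracker is injected only after the user clicks the accept button, the decision is recorded in a cookie, and a decline sets Google's documented per-property opt-out flag. The element ids (cookie-banner, cookie-accept, cookie-decline), the cookie name and lifetime, and the measurement ID G-XXXXXXX are placeholders assumed for the example.

```javascript
// Added example, not from the original article: a cookie banner that implements
// *active* consent. The tracker (Google Analytics via gtag.js, with the
// placeholder measurement ID 'G-XXXXXXX') is injected only after the user
// clicks "I agree"; a banner that announces cookies while the tracker loads
// anyway is the passive pattern. Element ids and the cookie name are assumptions.

const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const CONSENT_MAX_AGE_DAYS = 180;          // assumed: ask again after six months

// Parse a document.cookie / Cookie-header style string into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Stored decision: 'granted', 'denied' or null (never asked, expired, tampered).
function readConsent(cookieHeader) {
  const v = parseCookies(cookieHeader)[CONSENT_COOKIE];
  return v === 'granted' || v === 'denied' ? v : null;
}

// Cookie string recording the decision. SameSite=Lax and Secure keep the
// consent record itself from being set or read across sites or over plain HTTP.
function consentCookieString(decision, secure = true) {
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${maxAge}; Path=/; SameSite=Lax` +
    (secure ? '; Secure' : '');
}

// What to do on page load: 'load' the tracker, 'skip' it, or 'ask' the user.
// Nothing except an explicit stored 'granted' ever results in 'load'.
function consentAction(cookieHeader) {
  const c = readConsent(cookieHeader);
  if (c === 'granted') return 'load';
  if (c === 'denied') return 'skip';
  return 'ask';
}

// Google's documented per-property opt-out flag: while it is true, gtag.js
// sends nothing for that measurement ID, so a later "decline" takes effect
// without reloading the page.
function setAnalyticsDisabled(win, measurementId, disabled) {
  win['ga-disable-' + measurementId] = disabled;
  return win['ga-disable-' + measurementId];
}

// Inject gtag.js (Google's standard snippet). Called from exactly one place:
// after an accept click, or on later visits when the stored decision is 'granted'.
function loadGoogleAnalytics(doc, win, measurementId) {
  setAnalyticsDisabled(win, measurementId, false);
  const s = doc.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId);
  doc.head.appendChild(s);
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', measurementId);
}

// Wire the banner. The tracker is never loaded before the user acts.
function initConsentBanner(doc, win, measurementId) {
  const action = consentAction(doc.cookie);
  if (action === 'load') return loadGoogleAnalytics(doc, win, measurementId);
  if (action === 'skip') return setAnalyticsDisabled(win, measurementId, true);
  const banner = doc.getElementById('cookie-banner');   // assumed markup
  if (!banner) return;
  banner.hidden = false;
  doc.getElementById('cookie-accept').addEventListener('click', () => {
    doc.cookie = consentCookieString('granted');
    banner.hidden = true;
    loadGoogleAnalytics(doc, win, measurementId);   // the only path that loads it
  });
  doc.getElementById('cookie-decline').addEventListener('click', () => {
    doc.cookie = consentCookieString('denied');
    banner.hidden = true;
    setAnalyticsDisabled(win, measurementId, true);
  });
}

// Only wire the DOM where one exists (this file can also be loaded under Node).
if (typeof document !== 'undefined') {
  initConsentBanner(document, window, 'G-XXXXXXX');
}
```

Run it in the browser after the banner markup is in the page; under Node the DOM wiring is skipped and the pure helpers can be unit-tested. The gtag snippet itself is Google's standard one; everything around it is the gate, and the same gate can front any other tracker by swapping the load function.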

Now that you know why you need a Privacy Policy according to laws and third party services, let's get more into what your Policy should look like.

What to Include in a Privacy Policy

What should be inside my Privacy Policy?

The content of Privacy Policies varies from one business to another. How a website collects and manages information, and how it interacts with third parties is unique to every company. Additionally, where a website's users live can impact the company's Privacy Policy because of international laws protecting global consumers.

At minimum, your Privacy Policy should cover the following points:

Business Name and Contact Details

Your Privacy Policy needs to contain your official business name and contact information.

Here is an example from Whole Foods:

Whole Foods Privacy Notice: General clause with contact information highlighted

This information is commonly seen at the very beginning or very end of a Privacy Policy and users know to look there, so that's the best practice recommended placement.

Types of Personal Data You Collect

You are required to disclose the various types of personal data you collect from users both directly and indirectly.

Budweiser provides a nice example:

Budweiser Privacy Policy: Information We Collect clause excerpt

Note that the clause lists how the data may be collected as well as examples of specifics like email addresses, ZIP codes and "precise locations." Remember: the more thorough you are, the better.

Why You Collect Personal Data

Privacy laws require you to collect only the personal data you actually need (data minimization), and to explain why you need it.

Here's an example from Nestle:

Nestle Privacy Policy: Excerpt of Use of Personal Data chart

This chart format isn't necessary but it definitely helps with readability and organization. Note that it not only tells users why the information is used, but for what specific reason. It also addresses legitimate interests for using personal data, which helps with GDPR compliance.

How the Data is Used

How you use the data you collect is another important component of every Privacy Policy.

Here's how Airbnb does this:

Airbnb Privacy Policy: How We Use Information clause - improve and develop platform section

Using a list format helps you convey a lot of information in a more organized way, which is important in order to keep your Privacy Policy easily readable by a general audience. Make sure to include as many specific ways as possible that you use the data.

How You Share Data with Third Parties

Most websites use one or more third party tools to enhance site performance and user experience. Examples might include Google Analytics to understand website visitors, or AdSense for personalized advertising.

Most sites also use cookies: small pieces of data the site stores in the browser and that the browser sends back with later requests. They keep users logged in and remember preferences, but they are also the mechanism advertising and analytics services use to recognize the same browser across visits and across sites.

All instances of third party data sharing must be explained in your Privacy Policy, and you should provide links to those third party companies' policies as well.

Take a look at how Instagram does this:

Instagram Data Policy: Sharing with Third-party Partners clause excerpt

Breaking up the information into paragraphs to address separate types of third-party sharing, like advertising and analytics, is very helpful and makes the information easier to digest.

How to Opt Out of Data Collection

Your Privacy Policy must include instructions for opting out of ongoing data collection, as well as for getting a copy of any data already collected.

Nike clearly provides this information in its Privacy Policy:

Nike Privacy Policy: Opting Out of Direct Marketing clause

If you have multiple different ways that users can opt out of multiple different things (like email newsletters, text messages, conventional mail, etc.), make sure to include all the ways available.

How to Create Your Privacy Policy

PrivacyPolicies.com: Privacy Policy Generator - How to Create your Privacy Policy

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy."
  2. Select the platform/s where your Privacy Policy will be used.
  3. Answer the questions related to your entity type and location.
  4. Answer the questions relating to what type of information you collect from your users.
  5. Select all the ways you wish to allow your users to contact you with questions regarding your Privacy Policy.
  6. Select what kind of Privacy Policy you want to create.
  7. Enter the email address where you'd like your Privacy Policy sent and click "Create Privacy Policy".
  8. Now you can copy or link to your hosted Privacy Policy.

Remember

Laws around the world require websites to have a Privacy Policy in place. From California's broad CalOPPA law, to the EU's new General Data Protection Regulation and other laws in Canada, the UK and Australia, there is much to understand about privacy laws and compliance.

The various laws share essential goals centered around protection and proper use of private consumer data. They vary in some ways but one thing is certain: if you own or operate a website anywhere in the world, you likely need a Privacy Policy in place that complies with the laws in the jurisdictions where your website users live.

You also need to be aware of requirements of third party services you use, such as analytics or advertising services. Always check the Terms of Use for these services to find out what you need to do.

By having a thorough, easy to read Privacy Policy that's clearly displayed, you'll have covered the first requirement of every privacy law and Terms agreement above. The second is that your site actually behaves the way the policy says: the laws judge your practices, not only your document, so review the policy whenever you add a tracker, a cookie or a new third-party service.
