Your First Privacy Policy? Start with These Clauses

You know your business. Whether it be baking donuts, creating software, or breeding hedgehogs, you are the end-all expert in that field. What you may not know are the legal intricacies of managing your business online.

Have no fear. Below we'll explain the basics of building your online Privacy Policy.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

    Privacy Policy Generator - Select platforms - Step 1

  3. Add information about your business: your website and/or app.

    Privacy Policy Generator - Add your business info - Step 2

  4. Select the country:

    Privacy Policy Generator - Add your business info - Step 2

  5. Answer the questions from our wizard relating to what type of information you collect from your users.

    Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    Privacy Policy Generator - Enter your email address - Step 4

And you're done! Now you can copy or link to your hosted Privacy Policy.

What Is a Privacy Policy?

To put it simply, a Privacy Policy is a public document that outlines exactly what types of information you are gathering from your users and/or customers, as well as how you use the information, and how you will keep the information private.

This is an example of the intro and table of contents of a standard Privacy Policy from WebMD:

WebMD: Screenshot of Privacy Policy Introduction

Does your website or mobile application need a Privacy Policy? Absolutely. Here are just a few reasons why:

  1. It's the law. Throughout the United States, Europe, and most of the developed world, many laws exist to protect the privacy of internet consumers.

    In the United States in particular, there is a complicated network of laws and guidelines that make it easy for agencies like the Federal Trade Commission to enforce penalties on any business that seems to be abusing the privacy rights of its users.

    And you've surely heard of the GDPR out of the EU, which really ups the requirement of not only having a Privacy Policy but what content you include in it if you have any customers or users in the EU.

    When it comes to legal liability, you are always better safe than sorry, and with all the laws requiring a Privacy Policy, you're likely violating a law that applies to you if you don't have one.

    An excerpt from the Federal Trade Commission website:

    "The FTC has brought legal actions against organizations that have violated consumers' privacy rights, or misled them by failing to maintain security for sensitive consumer information. In many of these cases, the FTC has charged the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce."

    And many businesses have already been hit with fines for violating different aspects of the GDPR since its inception in 2018.

  2. It may be required by third-party services. Many of the services that you may need to use on your website, such as a shopping cart, Google AdSense, Amazon Associates, or other software, require a Privacy Policy in place before you can legally use their services.

    Google AdSense requires a Privacy Policy in its Terms of Service:

    Google AdSense - AdMob Terms of Service: Privacy clause with Privacy Policy requirement

  3. It establishes trust with users. Providing privacy and transparency for your customers goes a long way with earning their trust and confidence.

    It's also considered to be a standard best practice for any online business. In short, it's the right thing to do.

Which Clauses Should You Include in Your Privacy Policy?

Now that you know why a Privacy Policy is necessary, you may be wondering how to go about building one.

Below are the clauses that are basic to a thorough Privacy Policy.

Types of Information Collected

First and foremost, you must clearly identify which types of personal information are being collected through your website or mobile app.

Personal information is any data that can be used to contact, identify, or locate an individual. This may include:

  • Email address
  • First and last name
  • City or town plus country
  • Shipping or billing address
  • Social security number
  • IP address
  • Profile picture
  • Credit card number
  • Birthplace
  • Telephone number
  • Username

Here is Twitter's "Information Collection and Use" clause in its Privacy Policy:

Twitter's Privacy Policy: Information Collection and Use clause

As you can see, even seemingly anonymous information may be used in combination with other data to identify an individual and so is also defined as personal information. Any such information must remain confidential and protected.

As long as your Privacy Policy clearly lists any type of personal information that is being collected, you will be protected in case anyone claims you used their information without authorization.

Here's the "What Types of Information We Collect About You" clause from T-Mobile's Privacy Policy:

T-Mobile's Privacy Policy:  What types of personal information we collect clause

Be as clear and detailed as possible so that your users actually can understand exactly what information you're collecting from them. Transparency and readability are key here.

How Information Is Collected and Used

Another important clause to include in your Privacy Policy describes how your website or mobile app is collecting the personal information, and how it is being used.

The first step is a simple description of how you are collecting the information. Some data may be provided directly by the user while other information is gathered automatically by website software on the backend.

Here's a good example from Iberia Airlines of how this can be laid out:

Iberia Airlines Personal Data Protection Policy: Excerpt of What types of personal information do we collect and retain clause

The examples provided here make it easier for a user to really understand how and why the data is collected.

The ways in which personal information is used may differ greatly depending on the type of business and website you are setting up. An e-commerce website will have different uses for personal information than a financial advisory institution, for example.

Make sure you lay out this summary carefully, for liability's sake. You'll want to be very thorough in this section to ensure that you cannot be accused of using the personal information of your users improperly.

Let users know how their information is protected, and if the data is being shared with a third party, explain why.

Here's an example from WebMD:

WebMD Privacy Policy: How Information About You is Used Clause

Note how it discloses that the information collected may in some cases be shared with some third parties for customized advertising purposes.

A Cookies Clause

While there are many different types of cookies and functions for them to perform, they are all stored in the browsers of your users.

It's important to explain to your users why the cookies are there and how they are being used.

Here's an example from the UK University of Law's Privacy Policy:

The UK University of Law: What is a Cookie clause in Privacy Policy

Cookies can be tricky because many third-party software plugins use them to track each individual's browsing, which could present privacy issues in the long term.

Make sure you know exactly what kind of cookies are being used by your website or mobile app, as well as any third-party software that is installed.

You'll need to describe each type of cookie and its function within your Cookies Clause, or even create and link to a separate Cookies Policy.

Here's an example from Land Rover's Privacy Policy page:

Land Rover's Privacy and Cookies Policy: Table information about use of cookies from third party

Include a brief, easy-to-understand description of what each type of cookie does, written so that someone with little or no familiarity with the topic can follow it.

Children Under 13

The guidelines for collecting information from minors may differ from one country to another, but in the United States there are specific laws that apply to the personal information of children under the age of 13.

These laws fall under the Children's Online Privacy Protection Act (COPPA) and seek to protect the privacy and rights of minors.

This clause is imperative for your Privacy Policy in the event that children find their way onto your site or mobile app. If your website/app is targeted to adults in general, you'll only need a simple disclosure like this one from DocuSign:

DocuSign Privacy Policy: Clause on Children Privacy

However, if your website or mobile app is targeted to teens or children, you may need to do far more to protect their privacy and perhaps even obtain parental consent in order to collect information from minors.

National Geographic Kids maintains a separate Privacy Policy intended solely for the use of children and their parents.

National Geographic: Separate Privacy Policy for Children Use with introduction and contents

Note how it has separate sections that address parental consent and parental control of how personal information is collected from children.

Third Party Access to Information

Many websites and applications use third-party software and plugins to perform various functions throughout the site. Some of these include:

  • Analytics providers
  • Advertisers
  • Social networks

These third-party providers will need to collect user data from your site in order to function correctly, but you are required to inform your users of their existence.

Here's an example from eMarketer's Privacy Policy:

eMarketer Privacy Policy: Information Sharing and Disclosure our service providers and third parties clause

Although many third-party providers feature Privacy Policies on their own respective websites, it still remains your responsibility to inform users of their existence.

It helps to include a brief explanation of why third-party access is necessary to ease the privacy concerns of your users.

Communications Clause

If you plan to send any communications to your users by way of their personal contact information, it's necessary to include a communications clause.

Even if your messages are not promotional in nature, you are required to inform users of any personal communications, such as:

  • Company emails
  • Promotional emails or messages
  • Phone calls
  • Texts or other forms of messaging

Here's an example from IKEA's Privacy Policy clause on Communications that specifically addresses email communications:

Ikea's communications clause is short and simple

Many countries, including the USA, enforce anti-spam laws that prohibit unwanted email marketing. For this reason, it is also important to let users know how they can opt out of promotional messaging and email campaigns.

If you'd like to go the extra mile in CAN-SPAM compliance, you could also set up a landing page with an unsubscribe email form and link to it directly within your Privacy Policy.

Here's an example from HubSpot's Privacy Policy:

Hubspot Privacy Policy: Unsubscribe from our communications clause

List all the different ways your users can unsubscribe, such as sending an email, clicking specific links, or sending postal mail, if applicable. Whatever methods you allow, make sure to disclose them all here.

Business Transfer Clause

Business acquisitions and transfers often occur quickly and unexpectedly. The unauthorized transfer of users' personal data to a new business owner may cause legal issues.

To avoid liability in this situation, include a clause in your Privacy Policy that promises the continuous protection of user personal data in the case of any future business transfers.

Here's an example from Lush Cosmetics:

LUSH Cosmetics Privacy Policy: Affiliates and Business Transfer clause example

In addition to avoiding liability, clauses such as these offer reassurances to your users that their privacy is a high priority, no matter what happens to the business.

Dispute Resolution

Despite your best intentions and privacy best practices, legal disputes may occur. Laws and regulations regarding internet privacy are convoluted and vague at times, opening up potential opportunities for unforeseen and unavoidable debates regarding user privacy and other business aspects.

A dispute resolution clause is a useful addition to the arbitration and limitation of liability clauses that will appear in your Terms and Conditions. This clause will simply provide provisions for future dispute resolution measures.

Here's an example from Citrix:

Citrix Privacy Policy: Dispute Resolution clause

Of course, a more thorough explanation of governing law, arbitration and liability issues can be included in your Terms & Conditions, if needed.

Data Retention

Users will delete their accounts on your site or app from time to time. It happens. You should let them know that even if they do delete their accounts, some personal information may need to be retained in your database.

Here's an example of a clause that does just this from DocuSign:

DocuSign Privacy Policy: Closing your account clause screenshot

Not only does it inform users how to go about deleting an account, but it lists the specific reasons why data may be retained even after an account is closed.

Changes to Privacy Policy

As an independent business entity, you have the right to make changes to your Privacy Policy and practices at any time. Make sure your users and customers are aware of this with a simple statement that discloses your right to make changes, now or in the future.

Here's an example from Verizon's Privacy Policy:

Verizon: Changes to Privacy Policy Clause

Be aware that material changes to your Privacy Policy should be announced to all users at the time of the change. You should also tell users ahead of time how you plan to notify them of any future changes, such as with a Privacy Policy Update Notice.

Here's an example from Automattic:

Automattic Privacy Policy: Privacy Policy Changes clause

Encourage your users to check the Privacy Policy often to always be up to date on the current version and to find out about any updates you have made.

Contact Information

Users may have questions about their privacy. Provide them with a means to communicate with your business directly regarding any concerns over privacy.

If you have the capability to set up a specific email address or department to manage these inquiries, even better.

Here's an example from Facebook:

Facebook Privacy Policy: Contact Us clause

These are just a few of the key clauses that your Privacy Policy should have. Depending on what types of information you collect, how you process or use the information and where your users are located, your Privacy Policy may need a number of additional and more in-depth clauses.

Our Privacy Policy Generator can help.