Privacy Policy for Content Downloads/Upgrades

Last updated on 30 September 2019 by Jennifer Laird
A Privacy Policy is essential if you offer your users the opportunity to download content or other upgrades from your website. You should publish this Privacy Policy on your website so that it is easily accessible for users to view.

The reason you need a Privacy Policy is simple. Privacy Policies are legally required if you handle, process, collect, or store information about the people who visit your website, which is the case for most companies who offer downloadable content.

We recommend that anyone who offers downloadable content to their users drafts and publishes a simple Privacy Policy. A Privacy Policy shows your users that you take their personal information seriously.

The bottom line is that users have the right to control what happens to their personal information and what kind of information a business collects about them. Although drafting a Privacy Policy may feel time-consuming and onerous, it's designed to help you understand consumer behavior without infringing upon someone's right to privacy.

For example, a Privacy Policy lets you track daily content downloads, or collect information for an email sign-up letter, without violating someone's data protection rights.

Don't worry - we'll look at what your Privacy Policy should include in detail later. For now, it's important that you understand:

  • What a Privacy Policy is
  • Where to place your Privacy Policy
  • Why, specifically, you need a Privacy Policy
  • How a Privacy Policy affects your business
  • Who benefits from a Privacy Policy
  • Which laws govern the need for and content of a Privacy Policy

Just so we're clear, let's begin with what a Privacy Policy is.

What is a Privacy Policy?

A Privacy Policy is a written document or statement outlining how you plan on handling a user's personal information, whether this means:

  • Storing their data for future contact
  • Collecting information about user behavior and how they navigate your site
  • Processing personal data and sharing it with third parties

Personal information is any information which can identify someone, such as their:

  • Name
  • Home address
  • Work address
  • Email or IP address
  • Telephone number
  • Social security number
  • Blood type
  • Medical records

Why You Need a Privacy Policy

There are a number of privacy laws that require a Privacy Policy if you collect personal information, which you will be doing if you allow users to download anything from you, even if it's free. Let's take a look at some of these laws.

GDPR

Otherwise known as the General Data Protection Regulation, this regulation demands that commercial companies should harvest the minimum possible personal data from their site users. It protects EU residents and those visiting websites from EU Member States. The GDPR says that commercial companies must:

  • Tell users that they collect data
  • Restrict the data they collect to necessary information; e.g. you don't need a home address to sign someone up for an email newsletter
  • Give users the clear opportunity to withdraw their consent to data collection

PIPEDA

The Canadian equivalent of the EU's GDPR, the Personal Information Protection and Electronic Documents Act (PIPEDA) controls how private sector businesses collect, store, and share data from those residing in Canada. If your business operates in Canada, chances are this law applies to you.

  • Like the GDPR, PIPEDA gives individuals the freedom to decide what information businesses collect about them
  • Businesses should ideally get express consent from individuals to data collection and storage

CalOPPA

The California Online Privacy Protection Act (CalOPPA) applies to any online service, business, or website that collects personal data from users residing in California. This means that if you receive any business from users based in California, you're subject to this Act.

  • It demands the safe handling and protection of personal data
  • Like the other laws, CalOPPA states that you must give users the chance to turn off cookies

It's probably clear by now that every website collecting personal information from users, or using cookies to track their behavior, needs a Privacy Policy. The next question, then, is what should a Privacy Policy contain?

Where to Display Your Privacy Policy

It should never be difficult for a user to find your Privacy Policy. There are a few key places where you can put a link to your Privacy Policy, namely:

  • Point of download
  • Website footer
  • In a pop-up notification

Let's briefly look at examples of these placements in turn.

Point of Download

You can ask users to consent to your Privacy Policy, and your use of personal data, at the point when they're downloading your app, ebook, or other content.

WhatsApp, for example, directs users to its Privacy Policy right before they download the app onto their device:

WhatsApp download screen with link to Terms and Privacy Policy

You can also ask users to click a checkbox explicitly saying they've read and agreed to your Privacy Policy. NetGalley, a publishing website, takes this approach. You can't set up an account or download content until you agree to the Privacy Policy:

NetGalley Register form with checkboxes

Website Footer

Sports retailer Gymshark places a link to its Privacy Notice (this is the same thing as a Privacy Policy) in its website footer. This link is available no matter which page a user visits:

Gymshark website footer with links

The Privacy Policy is important because Gymshark offers users an app which they can download. The app lets them follow and track their workouts, and set fitness goals. Users can also pay for a premium service with extra features.

Since Gymshark collects personal information from users such as payment details, a Privacy Policy is essential so that users know how their information is stored, processed, and shared. And displaying the link in the website's footer makes it easy for users to find at any time.

Pop-Up Notification

The best way to display your Privacy Policy is the two-pronged approach.

This approach typically means using a notification on your homepage, or landing page, to tell your visitors about your cookie usage and your policy regarding their personal data. Then, visitors can read the Privacy Policy by clicking a link on the header or the footer or, even better, a link embedded into the notification itself.

Let's consider an example.

Origin is an online gaming platform where users download whatever games they feel like playing. Origin collects information about users to personalise their experience. A user's experience is personalized by showing them games similar to the ones they typically download and remembering their login details:

Origin cookie notice

A link is provided to a detailed cookie message where users can customize what cookies Origin can place on their device and for what purpose. As you'll note, there's also a handy link to the site's Privacy Policy here:

Origin cookie choices notice

Origin's approach draws a user's attention specifically to its Privacy Policy before letting them browse the site.

Breakdown of a Privacy Policy

The great thing about Privacy Policies is that there are only a few clauses you need to stay legally compliant. The key point is that your Privacy Policy is easily accessible, easy to read, and easy to understand.

Name & Business Contact Information

Specify how users can contact you if they want further information about your services. You should set this out at the top or bottom of your Privacy Policy. MyProtein chooses the end of its policy:

MyProtein Privacy Policy: Contact Us clause

The Data Collected

Your Privacy Policy should lay out what data you collect from users. You should note that you only collect the data needed to provide your services. WhatsApp highlights this in its Privacy Policy:

WhatsApp Privacy Policy: Intro of Information We Collect clause

It then goes on to explain what information it collects in a simple, user-friendly, bulleted style:

WhatsApp Privacy Policy: Excerpt of Information You Provide clause

Why You Collect the Data

Users have a right to know why you're collecting personal information about them. The Privacy Policy should explain that you collect the data to fulfill your service obligations. Here is an example of a simple yet effective clause from Barnes & Noble:

Barnes and Noble Privacy Policy: Why do we collect personal information

Your Sharing Policies

Tell users who you share their data with. WhatsApp tells users that it shares their data with third party service providers to improve and market their services:

WhatsApp Privacy Policy: Third-Party Service Providers clause

The company also specifies when the data sharing takes place; for example, when a user engages with a third party service through the Instagram platform:

WhatsApp Privacy Policy: Third-Party Services clause

Opt Out Information

Users must be able to opt out of cookie installation and data collection for marketing or analytics purposes. You should also explain what steps the user can take to do so and adjust their preferences.

MyProtein, for example, spells out the steps for opting out of marketing communications. You'll note that the steps are simple - all users must do is update their settings or contact the retailer:

MyProtein Privacy Policy: Marketing clause - opt-out excerpt

Instagram's version of the opt out clause is equally straightforward. Again, it breaks down exactly what users can do to opt out of communications, and like MyProtein, it highlights that it's impossible to opt out of necessary emails that relate to the performance of the contract the users have with the platform:

Instagram Privacy Policy: Excerpt of Your Choices About Your Information clause

Content Upgrades and Downloads Clauses

If you offer content upgrades and downloads, your Privacy Policy should highlight how these features affect privacy and data sharing options. Let's take a quick look at these clauses before studying a full Privacy Policy in action.

Analytics Clause

When users download or use your applications, you may want to collect personal information from them to check on the health of your products and their compatibility with various operating systems.

EA, for example, specifies that it collects data about a user's hardware, device, system interactions and usage statistics to help improve the safety and quality of its downloads.

This clause is helpful because it makes it easier for the platform to collect additional information, since this extra information is now essential to providing services:

EA Privacy and Cookie Policy: Analytics Technologies clause

Point of Collection Clauses

If users can download content from your platform, you should make it clear how this affects your Privacy Policy. Again, EA does this well. It explains specifically what information it collects, including crash reports and browser settings:

EA Privacy and Cookie Policy: Other Information We Collect When You Use Our Products clause

Limitation of Liability

You don't want to be responsible for everything that could go wrong if a user downloads content from your platform, or if they browse your website.

DeviantArt has a great clause for this. Although DeviantArt is responsible for its own content and for taking all reasonable steps to ensure the content's safety from, e.g., viruses, vulnerabilities are still inevitable:

DeviantArt Privacy Policy: Security clause

The bottom line is, so long as you act reasonably as opposed to negligently, you can't be responsible for every possible security breach. This is a vital clause when, for example, you make content available for download, or you collect personally identifiable information (PII) and payment details.

Example in Action

Let's take a closer look at a Privacy Policy for a site with downloadable content and the points at which personal information is collected.

Apple App Store

In the Apple App Store, users can download apps, upgrades, and other content for their devices. Apple places a link to its "Principles and Practices" in its website header:

Apple App Store website header links

When users click this link, they land on a user-friendly, highly readable page which highlights Apple's values and dedication to providing a great customer experience with safe downloads:

Apple App Store Principles and Practices: Section about responsibility, high standard and trust

Users can then click through to Apple's Privacy Policy.

The Policy highlights what personal information is:

Apple Privacy Policy: Intro of Collection and Use of Personal Information clause

Apple then highlights what information it collects and when - specifically, at the point of purchasing a product or downloading software:

Apple Privacy Policy: What Personal Information We Collect clause excerpt

There are also comprehensive cookie clauses which explain when Apple uses cookies and, even more importantly, when and how users can opt out:

Apple Privacy Policy: Cookies clause excerpt - Disable and opt-out section

Apple also has a clear third party sharing policy which emphasises that third parties providing content over their platform are responsible for ensuring personal data protection standards are maintained:

Apple Privacy Policy: Service Providers clause

Before you can download content from Apple, you need an Apple ID. Before signing up for an Apple ID, you're made aware of the platform's Privacy Policy:

Create an Apple ID form: Continue button

Put simply, Apple is a great example of a user-friendly Privacy Policy and you should be familiar with it if you offer downloadable content to your users.

Conclusion

If you offer users downloadable content, software upgrades, or apps, you must publish a Privacy Policy on your website. Place a link to the policy in your header or footer, and ensure users are familiar with it before they download content by asking for either implied or agreed consent to the policy.

The Privacy Policy should contain standard clauses regarding data transfer, storage, and handling, and it should comply with global privacy standards including laws such as the GDPR, PIPEDA, and CalOPPA.

Users should know:

  • What personal data you collect
  • Why you collect it
  • How you handle and share it
  • What their marketing options are, and how to change them
  • The scope of your liability and obligations to them
Jennifer Laird

Legal writer.