Privacy Policy FAQ


While a Privacy Policy is something you're at least slightly familiar with, you may still have some basic questions about what one is, how it works, and why you see them everywhere.

This FAQ will work to give you a solid understanding of some Privacy Policy basics and answer some common questions that readers seem to have.

Keep reading to find out more about these important legal agreements.


What is a Privacy Policy?


A Privacy Policy is a legal agreement designed to let visitors to your website or users of your app know what personal information you gather about them, how you use this information and how you keep it safe.

A Privacy Policy for a website or app generally covers:

  • The types of information collected by the website or app
  • The purpose of this data collection
  • Data storage, security and access
  • Details of data transfers
  • Affiliated websites or organizations
  • Cookies

Do I need a Privacy Policy?


If you collect any sort of personal information about visitors to your website or users of your app then you legally need to have a Privacy Policy.

Examples of personal information your website or app might collect include:

  • Names
  • Dates of birth
  • Email addresses
  • Billing/shipping addresses
  • Phone numbers
  • Bank details
  • Social security numbers

There are 4 important reasons why you need to have a Privacy Policy if you collect personal information.

It's required by law

This is the most important reason to have a Privacy Policy on your website or app.

Privacy laws in most countries dictate that website owners and app developers need to make a Privacy Policy available to their users.

For example, in the US the California Online Privacy Protection Act (CalOPPA) requires that all commercial websites and apps that collect and maintain personally identifiable information from California residents have a Privacy Policy:

Consumer Federation of California Education Foundation: Who does CalOPPA apply to?

If you are based in the US, but not in California, it's still important that your website or app complies with CalOPPA because a resident of California could still access and use your services.

Similar privacy laws exist in Canada, Australia and across Europe. The next section looks at privacy laws by country in more detail.

It's often required by third-party services

You also need a Privacy Policy if you use third-party services that track users for analytics or display targeted advertising.

Even seemingly anonymous data, like what web browser someone uses, is considered personally identifiable information because it can be used in combination with another type of data to identify an individual.

For example, if you use Google Analytics you need a Privacy Policy because it uses cookies to collect information about your website's visitors.

Google Analytics' Terms of Service dictate that any business that uses the service must:

"post a Privacy Policy and that Privacy Policy must provide notice of your use of cookies, identifiers for mobile devices (e.g., Android Advertising Identifier or Advertising Identifier for iOS) or similar technology to collect data. You must disclose the use of Google Analytics, and how it collects and processes data."

Similarly, you will need to have a Privacy Policy in place if you develop apps across platforms that collect user data.

Facebook's Platform Policy states that you must:

"Provide a publicly available and easily accessible privacy policy that explains what data you are collecting and how you will use that data."

Equally, if you submit an app to Apple's App Store, the App Store Review Guidelines state that you are expected to have a Privacy Policy visible to your users:

"All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner."

Users care about their privacy

Having a Privacy Policy is not just a legal requirement. It's also a matter of common courtesy to your users.

People want to feel safe when they are giving out their personal information and it is your responsibility as a website or app owner to facilitate this.

It's about building trust with your users and reassuring them that you are going to handle their personal information in a safe and ethical manner.

Privacy Policies are everywhere

Doing something just because everyone else does is not always recommended, but in the case of Privacy Policies, it absolutely is. This is because they help the user to feel safe and secure using your services.

Many websites and apps have a Privacy Policy available to their users even if they do not collect any personal data.

Rudd Studio's Privacy Policy is an example of this:

Rudd Studio Privacy Policy

Remember: your users, and possibly even the authorities, will look to see whether you have a Privacy Policy and will expect to find one. You should consider having one no matter what, even if it says something as simple as Rudd Studio's above.

Which countries require me to have a Privacy Policy?


As has already been discussed, most countries have some form of privacy law that requires website owners and app developers to have a Privacy Policy available to their users. Let's take a look at a few of the most influential and wide-reaching privacy laws.

The United States

The United States has a number of federal and state laws that deal with privacy, but the two most important ones to date, affecting the most businesses and individuals, are:

  • The California Online Privacy Protection Act (CalOPPA)
  • The California Consumer Privacy Act (CCPA)

Both of these acts require that businesses that collect personal information from individuals in California post a Privacy Policy with some specific information. If you do business in California, regardless of where your business is headquartered, you need to become familiar with the requirements of each.

Canada

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) is designed to safeguard personal data, making it mandatory for companies in Canada to have a Privacy Policy:

Definitions of Organizations under PIPEDA from Canada

"Organizations" referred to in the Act include both brick-and-mortar businesses and e-commerce or online ventures.

One of the requirements of PIPEDA is that you post a Privacy Policy that discloses your privacy practices.

Australia

Australia's Privacy Act 1988 is the law that governs the use of personal data. It stipulates that all companies from Australia are required to be transparent and forthcoming about their privacy practices, which in essence means having a Privacy Policy and making it readily available.

The Privacy Act contains a list of 13 Privacy Principles for the collection and handling of personal data that you'll need to become familiar with if this law applies to you.

These Privacy Principles advocate for openness and transparency from businesses with regard to data gathering and an up-to-date Privacy Policy to inform users of how their personal data will be managed.

Sample Privacy Policy requirements under Australia Privacy Act

The UK

The United Kingdom's Data Protection Act 1998 (DPA) protects personal data in the UK.

It has 8 Core Principles of Data Protection with which companies in the UK must comply:

UK DPA: The Privacy Core Principles

The best way to meet these core principles is to have a Privacy Policy that fully discloses what personal information you collect, how you collect and use it, how you keep it safe and how you dispose of it once you no longer need it for its original purpose.

The European Union (EU)

The General Data Protection Regulation (GDPR) requires that businesses that collect or process personal information from EU citizens must have a Privacy Policy. This doesn't only apply to businesses actually located in the EU. It applies to businesses around the world that may reach people in the EU.

The GDPR has some of the strictest requirements for what must be included in a Privacy Policy, so make sure you update your Privacy Policy accordingly. For example, you'll need to write the Privacy Policy in language that's easy to understand and include some important and specific details, such as the 8 user rights granted under the GDPR, your legal basis for collecting and processing information, and who your Data Protection Officer (DPO) or EU Representative is (if applicable).

How do I create a Privacy Policy?

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

     PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  3. Add information about your business: your website and/or app.

     PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  4. Select the country:

     PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  5. Answer the questions from our wizard relating to what type of information you collect from your users.

     PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Enter the email address where you'd like your Privacy Policy sent and click "Generate".

     PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

And you're done! Now you can copy or link to your hosted Privacy Policy.


Can I request the email address of a customer without a Privacy Policy?


The bottom line is that if you request any information from a customer through your website or app, including an email address, you need a Privacy Policy.

This includes collecting email addresses through an online sign-up form for an email newsletter.

Additionally, most popular email newsletter service providers require that the website owner or app developer provides a Privacy Policy in order to use the service.

For example, Mailchimp's Terms of Use state that users must comply with laws and regulations (such as privacy laws):

Mailchimp Standard Terms of Use: Compliance with Laws clause

Mailchimp has specific and strict requirements for users located in the European Economic Area (EEA) or those who send emails to anyone in that area. This is because the privacy laws of this area are very strict.

Mailchimp requires that these users have a clear Privacy Policy and get express consent to transfer data to Mailchimp:

Mailchimp Standard Terms of Use: Compliance with Laws clause - EEA excerpt

Simply put, if you collect email addresses without having a Privacy Policy, you'll be violating privacy laws. If you collect email addresses, don't have a Privacy Policy and try to use a third-party service like Mailchimp, you'll likely be violating the third-party Terms as well.

Where should I place the Privacy Policy on my website?


There are no legal specifications about exactly where your Privacy Policy should be placed on your website.

There are, however, some basic legal requirements as well as a few things to consider in terms of usability and good practice.

The Privacy Policy must not be hidden and should be easy to access for all website visitors.

The most common place to put the Privacy Policy is in the footer area of the website. This way, the link does not clutter up the main navigation but is still accessible on every page.

Here is an example from the BBC's website:

BBC Website Footer

You should also add a link to your Privacy Policy in areas where you're requesting personal information or agreement to your policy terms.

For example, Sierra Trading Post provides a link to its Privacy Policy in the form where it asks for email addresses:

Sierra Trading Post: Sign up for emails pop-up screen Privacy Policy highlighted

Other good places are at checkout for ecommerce platforms and account sign-up or login screens for websites and apps that have such a feature.

Where should I place the Privacy Policy on my app?


Just like on a website, your app's Privacy Policy must be easily accessible.

Best practices dictate that there are 3 places the Privacy Policy should appear in an app:

  • Within the app as part of a menu.

    A "Legal," "About," or "Settings" menu is a common place to find an app's Privacy Policy linked.

    Instagram mobile app's Privacy Policy in Options menu

  • On the app store listing page as a link so that users can view the Policy before downloading the app.

    Note that some app stores explicitly require you to include a link to your Privacy Policy here.

    Dropbox Android app on Play Store: Link to Privacy Policy

  • In the footer of the accompanying website, if you have one, as seen in the previous section regarding website link placement.

What should my Privacy Policy say?


The content of your Privacy Policy very much depends on your information gathering activities and data management policies.

As a minimum, it's suggested that your Privacy Policy should cover:

  • Your identity and contact details
  • Exactly what personal data you collect and record through your website or app
  • For what purpose this data is collected and processed
  • How the data is processed
  • Specific details of any disclosure of information to third parties (who and why)
  • A list of privacy laws with which you are compliant
  • An explanation of how users can opt out or request that their data be deleted

You should make sure that your Privacy Policy is written in plain English and in a way that is easy to understand for your audience.

For example, if your website is primarily aimed at teenagers, your Privacy Policy should be easily understood by this age group.

You must also be careful to regularly update your Privacy Policy in line with both changes in regulations and changes in your business activities.

For example, if you start collecting email addresses for an email newsletter, be sure to add this to your Privacy Policy if it wasn't mentioned before.

How should I structure my Privacy Policy?

There are no hard and fast rules about how to structure your Privacy Policy.

Like the content of your Privacy Policy, it very much depends on your business's activities and functions.

The best approach is to structure it in a way that makes sense for both your business activities and your audience.

Try breaking it down into key categories like this example from an earlier version of eBay's UK User Privacy Notice. This is an excellent example of a well-structured and nicely presented Privacy Policy summary:

Screenshot of eBay Mobile App User Privacy Notice

It's separated into different activities that are clearly signposted with icons.

Consider adding an anchor-linked table of contents as well to help users quickly and easily navigate to sections they may wish to read without needing to scroll through the entire policy to find the relevant section.

What's the difference between a Privacy Policy and a Disclaimer?


A Disclaimer is a statement or short paragraph that makes it clear that the website or app owner is not legally responsible for such things as the accuracy of any information or what the user chooses to do with this information.

There are a number of different types of disclaimers, including affiliate disclaimers, medical disclaimers and disclaimers of warranties.

A Privacy Policy is a legal agreement that informs visitors to your website or users of your app what personal data will be recorded, how it will be processed and managed, and for what purpose.

Here's an example of a fairly standard Disclaimer from the New York Times:

"NYT does not represent or endorse the accuracy or reliability of any advice, opinion, statement, or other information displayed, uploaded, or distributed through the Services by any user, information provider or any person or entity. You acknowledge that any reliance upon any such opinion, advice, statement memorandum, or information shall be at your sole risk."

What's the difference between a Privacy Policy and Terms and Conditions?


The purpose of a Privacy Policy is to inform users about the collection and use of personal data through a website or app.

The Terms and Conditions of a website or app, on the other hand, are a legal agreement that sets out the terms of use for that particular website or app.

Terms and Conditions typically include information on:

  • Copyrights and intellectual property
  • Billing
  • Subscriptions
  • Prohibited activities
  • Consequences of engaging in prohibited activities
  • Applicable warranties and disclaimers

Terms and Conditions are sometimes also referred to as "Terms of Use," "Terms of Service" or "Conditions of Use."

To demonstrate, here's the table of contents from Spotify's Terms and Conditions:

Spotify Terms and Conditions Table of Contents

And here's the table of contents for Spotify's Privacy Policy:

Spotify Privacy Policy Table of Contents

You can see by the titles of the sections that each agreement covers and addresses completely different types of information and serves different purposes for the users.

What will happen if I don't have a Privacy Policy on my website or app?


The penalty for not displaying a Privacy Policy on your website or app when you collect personal information very much depends on the country whose privacy laws you have breached.

For example, in the UK there are several penalties for breaching privacy laws such as the GDPR.

Some penalties of GDPR non-compliance include:

  • Monetary fines of up to £500,000
  • Prosecutions and prison sentences for severe and deliberate breaches
  • Mandated actions to prove compliance and to avoid further prosecution
  • Compulsory auditing

Privacy is considered to be a fundamental human right and violations of this right are taken extremely seriously around the world.

If in doubt, it is always better to err on the side of caution and provide an easily accessible, clear, comprehensive and up-to-date Privacy Policy on your website or app.

How should I get my users to agree to my Privacy Policy?


You should use a method called clickwrap to get your users to agree to your Privacy Policy.

This method requires that your users click something that shows they're agreeing to your Policy. It's a legally compliant method that's accepted and recommended around the world because it gives you clear, unambiguous agreement from your users.

Do this by adding a link to your Privacy Policy and a checkbox and/or "I Agree" button at the place on your website or app where you want users to give their agreement.

Common places are during account registration, online checkout or wherever a user may submit information to you.

Here's an example:

Blackmill store registration: Clickwrap with ToS, Privacy and Terms of Supply

Be aware that if you update your Privacy Policy you need to get your users to agree to it again. This can be done with a simple pop-up notification on your website or app. (Remember to use an Update Notice for material updates.)

Here's an example from Pinterest:

Pinterest banner notification for GDPR update to Privacy Policy and Terms of Service with Accept button