Sample Privacy Policy Template
If your business collects or uses personal information, you are almost certainly legally required to have and post a Privacy Policy.
In this article, we will discuss the elements of a Privacy Policy to help you better understand the constructs of an effective Privacy Policy agreement that instills faith and trust in your customers and protects you from a number of liability issues.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country.
- Answer the questions from our wizard relating to what type of information you collect from your users.
- Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
- 1. What is a Privacy Policy?
- 2. Why you Need a Privacy Policy
- 2.1. A Privacy Policy is Required by the Law
- 2.2. A Privacy Policy is Required by Third Party Services
- 2.3. A Privacy Policy For Increased Transparency
- 3. Example of a Website Privacy Policy
- 4. Examples of Useful Clauses for Your Privacy Policy
- 4.1. What Information is Collected and How
- 4.2. How the Information is Used
- 4.3. How the Information is Stored and Protected
- 4.4. Company Contact Information
- 4.5. Use of Cookies, Log Files and Tracking
- 4.6. Opt-Out Policy Clause
- 5. FAQ on Privacy Policies
- 6. Conclusion
What is a Privacy Policy?
A Privacy Policy is a statement or a legal document that states how a company or website collects, handles and processes data of its customers and visitors. It explicitly describes whether that information is kept confidential, or is shared with or sold to third parties.
Personal information about an individual may include the following:
- Name
- Address
- Phone number
- Age
- Sex
- Marital status
- Race
- Nationality
- Religious beliefs
For example, an excerpt from Pinterest's Privacy Policy agreement clearly describes the information Pinterest collects from its users, as well as from any other source that users allow Pinterest to gather information from. The information users voluntarily provide includes names, photos, pins, likes, email addresses and phone numbers, all of which is regarded as personal information.
Additionally, Pinterest states that it collects location data from mobile devices, and that if someone makes a purchase on Pinterest, payment and contact information, including an address and phone number, will be collected. If users buy products or services for others, Pinterest gathers the recipients' contact information and shipping details, too.
Users may also give Pinterest permission to access information they share with other websites like Facebook and Twitter by linking their Pinterest account with those services. This can include information about their friends and followers. Users can see and control how much access Pinterest has to this data in their account settings.
In sum, a Privacy Policy is where you let your users know all about how you make sure their privacy is respected by your business practices.
Why you Need a Privacy Policy
Companies or websites that handle customer information are required by law and third parties to publish their Privacy Policies on their business websites. If you own a website, web app, mobile app or desktop app that collects or processes user data, you most certainly will have to post a Privacy Policy on your website (or give in-app access to the full Privacy Policy agreement).
Privacy is not a new concept. Humans have always desired privacy in their social as well as private lives. But the idea of privacy as a human right is a relatively modern phenomenon.
Around the world, laws and regulations have been developed for the protection of data related to government, education, health, children, consumers, financial institutions, etc.
This data is critical to the person it belongs to. From credit card numbers and social security numbers to email addresses and phone numbers, our sensitive, personally identifiable information is important. This sort of information in unreliable hands can potentially have far-reaching consequences.
There are several reasons for a website to post its Privacy Policy agreement on its website.
Here are some of the main reasons:
- Required by the law
- Required by third party services
- Increases Transparency
Let's take a look at each of these reasons in more depth.
A Privacy Policy is Required by the Law
For individuals to feel comfortable sharing their personal information on the internet, there should be some sort of legal responsibility on businesses to protect that data and keep users informed about how their information is being handled.
Countries around the world have recognized the need to protect their citizens' data and privacy. Businesses and websites that collect and/or process customer information are required to publish and abide by a Privacy Policy agreement.
Many countries have already enacted laws to protect their residents' data security and privacy. These laws typically require businesses to inform users about what data is collected and why, and to obtain consent (or have another lawful basis) before storing or processing it.
A few of these laws, such as CalOPPA in the US and the GDPR in the EU, are discussed below.
For a business or a website that collects and processes user information in a certain region or country, it is very important to have complete knowledge of the data and privacy protection laws enforced in that region and the region your customers and end users are in. Non-compliance with these laws can result in hefty fines or even prosecution against the violator.
In some cases, businesses have to follow laws specific to states or regulations specific to industries.
For example, General Motors complies with CalOPPA in the US by including a California-specific section in its Privacy Policy. In it, General Motors informs its California users of their rights, as CalOPPA requires.
If your website/app reaches users around the world, regardless of where you're located or headquartered, you'll need to make sure you follow privacy laws in all applicable countries you reach.
While data protection and privacy laws differ from region to region, a Privacy Policy must comprehensively inform its users about how their data will be used.
For example, the GDPR is currently one of the most comprehensive privacy laws in the world, and one of its main requirements for any business that falls under its jurisdiction is to have a GDPR-compliant Privacy Policy that contains some very specific information and is written in an easy-to-understand way.
Whether your website is a self-help blog or a game hosted on Google Play, it is your responsibility to give your end users complete information about how any associated third parties will collect and process their data, and for what purpose.
A Privacy Policy is Required by Third Party Services
Apart from governing laws, platforms and service providers such as Apple, Amazon, and Google require website and app owners to post a Privacy Policy agreement if they use any of their services.
Many websites and apps use in-page/in-app advertising by third parties to generate revenue. Because these ads also collect user data, the ad networks require the websites or apps to disclose this collection to their users and, where applicable, to obtain their consent before personal data is shared.
For example, if you're using Google Analytics on your website, the Google Analytics Terms of Service requires that you post a Privacy Policy agreement. In addition to this, you must also disclose that you're using Google Analytics and provide some information about how it collects and processes data.
If you are a Google app developer, the Privacy Policy Guidance requires that you inform your users about what data you collect, why you collect it, and what you do with it.
Some of the most popular third party services require website and app owners to post Privacy Policy agreements on their websites. Some of these services include:
- Amazon Affiliates
- ClickBank
- Google Play Store
- Google Analytics
- Google AdSense
- Google AdWords
- Facebook Apps
- Twitter Lead Generation
- Apple's App Store
Third party vendors like Google, Facebook, and Amazon require their customers (website and app owners) to explicitly inform end users when advertising features, cookies, or tracking services are used on their websites/apps, for example to personalize the experience based on prior browsing behavior.
Here's how Ookla, a fixed broadband and mobile network testing company, informs its users in its Privacy Policy agreement that it uses cookies, log files, Flash cookies, local storage, etc., in its website-based and mobile applications in order to (1) improve performance, (2) better understand how Ookla's software functions, and (3) give the user a personalized experience.
A Privacy Policy For Increased Transparency
Companies whose business models revolve around handling sensitive customer information find it incredibly important to establish trust with their users. A clear and comprehensive Privacy Policy agreement that tells users exactly what information the company collects and what it does with that information inspires confidence in a business. It gives users a sense of security knowing how much control they have over their personal data under the conditions they sign up for.
Your Privacy Policy agreement should inform your users about how your website or app handles their personal information. Your users must also be informed about the reason for the collection of information, as well as how long their data will be stored on your servers.
Even if you don't collect personal information, you should disclose this fact in a Privacy Policy. It helps with transparency because users expect to see a Privacy Policy. If you don't have one at all, users may assume you're collecting a lot of personal information and not disclosing it rather than not collecting any.
The DuckDuckGo search engine does not track user searches or store online browsing history in any way. Its Privacy Policy agreement states that it does not collect or share any user information.
To make your Privacy Policy transparent and accurate, conduct a privacy law self-audit. This will allow you to find out what your business' privacy practices are and what information you need to disclose to your users in a Privacy Policy.
Example of a Website Privacy Policy
To be transparent with your users about what personal information you collect and what you do with it, you are required to publish a Privacy Policy agreement on your website or give in-app access to it.
Websites usually post a link to the complete Privacy Policy agreement from the footer of the website, whereas apps generally add the Privacy Policy to an "About" or "Legal" menu.
Another popular location for ecommerce store apps and websites is the checkout page, or account registration page if you don't have an ecommerce component but allow users to create accounts.
Medium links its Privacy Policy agreement from its website footer.
The format and theme of the Privacy Policy agreement are consistent with the rest of the website, and the page doesn't have any anchor navigation.
It includes the following clauses:
- Information We Collect & How We Use It
- Information Disclosure
- Public Data
- Data Storage
- Third-Party Embed
- Tracking & Cookies
- Modifying or Deleting Your Personal Information
- Data Security
- Business Transfers
- Email from Medium
- Changes to this Policy
- Questions
There's also a section that specifically addresses EU users and includes information required by the GDPR such as:
- The legal bases for collecting and processing information
- What third parties (like payment processors) Medium engages with and shares data with
- How long data is retained
- The rights of EU data subjects
- How to make a subject access request
- Contact information for Medium's EU Representative
If your company has users in the EU, like Medium does, you'll need to include this type of information in your Privacy Policy to be compliant with the GDPR.
Now let's take a look at some examples of specific clauses your Privacy Policy should have.
Examples of Useful Clauses for Your Privacy Policy
Your Privacy Policy must be accurate and easily comprehensible, with all the necessary information required by laws and for transparency.
Generally speaking, every Privacy Policy agreement should have at least the following clauses:
- What information is collected and how
- How the information is used
- How the information is stored and protected
- Company contact information
- Use of cookies, log files and tracking
- How a user can opt out of data collection/usage
Here's each one in action.
What Information is Collected and How
Privacy Policy agreements inform users what information is collected from them. This includes information users voluntarily and actively provide when they register to use services, as well as information that may be collected from them automatically, such as through the use of cookies.
You can define how you classify information, e.g. public, private, or personal information. This helps the user know exactly what these terms mean in the rest of the Privacy Policy document.
The PBS Kids Privacy Policy is a good example of how to construct such a clause. It lists each type of information it collects and follows each type with a short but more detailed section that explains how that information is gathered.
How the Information is Used
One of the main purposes of Privacy Policy agreements is to explain to users how the information the business collects is used.
Pinterest has a fairly large section titled "What we do with the info we collect" in its Privacy Policy agreement. In its first paragraph, it states that the website uses the information to provide its services to its users. It goes on to explain a few different ways it uses the information, including to identify users, process their transactions, make recommendations, and respond to their questions and comments.
How the Information is Stored and Protected
Another important clause to include in your Privacy Policy agreement is about how you store and protect the information you collect from your site's visitors. You can explain the different ways you store information and what measures you take to protect that information.
For example, Caffe Nero's Privacy Policy agreement states that user account information is protected by a password and explains what steps users can take to prevent unauthorized access to their accounts.
In addition to this, it also states that the website takes steps to ensure as much security as possible, but does not guarantee that the measures it takes will prevent unauthorized access.
Shopify states in its Privacy Policy that it follows the industry's standards on information security management to protect sensitive user information. It also says that the company performs audits annually to make sure that the handling of user credit card information is in line with the industry guidelines. Finally, it says that they cannot guarantee the absolute security of their users' personal information since no method of transmission over the Internet is 100% secure.
Company Contact Information
As a business owner, it's important that you include your company's contact information in your Privacy Policy agreement. Generally, contact information is added at the end of the Privacy Policy and contains a physical (street) address, email address, and/or phone number. The more contact information that you can provide, the better.
The British Heart Foundation provides a Contact clause that includes a mailing address as well as an email address for getting in touch.
Use of Cookies, Log Files and Tracking
Websites and apps use cookies to store identifiers and other data on the user's device, which lets them keep users logged in, remember preferences, provide personalized experiences and, in many cases, track browsing activity across visits. Some websites also give third parties (such as ad networks or analytics providers) access to their own cookies on your pages. Your Privacy Policy should disclose all of this.
In any case, website owners are required to inform their users about the tools the company uses to collect user information and track their behavior, including cookies.
Discord's Privacy Policy is one example of how to address cookie usage.
Most website and app owners also use server log files to automatically collect and store information about their users, such as IP address, browser, date/time of the request and the page requested, and use it for different purposes.
AWeber's Privacy Policy agreement explains how it uses the information collected from visitors through log files.
Note how it uses simple descriptions and clear terms to describe the use of these files, which is helpful since most people likely have no idea what these types of files are actually there to do.
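To make concrete what a log file actually records, here is an added example (not code from this page or from AWeber) that parses web-server access-log lines in the "combined" format used by Apache and nginx, pulls out the fields that count as personal information, and then applies a simple minimization step before the records are retained: the IP address is truncated to its network prefix, the username is dropped, and the referrer is reduced to its host name. The log lines are constructed sample data, and the choice of /24 and /48 prefixes is an assumption for illustration, not a requirement of any law named above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format). The last line is
# deliberately malformed to show that unparseable input is skipped, not crashed on.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /pricing HTTP/1.1" 200 5123 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
2001:db8:85a3::8a2e:370:7334 - alice [10/Oct/2023:13:56:01 +0000] "POST /account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) Safari/604.1"
garbage line that does not parse
"""

# One regex for the whole combined format: client IP, ident, authenticated user,
# timestamp, request line, status, response size, referrer and user agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class LogRecord:
    ip: str                 # personal data: identifies the client network endpoint
    user: Optional[str]     # personal data: login name, if the request was authenticated
    ts: str                 # when the request was made
    method: str
    path: str               # which page was viewed (can reveal interests or account IDs)
    status: int
    referer: Optional[str]  # personal data: where the user came from, possibly with query strings
    ua: str                 # browser and OS fingerprint


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one combined-format line; return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return LogRecord(
        ip=d["ip"],
        user=None if d["user"] == "-" else d["user"],
        ts=d["ts"],
        method=d["method"],
        path=d["path"],
        status=int(d["status"]),
        referer=None if d["referer"] == "-" else d["referer"],
        ua=d["ua"],
    )


def parse_log(text: str) -> Tuple[List[LogRecord], int]:
    """Parse every non-empty line; return the records and the count of lines skipped."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def truncate_ip(ip_str: str) -> str:
    """Zero the host part of the address: keep a /24 for IPv4 and a /48 for IPv6 (assumed prefixes)."""
    addr = ipaddress.ip_address(ip_str)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{ip_str}/{prefix}", strict=False)
    return str(net.network_address)


def minimize(rec: LogRecord) -> LogRecord:
    """Produce the reduced record that would be kept for long-term retention."""
    referer_host = urlsplit(rec.referer).hostname if rec.referer else None
    return LogRecord(
        ip=truncate_ip(rec.ip),
        user=None,                 # login names are not needed for traffic statistics
        ts=rec.ts,
        method=rec.method,
        path=rec.path,
        status=rec.status,
        referer=referer_host,      # host only: drops paths and query strings
        ua=rec.ua,
    )


if __name__ == "__main__":
    records, skipped = parse_log(SAMPLE_LOG)
    print(f"parsed {len(records)} records, skipped {skipped} malformed line(s)")
    for rec in records:
        print("raw:      ", rec)
        print("minimized:", minimize(rec))
```

Running the block prints each parsed record next to its minimized form, which makes a useful checklist when writing the log-file clause: every field in the raw record is something the policy should account for, and the minimized record shows what a retention rule might keep.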
Opt-Out Policy Clause
Apps and websites should inform their customers about their right to opt out of certain aspects or services offered by a website.
Forever 21's Privacy Policy, for instance, informs customers about their right to opt out of any of the company's services.
Note how the clause is broken up into many short parts with simple, clear instructions for each method of opting out.
FAQ on Privacy Policies
Do I need a Privacy Policy?
Most likely, yes. A Privacy Policy is required both by law (in the US, Europe, Canada and many other countries) and by third party services or providers that your website or app may use (such as Google Analytics).
Conclusion
Whether you own a website or an app, if it collects, processes, and/or stores user information, you have certain responsibilities to your users. Your primary responsibilities as a website owner are to keep their personal data secure, protect their privacy to the best of your ability, and keep them informed about how their data will be stored and processed by providing a Privacy Policy.
Keep your Privacy Policy accurate and up-to-date and send out Privacy Policy Update Notices when appropriate.
If your website, web app, mobile app, or desktop app collects any sort of personal data from its end users then chances are that you're required either by the law or by third-party services to post a Privacy Policy agreement to your website/app.
As a website owner, you need to be aware of:
- The privacy laws in the jurisdiction your business is based out of and where your users are located.
- The Terms of Service requirements of third party services your website is associated with.