What is a Privacy Policy?

If you collect any personal data from individuals, then there's a good chance you'll need a Privacy Policy for your website or mobile app.

A Privacy Policy is a key legal document which describes your company's data processing practices. This article will break down how a Privacy Policy works and how you can create a Privacy Policy for your own website or mobile app.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
     (Screenshot: PrivacyPolicies.com Privacy Policy Generator - Select platforms - Step 1)
  3. Add information about your business: your website and/or app.
     (Screenshot: PrivacyPolicies.com Privacy Policy Generator - Add your business info - Step 2)
  4. Select the country.
     (Screenshot: PrivacyPolicies.com Privacy Policy Generator - Add your business info - Step 2)
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
     (Screenshot: PrivacyPolicies.com Privacy Policy Generator - Answer questions from our wizard - Step 3)
  6. Enter the email address where you'd like your Privacy Policy sent and click "Generate".
     (Screenshot: PrivacyPolicies.com Privacy Policy Generator - Enter your email address - Step 4)

And you're done! Now you can copy or link to your hosted Privacy Policy.



Definition of a Privacy Policy

In a nutshell, a Privacy Policy is a document that discloses what types of information you collect from your users and why. It also describes the methods you use to collect personal data (e.g. cookies) and how people can limit the data they share with you.

The definition of personal data varies depending on which law applies, but generally, personal information is any data which allows businesses to identify an individual person.

Examples of personal information include:

  • Name
  • Email address
  • IP address
  • Passport Number

Some businesses also collect sensitive data such as financial details, biodata, or data belonging to minors. If a business collects such data, this should be highlighted in a Privacy Policy.

Although, as mentioned, the exact meaning can vary, here's a fairly simple definition of personal data from Article 4 of the EU's General Data Protection Regulation (GDPR).

The GDPR is one of the world's most comprehensive privacy laws, so it's a law worth familiarizing yourself with even if you don't target EU-based individuals.

The Purpose of a Privacy Policy

Privacy Policies serve a few specific purposes:

  • Privacy Policies compel businesses to act more transparently
  • A Privacy Policy gives individual website users and consumers more control over their personal information
  • Privacy Policies can help build trust between website owners and consumers because both parties know what is expected of them

In many ways, Privacy Policies strike a balance between the rights of individuals to control who they share data with, and the need for businesses to process some personal information for commercial purposes.

Laws Which Require a Privacy Policy

Privacy Policies are not always optional, and are often required by law. Here are some of these laws:

  • General Data Protection Regulation (GDPR): If you sell goods or services to EU residents, or process their personal data to a certain extent, then you must comply with the GDPR, which sets out rules for processing and safeguarding personal data.
  • California Privacy Rights Act (CPRA): The CPRA makes it mandatory for businesses targeting California residents to provide them with a compliant Privacy Policy.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): Under this Canadian law, businesses often need consumers' informed consent to data processing. A Privacy Policy helps with this.
  • Virginia Consumer Data Protection Act (CDPA): The CDPA gives Virginia residents more control over their personal data, and a Privacy Policy should be provided.

Privacy Policies are required elsewhere around the world. To help ensure compliance with these laws, it's good practice to always have a Privacy Policy, no matter where in the world your audience is based.

Benefits of Privacy Policies for Businesses

There are some important ways that your business could benefit from a Privacy Policy:

  • You may be able to rely on the terms of your Privacy Policy if a customer raises a dispute. It can help you manage or mitigate liability.
  • A clear and transparent Privacy Policy gives people confidence in your business which could help growth.
  • A Privacy Policy makes your business appear more professional and reliable.

In other words, a Privacy Policy helps you regulate the relationship between your business and customers.

How to Create a Privacy Policy

One of the best ways to generate a compliant Privacy Policy is to use a template or Privacy Policy generator. All you need to do is follow the simple, step-by-step instructions which usually involve:

  • Answering some questions about your business
  • Selecting what country or state applies
  • Explaining what type of data you collect and why

Of course, you can always customize the clauses, but the generator will give you a template you can use right away.

You can also refer to Privacy Policies from other businesses to help you with wording and drafting (although it's not advisable to copy other Privacy Policies word-for-word as this may constitute a copyright violation and also won't be accurate for your business).

What to Include in a Privacy Policy

Aside from an introductory clause, every Privacy Policy should include, at a minimum, the following information:

  • Confirmation of whether you collect personal data. Even if you don't collect any personal information at all, you should still have a Privacy Policy to this effect.
  • Explanation of:

    • What type of information you collect
    • How you collect the data
    • Whether you use cookies, web beacons, or other tracking technologies
  • Description of who you share the data with (e.g. third parties)
  • A clause setting out what rights people have concerning their personal or sensitive data
  • Explanation of how people can exercise these rights (e.g. how they can "opt out" of sharing non-essential data with you)
  • Contact details so users can reach you to discuss your Privacy Policy in more detail

Examples of Compliant Business Practices

When considering how to create your own Privacy Policy, it's helpful to look at some examples of good business practices. Before you draft a Privacy Policy, here are some tips to bear in mind.

Drafting User-Friendly Clauses

Every Privacy Policy should be accessible and easy for the average person to read. This means that, where possible, you should:

  • Use simple language
  • Break up long clauses into shorter, more readable sections
  • Highlight key words or phrases
  • Use bullet points to improve readability

Here are some examples.

Walmart uses a mixture of bullet points and short, concise paragraphs to make key points. You'll also note they use straightforward, jargon-free language as much as possible:

Walmart Privacy Policy: What Does This Privacy Policy Include clause excerpt

Netflix highlights key words and uses bullet points to improve readability. It's easy for users to scroll through the Policy, jump to relevant sections, and make a note of the most important points:

Netflix Privacy Statement: Collection of Information - Information you provide to us clause

If you use cookies or other tracking technologies, it's really important to ensure users understand this.

Some companies, like Netflix, break down each category of cookies they use to help subscribers make informed choices regarding which cookies they'll accept. Note that you don't need permission to use essential cookies. However, you should still describe them in your Privacy Policy:

Netflix Privacy Statement: Essential cookies clause

So, to summarize, always prioritize readability and clarity. What's more, when drafting a Privacy Policy, you should always consider your audience. In many cases, you won't need an overly long or complex Privacy Policy. It often depends on the type of data you handle, who you share it with, and how it's processed.

Most businesses have various online policies (e.g. Terms and Conditions, Returns Policy, Cookies Policy, and so on). It's good practice to include links to these policies within your Privacy Policy so users can quickly access the information they need from one central location.

Let's take a Privacy Policy from Etsy, for example. Users are directed to the Terms and Conditions, which they should accept if they want to use the website. Etsy provides a link through to the Terms and Conditions so it's easy for customers to jump between policies:

Etsy Privacy Policy: Introduction clause excerpt

In the next paragraph, it links people to the Minors Policy. No one under 13 can use Etsy, but there's more information for parents and account owners in the Minors Policy:

Etsy Privacy Policy: Introduction clause - Minors Policy link highlighted

And in section 2, "Information Collected or Received," a link is provided to the Cookies and Similar Technologies Policy so customers can learn more about cookies:

Etsy Privacy Policy: Introduction clause - Cookies and Technologies section

Always make it simple for users to access the various policies around your website. And to be clear, you should also include a link to your Privacy Policy within these other key documents.

Displaying a Privacy Policy

Before users perform an activity which results in sharing personal data (e.g. opening an account or purchasing an item), make it easy for them to read your Privacy Policy first by displaying it prominently on your website.

Gymshark, for example, displays a link to its Privacy Policy (called a Privacy Notice) at the point of account registration:

Gymshark Create Account form with Agree to Terms and Conditions and Privacy Notice section highlighted

You'll also find links to key policies, including the Privacy Policy, within the website footer. These links appear on every page:

Gymshark website footer with Privacy Notice link highlighted

UPS helpfully includes a link to its Privacy Policy within its Cookie Notice, which is a banner you should have if you use cookies to track user behavior or collect personal data:

UPS Cookie Notice

It's good practice to link to the Privacy Policy within such a banner, because users can then quickly and easily make informed decisions as to whether they want to use your website or adjust the settings.

In short, always ensure it's easy for customers to access your Privacy Policy by placing it conspicuously around your website.

Some laws, such as the GDPR, may require consent before you can collect or process someone's personal data. This is especially relevant when it comes to Cookie Notices.

As a result, some companies seek affirmative consent for their Privacy Policies by including a checkbox which users must tick to:

  • Confirm they've read the Privacy Policy
  • Agree to its terms

Consent isn't always necessary, even under the GDPR, so you won't find such checkboxes everywhere.

However, here's an example from Lancome of what such a checkbox might look like. Unless customers accept the Privacy Policy, they can't proceed to open an account:

Lancome Create Account form with Agree to receive promotional emails checkbox highlighted

It's good practice (although not always legally necessary) to get affirmative consent to a Privacy Policy, so consider using checkboxes for your own website.

Failure to Provide a Privacy Policy

If you don't have a Privacy Policy, or your Privacy Policy doesn't meet legal requirements, you could face fines. Here are some examples of monetary penalties which may apply, depending on the relevant laws.

  • GDPR: A failure to comply with the GDPR means facing fines of over $20 million or up to 4% of your company's global annual turnover (whichever is the highest amount)
  • PIPEDA: Companies can be fined up to $100,000 for every occasion when they knowingly break this law
  • CPRA: You may be fined up to $7,500 for every time you knowingly break the CPRA, and up to $2,500 for each accidental violation
  • CDPA: The Attorney General can apply for damages of up to $7,500 for every intentional violation of the Act

The penalties can vary widely based on factors such as the severity of the violation and whether it's a company's first offense. Make sure you get legal advice for your specific situation, if required.

Conclusion

A Privacy Policy is a document which outlines how your company processes and safeguards personal data. If you collect any personal or sensitive data from users, then you should have a Privacy Policy on your website.

A Privacy Policy should include clauses detailing:

  • Whether you collect personal information
  • Why you need the data
  • How you collect this information
  • What choices users have regarding their personal data

You should display your Privacy Policy somewhere obvious on your website and certainly before users provide you with any personal data.

You can use a template or Privacy Policy generator to help you create a legally compliant document for your business. If you decide to draft your own Policy, ensure you:

  • Use jargon-free language
  • Keep paragraphs short, where possible
  • Include links to other key policies (e.g. Terms and Conditions)
  • Highlight the most important words or sentences

You can face serious financial charges or reputation damage if you fail to comply with privacy laws around the world.