Knowing about privacy policies is essential for business owners in our digitally dominated world.
Nearly all of us operate online daily, giving websites, apps — and perhaps even household items — access to endless amounts of our personal information.
Privacy policies are no longer skippable walls of text we should expect our consumers to agree to without reading.
- Why Are Privacy Policies Important?
- What Do Privacy Policies Include and Cover?
- Additional Legal Policies You May Need
It also tells them their rights over how their data gets processed and gives instructions for following through on those rights.
- What personal information you collect
- How you collect that information
- Why you collect it, also known as your ‘legal basis’
- Who you share the data with or sell it to
- Where your business is located
- Where your customers come from
- How much data you collect
- Your gross annual revenue
It’s important to note that privacy policies are not the same as your terms and conditions, which protect your business by outlining your rules of use, dispute resolutions, and payment terms.
Furthermore, privacy policies are not like disclaimers, which usually go inside your terms and conditions and are used to remove liabilities from your plate.
If your company operates online in any capacity, you should have all of these necessary website policies posted to your platform. But this guide focuses on privacy policies, so let’s not get too off-topic here.
| Data Privacy Law |
| --- |
| 🇪🇺 General Data Protection Regulation (GDPR) |
| 🇬🇧 The Data Protection Act (UK GDPR) |
| 🇺🇸 Amended California Consumer Privacy Rights Act (CCPA & CPRA) |
| 🇺🇸 California Online Privacy Protection Act (CalOPPA) |
| 🇺🇸 Virginia Consumer Data Privacy Act (VCDPA) |
| 🇺🇸 Connecticut Data Protection Act (CTDPA) |
| 🇺🇸 Colorado Privacy Act (CPA) |
| 🇺🇸 Children’s Online Privacy Protection Act (COPPA) |
| 🇨🇦 Personal Information Protection and Electronic Documents Act (PIPEDA) |
| 🇦🇺 Australia’s Privacy Act of 1988 |
| 🇳🇿 New Zealand’s Privacy Act of 2020 |
| 🇿🇦 South Africa’s Protection of Personal Information Act (PoPIA) |
But for legal compliance reasons, try not to use a misleading or abstract title so it’s obvious to users what the document is.
- Privacy Notice
- Privacy Agreement
- Privacy Disclosure
- Privacy Statement
Why Are Privacy Policies Important?
Privacy policies are important because they help ensure you follow relevant data protection laws, keeping your business out of trouble and helping you avoid potentially massive fines.
Various consumer and data privacy statistics suggest that people will abandon their shopping carts or ditch your service if they think you’re dishonest about how you handle their information:
- 60% of users say they would spend more money with a brand they trust to handle their personal data responsibly. (Global Consumer State of Mind Report 2021)
- 84% of users are more loyal to companies with strong security controls. (Salesforce)
- 48% of users have stopped buying from a company over privacy concerns. (Tableau)
But you also may be required to have one if you:
- Own a website: Websites often collect personal data from visitors and therefore need privacy policies, whether the site is an online clothing store, a basic photography portfolio, or another ecommerce business.
- Run a small business: Size doesn’t matter much when it comes to privacy compliance, so even small businesses need privacy policies. Most fall under laws with broad thresholds, like the GDPR and CalOPPA.
- Collect information about your employees: You may need to give your employees details about the data you collect about them, for both in-person and work-from-home roles. This document is sometimes called an ‘Employee Monitoring Policy.’
- Own a marketing agency: Yes, even marketing agencies need privacy policies, as they typically work with large amounts of personal data and must follow all applicable data protection laws.
- Have a dropshipping store: Dropshipping stores also need privacy policies, especially if they fall under any data privacy laws or take part in international data transfers, which are subject to specific legal requirements.
- General Data Protection Regulation (GDPR)
- Data Protection Act (UK GDPR)
- Amended California Consumer Privacy Act (CCPA/CPRA)
- California Online Privacy Protection Act (CalOPPA)
- Virginia Consumer Data Privacy Act (VCDPA)
- Connecticut Data Protection Act (CTDPA)
- Colorado Privacy Act (CPA)
- Children’s Online Privacy Protection Act (COPPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia’s Privacy Act of 1988
- New Zealand’s Privacy Act of 2020
- South Africa’s Protection of Personal Information Act (PoPIA)
In this next section, I’ll walk you through some obligations outlined by major third-party services relevant to websites and apps.
- Develop mobile apps for the Apple App Store: Mobile apps also need privacy policies. For example, Apple’s App Store Review Guidelines require every app published on the App Store to have one before publication.
Privacy policies benefit both your business and consumers, making them a win-win for everyone involved. In particular, they help:
- Protect your business from violating data privacy laws: I’ve mentioned this a few times, but privacy policies are necessary if you need to comply with any data privacy laws, and posting one can help prevent you from getting fined.
What Do Privacy Policies Include and Cover?
Privacy policies include almost every detail about your data processing activities that you can imagine, and they also cover the rights your users have and explain how they can act on them.
I recommend you also put a ‘last updated’ date in this first section of your policy.
What Personal Data You Collect
All privacy policies must disclose what personal data you collect from your users.
Keep it simple and clean by listing all categories of personal information you process, including sensitive personal data.
How You Use the Data
Regulations like the GDPR, the VCDPA, and others require this, and your reasoning is subject to specific legal grounds.
How You Collect Personal Data
Common methods for data collection include:
- Voluntarily provided by the individual
- Through payment screens or checkout pages
- Filling out an online form
- Placing cookies on users’ browsers
- In-person or in-store recordings
If You Share the Data With Third Parties
List what categories of third parties you share or sell personal information to, explain why you share or sell the data, and say how it gets shared with the other entities.
An Explanation of Your Users’ Legal Rights
The rights provided by each law vary slightly, but most of them grant the right to:
- Access their personal data
- Request to amend or correct their data
- Request to delete their data
- Limit the use of their data
- Obtain a portable copy of their data
- Opt into or opt out of certain data processing activities
A Method for Following Through on Data Privacy Rights
You might achieve this by:
- Putting a link to a functioning Data Subject Access Request (DSAR or SAR) form
- Saying whether you honor “Do Not Track” requests and Global Privacy Control (GPC) signals
- Providing proper, working contact information
- Having a “Do Not Sell or Share my Personal Information” link (under the CCPA/CPRA)
- Using a “Limit the Use of my Sensitive Personal Information” link (under the CCPA/CPRA)
Details About International Data Transfers
For example, under the GDPR, you must disclose if an adequacy decision exists regarding the data transfer or if you use another transfer mechanism.
Data Retention Policy
You must state how long you plan to store the data, or describe the process you’ll use to determine when you’ve achieved your lawful purposes for using it.
To avoid legal issues, don’t keep data for longer than necessary.
Safety and Security Measures
Laws like the GDPR and the CCPA hold businesses accountable for implementing safety and security measures to protect personal data from breaches, leaks, or other cybercrimes.
Taking the following precautions is recommended:
- Pseudonymize the data
- Encrypt the data
- Ensure ongoing confidentiality, integrity, resilience, and availability of your processing system
- Implement a way to restore the availability or access to personal data should a breach occur
- Have a process for routinely testing, assessing, and evaluating the effectiveness of your security protocols
Under the CCPA, you must update your privacy policy at least once every 12 months. Plus, some laws, like the GDPR, expect you to re-obtain user consent if you change what data you’re processing or the purposes for which you use the information.
The Right to Lodge a Complaint
If possible, provide the correct contact information by region for the appropriate person or entity to submit those complaints.
If your website or app targets children, you must include specific information to comply with relevant laws like COPPA, which are meant to protect minors and young people.
For example, you must inform parents or legal guardians of their right to opt their children into data processing.
Company Contact Information
The table below compares the non-compliance punishments for the 12 data protection laws covered throughout this guide.
| Data Privacy Law | Penalties for Violating the Law |
| --- | --- |
| General Data Protection Regulation (GDPR) | |
| The Data Protection Act (UK GDPR) | |
| Amended California Consumer Privacy Act (CCPA/CPRA) | |
| California Online Privacy Protection Act (CalOPPA) | |
| Virginia Consumer Data Privacy Act (VCDPA) | |
| Connecticut Data Protection Act (CTDPA) | |
| Colorado Privacy Act (CPA) | |
| Children’s Online Privacy Protection Act (COPPA) | |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | |
| Australia’s Privacy Act of 1988 | |
| New Zealand’s Privacy Act of 2020 | |
| South Africa’s Protection of Personal Information Act (PoPIA) | |
As you can see, some of these laws, like the amended CCPA, give individual users the right to pursue privacy action against you.
Others, like PoPIA, could potentially lead to criminal charges.
You’d also face public backlash from your customers, which could cause you to lose sales.
Regulations like the GDPR and CCPA require you to present your consumers with certain information at or before the points where data collection occurs.
- The footer of your website: This is where most people look for your policy, and since it always stays the same no matter where users end up on your site, it helps ensure they always have access to it.
Because if the answer is no, all liabilities fall on your business.
- Use a managed solution like a generator
- Use a free template
- Write it yourself
To use the generator, you answer simple questions about your business, and it creates a compliant policy based on your answers. If you need help, our legal team provides tips for most sections, and we have a great group of customer support staff ready to chat.
See what it looks like in the screenshot below.
With a template, you manually fill in the blank sections with details about your business. Ours features all the necessary clauses to comply with several of the data privacy laws mentioned in this guide.
Below, you can see an example of what it looks like.
We have guides and templates for privacy policies, no matter your need.
If you try this, use easy-to-read language, and don’t leave anything out. Violating these data privacy laws — even by mistake — still leads to fines.
You should also plan to regularly review and update your policy and develop a process for keeping up with new or changing data privacy laws.
- You made a general update or change regarding your data collection and processing activities.
- You must comply with the CCPA, which states that you must update your policy at least once every 12 months.
- You’re using a new third-party service or will share the data you collect with a new entity.
- Send out an email with a link to the new policy and an explanation of what changed
- Use a pop-up notification on your website or app so anyone who visits is informed about the changes
I recommend implementing all of the above solutions so that as many of your users as possible can see the changes you’ve made to the agreement.
It’s also a good idea to provide an archive of past versions of your policy somewhere on your app or website. This way, you can prove that you’ve kept up with the appropriate changes based on any laws that may impact your business.
Additional Legal Policies You May Need
Depending on the industry you’re in and what services you provide, you may need a:
- Consent Management Platform (CMP): To set your website or app up for full compliance under most data privacy laws, you may need to use a Consent Management Platform and set up a cookie consent banner that allows your users to opt into or out of certain data collection practices, based on applicable laws.
- Terms and Conditions Agreement: If you run a website, creating a terms and conditions agreement helps protect your business by explaining the rules of use and limiting some of your liabilities. You can include clauses to outline your dispute resolution and governing laws and explain processes like your payment terms.
- Acceptable Use Policy (AUP): If your business allows users to interact with one another, post their own content, or fosters an interactive community, you should create an Acceptable Use Policy that explains all acceptable and prohibited uses, behaviors, and activities on your platform.
- Return and Refund Policy: If you run an ecommerce store, create a return policy to answer common customer questions about whether you offer returns, refunds, or exchanges and how long customers have to request one.
- Shipping Policy: If you send goods through the mail, create a shipping policy so consumers know all details about your shipping and handling practices, like where you ship to, how much it might cost, and a timeline for how long it usually takes for people to receive their packages.
- End-user License Agreement (EULA): If you develop apps or software, creating a EULA helps protect the technology you make available to the public.
- Disclaimers: Most businesses need to create at least one disclaimer on their site to help remove (aka, disclaim) liabilities from their plates.