1. The 5 Core Principles of Every Privacy Statement
- Notice: Consumers should be made aware of a website’s data collection and processing practices before any personal information is collected from them.
- Choice: Consumers should be given options about how their personal information is used beyond the purpose for which it was collected, including whether it is shared with third parties or used for marketing.
- Access: Consumers should have the ability to access the data collected from them to ensure it is accurate and complete. Privacy policies should provide instructions on how users can access their information and correct any inaccuracies.
- Security: Data collectors should take reasonable steps to keep the data they hold accurate and protected from unauthorized access, loss, or misuse. Privacy policies should describe the safeguards that are actually in place.
- Enforcement: In order for businesses to adhere to these principles, there must be enforcement measures. Privacy policies should offer a simple way for consumers to have their privacy concerns addressed and to remedy violations.
Below, we outline the basic clauses that are legally required for privacy policies. Keep in mind that your specific business may require additional clauses depending on your website’s data collection and processing activities.
Section 1: What type of information do you collect?
Privacy policies almost always begin by explaining the types of data that a website or app may collect from users. Be as specific as possible about the data you collect; vague categories such as “information you provide to us” give readers no real picture of what is being gathered.
You’ll likely need to conduct an audit of your site to pinpoint exactly where/when you acquire visitor data (e.g. account signup, newsletter subscription, contact form) and what data you collect at each collection point.
Not only does Spotify organize the personal data into categories – making it easier for readers to clearly understand what information is being collected – but they also offer details on when the data is collected and if it’s required or optional.
Section 2: How do you use personal information?
After you list the information you collect and process, the next section of your policy should explain what you do with visitor data.
Section 3: How do you protect personal information?
As one of the five Fair Information Practice Principles listed earlier, a site’s security measures should be specified in their own section. The security measures you need to have in place will depend on the volume of data you collect and its sensitivity. Describe only the controls you actually operate: a policy that promises stronger protection than you deliver is a misrepresentation, not a safeguard, and it is the kind of claim regulators and plaintiffs hold companies to.
PayPal, for example, states that it uses measures such as firewalls, data encryption, physical access controls, and information access authorization controls, without overstating them as guarantees.
Section 4: Do you share data with third parties?
Inappropriate processing of personal data collected through analytics tools can cost your company up to 4% of its annual global turnover (or €20 million, whichever is higher) in GDPR fines. Our Google Analytics GDPR guide provides actionable steps for complying with the GDPR.
Section 6: How can users control their data?
With the passing of privacy laws such as the GDPR and the CCPA, giving users control over their data has become a key obligation for online businesses. Privacy policies have therefore become instruction manuals for how users can exercise their data rights: how to request a copy of their data, correct it, delete it, or object to particular uses of it.
Section 7: How will you notify users of policy changes?
Google assures users that updates will never reduce their rights without consent. The policy also lets users know that if changes are significant, users will receive a notice via email.
While privacy policies have historically been long, dense, and difficult to understand, companies are opting for more user-friendly privacy statements in order to better quell customer concerns over data. For some online businesses, it has even become a necessity. Article 12 of the GDPR states that information should be presented “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
If you want to make your policy more user-friendly, here are a few steps you can take:
- Implement a table of contents
- Make your section headings clear. We find that an FAQ format works best, as most users visit privacy policies with questions in mind. Once again, this is something we’ve implemented in our own policy, as you can see in the example above.
- Add section summaries
- Use clear and plain language
Legalese could be harmful to your legal compliance efforts and your customer relations. Instead, use plain language and be as clear as possible.
Your policy must be posted on your company or organization’s website in an easy-to-find location. The policy must be readily available to all visitors to the website, not only to visitors who have already submitted information or had data collected.
Many companies choose to include a direct link in the footer, allowing it to appear on every page of their website. Make sure that the link font isn’t tiny and that it doesn’t blend in with the footer’s background.
6. Final Words