How information is collected (including through cookies and other tracking technologies)
Who information is shared with or sold to
What rights users have over their data
The site’s contact details
Privacy policies should be clear, thorough, and easy for internet users to find on any given website.
Data privacy laws
Third-party service requirements
Maintaining trust and transparency between your business and customers
Let’s examine these three requirements in more detail:
Privacy Policies are Required by Law
Privacy laws vary around the globe, and your website or app must abide by the regulations based on the location of your business, your targeted audience, and where you conduct business.
As data collection and processing becomes more ubiquitous across the internet, privacy laws in the US and around the world set strict requirements for privacy policies.
The General Data Privacy Regulation (GDPR)
Your business must comply with the GDPR if it targets EU consumers and meets one of the following thresholds:
It offers goods or services
It monitors online behavior
Chapter 3, Articles 13 and 14 of the law clarify that users have the right to be fully informed about the collection and use of their personal data.
The penalties for CCPA non-compliance are fines of $2,5000 per violation or $7,500 per intentional violation.
The California Online Privacy Protection Act (CalOPPA)
The CalOPPA was adopted in 2004 and was one of the first data privacy regulations implemented in the United States. It set the standard for the presentation, wording, and implementation of privacy policies.
This law established the definition of personally identifiable information and introduced Do Not Track (DNT) requests for users to toggle data tracking preference settings online.
The penalties for CalOPPA non-compliance are fines of up to $2,500 per violation.
Children’s Online Privacy Protection Act (COPPA)
Any business marketing to children in the United States must follow strict rules and regulations following the Federal Trade Commission’s guidelines.
The penalties for COPPA non-compliance are fines of up to $40,000 per violation.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA covers ten fair information privacy practices companies must follow to do business in Canada and applies to all businesses, not just those operating online.
The penalties for PIPEDA non-compliance are fines of up to $100,000 CAD ($80,000 USD) from federal prosecution.
Other Notable Laws
If your website is “significantly engaged” in financial activities, you may be subject to the Federal Trade Commission’s (FTC) Gramm-Leach-Bliley Act, which requires the publication of “clear, conspicuous and accurate statements” regarding information collection and sharing practices.
Privacy Policies are Required by Third-Party Services
Google (AdSense, Ad Words, Analytics, and Play Store)
Twitter Lead Generation
Privacy Policies Increase Transparency and Build Trust
Privacy is a primary concern for modern consumers. People want to know if websites are collecting information about them, what that data might be, how it’s getting stored, and what it’s used for.
Here are some eye-opening privacy statistics showcasing the growing demand from consumers for data transparency from companies.
79% of Americans express concern with how companies use their personal data (Pew Research Center)
Last Updated Date, Intro, and Summary
The intro is also a great place to build transparency with your users. We recommend including contact information up front to help answer users’ questions that might come up while reading through your policy.
Take a note from the BBC and use links to your advantage to make it easier for users to follow along or find what they’re looking for. You should also summarize the policy using a table of contents listing all clauses your users are about to read through.
What Information You Collect and How
Under the GDPR and CCPA, users have the right to know what data you collect from them and how it gets used, making this a legally necessary clause.
Personal data: Names, addresses, email addresses
Derivative data: IP addresses, browser types, geolocation
Cookie usage: What kinds and who else has access to them
Social network data: Login information for social media accounts
Mobile data: Mobile device IDs, mobile device manufacturers
Third-party data: Any data you might share with or sell to a third-party
By using headers in the style of an alphabetical list, the BBC makes it easy for users to find and understand exactly what information they collect, and if that data is collected voluntarily or automatically.
The GDPR created additional guidelines for businesses collecting any sensitive information from users that you must follow if you store and process things like biometric or health data, or information about users’ race, political affiliations, sexual orientation, or philosophical beliefs.
Users can provide the information actively or voluntarily, or websites might collect specific details automatically using cookies or other derivative data.
You must mention both types of data gathering because leaving something out could lead to legal repercussions under laws like the GDPR and the CCPA.
How You Use the Information You Collect
For example, your business might use it to create a user account, display personalized content based on user interests, conduct research and analysis, or send order confirmations.
If you select one of the drop down options, you get all relevant details outlined in an easy-to-read table. For example, we chose ‘To provide our services’, which you can see in the photo below.
Uber’s unique table not only tells users what information they gather about them, but it also expresses why and how they use the data, helping them comply with laws like the GDPR and CCPA.
How You Store and Protect the Information You Collect
Both the CCPA and GDPR have stipulations outlining the responsibilities of businesses to protect user data from cybersecurity breaches. If you’re processing personal data, you must securely store it and inform your users about your practices.
Include a clause about the security measures your company follows to keep consumer data private, like using firewalls or encryption methods.
Do You Share Personal Information, and with Whom
You also need to link to any third-parties’ privacy policies within your document, so users can read them and choose if they want to consent to how the other entity plans on using their data.
If your business falls under the CCPA, you must provide consumers with a way to opt out of the sale of their data, making this a legally necessary clause for some companies.
You are required to embed a “Do Not Sell My Personal Information” link on your website or app, per the CCPA, so users can easily follow through on their privacy rights and to ensure your business accurately keeps track of such requests.
Disney houses the California opt out information in a specific section of the website that includes all data privacy rights for California users.
Company Contact Information
Include at least your mailing address, customer support email, and phone number so consumers can easily reach you if they have questions or concerns or want to act on their privacy rights.
Many businesses require additional clauses in their privacy policies. Read through the following list and make a note of any sections that are relevant to your website.
Transferring Information Internationally
Some privacy policies have a data retention clause outlining how long the information is kept or stored. According to the GDPR, you should store data only for as long as necessary. But this information can also be included in other clauses of your policy, like how Disney incorporated it into their data security clause pictured above.
Collecting Information from Minors
Collecting information from minors under 13 requires additional regulations in adherence with laws like COPPA. You must include a clause expressing how you use the information you are gathering about children, and you need parent or guardian consent.
Handling Social Media Logins
User Rights Over Their Data
Different laws outline data privacy rights consumers can legally act on, like opting out of the sale of data under the CCPA or opting into different personal data tracking under the GDPR.
Include a clause informing users of the process they can follow to act on their privacy rights.
Do-Not-Track Features and Controls
The GDPR and CCPA grant users the right to request access, change, or delete any data gathered about them.
Special Privacy Rights for California Residents
To simplify CCPA compliance, many companies include a separate clause outlining the specific data privacy rights granted to California residents.
Links to Other Legal Documents
Your users can always access the links you post in your website footer, no matter what page they end up on, which is important if your company needs to comply with data privacy laws like the CCPA and the GDPR.
For tips on how to make one, read through our article covering all you need to know about privacy centers.
You might also link to your policy in the following spots:
In other legal documents
They include a clause explaining guidelines for children, and express that, in compliance with COPPA, their services are not direct to minors nor do they knowingly collect information from anyone under the age of 13.
They even provide an email address so parents or guardians can easily request the deletion of any data accidentally gathered about a minor, which makes addressing privacy concerns much easier for the company and the client.
Follow Apple’s lead and provide relevant links for your users to follow through on their privacy rights directly within relevant clauses. This will also help you abide by laws like the CCPA and builds trust between your company and your users.
If you leave something out or are inaccurate within your policy, your business could pay the price if it’s found in contention with laws like the CCPA or GDPR.
Pretty nice, right? Our legal team and data privacy experts even provided helpful tips to assist you along the way if you get stuck on any questions, like the one below legally defining personal information.
Last updated [Date]
This privacy notice for [Company Name] (doing business as [Company Short Name]) ("Company," "we," "us," or "our"), describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:
Visit our website at [Website URL], or any website of ours that links to this privacy notice
[Download and use our application(s), such as our mobile application — [Mobile App Name], our Facebook application — [Facebook App Name], or any other application
Below, we answer some of the most frequently asked questions we get about privacy policies.
Even if you don’t fall under any legal jurisdictions, consumers today expect to see privacy policies and may only trust your business if one is posted.
That said, most privacy policies include clauses about the information you collect from users, how and why you gather that data, how you use it, any third party you share it with, and what your users’ rights are over their data.
Remember, cookies and other similar forms of data tracking are considered personal data and should also be outlined in your policy.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes... More about the author
Answer a few simple questions to have your fully compliant policy generated in MINUTES!