As a business owner, you've probably been told that you need to have a Privacy Policy, but what exactly does that entail? What is a Privacy Policy, and what clauses do you need to include in your Privacy Policy in order to be compliant with local and international privacy laws?
This article will help you understand when and why you need a Privacy Policy, how to create your own, and how to display and get agreement to it after you have it drafted.
A Privacy Policy is a statement that describes how you collect, store, share, and manage your users' personal information. Personal information can include names, birthdays, email and mailing addresses, phone numbers, social security numbers, and medical and financial records among other data.
Many third-party services (such as Google Analytics) require you to have a Privacy Policy in order to comply with their Terms of Service.
If you do not display a Privacy Policy on your website, your business can be subject to fines that range from a percentage of your company's annual revenue (under the GDPR, up to 4% of global annual turnover) to $100,000 per offense (under Canada's PIPEDA), depending on which country's privacy law was violated.
Privacy laws legally require the use of a Privacy Policy whenever your website collects personal information or data. It's important to understand what laws are relevant in each country where your users reside, and how to make sure your Privacy Policy meets the standards of those laws.
Global privacy laws vary from country to country, and generally apply to any business that collects data from users who are residents of the location where the law was created.
That means that even if your business is based in the United States, if you collect personal information from users who live in the European Union (EU), then the EU's privacy legislation will still apply to your business.
For example, although Volkswagen is a company based in Germany, it still includes information in its Privacy Statement about California's Privacy Rights. This is a good move for any business that expects to have consumers from around the world:
The GDPR is the EU's privacy and data-protection law. It applies to any business, wherever it is based, that collects or processes the personal data of people in the EU. Organizations found to be in violation of the GDPR face fines of up to €20 million or 4% of global annual turnover, whichever is higher.
The CCPA gives consumers based in California rights over their personal information, and requires businesses that fall under it to inform users of their privacy practices.
PIPEDA is Canada's privacy law which was created to protect individuals' personal data. PIPEDA requires businesses to inform users of how and why they collect personal information, and enables users to access that information.
When a Privacy Policy refers to personal information, it refers to any information that can be used to identify an individual, either on its own or combined with other pieces of information.
Personal information can encompass a wide range of data, including but not limited to contact information, social security and driver's license numbers, IP addresses and web-browsing behavior as captured by cookies, and even pseudonymized or encrypted data if it can still be linked back to an individual.
Blick Art Materials does an excellent job of using its Privacy Policy to describe exactly how it defines the personal information it collects:
A legitimate Privacy Policy should explain what kind of personal information you collect, and how you store, use, and share that data. The following clauses will be found in most Privacy Policies, and should be included in yours.
Whether it's straightforward data like names and email addresses, or more sophisticated statistics such as the kind gathered through analytics, it's important to be aware of what kind of personal information you gather from your users.
Taking regular inventory of the data your business collects and updating your Privacy Policy as needed ensures that you are able to accurately share that information with your users.
The White House lets its visitors know that they are free to keep information about themselves private when they create an account with whitehouse.gov. The White House's Privacy Policy goes on to state the types of information it would need to collect in different scenarios:
Letting your users know how you collect their personal information is an essential part of any good Privacy Policy. You might gather personal information via an email signup, through cookies whenever anyone visits your website, or whenever a customer makes a financial transaction at an ecommerce checkout page.
Chewy's Privacy Policy is quite detailed when it comes to describing what kind of information it collects, how it's collected, what it's used for, and who it's shared with:
Third party sharing occurs when your business shares your customers' information with another organization (the third party). Third party sharing might take place when you use another company to provide security, analytics, or Customer Relationship Management (CRM) services.
J.K. Rowling's website offers a simplified version of a third party clause, covering legal bases in case of sale of any part of her business as well as informing users of her obligation to keep her business safe through the use of third party security:
Letting customers know how you use their personal information is great for both legal and transparency reasons. People want to know what you plan on doing with their data, and assuring them of your purposes for collecting their information goes a long way in building consumer trust.
If your business is product based, you might gather personal information for shipping information, or you could use the data you collect to improve customer service strategies. In any case, it's important to let your users know what you intend to do with their data.
In the following clause from REI's Privacy Policy, the company explains that it uses its customers' personal information in order to offer better customer support, and follows that statement with examples of the methods it uses to enhance its services:
Informing users of the tools and techniques you use in order to safely store and keep their data secure is a necessary element of any Privacy Policy.
The security section of your Privacy Policy might describe the encryption, firewall, and access-control measures your website uses, as well as any security-related training mandated for the personnel who have access to user data. Describe these controls in general terms (for example, "data is encrypted in transit and at rest") rather than naming specific products and versions, which only helps an attacker fingerprint your stack, and never promise a safeguard you do not actually have in place: an inaccurate security statement is itself a liability.
The Social Security Administration's Privacy Policy clarifies its dedication to legal compliance in the first line of the security section. The administration also includes examples of the various practices employed in order to keep user data safe:
You want to make sure that you include at least one method for users to contact you within your Privacy Policy. The contact information you provide should be in compliance with local and global privacy legislation, and should include, at a minimum, your business name and an email address and/or phone number, and ideally the physical location of your business.
The Privacy Notice for Whole Foods contains both a link to an email address created specifically to handle privacy concerns as well as a link to a customer service form that allows users to contact Whole Foods via telephone or online chat:
Now that you know what clauses to include in your Privacy Policy, let's check out a few different places where you can display your Privacy Policy once drafted.
Your Privacy Policy needs to be highly visible and easily accessible on your website.
Your Privacy Policy should be made available in your site's footer, as well as at any juncture where personal information is collected. You want users to be able to access your Privacy Policy whenever they sign up for an account, join your email list or sign up to receive a newsletter, make a purchase from your online store, or download your app.
Whenever a user creates an account on your website, you should provide a way for them to access your Privacy Policy.
When a user creates an online account on Sam's Club's website, they are given the option to click on several different privacy-related links in the footer of the sign-up page. Another way to provide this information would be through a checkbox within the actual sign-up form:
Make sure to give users access to your Privacy Policy whenever they join your email list or sign up to receive your newsletter.
When visitors subscribe to Britney Spears' mailing list, they are shown a link to her Privacy Policy, as well as language stating that through the action of subscription, users are agreeing to the terms provided within the Privacy Policy:
Every time a customer makes a purchase from your ecommerce store, they should be given the option to read your Privacy Policy.
When a customer makes a purchase via Etsy, they are told that by clicking "Continue," they are also agreeing to Etsy's Terms of Use and Privacy Policy:
It's a good idea to dedicate an entire page to your Privacy Policy, and to make it easily accessible by creating a link to the page and placing it in your website footer.
The official NBA website links its Privacy Policy and related information at the very bottom of the homepage:
Ensure that everyone who receives an email from your business is able to access your Privacy Policy information by adding a link to your Privacy Policy in your email footers.
Babylist includes a link to its Privacy Policy, as well as to an Email Settings and an Unsubscribe option at the bottom of every email:
Adding these selections to your business emails is an excellent way to make sure that your clientele is both informed and willing to receive communications from you.
If your business has developed an app, it's a great idea to include your Privacy Policy in the in-app menu. Users know to look here and can access it at any time from within the app.
Include your Privacy Policy in the app store listing to make sure that users have access to it before they even download the app.
The best way to get consent from users is to create a checkbox that they must tick before submitting information or navigating to a different part of your site or app. The checkbox must be unticked by default; a pre-ticked box does not count as consent under the GDPR. Be sure to include language affirming that ticking the box means that the user has read and agreed to the Privacy Policy.
You can facilitate this process through the use of sign-up forms or pop-up forms placed at strategic locations throughout your site.
When users want to join the Adidas Creators Club, they must tick a box confirming that they are at least 13 years of age and that they agree to Adidas's Privacy Policy and Terms and Conditions:
Barnes and Noble makes it easy for its users to agree to the Privacy Policy by including a link in the account sign up form:
If you are a business owner or have a website that collects personal data, it is imperative that you create a Privacy Policy and make it easily accessible on your website.
A well-founded Privacy Policy will take into consideration global and local privacy laws and include the necessary language to remain in compliance with those laws. These laws include:
A good Privacy Policy will also include detailed information about the kinds of personal information your business collects, as well as the processes for gathering, safely storing, and sharing that information. It should include:
You want to make sure that you are properly displaying your Privacy Policy. Crucial areas to exhibit your Privacy Policy include:
Finally, it's important to get users to agree to your Privacy Policy. A simple way to gain consent is to add a checkbox, unticked by default, to every form that collects personal information.
Creating a solid Privacy Policy is not only a legal necessity, but it's also a great way to promote transparency and to build trusting relationships with your customers. By following the simple tips in this article, you will be well on your way to helping your business to establish a legitimate internet presence.