Sample Privacy Policy Template

As a business owner, you've probably been told that you need to have a Privacy Policy, but what exactly does that entail? What is a Privacy Policy, and what clauses do you need to include in your Privacy Policy in order to be compliant with local and international privacy laws?

This article will help you understand when and why you need a Privacy Policy, how to create your own, and how to display and get agreement to it after you have it drafted.

A Privacy Policy is a statement that describes how you collect, store, share, and manage your users' personal information. Personal information can include names, birthdays, email and mailing addresses, phone numbers, social security numbers, and medical and financial records, among other data.

Many third-party services (such as Google Analytics) require you to have a Privacy Policy in order to comply with their Terms of Service agreement.

If you do not display a Privacy Policy on your website, your business can be subject to fines ranging from a percentage of your company's returns to $100,000.00 per offense, depending on which country's privacy law was violated.

Why Do You Need a Privacy Policy?

Privacy laws require a Privacy Policy whenever your website collects personal information or data. It's important to understand which laws apply in each country where your users reside, and how to make sure your Privacy Policy meets the standards of those laws.

Global privacy laws vary from country to country, and generally apply to any business that collects data from users who are residents of the location where the law was created.

That means that even if your business is based in the United States, if you collect personal information from users who live in the European Union (EU), then the EU's privacy legislation will still apply to your business.

For example, although Volkswagen is a company based in Germany, it still includes information in its Privacy Statement about California's Privacy Rights. This is a good move for any business that expects to have consumers from around the world:

Volkswagen Privacy Statement: Your California Privacy Rights clause and chart excerpt

General Data Protection Regulation (GDPR):

The GDPR is the EU's privacy and security law. It applies to any business that collects personal data from users based in the EU. Those who are found to be in violation of the GDPR are subject to steep financial penalties.

California Consumer Privacy Act (CCPA):

The CCPA is legislation that ensures privacy rights for all consumers based in California, and requires that businesses inform users of their privacy practices.

Personal Information Protection and Electronic Documents Act (PIPEDA):

PIPEDA is Canada's privacy law which was created to protect individuals' personal data. PIPEDA requires businesses to inform users of how and why they collect personal information, and enables users to access that information.

What Qualifies as Personal Information?

When a Privacy Policy refers to personal information, it refers to any information that can be used to identify an individual, either on its own or combined with other pieces of information.

Personal information can encompass a wide range of data, including but not limited to contact information, social security and driver's license numbers, IP addresses and web-browsing behavior as captured by cookies, and even some encrypted data.

Blick Art Materials does an excellent job of using its Privacy Policy to describe exactly how it defines the personal information it collects:

Blick Art Materials Privacy Policy: Categories of Personal Information We Collect clause

What Clauses and Information Your Privacy Policy Needs to Include

A legitimate Privacy Policy should explain what kind of personal information you collect, and how you store, use, and share that data. The following clauses will be found in most Privacy Policies, and should be included in yours.

What Personal Information You Collect

Whether it's straightforward data like names and email addresses, or more sophisticated statistics such as the kind gathered through analytics, it's important to be aware of what kind of personal information you gather from your users.

Taking consistent inventory of the data your business collects and updating your Privacy Policy as needed ensures that you are able to accurately share that information with your users.

The White House lets its visitors know that they are free to keep information about themselves private when they create an account with whitehouse.gov. The White House's Privacy Policy goes on to state the types of information it would need to collect in different scenarios:

The White House Privacy Policy: Information You Give Us clause

How You Collect Personal Information

Letting your users know how you collect their personal information is an essential part of any good Privacy Policy. You might gather personal information via an email signup, through cookies whenever anyone visits your website, or whenever a customer makes a financial transaction at an ecommerce checkout page.

Chewy's Privacy Policy is quite detailed when it comes to describing what kind of information it collects, how it's collected, what it's used for, and who it's shared with:

Chewy Privacy Policy: Excerpt of chart with Sources of Personal Information column highlighted

Third Party Sharing of Personal Information

Third party sharing occurs when your business (second party) shares information from your customers (first party) with another organization (third party). Third party sharing might take place when you use another company to provide security, analytics, or Customer Relationship Management (CRM) services.

J.K. Rowling's website offers a simplified version of a third party clause, covering the legal basis for sharing in the event that any part of her business is sold, and informing users of her obligation to keep her business safe through the use of third party security services:

JK Rowling Privacy and Cookies Policy: Giving Your Information to Others clause

How You Use Personal Information

Letting customers know how you use their personal information is great for both legal and transparency reasons. People want to know what you plan on doing with their data, and assuring them of your purposes for collecting their information goes a long way in building consumer trust.

If your business is product based, you might gather personal information for shipping information, or you could use the data you collect to improve customer service strategies. In any case, it's important to let your users know what you intend to do with their data.

In the following clause from REI's Privacy Policy, the company explains that it uses its customers' personal information in order to offer better customer support, and follows that statement with examples of the methods it uses to enhance its services:

REI Privacy Policy: Use of Information clause

Security Processes

Informing users of the tools and techniques you use in order to safely store and keep their data secure is a necessary element of any Privacy Policy.

The security section of your Privacy Policy might include any encryption or firewall tools your website uses, as well as any kind of security-related training mandated for the personnel who have access to user data.

The Social Security Administration's Privacy Policy clarifies its dedication to legal compliance in the first line of the security section. The administration also includes examples of the various practices employed in order to keep user data safe:

Social Security Administration Privacy Policy: Privacy and Security clause

Contact Information For Your Business

You want to make sure that you include at least one method for users to contact you within your Privacy Policy. The contact information you provide should be in compliance with local and global privacy legislation, and should include, at a minimum, your business name and an email address and/or phone number, and ideally the physical location of your business.

The Privacy Notice for Whole Foods contains both a link to an email address created specifically to handle privacy concerns as well as a link to a customer service form that allows users to contact Whole Foods via telephone or online chat:

Whole Foods Privacy Notice: Contact Us clause

Now that you know what clauses to include in your Privacy Policy, let's check out a few different places where you can display your Privacy Policy once drafted.

Where to Display Your Privacy Policy

Your Privacy Policy needs to be highly visible and easily accessible on your website.

Your Privacy Policy should be made available in your site's footer, as well as at any juncture where personal information is collected. You want users to be able to access your Privacy Policy whenever they sign up for an account, join your email list or sign up to receive a newsletter, make a purchase from your online store, or download your app.

Account Sign-up Forms

Whenever a user creates an account on your website, you should provide a way for them to access your Privacy Policy.

When a user creates an online account on Sam's Club's website, they are given the option to click on several different privacy-related links in the footer of the sign-up page. Another way to provide this information would be through a checkbox within the actual sign-up form:

Sam's Club sign-up form with privacy links in footer highlighted

Email/Newsletter Sign-up Forms

Make sure to give users access to your Privacy Policy whenever they join your email list or sign up to receive your newsletter.

When visitors subscribe to Britney Spears' mailing list, they are shown a link to her Privacy Policy, as well as language stating that through the action of subscription, users are agreeing to the terms provided within the Privacy Policy:

Britney Spears email sign-up form with Privacy Policy link highlighted

Ecommerce Checkout Pages

Every time a customer makes a purchase from your ecommerce store, they should be given the option to read your Privacy Policy.

When a customer makes a purchase via Etsy, clicking "Continue" also signals their consent to Etsy's Terms of Use and Privacy Policy:

Etsy sign-up form with Terms of Use and Privacy Policy links highlighted

Website Footer

It's a good idea to dedicate an entire page to your Privacy Policy, and to make it easily accessible by creating a link to the page and placing it in your website footer.

The official NBA website links its Privacy Policy and related information at the very bottom of the homepage:

NBA website footer with Privacy Policy link highlighted

Email Footer

Ensure that everyone who receives an email from your business is able to access your Privacy Policy information by adding a link to your Privacy Policy in your email footers.

Babylist includes a link to its Privacy Policy, as well as to an Email Settings and an Unsubscribe option at the bottom of every email:

Babylist email footer with Privacy Policy link highlighted

Adding these selections to your business emails is an excellent way to make sure that your clientele is both informed and willing to receive communications from you.

In-app Menus (for mobile apps)

If your business has developed an app, it's a great idea to include your Privacy Policy in the in-app menu. Users know to look here and can access it at any time from within the app.

App Store Listings

Include your Privacy Policy in the app store listing to make sure that users have access to it before they even download the app.

How to Get Agreement to Your Privacy Policy

The best way to get consent from users is to create a checkbox that they must tick off before submitting information or navigating to a different part of your site or app. Be sure to include language affirming that checking the box means that the user has read and agreed to the Privacy Policy.

You can facilitate this process through the use of sign-up forms or pop-up forms placed at strategic locations throughout your site.

When users want to join the Adidas Creators Club, they must tick a box confirming that they are at least 13 years of age and that they agree to Adidas's Privacy Policy and Terms and Conditions statement:

Adidas sign-up form with consent box and browsewrap statement highlighted

Barnes and Noble makes it easy for its users to agree to the Privacy Policy by including a link in the account sign-up form:

Barnes and Noble Create Account form with Terms of Use and Privacy Policy links highlighted

Summary

If you are a business owner or have a website that collects personal data, it is imperative that you create a Privacy Policy and make it easily accessible on your website.

A well-founded Privacy Policy will take into consideration global and local privacy laws and include the necessary language to remain in compliance with those laws. These laws include:

  • GDPR (EU)
  • CCPA (California)
  • PIPEDA (Canada)

A good Privacy Policy will also include detailed information about the kinds of personal information your business collects, as well as the processes for gathering, safely storing, and sharing that information. It should include:

  • What personal information you collect
  • How you collect personal information
  • Third party sharing of personal information
  • How you use personal information
  • Security processes
  • Contact info for your business

You want to make sure that you are properly displaying your Privacy Policy. Crucial areas to exhibit your Privacy Policy include:

  • Account sign-up forms
  • Email and newsletter sign-up forms
  • Ecommerce checkout pages
  • Website footers
  • Email footers
  • In-app menus
  • App store listings

Finally, it's important to get users to agree to your Privacy Policy. A simple way to gain consent is to introduce unticked checkboxes every time you collect personal information.

Creating a solid Privacy Policy is not only a legal necessity, but it's also a great way to promote transparency and to build trusting relationships with your customers. By following the simple tips in this article, you will be well on your way to helping your business to establish a legitimate internet presence.