Simon Coulthard July 02, 2024
Disclaimer: This blog provides general information about writing a privacy policy. However, privacy laws can be complex and vary by jurisdiction. We advise that you get legal advice from a qualified lawyer to ensure that the privacy policy meets the specific needs of your website and business.
According to Penn State University research, only one third of companies make a privacy policy available to their website visitors.
That’s a pretty damning statistic, though one that reflects a general lack of awareness about legal requirements, and common misconceptions businesses have that they don’t actually need one.
But simply put, the privacy policy is a website essential. It’s another key building block of compliance with data protection laws, and builds trust with customers who can use it to understand how their data is handled. It also protects businesses from the potential legal and financial repercussions associated with data breaches and non-compliance.
And while there’s no shortage of free privacy policy generators available online, the pages they create are superficial at best. They may look like short, simple documents, but only a specialist lawyer can create one that meets the specific legal requirements of your business.
If you’re looking for advice on writing a privacy policy for your company, then this blog is a good place to start. In it, you’ll learn what a privacy policy is and how this document differs from platform to platform. It will also run through the basics of what you need to do to create one that meets legal requirements.
Let’s dive in!
A privacy policy is a publicly-available document that details how a website - and the business it serves - collects, uses, and manages the personal information that it collects from visitors.
As a privacy-first organization, we take privacy policy creation seriously here at TWIPLA, and you’re welcome to use our own Website Privacy Policy for reference.
As you can see, drafting a privacy policy is a fairly straightforward task. The page just needs to provide all the information related to the data processes of the website and any third-party dependencies.
Just to confuse matters, the privacy policy is also sometimes known as a privacy notice, as well as “fair processing information” or “privacy information”.
But regardless of terminology, it’s where you should lay out exactly what type of information is collected, your reasons for doing so, what systems are involved, and what you intend to do with it.
The short answer to who needs a privacy policy is everybody.
It’s an essential page if you collect any personal data from users. And while privacy-focused martech is growing in popularity as a way to simplify workflows and protect customers, most businesses will still be collecting personal data as an operational necessity - we’re a privacy-first company for instance, but we still need to collect personal information as part of our user onboarding and payment processes.
Given this, the privacy policy is there to ensure transparency and build trust with internet users who are more aware about the vulnerability of their personal information online than ever before.
But crucially, a privacy policy is also a legal requirement that businesses need to comply with; it’s central to many of the pieces of data privacy legislation that have mushroomed in most places around the world, including the GDPR in the EU and the CCPA in California.
It’s also important to remember that websites often have a wide range of different third-party services installed. These could be analytics, payment gateways, CRM platforms, or social media plugins.
These integrations will all rely on data from your website visitors to function. And since you remain the data controller under privacy legislation, you’re ultimately responsible for what these third parties do with this data. As such, you’ll certainly need a privacy policy so that you can detail what these other businesses are doing with your website visitors’ data.
However, some websites won’t need one, because of course there are some exceptions:
Sites that operate in jurisdictions with no strict privacy laws might have fewer requirements.
Today, these locations are few and far between. Most countries (or trading blocs) are in the process of drafting legislation if they haven’t enacted something already, with UNCTAD research showing that less than 5% of the world is turning a blind eye to the data protection of its residents.
However, it's important to note that many privacy laws (like GDPR) have extraterritorial reach, meaning they can apply to websites outside their jurisdiction if they serve users within it.
As such, this exemption depends on where your website visitors are located, not just where your business is based, and a business that wants to rely on it as a reason not to have a privacy policy would need to implement technology that controls which countries of origin can access its site.
The privacy policy should include the following information:
| Item | What to include |
|---|---|
| **Introduction** | |
| Purpose | Explain why the privacy policy exists and its importance. |
| Scope | Specify the scope of the policy, including the types of users it applies to (e.g., website visitors, app users). |
| **Data Collection** | |
| Types of Data Collected | Clearly list the types of information collected. |
| Methods of Data Collection | Describe how the data is collected. |
| **Use of Data** | |
| Purposes | Specify the purposes for which the data is used. |
| **Data Sharing** | |
| Third-Party Disclosures | List the third parties with whom the data is shared. |
| Purpose of Sharing | Explain why data is shared with these third parties. |
| **Data Security** | |
| Security Measures | Describe the measures in place to protect data. |
| Data Retention | Explain how long personal data is retained and the criteria used to determine retention periods. |
| **User Rights** | |
| Access and Correction | Inform users of their right to access and correct their personal data. |
| Deletion and Restriction | Detail users’ rights to request the deletion or restriction of their personal data. |
| Data Portability | Describe users’ rights to obtain and reuse their personal data across different services. |
| Opt-Out Options | Provide information on how users can opt out of data collection, marketing communications, or other data processing activities. |
| **Cookies and Tracking Technologies** | |
| Use of Cookies | Explain the use of cookies and other tracking technologies. |
| Types of Cookies | List the types of cookies used. |
| User Control | Provide information on how users can manage or disable cookies. |
| **International Data Transfers** | |
| Cross-Border Data Transfers | If applicable, explain how data is transferred across borders and the safeguards in place to protect it. |
| **Changes to the Privacy Policy** | |
| Policy Updates | Describe how and when the privacy policy may be updated. |
| Notification of Changes | Explain how users will be notified of changes to the policy. |
| **Contact Information** | |
| How to Contact | Provide contact details for users to ask questions or exercise their privacy rights. |
| **Legal Basis for Processing** | |
| Legal Grounds | For organizations subject to GDPR, specify the legal grounds for processing personal data. |
Writing a privacy policy for a website, app, or small business is a pretty similar task because the fundamentals are the same. However, there are some differences to consider:
When creating a document that meets website privacy policy requirements, ensure it details the types of data collected through web forms, cookies, and third-party integrations. Specify the purposes for data usage, such as improving customer experience, UX, or marketing, and describe your data protection measures.
For mobile apps, the privacy policy should include specifics about the data collected through app permissions, such as location, contacts, and camera access. It should also explain how the data is used within the app and any third-party services involved.
Small businesses must include information about data collection practices relevant to their operations, such as customer contact details and payment information. The policy should highlight the security measures in place to protect data and the user rights regarding their information.
By now, you should have a pretty good grasp of what goes into a privacy policy. And if you’re now trying to work out what to write on your privacy policy page, you’ll find further information on the process below:
We haven't got the crawl budget to go through every data privacy law here, but you’ll need to research the data privacy legislation that is relevant to your business and audience.
This work will ensure absolute privacy policy compliance with all the laws that matter to your business.
But when in doubt, follow GDPR. It’s the gold standard that other data privacy laws aspire to and if your privacy policy meets the requirements of this law, it meets the requirements of every law.
We’ve also written elsewhere about how to write a GDPR-compliant privacy policy for our TWIPLA users, and this short copy might help you to understand the work involved.
Next, you’ll need to work out what personal data is being collected by your website or app and any third-party dependencies that serve it.
This is ultimately just a fact-finding mission and the information should be freely available from the different organizations involved. If not, get in touch with them.
After this, you’ll want to go into detail about the methods you use to collect the data of website visitors (or app end users) in the first place.
More specifically, you’ll need to include information relating to any website forms, cookies, app permissions, and third-party services. And remember, be open and transparent about ALL your data collection practices.
Next, you’ll need to detail the various ways that your website and business uses the data that is collected from website visitors.
This could be for personalizing the user experience, analyzing website performance, or for any wider marketing purposes. But ultimately, your customers need to be able to read the privacy policy and understand from it exactly why your business needs their data in the first place.
Now, you’ll want to draft information about any third-party companies that you’re sharing website visitor data with. This could be business partners, service providers, or advertisers.
They’ll all have their own specific reasons for needing website visitor data, and they’ll also have privacy policies that go into detail about this. So explain why you’re sharing personal data with these entities, and describe the safeguards that are in place to protect this information.
Personal data protection is central to the purpose that underpins privacy legislation.
As such, you’ll need to detail the security measures that your business has implemented to protect personal information from the risks of unauthorized access, data breaches, and other threats.
This can include anything from data encryption and data minimization to secure data storage and regular security audits.
The privacy policy also needs to include clear instructions on how users can opt out of data collection, marketing communications, or any other data processing activities done by your organization.
Ensure that the process is simple and accessible, whether via web forms, email links, mobile app settings, or dedicated contact details, with straightforward instructions presented in a user-friendly interface.
Finally, don’t forget to inform your users about their rights regarding their personal data. These include their right to access, correct, delete, or restrict the processing of their information at any time.
Then, include instructions on how they can exercise these rights. For instance, they could do this by visiting your “Privacy Settings” page, contacting your business directly, or using any links provided in the privacy policy or elsewhere to manage their data preferences.
Once drafted, there’s a certain amount of freedom with regard to where to put the privacy policy on your website.
It should have its own webpage or app screen/view.
However, it should also be easily accessible from every page of the website or app. This can be done by including a link in the website footer, adding it to the app menu, or making it a part of the account registration process.
But regardless of what you decide here, remember to ensure that the link to your privacy policy is clear and visible to users.
And that’s it, that’s the basics of what you need to know about when creating a privacy policy for your website.
As mentioned, it’s a fundamental legal requirement and we advise that you get your lawyers to draft it on your behalf rather than using an unreliable privacy policy generator.