A privacy policy tells your users how your business collects, stores, uses and protects their personal information. If you gather any type of data on your website or app users, you need this policy in place. Keep in mind that the policy is a disclosure document, not a security control: it protects your business and your customers only when the practices it describes are actually in place.
More than half of American adults (53%) have decided not to use a service because of data privacy concerns, according to data collected by the Pew Research Center. Understanding applicable laws and best practices allows you to create a comprehensive, effective privacy policy for your website or app.
A privacy policy should be clear, thorough and easily accessible to your users. As you begin to draft this document, prioritize these key components.
Familiarize yourself with the legal landscape before you create your privacy policy. Businesses must comply with national and global privacy laws when handling personal data.
Although the specific regulations vary by industry and location, most companies with websites and apps should plan for the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
The GDPR applies to organizations established in the European Union (EU) and to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior, regardless of where the data is stored. Under the GDPR, your company must:
The CCPA/CPRA applies to for-profit businesses that do business in California and meet statutory thresholds based on annual revenue, the volume of personal information they buy, sell or share, or the share of revenue they derive from selling or sharing it. The law prohibits discrimination against consumers who exercise their privacy rights. It also requires you to:
Other states, starting with Virginia and Colorado, have since passed their own comprehensive privacy laws, and the list continues to grow, so check the current status of every state where you have users. Federal privacy laws focus on a specific type of data rather than personal information as a whole. For example, the Health Insurance Portability and Accountability Act (HIPAA) protects health information held by covered entities and their business associates, while the Fair Credit Reporting Act (FCRA) regulates how consumer reports are compiled and shared.
To comply with the applicable regulations, your company's privacy policy should include these key elements.
The GDPR and the CCPA/CPRA treat consent differently, and your policy should match the law you are relying on. Under the GDPR, consent is one of several lawful bases for processing; where you rely on it, consent must be freely given, specific, informed and unambiguous, and a pre-ticked box does not count. The CCPA/CPRA is mainly an opt-out regime: you must honor requests to opt out of the sale or sharing of personal information, and opt-in consent is required before selling or sharing the personal information of consumers under 16. Most sites install a consent banner that explains the consent policy and includes "I agree" checkboxes. Leave each box unchecked by default so the user must actively check it to give clear consent, and include separate boxes for distinct purposes, such as sharing information with third parties or sending targeted marketing communications, rather than bundling them into a single "accept all".
Keep detailed consent records that note what the user agreed to, the date and the method of consent; these records are your evidence if a regulator or user later disputes it. You should also provide a simple way for users to withdraw consent, which under the GDPR must be as easy as giving it, and stop the corresponding processing when they do.
Specify the types of personal data you collect, such as name, email and IP address. The example below comes from the Snapchat privacy policy.
In this section, clearly state the company's reasons for collecting and using personal data. For example, Snapchat starts with a general explanation of how and why it uses member information. The policy also links to a table with details about each type of collected data and its purpose:
Below this introduction, the Snapchat privacy policy provides more information about common purposes. It explains how the company uses data to deliver relevant ads, operate and maintain its service, improve features, conduct research, and get in touch with members if necessary.
If you share data with other individuals, businesses or organizations, your privacy policy should disclose this and identify the categories of recipients (and, where the law requires it, the recipients themselves). Here's an example of how Snapchat publishes information about third-party sharing.
The rest of the section goes into further details about what type of data they share with other users of the service, third-party apps, partners, affiliates, vendors and other groups.
In this section, outline the data-related rights of your users and explain how they can exercise these rights. Under the GDPR these include the rights of access, rectification, erasure, restriction of processing, data portability and objection; under the CCPA/CPRA they include the rights to know, delete and correct personal information, to opt out of its sale or sharing, and to limit the use of sensitive personal information. Here's an example:
Your privacy policy should describe the measures you use to protect personal user information, such as encryption in transit and at rest, access controls and staff training. Describe these controls accurately and avoid absolute guarantees: no system is completely secure, and overstating your security practices in a public policy has been treated as a deceptive practice by regulators. See the example below, which describes several layers of security. It also provides a link and an expandable button so readers can dive deeper if they want further details.
About 70% of Americans feel their data is less secure than it was five years ago, according to Pew Research Center, so a clear account of the steps you take to shield their information gives them the confidence they need to interact with your business online.
Explain the use of tracking technologies such as cookies, tracking pixels, mobile SDKs and similar identifiers, including what they are used for and how users can control them. You can draw inspiration from eBay's blurb below, which directs users to locations where they can obtain additional information.
Let users know how you'll tell them about changes to the privacy policy. You can post updates to the webpage where the policy lives, as in the example below from the iHeartRadio privacy policy. In some cases, you may have a legal obligation to directly communicate privacy policy changes by emailing or otherwise contacting users.
Here's an example:
Your privacy policy must accurately reflect your actual privacy practices. Misleading or false information can lead to legal issues and damage your reputation.
Regularly reviewing and updating the policy keeps it accurate. Periodically audit the company's data handling practices, checking them against the statements in your privacy policy. Make sure you have consistent protocols across all your online platforms, like websites, mobile apps and employee intranets.
When you change the way you use or access customer data, communicate with your users about the change. In addition, update the privacy policy right away to reflect the new process.
Give your users the information and access they need to exercise their privacy rights. The privacy policy should include easy ways for users to:
Make sure you also have dedicated user support channels. Establish a specific phone number or email address for privacy questions and requests, and set user expectations about when they will receive a response; note that both the GDPR and the CCPA/CPRA set statutory deadlines for responding to rights requests. The privacy policy should also include a non-discrimination clause, which lets users know you won't discriminate against them for exercising their privacy rights.
Write your policy in plain language that users can easily understand. Avoid technical terms and legal jargon where possible. If you have to use complex words, provide readers with a short definition.
Consider navigation when structuring your privacy policy. Headings and subheadings help users find the information they want quickly. Bulleted and numbered lists also support comprehension. When explaining how your company collects and uses data, illustrate each point with a real-world example that speaks to the reader.
Make it simple for all users to access your privacy policy. They should be able to get to the privacy policy from anywhere on your website or app. Add links to the policy in prominent places such as:
Select a clear, legible font and use large print. Design the privacy policy with a responsive layout, which means it adjusts automatically to the size of the user's screen.
Begin with an internal audit of your data collection practices. First, list all the types of personal data your business collects. Add a second column with the source for each type of data, such as a third-party service, cookie or website form. In the third column, list how you use each type of data, giving a clear purpose for collecting it. It also helps to record who receives each type of data and how long you keep it; this inventory doubles as the record of processing activities that the GDPR requires many organizations to maintain.
Familiarize yourself with the applicable privacy laws for your business. Consider the requirements of your physical business location as well as any geographic area where you have users. At a minimum, most companies should plan for the GDPR and the CCPA/CPRA.
Use the information you gathered in steps 1 and 2 to outline your company's privacy policy. You should include these basic sections:
Review the draft carefully to edit for clarity and simplicity. Make sure to use simple language and avoid jargon. Organize and break up large blocks of information with headings, subheadings and lists. Double-check the content to ensure consistency with your actual data practices.
Have your privacy policy reviewed by an attorney for compliance with applicable laws. This step helps identify any legal gaps or inaccuracies.
Before you make the policy public, plan an internal roll-out with robust employee training. Your team should understand the legal implications of the privacy policy and the role they have in compliance.
To officially implement your privacy policy, display it in a prominent place on your website and app. A link to the policy should also appear on every page where you collect personal information, such as registration and check-out forms.
Privacy practices and laws evolve over time. A periodic review of your privacy policy maintains compliance and accuracy. The policy should always remain current with changes in your data practices and applicable laws.
A well-crafted privacy policy builds trust with your users and bolsters the reputation of your business. It also helps you avoid significant fines for compliance issues and puts potential customers at ease with using your website or app. You can protect your business and your customers even further by collecting only the minimum data necessary for your stated purpose: data you never collect cannot be breached, misused or subject to a rights request.