If you’ve ever signed up for a social media platform, created an email address, downloaded an app, or ordered something online (in short, if you are anybody reading this article), you’ve encountered a privacy policy.
A privacy policy is a thorough explanation of how you plan to use any personal information that you collect through your mobile app or website. These policies are sometimes called privacy statements or privacy notices. They serve as legal documents meant to protect both company and consumers.
Privacy policies are different from data protection (or security) agreements and cookie policies. A data protection agreement is an internal document that outlines how you, your company, and any third-party vendors will work to safely handle your customers’ personal information. Your customers are unlikely to ever have a reason to read your data security agreement.
A cookie policy lets users of your website or app know that you use tiny pieces of code stored on their hardware called cookies to track and store some of their activity. These policies tend to pop up when users first access a website, as opposed to a privacy policy, which will likely only come up when users enter their personal data to, for example, register an account with you.
If your company collects any type of personal information from users, a clear and accessible privacy policy is a must. Let’s take a look at what privacy policies are for, how you can manage them, and how you can save yourself a ton of time (and legal headaches) by strategically managing them.
The purpose of a privacy policy
Privacy policies exist to protect customers from predatory data collection practices. A good policy will also protect your company by explaining which data you’re collecting from customers, why you’re collecting it, and how your company plans to use that data in the future.
Say your company collects birthdates from customers as a way to calculate sales statistics for a particular demographic, and as a way to build customer retention by sending out birthday coupons. The privacy policy would explain that personal information would be used for internal sales tracking purposes, and also for marketing purposes. If your company also sells those birthdates to a third party, the privacy policy would need to disclose that, too.
When do I need a privacy policy?
Basically, if you or your company collects any type of personal information, you need a privacy policy. Email addresses, names, birthdays, social security numbers and credit card numbers are all examples of personal information. Your method of collecting this information might vary. You may use a website, a mobile app, an eCommerce site or emails to get the info. No matter how you get users’ personal data, you will need a policy that explains what you’re using it for.
Is a privacy policy required by law?
In short: Yes! Several privacy regulation laws require privacy policies. This is a fairly recent development, and the laws aren’t the same everywhere.
The GDPR (General Data Protection Regulation) laws set guidelines starting in 2016 for how data can be collected and processed if you live or do business in the EU. The CCPA (California Consumer Privacy Act) is a state statute signed in 2018 meant to protect the residents of California from predatory data collection practices.
There’s currently no single piece of federal legislation that governs the way that companies disclose their data use and collection practices. But chances are, some of your online customers are from the EU or California, where this legislation exists and is enforceable. What’s more, if you collect data from your customers, you are under legal obligation to keep it safe. The Federal Trade Commission (FTC) governs and oversees customer complaints about data collection and data breaches. By having a privacy policy, you no longer have to fear a security breach situation where a customer can claim they weren’t even notified that you were collecting their data.
Parts of a privacy policy
A privacy policy is a legal document, so it needs to include some very specific things. You have some wiggle room with what information you’ll write into the policy itself, but not much. GDPR and CCPA regulations require privacy policies written in clear and easy-to-understand language. A strong privacy policy includes:
- A list of the type of information that your company collects, and how it is collected. Some websites only store information that is expressly given to them through an online form, for example. Other websites might ask permission to collect data through your cell phone location or web browser and, if permission is granted, store that information, too. Your company may also partner with social media platforms to get further customer data, which a privacy policy would need to clearly spell out.
- The reason that your company is collecting the data. Is the data being used to market your products? Is it used to improve customer experience? Is it mainly for understanding who your target customer is? Maybe it’s a combination of these things and more. You will need to define your company’s reasoning for collecting and keeping customer data. You’ll also need to make a case for why it’s necessary for you to have this data in order to conduct business, according to GDPR regulations. (Here are some GDPR privacy policy examples.)
- All of the things that your company plans to do (and not do) with customer data. If your company plans to partner with a third party to use customer data, that needs to be clearly explained in the privacy policy. If law enforcement agencies will be able to request the data for any reason, that will need to be mentioned as well. The privacy policy also needs to detail where the data is stored and how it’s going to be kept safe from potential security threats. You’ll need to explain how long you will keep the data, and how you will securely wipe data after a certain period of time or a customer’s request.
- The opt-out policy. The CCPA requires that customers be given the option to delete data that companies have collected from them, as well as opt out of the sale of their personal information. Details on how customers can do that need to be provided in your privacy policy.
Limitations of privacy policy
A good privacy policy will establish expectations for how you are handling your customers’ data. It also establishes limitations on what customers can and should be able to expect.
For example, if your privacy policy outlines that data is stored in a third-party vendor’s care, with end-to-end encryption and other protective measures in place, your customer can’t pursue legal action against you if that third-party vendor is hacked or fails to live up to their data protection promises.
Creating a privacy policy
All privacy policies are contract documents that are considered legally binding. In fact, your privacy policy should state that it is a legal document and that your customers are agreeing to its terms by giving you their data.
You don’t necessarily need a lawyer to write a privacy policy. You can start the creation process by collecting information about your company’s current data collection practices. You’ll need to know what type of data is being collected, why your company collects it, how it’s used, where it’s stored, and whether there is currently a way for customers to opt out. From there, you can begin to craft the basic structure of your policy.
Writing a privacy policy doesn’t need to be overly complicated or overwhelming. You can think of the privacy policy as an opportunity to emphasize how much you value your customers. Use it to show your customers they are making the right choice by doing business with you. You can personalize it with your company’s value statements and highlight the steps that you’ve taken to protect their data and be transparent.
What about clickwrap?
A clickwrap (or click-accept, click-to-sign, or clickthrough) agreement is an online agreement that users “sign” by clicking a button or checking a box. Privacy policies and Terms and Conditions are two of the most common types of clickwrap agreements that companies can add to sign-up pages, checkout flows, and login pages.
Clickwrap agreements have become a common, legally binding way to enter into a contract with another party online. The transaction is comprised of a collection of trackable data points confirming that a user “actively assented” to an agreement through an action — in this case, clicking a button.
Because clickwrap agreements require users to affirmatively assent to a contract by checking a box or clicking a button, a clickwrap is far more enforceable than sign-in-wrap and browsewrap agreements. Ironclad Clickwrap provides an easy, legally binding way to manage online agreements while maintaining a seamless user experience on your website.
Managing privacy policies
Updating privacy policies can be daunting. You have to keep track of constantly changing regulations and update the policy frequently to make sure you’re in compliance. There’s also the question of keeping your policy live in the right place on your website, apps, and other digital assets.
The good news is that digital contracting can make managing privacy policies so much easier. You can track and manage all versions of your policies without getting lost in a sea of outdated documents with countless owners. Best of all, you can update all versions with quick and simple processes, like a dynamic repository to hold contract data and Workflow Designer, to make creating and updating new policies a breeze.
Next steps
Track and manage your privacy policy with Ironclad. Sign up for a consultation here to be one step closer to managing all your digital contracts.
Ironclad is not a law firm, and this post does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of these materials to your business, you should consult with a licensed attorney. Use of and access to any of the resources contained within Ironclad’s site do not create an attorney-client relationship between the user and Ironclad.