Ironclad Journal

How to Create a Website Privacy Policy


Your company needs to create a website privacy policy if your business collects any personal data online. Personal data can include (but isn’t limited to) names, birthdays, and credit card numbers. Data privacy laws require businesses that collect personal information from users to have a privacy policy. These rules and regulations are not uniform and can vary depending on where a company is located and what laws are applicable. Nevertheless, the two regulations that affect website privacy policies the most are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The GDPR establishes rules on how businesses must handle the personal data of individuals in the European Union (EU), wherever the business itself is located. Companies must be transparent about their data collection practices to comply, including making specific disclosures to users in their privacy policies. Where a business relies on consent as its legal basis for processing, that consent must be freely given, specific, informed, and unambiguous; consent is one of several legal bases under the GDPR, not a requirement for every kind of processing.

Similarly, the CCPA is legislation for improving Californians’ data privacy. It gives California residents the right to know what personal information is collected about them and how it is used, and the ability to opt out of the sale of their data. Companies subject to the CCPA must give notice at or before the point of collection and maintain a current privacy policy that describes their practices.

The collection of personal information also comes with the legal obligation to protect it. A website privacy policy can help your business in the event of a data breach or a dispute over the use of customer information. If either occurs, a clear, published policy gives you some protection against liability by making it hard for customers to claim they were unaware your company was collecting their data. It is not a substitute for actually securing that data.

Besides the legal requirements, a privacy policy can help foster a culture of trust and transparency between your business and its customers.

What is the purpose of a website privacy policy?

Privacy policies exist to protect both customers and the businesses that collect their data. They protect customers from predatory data collection practices and other forms of data privacy abuse. Additionally, a transparent privacy policy can protect your company by providing a clear explanation of which data you are collecting and how you will use it in the future.

For example, Netflix collects and analyzes its subscribers’ search and viewing data to recommend movies and shows (profiling for personalized recommendations). Its policy explains that personal information is used to “optimize content selection, recommendation algorithms, and delivery.”

For your company to receive the benefits of a privacy policy and remain compliant with data privacy laws, you need to do more than just have the policy. It also needs to be shared with users. There are two main methods for sharing:

  1. Browsewrap: A link, most often located at the bottom of the website, states that using the website indicates acceptance of the policy and provides a hyperlink to the terms.
  2. Clickwrap: An agreement that requires users to click a button or check a box indicating they have read and agreed to the policy. It is often displayed to users when signing up for an account (if applicable).

Companies tend to use clickwrap contracts instead of browsewrap because clickwrap agreements are more enforceable in court. Browsewrap contracts are not reliable due to a lack of concrete assent from users. On the other hand, clickwrap agreements are generally enforceable because they require users to assent to the agreement affirmatively.

Can you use a website privacy policy template?

Although a privacy policy is a legally binding document and not the simplest contract to draft, you don’t necessarily need a lawyer to write one for your business. A good policy can be written from scratch or with the help of a privacy policy template. A template is a useful checklist for the required sections, but it only works if you fill it in with your company’s actual practices.

Whether you decide to use a privacy policy template or create your own, you should include specific details about your business’s data collection practices. If you are unfamiliar with this information, you will need to collect it before starting the drafting process. These details will help you form the general structure of your website privacy policy.

One of the risks of writing the document from scratch instead of using a template is not complying with applicable data privacy laws. While a good policy does not need to be complicated, it should not be too generic. A generic policy could fail to comply with privacy rules and regulations, whereas many templates are written to be legally compliant with privacy laws like the GDPR.

Creating a policy with the help of a template should not be confused with copying another company’s policy. Aside from being copyright infringement, it does not give your business an appropriate policy. A privacy policy needs to describe your specific business’s data collection practices accurately to be enforceable.

What should you include in a website privacy policy?

As a legal document, a privacy policy must meet certain requirements. For example, regulations like the GDPR and CCPA require privacy policies to be written clearly and in easy-to-understand language.

What should be included in your policy depends on applicable privacy laws, service provider requirements, and your company’s data collection practices. Nevertheless, a strong privacy policy usually covers the sections below.

The types of information collected

Categories of information commonly collected through a website include:

  • Personal information
  • Financial information
  • Social network data
  • Third-party information
  • Mobile data (like cellphone location)
  • Derivative data (like web browser type)

The GDPR and CCPA require website privacy policies to disclose what types of information are collected. This disclosure is a core component of a privacy policy.

The purpose of data collection

Many data privacy laws also require a company to have an explicit purpose for collecting user data. This purpose should be documented in your policy.

Some ways your business may make use of customer data include:

  • Marketing your products (marketing materials, newsletters, etc.)
  • Improving customer experience (sweepstakes, contests, etc.)
  • Understanding your target market (like surveys)
  • Processing orders/completing transactions

Any of the above activities, or others that involve collecting user data, need to be listed in your website privacy policy. Under the GDPR you must also state the legal basis for each purpose (for example consent, performance of a contract, or legitimate interests, and what those interests are), which in practice means explaining why the collected data is necessary.

Whether the information will be shared with third parties

An increasing number of websites are integrated with other services and platforms. Your website likely transfers data to certain third parties to operate efficiently and seamlessly.

A compliant and transparent policy must disclose which third parties may receive user information. Some common types of third parties include:

  • Service providers
  • Ad networks
  • Social networks
  • Business partners/affiliates

In addition to disclosing these third parties, the purpose and scope of the data exchange should also be clearly explained.

The rights users have over their information

There should be a section of your website privacy policy outlining user rights over their data and how to exercise those rights.

For example, both EU and California users have the right to request access to the data collected about them, and both the GDPR and the CCPA give them the right to request deletion of that data. The CCPA additionally lets consumers opt out of the sale of their information. These rights, and instructions on how to exercise them, need to be spelled out in the policy.

Other information

In addition to the previous sections, your privacy policy should also include:

  • Cookie information
  • Data storage and security information
  • How users can control their data
  • Contact information for users with questions about the policy
  • Links to other legal policies (terms and conditions/terms of service, disclaimer, cookie policy, etc.)

Website privacy policy best practices

Now that you know what to include in your privacy policy, here are some best practices for creation.

Customize your policy

At first glance, every website privacy policy features similar sections, headings, and language.

However, that doesn’t mean you should copy your policy from someone else. Other companies’ privacy policies and templates can serve as references for formatting, style, and content, but your policy must be unique to your company to accurately reflect your privacy practices.

Specifically, your policy must describe:

  • What personal information your company collects, and why
  • How you’re collecting such information
  • Under what circumstances you’ll disclose it
  • How you’re using the information
  • How you’re protecting user data (for example, through physical access controls and technical safeguards)

Be specific

Don’t just restate your legal obligations—you need to be as clear and specific as possible. Avoid generalities and explain why and how you’re collecting personal information. For example, if you’re disclosing personal data to third parties, explain who these parties are, what services they provide, and why you’re disclosing information to them.

Update your privacy policy regularly

Update your website privacy policy periodically to reflect changes in your business, privacy practices, and the law. Include the effective date at the top or bottom of your policy and inform users of these updates through email and site pop-ups.

Effective emails for privacy policy updates should contain the following:

  • A link to the updated policy
  • The date your new policy goes into effect
  • A summary or list of the most important changes made to the policy
  • What users can do if they disagree with the changes

Pop-up notices for privacy policy updates should include:

  • A statement that explains your policy has been updated
  • A link to the updated policy so users can easily read it
  • A mechanism for gaining user consent, such as clickwrap, where users must proactively check a box or button to indicate assent
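The clickwrap mechanism described earlier on this page, and the re-consent step this pop-up list calls for, can be enforced on the server rather than trusted to the front end. The following Python is an added example written for this page; it is not Ironclad’s code or any product’s API, and the class and function names, the form field names (`accept_privacy`, `policy_version`) and the sample policy text are all constructed for illustration. It records only affirmative clickwrap acceptance (a visit with an unchecked box, the browsewrap case, is rejected), ties each record to a hash of the exact policy wording the user saw, and treats every record as stale once the policy changes so that users must consent again.

```python
"""Clickwrap consent capture with policy versioning (illustrative example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample policy text; a real deployment hashes the full published document.
SAMPLE_POLICY_V1 = ("Privacy Policy, effective 2024-01-01. "
                    "We collect name and email to process orders.")


def policy_version(policy_text: str) -> str:
    """Derive a version id from the exact published wording.

    Hashing the text, rather than trusting a hand-edited version label,
    means the stored record proves which wording the user accepted.
    """
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()[:16]


class ConsentRequired(Exception):
    """Raised when a request does not carry valid affirmative consent."""


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    policy_version: str
    accepted_at: str   # ISO-8601 UTC timestamp
    method: str        # always "clickwrap"; browsewrap visits are never recorded


class ConsentStore:
    """Server-side store of clickwrap acceptances, keyed by user (hypothetical API)."""

    def __init__(self, policy_text: str) -> None:
        self.current_version = policy_version(policy_text)
        self._records: Dict[str, ConsentRecord] = {}

    def record_clickwrap(self, user_id: str, form: Dict[str, str],
                         now: Optional[datetime] = None) -> ConsentRecord:
        """Accept a signup form only if it carries an affirmative act on the current policy.

        `form` mimics the POSTed fields: the checkbox value ("on" only when the
        user actually checked it) and a hidden field with the version shown.
        """
        if form.get("accept_privacy") != "on":
            # Merely loading the page (browsewrap) is not assent.
            raise ConsentRequired("consent box was not checked")
        if form.get("policy_version") != self.current_version:
            # The page the user saw is stale, or the hidden field was tampered with.
            raise ConsentRequired("consent was given to a policy version that is no longer current")
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        record = ConsentRecord(user_id, self.current_version, stamp, "clickwrap")
        self._records[user_id] = record
        return record

    def has_current_consent(self, user_id: str) -> bool:
        """True only if the user's record matches the policy version currently published."""
        rec = self._records.get(user_id)
        return rec is not None and rec.policy_version == self.current_version

    def update_policy(self, new_policy_text: str) -> str:
        """Publish a new version; every existing record becomes stale, forcing re-consent."""
        self.current_version = policy_version(new_policy_text)
        return self.current_version

    def consent_evidence(self, user_id: str) -> Optional[ConsentRecord]:
        """The record you would produce in a dispute over whether the user agreed."""
        return self._records.get(user_id)


if __name__ == "__main__":
    store = ConsentStore(SAMPLE_POLICY_V1)
    v1 = store.current_version
    print(store.record_clickwrap("alice", {"accept_privacy": "on", "policy_version": v1}))
    v2 = store.update_policy(SAMPLE_POLICY_V1 + " We also share email with an ad network.")
    print("alice still covered after update:", store.has_current_consent("alice"))
    print(store.record_clickwrap("alice", {"accept_privacy": "on", "policy_version": v2}))
```

The hidden `policy_version` field does double duty: it lets the server reject acceptance of a page that was rendered before an update went live, and it catches a client that replays an old form. In a real system the records would be written to durable, append-only storage, since the record is the evidence that the user assented.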

Make your privacy policy easy to find

Place links to your website privacy policy in prominent areas, such as:

  • Footer
  • Menu
  • Store
  • Checkout
  • Wherever users need to make a privacy decision

Make it easy for users to contact you

Give users multiple contact options to easily raise complaints or questions and request access to their personal data. Common examples include:

  • Phone number
  • Email
  • Mailing address

Add this information to your privacy policy, footer, store, checkout, and other high-traffic site areas.

Use simple language

It’s tempting to fill a privacy policy with dense legal boilerplate. However, you should avoid legalese and overly complicated sentences. Remember, your policy is for consumers, not lawyers. You need to explain your company’s privacy practices in terms the average user of your site will understand. Also, make your policy as concise as possible; like you, users don’t have the time or energy to go through walls of text. They want to be able to scan and understand your privacy practices in seconds, not hours.

Structure your privacy policy

Finally, organize your website privacy policy into clear sections with headings like:

  • The Data We Collect
  • How We Use Your Information
  • How Users Can Control Their Data
  • How To Contact Us

You may also want to consider adding a hyperlinked table of contents and FAQs for ease of use.

How Ironclad can help create your website privacy policy

If your company collects personal data from its website (or app) users, you are required by various data privacy laws to have a privacy policy. The purpose of a website privacy policy is to protect both businesses and consumers, so you cannot go without. Privacy policy templates can help create your company’s policy, provided that you include the necessary information related to your company’s specific data collection practices. Fortunately, Ironclad Clickwrap can help your business with data privacy compliance.
