We’ll discuss a quick overview of privacy policies, how to write them, why you should include them, and laws you should know about.
Information collected can include:
- Date of birth
- Contact details like your email address
- Location/postal address/physical address
- IP addresses
- Payment details like credit card details or debit card numbers
- Social security or social insurance numbers
- Purchase activity
That last one, in particular, has effects that the average daily internet user like you can see.
Have you ever searched for something like “best TVs in 2022”, browsed a few articles about them, and suddenly saw TV ads when you watched a YouTube video?
That’s because the websites you’ve visited have performed data collection and relayed it to advertisers on YouTube.
On most websites, the footer links to the privacy policy, which informs users and gives them the option to agree and continue or to opt out.
Why Are Privacy Policies Important?
You might be asking yourself: Why is including this important? Won’t users still browse our websites even without seeing how we collect personal information?
It’s because having a privacy notice and a policy on your website is one of the most important legal requirements to fulfill.
Step 1: Include Which Parts of the Users’ Personal Data Your Website or App Collects
Be specific. Saying that you will “collect private information” can be too general and not tell users exactly what data will be collected.
Instead, outline the specific personal data collected by your website. This can range from a few items to a long list, depending on how much data your website collects.
For example, instead of saying, “we collect data”, say, “we will collect your email address, app users’ browsing activity, and postal addresses”.
Place this at the very beginning of your privacy statement because this is often the part most users are interested in reading before they agree to data collection.
Step 2: Explain Why You’re Collecting Personal Data
The next step is to notify users why you’re collecting their personal information. People want to know where the data will be used before agreeing to have it collected.
Some examples of this include planning to resell the data and use it in business practices, for research purposes, or for news updates and promotions.
FOR EXAMPLE: A small business like a bakery might explain that it collects the user’s address and phone number so that it can make deliveries quicker.
Step 3: Explain How You Will Collect Information
Next, you’ll want to go into detail on how you’ll collect personal information. There are a few ways to do so, including:
- Online forms
- Email newsletters
- Website analytics like Google Analytics
- Course registrations
- Contact forms
You’ll want to include this in your privacy statement because it lets users know where they can expect to input their personal data.
Step 4: Provide Users the Option to Opt Out
Another common option you’ll see on websites is the option to disagree with privacy policies. Privacy law demands that users have more control over collected data.
They might want to pull out their data or change it at a future date, and you must comply with that request, as privacy law requires.
Your privacy statement should include the ways that users can request changes to the personal information held on your website’s servers. This includes:
- Right to review collected information
- Right to request that the website should delete data
- Right to request data amendments
You should describe the process for all three on your privacy statement to help the users with these processes if they wish to do any of them.
Step 5: Disclose How Personal Data Is Shared with Third Parties
Another important thing you shouldn’t forget to include is how the personal data will be shared with third parties like other websites or companies.
When sharing data with these third parties, you must include a disclaimer/disclosure in your own policy. Not doing so can put you at legal risk.
There are multiple ways you may want to share your customers’ personal data with third parties.
FOR EXAMPLE: If you’re an online seller of clothes and apparel, you might need to share user data with credit card companies to process payment information.
Then, what if the credit card company’s servers get hacked, and the user’s personal data gets leaked?
Not only will your own company’s reputation be SMEARED, but you’ll get into LEGAL TROUBLE too.
Step 6: Explain How Long You Will Retain the Collected Information
Data privacy laws aren’t just concerned with the use of personal information right now. They’re also concerned with how you’ll use that data down the road.
According to the GDPR (General Data Protection Regulation) from the European Economic Area, you’re only allowed to keep data for as long as necessary for its intended use case.
For example, when doing data collection for a contract, data usage can only apply up until the contract ends. Afterward, you must DELETE IT.
This Data Retention Policy can include information on additional uses for customers’ data other than what was originally intended.
Step 7: Specify How You Protect Users’ Personal Information
Remember the data leak example we gave earlier? That’s definitely not something you want to happen to your website and users!
Remember that users are putting their trust in you that their data is stored securely.
Therefore, other than implementing strong security measures like physical access controls, the other thing you need to do is explain how you’ll protect personal information.
However, we recommend not being TOO specific with enumerating the data security measures you’re implementing.
Hackers might read that specific information and figure out how to bypass your data security measures and computer safeguards.
There’s one more important thing to point out: even if your website or app isn’t targeted toward children, you need to include extra provisions for their data privacy.
If your website or app collects data on children 13 years old or younger, you need to include a statement that addresses child privacy.
Step 8: Outline the Dispute Resolution Process
The next step is something your users will hopefully never have to use but is something you should include anyway.
Standard website privacy policies include how their dispute resolution process works. Most companies tend to add this to their Terms and Conditions policy.
Even though you might do your best to have a good relationship with your users or customers, at some point, legal disputes might happen.
Step 9: Explain Your Online Business Transfer Clause
Many businesses go through transitions throughout their lifespan. One of the common things that can happen is a transfer of ownership.
Including this as a disclaimer in your privacy notice will help let users know that their personal information might be transferred to another entity if the business is transferred.
Doing this will prevent you from getting into any legal trouble if your business transfers to another owner, along with the personal information of your users.
Additionally, include information and disclaimers stating that you’ll do your best to prevent any data leaks of customer information from happening.
Make sure you also state that, after the data is transferred, you can’t guarantee the new owner will maintain the same level of data security or the same privacy practices for your users’ data.
Step 10: Put All of This in an Easily Understood Way
The final step is to review everything you’ve written down so far. Revise any grammatical errors, check spelling, and organize it into easily browsable sections.
Separating each clause required in your privacy notice into different sections isn’t required, but we highly recommend doing so.
The wording you use should be simple but precise. Both average users and legal entities should be able to understand what you’ve written down.
The Clauses and What You Should Include in Privacy Policies
The clauses that you should include are these 8, which we’ve described at various points in the step-by-step guide above:
- Types of information to be collected
- How you’ll use the information
- Third-party disclosures
- How you’ll protect the personal information
- Data subject rights
- Notification of future changes to the privacy statement
- Cookies notice
- Contact information
For example, if you don’t have disclosures on future changes to the privacy notice, users might be able to sue you if they don’t like the changes and weren’t informed about them beforehand.
Privacy Laws You Should Know About
Whether you’re an individual, small business, or a corporation, everyone needs to follow laws when making a website online.
Even if you live in the USA and the servers for your website are located here, it doesn’t mean you can disregard rules made in the European Union.
The nature of the internet means that your website will probably be accessed worldwide, meaning you must abide by the laws wherever your website can reach.
The European Union has enacted the General Data Protection Regulation or GDPR. This regulates data privacy in Europe and has strict penalties for websites that don’t comply.
Even though the GDPR is only valid in the European Economic Area, it still applies to foreign businesses or entities doing business within the area.
Canada’s privacy concerns are handled by the Personal Information Protection and Electronic Documents Act, or PIPEDA for short.
Similarly to the GDPR, PIPEDA is only valid in Canada, but it applies to foreign businesses or entities doing business within the country.
USA: COPPA, CCPA, CalOPPA
The USA doesn’t have one general federal data protection law, but it does have several separate privacy laws:
COPPA stands for Children’s Online Privacy Protection Act.
This law controls the collection of data from children under the age of 13 and is enforced by the Federal Trade Commission.
CCPA stands for California Consumer Privacy Act. It is a law dealing with privacy rights and consumer protection specifically for the state of California.
CalOPPA stands for California Online Privacy Protection Act. It requires online commercial websites and online services to include privacy policies on their website.
Therefore, if you’re based in the state of California, you’d need to follow the COPPA, CalOPPA, GDPR, and CCPA guidelines.
This is because your website is still accessible in Europe, even if you’re based in California.
Frequently Asked Questions
Can I write my own privacy policy?
Yes, you can write your own privacy policies. As long as you follow the step-by-step guide that we’ve included here, you won’t have a hard time.
There are also many templates available online, which can make the process a lot faster and help you not miss any important information you should include.
Is it illegal to use a privacy policy template?
No, using free tools like online templates isn’t illegal. As long as you use your own terms and make them specific to your business, there shouldn’t be any issues.
Do I need a separate privacy policy for the EU?
Most of the time, you don’t need to make a separate one. Just check which additional EU regulations are required and add them to your existing one.
However, if you’ve already made multiple privacy policies, then it might be best to have one separately for the EU so you don’t get confused.