The Definitive Guide to Privacy Policies

Having a legally compliant privacy policy is no longer just a "good practice".
Privacy policies are required by law, and a must-have for any website or app which handles user data.

Privacy policies are not only among the most important pages of your website or app; they are also a matter of legal compliance.

As you might have already guessed, privacy policies are more important now than ever before. Privacy laws derived from the General Data Protection Regulation (GDPR) are already in full effect. And, one of the key rules of the GDPR is that companies and websites must clarify how the personal data of customers is handled. This means that all matters involving personal data need to be written down in a comprehensive privacy policy.

However, before we get into the depths of analyzing privacy policies and how they relate to the GDPR & other international laws, let’s find the answers to some common questions we get asked most often. This guide to privacy policies was put together to help shed some light on the topic, both from a legality standpoint, and from the standpoint of website & app owners.

Let’s start by examining what exactly is a privacy policy.

What is a Privacy Policy?

A privacy policy is a public statement of how your organization applies the data protection principles to processing data. It should be a simple-to-understand, yet in-depth document that is easily accessible and visible to data subjects. Privacy policies are meant to help customers understand what kind of information you collect, why you collect it, and how they can update, manage, export, and delete their information.

A privacy policy details to your site’s visitors what kind of information you collect, how you collect that information, why you need the information, and what you will do with the information.

This is most commonly seen on websites that collect sensitive info like credit card details. However, if you collect any kind of information—such as names, email addresses, cookies, location, etc.— you will still need a privacy policy. 

These can be tricky to write on your own because a privacy policy needs to meet several different legal requirements. Hiring a lawyer to write a privacy policy can be very expensive and time-consuming, so many people use a privacy policy generator.

However, you might find that a privacy policy generated through automation does not state absolutely all of your personal data processing methods.

In this scenario, you have three choices:

  1. Manually add missing clauses to the generated privacy policy
  2. Consult a legal firm for a fully personalized privacy policy
  3. Write a full privacy policy on your own (not recommended, unless you are a legal expert)

If you choose to go down the route of writing and/or updating the privacy policy by yourself, then read our section on how to write a privacy policy.

How to Write a Privacy Policy?

Your privacy policy should explain all the ways you are accountable for data protection, how individuals can exercise their data subject rights, and which kind of tools and methods you use for personal data processing.  

A Privacy Policy is different from a data protection policy which is an internal document that details your organization’s data protection objectives, responsibilities and how you intend to handle violations.

Articles 12, 13 and 14 of the GDPR outline the requirements on how to write a Privacy Policy. They essentially say that you need to inform data subjects that you have their information and let them know how you are collecting it, where it is being stored and how long you intend to keep it.

Additionally, a privacy policy has to clarify how data subjects can exercise their data subject rights. Individuals have eight data subject rights in total. For more information and some examples of a GDPR compliant privacy policy, you can refer to Jonathan Lea’s GDPR Privacy Policy example and checklist.

Website Privacy Policies

You might be asking yourself: 

Do I really need a privacy policy for my website?

The reality is that almost all websites in the world handle personal data, and therefore they are required to have an accessible, clear and visible privacy policy. If you so much as use Google Analytics, then you are already processing user data and therefore you need to state your data processing activities within a privacy policy.

To give you an idea of what you’re up against, here are two examples of regulations which all websites need to comply with:

  • GDPR (General Data Protection Regulation)
  • CalOPPA (California Online Privacy Protection Act)

While we will cover the relation between privacy policies and the GDPR in depth in a further section, it’s worth noting that the GDPR sets standards for data transfer out of the European Union. One of these standards is that data transfer outside of the European Union may only take place into countries which have met specific requirements regarding data protection laws. Generally, the EU does not list the US as one of the countries that meet this requirement.

However, Privacy Shield, which is an agreement between the EU and US, does allow US companies, or EU companies working with US companies, to meet this requirement of the GDPR. Besides Privacy Shield, several laws affect your privacy policy in the USA and therefore must be taken into consideration. CalOPPA is one of the strictest of all of them and deserves special attention. CalOPPA requires websites and apps to have a clearly visible and accessible privacy policy, among numerous other requirements.

Where to Put Privacy Policy on Websites

There are no legal requirements on where exactly a website’s privacy policy should be placed, as long as it’s easily accessible and visible. Many websites like to put their privacy policy in the footer section, next to disclaimers, terms of use, and other similar pages.

The Legality’s privacy policy, for example, is also placed in the footer section:

Where to Place Privacy Policy on a Website

If you would like a more visualized guide on where to put Privacy Policy on Websites, then refer to the following video:

App Privacy Policies

The conditions and legislation surrounding the privacy policies of mobile apps are no different from those of a website. A privacy policy still has to meet the same requirements, and it should still comply with the same international laws mentioned earlier, such as the GDPR and CalOPPA.

Similarly to websites, a mobile app is required to have a privacy policy if it handles the personal information of its users. Additionally, a privacy policy will be required even if you only use third-party tools, such as analytics tools, which might collect personal data through your mobile app. Also, all of the major app stores require you to have a written privacy policy in order to be featured in the store.

Therefore, it is absolutely crucial for all apps to have a legally compliant privacy policy in place.

Privacy Policies and the GDPR

Having a GDPR compliant privacy policy is crucial if you want to avoid large fines and lawsuits. According to the GDPR, if a company does not maintain adequate records of personal data processing and/or does not provide a full list of data processing methods to the authorities, they are subject to fines. Scarily big fines, in fact. The possible fines could be 10 to 20 million euros, or 2% to 4% of the company’s annual turnover, depending on the specific provisions which were infringed. Refer to Art. 83(4) and Art. 83(5) of the GDPR for more information on this. 

Why is Everyone Updating Privacy Policies?

The reason why everyone has recently been updating their privacy policies is the implementation of the GDPR, which came into force in May 2018. During this period of implementation, everyone was seemingly bombarded with privacy policy updates.

The BBC reported that some high-profile US news websites had been temporarily unavailable in Europe after new EU data protection rules came into effect. Meanwhile, Facebook and Google have already been facing complaints over violations of the brand new regulations. That’s because the GDPR gives EU citizens more rights over how their information is used. Basically, any personal data which is stored in, or is transferred into or out of, the EU must comply with these regulations.

Conclusion

Privacy policies are more important now than ever before. While there are seemingly endless amounts of factors to take into consideration when writing a privacy policy, the process really is not that difficult.

We can recommend the following two resources for getting a quick and compliant privacy policy:

  • Here is a basic checklist you can use to harden your GDPR compliance
  • And, here is our article reviewing various privacy policy generators. We found that some Privacy Policy Generators do, in fact, meet all legal requirements. Therefore, they can be some of the easiest methods of obtaining a high-quality privacy policy within minutes.