But what is it, and why do you need one? Data security is more important than ever due to data privacy laws.
Privacy policies are needed to keep users informed and to protect your company from liability.
This article discusses how privacy policies work and how to make a good template.
A privacy policy must disclose how personally identifiable information is collected, processed, and protected.
The kind of information a company collects from users depends on the purpose of the company. Typically, the personal information collected includes:
- Complete name
- Email address
- Phone numbers
- Billing address
- Mailing address
- Marital status
If the company intends to collect information such as photos, location data, and other information from site visitors, that should also be disclosed in the privacy statement.
Privacy policies should be written CLEARLY and explicitly to guarantee that users understand how their personal data will be used.
Digital platforms that collect personal data are legally required to have privacy policies on their websites, mobile applications, blogs, or e-commerce sites.
Privacy policies also compel companies to act transparently regarding how much access they have to customers’ personal information.
On top of that, privacy laws legally require privacy policy agreements to protect users’ information.
Required by Law
In the U.S., privacy laws aim to give customers the freedom and power over how companies collect and use their personal information.
It would be hard to avoid doing business in the U.S. without accounting for the following regulations:
California Online Privacy Protection Act (CalOPPA)
CalOPPA was amended in 2013 to include new disclosures on tracking activities during online visits.
CalOPPA applies to all entities, whether inside or outside the U.S., that intend to collect personal information from California residents online.
This law requires that websites have a clear and CONSPICUOUS privacy notice that discloses what information users are expected to give and with whom it will be shared, including:
- What personal information will be collected
- How the user can review and change the personal information that can be collected
- The third-party services with whom the information will be shared
- The effective date of the policy
CalOPPA is enforced through California’s Unfair Competition Law (UCL) and is subject to actions by the Federal Trade Commission.
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) protects the privacy of children under 13 years old online.
It took effect in 2000 and was later amended in 2013. It applies to all businesses and online services DIRECTED at children.
COPPA was established in response to the growing number of online platforms targeting children’s personal information without parental consent.
Under this legislation, website owners must be in compliance with the following:
- Obtain parental consent before collecting any personal information from children under 13
- Allow parents to review or delete any collected data
- Limit the personal data gathered from children
- Strictly protect the confidentiality and integrity of any data collected from children online
COPPA also applies to foreign websites as long as they are marketed to U.S. children.
Gramm–Leach–Bliley Act
The Gramm–Leach–Bliley Act, also known as the Financial Services Modernization Act of 1999, is intended for financial institutions.
This law covers businesses such as:
- Credit unions
- Insurance companies
- Securities firms
- Auto dealers
It requires businesses that provide financial services to disclose their data collection and data processing to their customers.
Any information gathered for financial or commercial transactions must be protected from threats or unauthorized access.
This act compels financial institutions to allow website users to decline to share their information with non-affiliated entities.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) regulates the collection and processing of personal data from individuals residing in the EU, across all member states.
How is this relevant to US-based websites?
Any business that collects data from EU citizens is subject to GDPR rules regardless of where it is located, and its privacy policy must state:
- What kind of data is collected
- What it will be used for
- Why it was collected
- How long it will be stored
- How customers can contact the company
A firm found in violation of GDPR can be fined up to €10 million to €20 million, or 2% to 4% of its worldwide annual revenue from the previous financial year.
If you allow website visitors from different regions, be aware of international privacy laws to protect your business from liability.
Required by Third-Party Services
Aside from legal requirements, third-party services also demand privacy policies.
If you intend to monetize your website traffic with Google AdSense or host Google Ads, you’ll also need to COMPLY with Google’s policies.
A privacy policy caters both to the rights of individuals to control their personal data online and to the needs of businesses to process personal data for commercial purposes.
What a website can require from a user varies depending on the business industry and the user’s location.
Most privacy policies contain the two most important clauses: the type of customer information to collect and for what purpose.
What Clauses Are Included?
The most commonly requested personal information from users includes:
- Full name
- Email address
The user information gathered from customers often depends on the nature of the business. For example, retail mobile apps may also ask for customers’ billing and shipping addresses.
Any user information gathered should only be used for specific purposes, so don’t collect more data than you need.
Generally, any identifying information that a business wants to collect is covered under this clause.
How the Information Is Used
This clause expounds on the purpose of the data collection and what the business will do with user data.
Depending on the business, there are numerous reasons for collecting data from users.
To avoid liability, it is important to EXPLAIN the reason for collecting user information and the purposes it will serve.
How the Information Is Stored and Protected
This clause should convey the fact that the company will properly handle and PROTECT user information.
It should also explain the scope of the security measures against threats, attacks, and unauthorized access.
The level of security the company can provide should match what’s written in the clause to prevent any legal disputes.
Company Contact Information
It should contain email or mailing addresses, phone numbers, and other company contact details.
If the company operates in many different regions, separate contact information sections based on location can be helpful for users.
Cookies, Log Files, and Tracking
Cookies, log files, and other tools are intended to track users’ browsing information.
Since websites can share this data with third-party services, this clause should notify users how the company uses tools like cookies and log files to improve its website.
Opt-out Policy Clause
An opt-out clause enables users to exercise the rights granted by privacy laws like CalOPPA and GDPR.
Cookie opt-out and management options can help build consumer trust, as they show that the company respects users’ privacy.
At the minimum, the two options of “accepting all cookies” and “rejecting all cookies” should be equally prominent.
Other Examples of Good Privacy Policies
It doesn’t come with bright graphics or colors that can distract users.
It demonstrates transparency to users and shows the level of compliance the company follows to adhere to privacy regulations.
The site discloses its use of additional tracking tools, such as log files and web beacons, to give users a better idea of what happens with their information.
Each section of the agreement ends with a summary that recaps key points that are accessible and understandable for users.
That includes Chrome, Google Meet, YouTube, Gmail, and every Google product on the market.
It’s a handy way to inform users how Google uses their information and what they can do to control and manage it.
Frequently Asked Questions (FAQs)
Below are some commonly asked questions about privacy policies.
However, there are federal and state laws that include provisions on data privacy, such as:
- The Computer Fraud and Abuse Act of 1986
- The Computer Security Act of 1997
- The Americans with Disabilities Act
- Virginia’s Consumer Data Protection Act (CDPA)
- Maryland’s Personal Information Protection Act (PIPA)
State laws from Virginia, Colorado, Connecticut, and Utah also detail several provisions for privacy practices.
In the U.S., federal and state laws include provisions on privacy practices for online entities.