A privacy policy provides transparency about data practices such as personal data collection, data processing, third-party access, and data subject rights. As privacy laws become stricter, businesses must ensure that they have a clear and accessible privacy policy in place. This blog provides comprehensive information on everything you need to know about privacy policies.
What is a privacy policy?
A privacy policy is a legal document that enables individuals to understand how businesses handle their personal data/personally identifiable information, such as phone numbers and credit card information. Therefore, it serves as a gateway to data transparency and assists users in determining whether to interact with your company. Furthermore, many privacy regulations require businesses to provide users with a detailed and accessible privacy policy on their websites.
These documents are sometimes called a privacy notice or a privacy statement. They mostly contain information about the organization, the categories of user data it collects, the purpose of data processing, with whom it shares the data, user rights and methods to exercise them, the date of the last update, and more.
What are some examples of privacy policies?
Businesses can customize privacy policies according to their data practices and style. Here are some examples.
Below is a snippet from Pepsico’s privacy policy. They have adopted a user-friendly approach by adding accordions for each category of information and have also included the last update date.
CookieYes’s privacy policy has a dedicated section for cookies and other tracking technologies, which is essential for almost all websites.
The image below shows how Louis Vuitton has enumerated the purposes of data processing. This is just one of the numerous ways to present the information.
Slack’s privacy policy defines the retention period of the collected data in the following way.
Here is an example from McDonald’s privacy policy describing their international data transfer standards.
Why do you need a privacy policy for your website?
You should publish a privacy policy on your website for many reasons. Here are some of them:
- Legal obligation: Almost all privacy laws worldwide, including GDPR and CPRA, require businesses to disclose data practices. Failure to comply with this requirement can result in severe consequences.
- Customer trust: Customers reasonably expect privacy, so they favour organizations that give them an overview of how their personal data will be handled.
- User rights: Privacy policies inform users of their rights, such as the right to delete or correct their personal data and to opt out of certain types of processing. They also tell users how these rights can be exercised.
- Credibility: Businesses having a well-crafted privacy policy demonstrate credibility and are more attractive to customers.
What happens if you don’t have a privacy policy?
Since privacy policies are a legal requirement, not providing them can result in legal consequences such as penalties. Furthermore, it can also diminish your business’s credibility. This can lead to a trust cliff, which results in potential customers avoiding your business.
What are the key elements of a privacy policy?
The key to creating a comprehensive privacy policy is to include all necessary information, which varies depending on the applicable laws. Below is an outline of the key elements that your privacy policy must contain:
Controller’s name
Provide the legal name of your business in the privacy policy, together with contact details such as an email address and phone number. GDPR also requires some controllers to provide the name and contact information of their data protection officer.
Categories of information
Listing the types of information you collect from consumers/data subjects is a key requirement of almost all privacy laws. Examples include IP addresses, social security numbers, location, contact information, and health information.
Purpose of processing
Your privacy policy must also contain the specific purposes for which each category of data is used. For GDPR compliance, you must also specify the legal basis for processing.
Sources of information
Identify the sources from which you collect personal information, such as your website or the consumer directly. Under GDPR, where data is obtained from a source other than the individual, you must also state whether it came from publicly accessible sources.
Cross border transfer
If your organization engages in the cross-border transfer of personal data, this must be mentioned in your privacy policy, along with details of the security safeguards you have adopted for such transfers. This is particularly important for GDPR.
Data sharing/sale
Your privacy policy must specifically state whether you share personal data with, or sell it to, third parties. This includes the names of the recipients and the types of personal data you share with them.
Consumer rights
Almost all data privacy laws grant users privacy rights, such as the right to access and delete their data. Your privacy policy must enumerate the rights provided under the applicable law, along with the methods to exercise them, for example an email address to which requests can be sent.
Cookies and other tracking technologies
Cookies are an integral part of website optimization, so it is equally important to inform users about the cookies and other trackers you use. This includes the categories of cookies, their purposes, and their retention periods.
Controller’s contact information
Provide contact details for your organization in your privacy policy, for example an email address, physical address or phone number.
Data retention period
You cannot store consumer data indefinitely. Instead, you must inform users how long your organization will retain the collected data. This period must be reasonable and proportional to the purpose of collection. If you cannot determine the retention period, at least state the criteria used to determine it.
Privacy policy updates
Specify how you will notify users of any changes made to the privacy policy.
Effective date
Include the effective date or last update date of your privacy policy. You can also provide older, archived versions.
Privacy policy under different data privacy laws
Many countries have enforced data protection laws that require the inclusion of a privacy policy. Let’s explore some of these laws and the legal enforcement of violations.
GDPR
The General Data Protection Regulation (GDPR) requires businesses that collect personal information from EU citizens to provide a privacy policy containing information such as the controller’s name, types of data collected, legal bases of processing, use of cookies and other trackers, data subject rights, etc. Fines for each violation may reach up to 20 million euros or 4% of the global annual turnover.
CPRA
California Privacy Rights Act (CPRA), the amended version of the California Consumer Privacy Act (CCPA), applies to businesses targeting California residents on a threshold basis. Businesses to which the law applies must provide consumers with a privacy policy/privacy notice.
A CCPA privacy policy must contain the categories of personal data collected, the specific purposes of processing, consumer rights including the right to opt out, the methods to exercise these rights, etc. Penalties for non-compliance can reach up to $7,500 per violation.
LGPD
Brazil’s federal law, LGPD, requires applicable businesses to provide users with information such as the categories of data they collect, the purpose of processing, data subject rights, methods to exercise the rights, data retention period, etc. Non-compliance may result in fines of up to 2% of annual global turnover or $10 million.
PIPEDA
The federal data privacy law of Canada, known as PIPEDA, also includes provisions for privacy policies. It must contain information about the privacy officer, collected data, etc. Penalties for breaches may reach up to CAD 100,000.
What are the best practices for writing a privacy policy?
It is important to consider specific key points to create a compliant privacy policy. The following information provides an overview of best practices for drafting one.
Understand legal requirements
Before drafting your privacy policy, it is important to understand what components it must contain according to various laws. For this, you can carry out your own research or seek advice from a legal expert.
Plain language
Privacy policies are legal documents meant for the awareness of customers. Therefore, use plain language and try to avoid any technical or legal jargon.
Concise
Try not to make your privacy policy too long. Instead, draft it in an easy-to-understand manner and post it conspicuously on your website. For instance, you can include tabular formats to provide information, such as the types of data collected or the purposes/legal basis for each data processing.
Free of charge
Do not charge a fee to access the policy. Furthermore, make sure to provide it in an easy-to-access format at the time of data collection.
Be transparent
The primary purpose of a privacy policy is to be open and honest with users. Therefore, provide information transparently and avoid any hidden practices.
Regular updates
A privacy policy is not a “publish-and-forget” document. It requires review and revision at regular intervals, and whenever your data practices or business operations change. Don’t forget to notify users about these changes.
How do I create a privacy policy?
Now that you know what a privacy policy should look like, let’s create one using the insights provided above.
Digital tools
Using online tools to create a privacy policy is the most convenient and reliable method. Our free privacy policy generator lets you create customized privacy policies in three simple steps.
Privacy policy templates
Another approach is to refer to the various templates available offline and online. Though more demanding than using a privacy policy generator, with careful research and consideration you can create a customized privacy policy this way.
Consult a legal professional
If your business serves residents of several countries, it is always better to consult a legal expert to understand the policy requirements under various laws.
FAQ on privacy policy
Websites have privacy policies for several reasons, including compliance with various data privacy regulations, such as GDPR in the European Union, Canada’s PIPEDA, the Australian Privacy Act, California CCPA, and more. Additionally, privacy policies help foster customer trust, increase credibility, and inform consumers of privacy practices.
A privacy policy discloses an organization’s data practices, such as the categories of data collected and their sources, specific purposes of processing, user rights, privacy practices, etc. On the other hand, a cookie policy provides information about the cookies used on a website.
You need a privacy policy if your business collects personal data from users, such as email addresses, phone numbers, social security numbers, health information, IP addresses, etc. The content of the privacy policy varies by jurisdiction, whether under national laws such as PIPEDA, LGPD and the UK GDPR, or at a supranational level, such as the GDPR of the European Union.
The purpose of a privacy policy is to inform users about how their personal data will be handled by an organization, their rights and how these rights can be exercised.
You can place your privacy policy in the footer or header of your website. For mobile applications, you can also include it in the settings menu. Use terms like “privacy” or “privacy policy” to hyperlink it.
There is no silver bullet for determining what you must include in your privacy policy. It depends upon your organization’s information practices and the laws that apply to you. Therefore, a good privacy policy of an organization based solely in California may not be the same as that of a European organization.