How to Add a Privacy Policy to Your Facebook Page

If you're a Facebook Page Admin, creating a Privacy Policy is an important step to comply with Facebook's terms, and with privacy law. You need a Privacy Policy to explain to your customers how you collect and use their personal information.

In this article, we'll be looking at how to create a basic Privacy Policy and add it to your Facebook Page. We'll also be looking at Facebook's special requirements for Page Admins in the European Union (EU).

Do I Need a Privacy Policy for My Facebook Page?

Yes, you need a Privacy Policy for your Facebook Page. This is true even if your Facebook Page is your only online presence.

Creating a Privacy Policy is standard practice for any business. It will help you show that your business is legitimate and that you treat your customers' personal information with care. It's also a legal requirement in pretty much every major economy.

A Privacy Policy is Required By Law

Privacy law requires you to have a Privacy Policy if you collect the personal information of consumers.

Here are some activities that might qualify as "collecting personal information":

  • Recording the names or email addresses of your customers
  • Taking payments via a payment processor such as PayPal or Stripe
  • Using Facebook's Page Insights product

If you collect the personal information of consumers in any of the following regions, you'll need to create a Privacy Policy:

  • United States: Several state laws require anyone who operates a commercial website or mobile app to create a Privacy Policy, most notably in California.
  • European Union: The General Data Protection Regulation (GDPR) places very strict data protection requirements on all businesses.
  • United Kingdom: EU privacy law still applies in the UK, so if you have UK customers you must also comply with the GDPR.
  • Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) requires all private sector organizations to create a Privacy Policy.

A Privacy Policy is Required Under Facebook's Terms

Even if your business only has a Facebook Page and you don't engage with customers in any other way, it's still important to create a Privacy Policy. This is a requirement of your legal agreements with Facebook.

Take a look at this section of Facebook's Pages, Groups and Events Policies:

Facebook Pages, Groups and Events Policies: Collection of data from users on pages clause

When you use Facebook to take orders or engage with customers, you're collecting their personal information and you must provide notice in the form of a Privacy Policy.

How to Create Your Facebook Page Privacy Policy

Every Facebook Page Privacy Policy is different. Its contents depend on the nature of your business, and also on the laws you need to comply with.

First, we'll talk you through some of the basic information that every Privacy Policy should contain. If you have customers in the EU, there are some extra steps you need to take.

These steps will help you get started with a basic Privacy Policy.

Your Contact Details

You should include full contact details for your business, including its legal name, business address, and email address.

Here's an example from Product Hunt:

Product Hunt Privacy and Cookies Policy: Who we are and how to contact us clause

Note that Product Hunt refers to itself as "the Controller." This is only relevant if you have customers in the EU and have to comply with the GDPR. We'll discuss this in more detail below.

Personal Information You Collect

Your Privacy Policy should identify what personal information you collect, whether via Facebook or via other means.

Whether you're running a physical store, an ecommerce store, or an online services business, you'll need to collect basic personal information such as customers' names and contact details.

If you collect any personal information via your Facebook Page or other means, you need to explain this to your customers in your Privacy Policy. Here's an example from Bando:

Bando Privacy Policy: Information you provide clause - Social media excerpt

If you have a broader online presence extending beyond your Facebook Page, you'll also need to explain the other ways in which you collect personal information.

Here's an example from Pearl Daisy:

Pearl Daisy Privacy Policy: What do we do with your information clause excerpt

Note that Pearl Daisy collects the IP addresses of visitors to its website. Websites commonly collect data that can constitute personal information. For example, if your website uses cookies for advertising or analytics purposes, you should disclose this in your Privacy Policy.

How You Use Personal Information

You must explain your purposes for collecting personal information, i.e. how you use it.

For example, you can use your Facebook Page to enable customers to book appointments or make orders. Or you might use Facebook Messenger to engage with customers and receive inquiries.

You should have a clear business purpose for using any personal information you collect. If you collect email addresses, names, and shipping addresses, you must explain why you do this.

Here's an example from catering business Chrissie Cakes and Supplies:

Chrissie Cakes Privacy Policy and GDPR: What we do with your data clause

How You Share Personal Information

You probably share personal information with several other businesses, such as payment processors, direct marketing companies, and shipping companies. You need to explain this in your Privacy Policy.

Here's an example from ecommerce business Jasmin Studio Crafts:

Jasmin Studio Crafts Privacy Policy: How we share your information with third party apps clause excerpt

Note that you don't necessarily need to name the businesses with whom you share personal information: you can just identify the types of businesses.

If You Have Customers In the UK or EU

If you have customers in the UK or the EU, there's some extra work to do to comply with Facebook's terms. You should also check out our GDPR Privacy Policy Template for guidance on how to create a comprehensive GDPR Privacy Policy.

If you've ever visited a company's Facebook Page from within the UK or the EU (or the wider European Economic Area), you might have noticed a link reading "Information about Page Insights data."

Screenshot of TermsFeed Facebook page

Clicking this link leads to a page explaining that Facebook and Facebook Page Admins are "joint controllers" under the GDPR.

A German court required Facebook to create this policy based on how its "Insights" product works. Here's where to find Insights:

Facebook Page Insights tool

The Insights tool automatically collects data about who visits your Page. As a Page Admin, you would never be able to use this data to determine whether a particular individual had visited your Page. However, under EU law, this data is still personal information, and under the GDPR you and Facebook are jointly responsible for processing it.

Your Obligations Under Facebook's Page Insights Controller Addendum

So, as a Facebook Page Admin, you're held jointly responsible for Insights data. Facebook's Page Insights Controller Addendum sets the rules about how you and Facebook should meet your legal obligations.

The GDPR allows joint controllers to decide among themselves how they will fulfill their legal obligations. Fortunately, Facebook has allocated almost all of the GDPR's duties to itself, and there's not much left for Page Admins to do.

Here are Page Admins' duties under the Addendum:

Facebook Page Insights Controller Addendum: Page admins clause - Legal basis and contact details excerpt

The Addendum requires that you provide the following information in your Privacy Policy:

  • Your legal basis for processing Page Insights data and the "legitimate interests" you are pursuing by using this data
  • The identity of your responsible data controller and their contact details
  • The identity of your Data Protection Officer (if you have one)

Facebook doesn't explain what any of this means or how you can communicate it to your customers. That's where we come in.

Facebook requires you to identify your legal basis for processing Page Insights data.

The concept of the "legal basis" (or "lawful basis") is very important under the GDPR.

We won't go into detail about the legal bases here. Essentially, there are six legal bases, and every time you collect personal information, you need to identify a legal basis for doing so.

See our article Lawful Basis for Processing Under the GDPR for more information.

So, what's your legal basis for receiving personal information from Page Insights? Well, Facebook suggests that it might be in your "legitimate interests," which is one of the six legal bases.

"Legitimate interests" can be a suitable legal basis when you process personal information in a way that benefits your business without causing any significant privacy risks. You should carry out a Legitimate Interests Assessment if you plan on relying on this legal basis.

If you decide that receiving Insights data is in the legitimate interests of your business, you need to explain this in your Privacy Policy. Here's how Daimler does this:

Daimler Facebook Page Privacy Policy: Page Insights data and GDPR legitimate interest clause

Daimler explains how Insights works and then identifies its legitimate interests in receiving Insights data: the ability to recognize user preferences and locations and to adapt and improve its offer accordingly.

Responsible Data Controller and Data Protection Officer

Facebook requires that you provide a name and contact details for the "responsible data controller."

The responsible data controller is your company. Your company is a data controller under the GDPR because it decides why and how to process personal information. We looked at providing your company's contact details above.

Facebook also requires that you provide contact details for your Data Protection Officer. However, unless your business has over 250 employees, or it regularly processes sensitive personal information, it's unlikely you'll need to appoint a Data Protection Officer.

How to Add Your Privacy Policy to Your Facebook Page

Once you've written your Privacy Policy, you need to make it publicly available. If you have a website, create a new page titled "Privacy Policy." If you don't have a website, you can simply create a publicly-available document using a service such as Google Docs.

Once you've hosted your Privacy Policy online, adding it to your Facebook Page is easy.

First, go to your Facebook Page dashboard and select "Edit Page Info" in the top right-hand corner.

Facebook page with Edit Page Info link highlighted

Scroll down to the bottom of the page, then enter a link to your Privacy Policy into the box.

Facebook page settings: Add Privacy Policy link field

A link to your Privacy Policy will now appear on your Facebook Page.

Summary

Your Facebook Page requires a Privacy Policy that explains, at a minimum:

  • Who you are, and how your customers can contact you
  • What personal information you collect
  • How you use personal information
  • How you share personal information

Ensure your Facebook Page Privacy Policy also complies with local privacy law.

If you have customers in the UK or EU, you also need to comply with Facebook's Page Insights Joint Controller Addendum.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.