Privacy Policies 101: The What, the Why, and the How

Privacy Policies 101: The What, the Why, and the How

Legal papers are not everyone's favorite topic of discussion, especially amid the excitement of starting a new online business. Privacy Policies are, however, absolutely necessary for most any website or mobile application.

This article covers the basic facts about Privacy Policies - what they are, why you need them, and what should be included within them.


The What and the Why

A Privacy Policy is a public statement for an online business that provides the following details for consumers:

  • What personal information is collected about users
  • How the information is collected and used
  • How the information is managed and protected
  • How a user can access and control that information

This summary by eBay provides a thorough rundown of all the topics covered by a typical Privacy Policy:

eBay’s Privacy Policy Summary

Personal information is defined as any data that may be used to identify someone, such as:

  • Name
  • Email address
  • Phone number
  • Address
  • ID numbers
  • Credit card numbers

Even anonymous information, like IP addresses and usernames, can be used in combination with other data to identify an individual, and so these are also considered personal information.

In short, any information at all that you collect from your users should be considered personal information and treated as such.

FTC Logo

According to the FTC, ""we regard data as 'personally identifiable,' and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test."

Privacy Laws

If your website or mobile application collects personal data from users, you are required by law to post a public Privacy Policy in most countries. See our article "Privacy Laws By Country" for a directory.

Here are a few examples of privacy regulations that apply to most online businesses.

United States

Privacy Policy in United States

1. FTC

The US Federal Trade Commission maintains and regulates a wide range of private data protection. Although the regulations involved are intricate and vague, the FTC prohibits unfair or deceptive practices by online businesses. This translates to companies that:

  • Fail to protect user data, leaving it vulnerable to hackers or cyber attacks
  • Fail to provide proper notice when Privacy Policies are changed
  • Fail to comply with posted Privacy Policies

2. CalOPPA

The California Online Privacy Protection Act is a California state law that applies to any business that collects information from California residents.

Its basic requirements include the following:

  • Online companies must post a conspicuous Privacy Policy.
  • The Privacy Policy will outline what information is collected from users and with whom it is shared.
  • The business must comply with its own Privacy Policy.

European Union

EU General Data Protection Directive

Going into effect in May of 2018, the General Data Protection Regulation (GDPR) is a far-reaching set of directives enforced by the European Union. It applies to any organization that collects personal data from EU residents.

The GDPR includes a wide range of requirements regarding internet privacy, but at the most basic level, it stipulates that:

  • You must provide full disclosure for all information gathered from users, including that information that is collected by cookies.
  • You must request consent for the collection of information, including the placement of cookies.
  • You must take all measures possible to protect personal information.

Canada

Canada

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) seeks to protect the basic privacy rights of consumers with various regulations and requirements for online businesses. It applies to any organization collecting personal information from Canadian citizens.

The most notable of its requirements include the following:

  • Post a public and accessible Privacy Policy.
  • Collect and protect information in a fair and lawful manner.
  • Obtain consent for the collection of personal information.

Australia

Australia Privacy Principles

The Australian Information Commissioner maintains and enforces a broad set of Australian Privacy Principles (APPs) that apply to anyone collecting personal information from residents of Australia.

Among these guidelines are the following provisions regarding Privacy Policies:

  • Businesses must maintain an updated and visible Privacy Policy at all times.
  • Inform users of what information is collected and how it is used.
  • Provide users access to view and change their own personal data.
  • Take reasonable measures to protect private information.

As you can see, no matter where you run your business, it is highly likely that you will be held accountable by one or all of the privacy laws outlined above. For the sake of limiting liability, it is recommended to follow the minimum privacy requirements of all of them, since the internet is an international framework.

Consumer Privacy Best Practices

Besides the legal requirements for creating a Privacy Policy, it's just good business. In today's world of cyber attacks and identity theft, consumers need to feel assured that your company will maintain their personal information in an honest, transparent, and secure manner.

Below is a list of best practices to follow when handling the personal information of your users:

  • Use clear, easy-to-understand language for your Privacy Policy.
  • Make sure the Privacy Policy is conspicuous and easy to find.
  • Educate the employees that handle customer data to ensure they are well-versed on privacy requirements.
  • Do your due diligence in maintaining up-to-date internal security measures for data protection.
  • Make sure consumers are given easy access to view, edit, or delete their own personal information.
  • Inform your users in a timely manner any time there is a change to your Privacy Policy.
  • Always comply diligently with your own Privacy Policy.

The How

In order to determine exactly which topics to cover in your Privacy Policy, you will need to take a close look at how you handle the personal information of users.

Below is a description of common Privacy Policy clauses and when to use them:

1. What Information is Collected and How

This clause is vital to any Privacy Policy. Here, you will inform the visitor exactly which personal information is collected and how it is collected. This includes both information that is provided directly by the user and information that is collected automatically by your website.

United Airlines provides a clear list of each item of personal information they collect:

United Airlines Privacy Policy: Information we collect about you clause

Make sure to be as thorough as possible to avoid any misunderstandings. Information you collect through cookies and third-party sources should also be included in the list.

Canva describes each type of information it collects, such a user-provided data, third-party data, and analytics data:

Canva’s Privacy Policy: Information collected clause

2. How Information is Used

Another essential is that your Privacy Policy must lay out exactly how information is used and why it is required. If you need to collect demographic information to improve your services, for example, explain this to users.

Apple describes each way they use personal information and why it's necessary, complete with a few examples:

Apple Privacy Policy: How we use your personal information clause

Full disclosure in this section will not only limit your liability under the law. It will also help to build trusting relationships with your customers.

AT&T also features a thorough bulleted list of all the ways they use customer information:

AT and T Privacy Policy: How we use information clause

3. Third-Party Access

If your business shares user data with third-party software for taking orders, analytics, advertising, or any other reason, you'll need a third-party access to information clause.

Spotify explains the need for sharing information with third-parties:

Spotify Privacy Policy: Sharing information with third parties clause

In this section, it is necessary to list what types of third-party affiliates you share personal information with and why. This is a good place to mention services like Google Analytics or credit card processing software, with whom you would have to share user activity in order for the service to function properly.

CBS goes into great detail to ensure that users understand exactly who has access to their information:

CBS Privacy Policy: Disclosure of Information clause

4. Cookies

Although it is recommended to create a seperate Cookies Policy, it is also a good idea to include a brief clause in your Privacy Policy that covers cookies.

Lonely Planet provides an itemized list of every way they use cookies:

Lonely Planet Privacy Policy: How do we use cookies clause

Explain what cookies are and why they are used. If you have seperate Cookies Policy, provide a link to it here. If there is no Cookies Policy, it's a good idea to list the cookies you use within the Privacy Policy. Make sure to include third-party cookies in this list as well.

GOV.UK created this chart of cookies within their Cookies Policy. Note how they explain what each cookie is for:

Gov.uk’s Cookies Policy: List of cookies names and purposes

5. Communications

Even if you don't send marketing emails, it's important to let users know how you plan to communicate with them. If your system sends any emails, texts, phone calls, or other types of messages, let users know.

T-Mobile provides their visitors with a preference form to choose how they would prefer to be contacted:

T-Mobile Privacy Policy: Marketing Communications clause

Especially in the case of promotional messages, you'll also want to explain to customers how to opt-out if they wish.

Bed Bath & Beyond provides methods for opting out of promotional mailings for both email and standard post:

Bed Bath and Beyond Privacy Policy: How to Opt Out of Communications clause

6. Data Handling

Although every business handles data differently, this section allows you to explain to users how their personal data is stored, accessed, protected, and managed.

A few things you can include in this clause are:

  • Where information is stored
  • How information is protected
  • How users can view, edit, or delete their personal information
  • When it is necessary to retain information after a user account has been closed

Adobe addresses all of the above points in a clear and concise way:

Adobe Privacy Policy: Clauses for storing, securing and transferring personal information

While you can describe how a user may delete his or her account, you may also mention that your company retains the right to delete user accounts as well, but that some information may be retained indefinitely for legal, transactional, or other purposes.

Facebook details how a user may make changes to account information and then goes on to explain why user data may need to be retained:

Facebook Privacy Policy: How Information is Managed clause

7. Business Transfers

A future acquisition or business merger is a possibility for any brand. To be safe, it is recommended to include a Business Transfer Clause in your Privacy Policy in anticipation of such a change.

Logitech explains a business transfer disclosure in one short paragraph:

Logitech Privacy Policy: Business Transfer clause

Simply explain to users that in the event of a corporate acquisition or merger, the personal information of the customer database will also be transferred to the new owner. It is ideal to mention that your previous commitment to user privacy will be upheld throughout and after the transfer process.

Amazon describes the business transfer process while reminding consumers that all pre-existing agreements regarding privacy will be upheld:

Amazon Privacy Policy: Business Transfers clause

8. Dispute Resolution

In most cases, legal terms will be covered within your Terms & Conditions. However, a dispute resolution clause in your Privacy Policy couldn't hurt.

Here's an example from Eventbrite:

Eventbrite Privacy Policy: Dispute Resolution clause

Here you will describe your company's process for dispute resolution and let consumers know how to initiate the process if they have any complaints.

eBay's dispute resolution clause is short and simple:

eBay Privacy Policy: Dispute Resolution clause

9. Children Under 13

Unless your business is targeted to children, this section is straightforward but necessary. In the unlikely event that a child under 13 wanders onto your website or mobile app, something like the following paragraph from Instagram should be included in your Privacy Policy:

Instagram Privacy Policy: Children Privacy under COPPA

However, if your services are intended for children or teens, you will need a separate and detailed Children's Privacy Policy that complies with the regulations of the Children's Online Privacy and Protection Act (COPPA).

The Walt Disney Company provides a good example here:

Walt Disney Children

10. Changes to Privacy Policy

You have the right to make changes to your services and Privacy Policy at any time. Let your users know that changes are bound to happen over time.

Here's an example from Whatsapp:

Whatsapp Privacy Policy: Updates to Our Policy clause

Another stipulation of this clause is that you must "inform customers of any changes to your Privacy Policy at the time of or before the changes take place. It is also recommended to let them know how these communications will take place.

CBS lets users know how they will be informed of Privacy Policy changes:

CBS Privacy Policy: Changes to This Privacy Policy clause

11. Contact

Don't let customers' questions and concerns over their privacy go unanswered. Give them an easy method of contacting you regarding privacy issues. If it's possible to provide a dedicated email or department to handle these issues, better still.

The USA Department of State provides two ways to make contact regarding privacy issues:

US Dept of State Privacy Policy: Contact Information

Above are the most common clauses you will find in a typical Privacy Policy. Here are a few more sections that you may choose to include for your business:

  • Security - A short paragraph that reminds users that despite your best efforts, no security system is 100% guaranteed to protect information on the internet.
  • Advertising choices - If your company uses remarketing software, it will be necessary to inform users of opt-out options.
  • Compliance with laws and regulations - Let customers know that in the event of a legal dispute or subpoena, you may need to share personal information with government authorities.

The Where

One stipulation of most Privacy laws is that your Privacy Policy must be conspicuous and easy to find. Many websites place a clear link within the navigational footer so that it appears on every page.

Apple includes the Privacy Policy link in the footer with other important links:

Apple website footer displaying important links

Mobile apps do not always have the capacity to place a Privacy Policy link on every interface, but a clear link on the signup or login page, as well as a privacy section with the settings interface, are usually considered sufficient.

Snapchat provides a link to the Privacy Policy within the signup interface:

Snapchat

With more and more regulations in place that require user consent, many businesses are now including their Privacy Policies within the registration or login process, requiring users to consent to the Privacy Policy before continuing with service.

In this example by Samsung, clicking the "Create Your Account" button insinuates automatic agreement with the Privacy Policy:

Samsung

Here's another example from Canvas that requires visitors to actively click and agree with the Privacy Policy before registering:

Canvas: Sign up form with clickwrap agree to ToU and acknowledge Privacy Policy example

Now that you know the What's, Why's, How's, and Where's of Privacy Policies, you're ready to create your own. Try our Privacy Policy Generator for a fast custom policy that's catered to your business.

Jaclyn K.

Jaclyn K.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.