The Privacy Policy Checklist

Privacy Policies are written statements that let your clients, customers, or website visitors know exactly what personal information you are gathering from them, and how that information will be used, managed, and disclosed to others.

A Privacy Policy is mandatory even if you collect just an email address. It must be posted online and be easy for users to find.

In the US, the Federal Trade Commission (FTC) has provided guidance on the use of these agreements, and all states have laws requiring at least a minimal disclosure of exactly what information is being collected and how that information will be used.

Before you begin to draft this legal agreement, read this checklist to make sure you can keep your customers informed and your business compliant when dealing with personal information collection.

1. Post an appropriate and thorough "Privacy Policy" agreement

Make sure you include all of the required important information in your Privacy Policy.

Identify all of the types of personal information you collect, as well as:

  • How it's collected,
  • How it's used,
  • What third parties have access to it, and
  • How you protect it

eBay Privacy Policy Embedded on Mobile App

Include information about how people can request to see what information you've collected, and either make changes themselves or request that you make changes.

Describe any processes you have in place, such as contact forms, email addresses or account sections where users can access this information.

Apple's Privacy Policy: Access to Personal Information clause

Additionally, you must disclose how your website responds to any actions a client or customer takes to maintain privacy, such as the "Do Not Track" (DNT) browser setting; in the US, CalOPPA requires this disclosure.

Disclose whether third parties have access to the data you collect or are collecting this data themselves through your business.

Apple's Privacy Policy: Do Not Track clause

Always include the effective date of the policy, and describe the process that you will use to notify users of any material changes to your policy.

Twitter Privacy Policy page: Changes to this policy

Always post your Privacy Policy in an easy to find, conspicuous place on your website and within your mobile app.

The footer of websites and the Legal section of your mobile app are common placement locations.

Onyx Coffee Lab website footer: Link to Privacy Policy

To summarize, here are some best practices for creating an appropriate and thorough Privacy Policy:

  • Place the agreement on every page of your website. You should be certain that the link is conspicuous and easily found.
  • If you have a mobile app, make the typeface large enough for the agreement to be read on a small screen.
  • Describe what methods you'll use to inform users about future changes to your Privacy Policy.
  • Mention the effective date.
  • Inform users whether you respond to "do not track" (DNT) signals or not.
  • Inform users if and how they can make choices regarding the collection of their personal information.
  • Inform users whether the use of your website or mobile app results in any third-party collection of personal information.

2. Know your third party data sharing practices

If you work with any third party companies that have access to your users' data and personal information, make sure your Privacy Policy accurately reflects the agreement between your business and those third parties when it comes to third party information collection.

Keep in mind that agreements between central businesses often translate through to subsidiaries and affiliates, so one contract can have long-running ramifications.

Shopify mentions third parties collecting certain personal information from users in its Privacy Policy:

Shopify Third-Party Privacy Policy

3. Don't forget to include passive tracking methods

Passive tracking methods include cookies, pixel tags, web beacons, browser fingerprinting, and other simple but material ways of tracking users.

Your Privacy Policy must thoroughly address these passive means of data collection for you to stay compliant and out of trouble.

Misrepresentations here can lead to charges of deceptive advertising. Even the smallest and simplest tracking method needs to be disclosed.

4. Incorporate "Privacy by Design" as early as possible

With the collection of personal information comes the drive for appropriate privacy.

Users don't want you collecting excessive data from them, and you don't want to have to deal with maintaining and disclosing this excessive collection.

Because of this mutual wish for minimal data collection, there is a new trend towards considering privacy from the beginning and only collecting minimal and necessary data. When developing your website or mobile app, keep this in mind.

Design your websites or mobile apps with a drive for privacy to avoid complications with lawsuits and lengthy and complex legal agreements.

5. Give users a choice

Always give your users the option to opt out of any marketing communications, or require them to opt in explicitly.

This makes it easy when it comes to consent and notice requirements because your customers will always be consenting to receive your communications.

  • The US uses an opt-out standard for sending marketing emails to users, while other countries (the EU, for example) use an opt-in standard instead. Pay extra attention to how you approach this with regard to any marketing emails you send to users.
  • Opt-in consent from users is required when dealing with specific personal data requests on mobile devices (reading SMS messages, geolocation data, and so on).

6. Always have a formal, written data protection compliance program

This isn't required of all businesses, but it's a best practice for any business and may become a legal requirement one day.

By documenting what your business will do to protect the collected data, you will be favorably regarded by your customers and third-party collaborators, and will help avoid potential future data disasters, or at least know how to deal with one if one arises.

7. Be aware of any behavioral advertising your company does

Online Behavioral Advertising ("OBA") works by collecting data about what someone views online and then tailoring advertising specifically to the personal interests of the individual at a later date and on a different website.

If your company participates in this, you must remember to include indemnity provisions and requisite insurance information in any agreements with vendors who collaborate with the OBA campaigns and also disclose all OBA activities in your Privacy Policy.

Retargeting, also known as remarketing, is an example of Online Behavioral Advertising. If your business runs any retargeting campaigns, make sure to follow the requirements of the various platforms you use:

Before any data can be collected from anyone under the age of 13 (other than the fact that the individual is under 13), parental consent must be obtained.

If your website or mobile app is not directed towards children, take steps to ensure you are not collecting data from these children to avoid a violation of the Children's Online Privacy Protection Act (COPPA).

If your company develops a website and/or mobile app to be used by children under 13, make sure you comply with COPPA.

9. Always give notice about location-based information

Location-based information technology works by tailoring advertising or technological features to an individual based on his or her GPS location, such as in or near a specific store, or in a certain town.

Geolocation ask

Always give notice to your customers about how this location information will be collected, used, shared and disclosed.

  • Get the user's consent before collecting the location information.
  • Present the notice about location data collection, and obtain the user's consent, on a separate page or separate mobile app screen, so that the user clearly understands that location information will be collected.
  • This must be an opt-in service, not an opt-out. You must get consent before collecting the information.

By following the above checklist you can ensure compliance when it comes to your Privacy Policy requirements and notification procedures.

Sara P.

Law school graduate, B.A. in English/Writing. In-house writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.