Privacy Policy for landing pages

Privacy Policy for landing pages

In the marketing world, landing pages are for connecting with users to either warm them up to a product or gather their information for a later contact.

The common practice is to remove all unnecessary links and navigation bars from a landing page, so that users are focused towards a call-to-action, such as a web form in which they can enter their contact details or request a quote or an action button that will redirect the user to another part of the website.

However, this often means that your website's legal agreements (such as a Privacy Policy) are removed from the landing page altogether.

This creates a problem for the website's owner, in that they are quite possibly collecting customers' personal data through that landing page, but the customer has not agreed to the website's privacy statement which discloses how the website is using the collected personal data.

Privacy Policy for different types of landing pages

In one sense, a landing page is any page that users can land on. In another, stricter use of the word, a landing page has just one purpose:

to act as a single web page separate from the rest of your website, with one objective and one focused call-to-action for your customers.

There are 2 main types of landing pages:

  1. Click-through landing pages
  2. Lead generation landing pages

The purpose of the click-through landing page is to persuade the user to click through to another part of your website.

On the other hand, lead generation pages have the goal of collecting user's data such as their name and email address so that you can follow up with that person later and market to them.

Landing pages are typically stripped of any content that could distract the customer away from your primary call-to-action, such as navigation bars, footers, and social media links. However, landing pages still need to follow the principles of good design to attract customers:

  • Good use of balanced space to guide the user towards a call to action
  • Hierachy of content
  • Contrast of colors
  • And so on

Here's an example of a click-through landing page from Unbounce:

Example of landing page from Unbounce: Gamground

You can see that the primary call-to-action on this landing page is for users to click the "Connect with Facebook" button and go through to the Facebook page of Gameground.

Now let's look at a lead generation page:

Example of landing page from Unbounce: Immuno

You can see that the main difference here between the click-through and lead generation pages is that the lead generation page has a web form in which the user is encouraged to enter information.

The problem that this creates, however, is that in both cases, user data is collected. Remember that all landing pages collect some data about your customers, even if your page is click-through only.

Some examples of the types of data that a click-through landing page collects can be:

  • The IP address of the user who just landed on that page
  • The time when your website was accessed by a user
  • The type of browser and operating system used by a user
  • If it's a click-through page, what other pages were visited by a user
  • What site the user came from

Lead generation pages collect this kind of information (like above), as well as whatever your user enters some information into the web form.

Also, if you use Google Analytics or other analytics software, you might be collecting more data through these third-parties. Google Analytics requires you to have a Privacy Policy.

This can be an issue because most privacy legislation around the world requires that you inform your users that their data is being collected, among other things.

This means that your landing page should still be linking to your Privacy Policy agreement - the agreement that you should be using to disclosing what kind of personal information are being collected from users.

The most common place is in the footer of the landing page, below the fold. Even Google does this:

Privacy and Terms link in Google Footer

This is usually not enough to provide you with good legal protection, particularly if you're actively collecting information about users. Instead, you can improve on this by displaying the link more prominently such as at the top of the landing page like The Telegraph, shown in the example below:

Privacy and Cookies Links in Header at Telegraph

Another option is for your Privacy Policy to pop up as soon as the user lands on your landing page. This way they can click "I Agree" before they continue, and you can feel more secure knowing that they have legally agreed to your agreement.

For lead generation landing pages, it's even more important that your users agree to your legal agreements. Some potential options are:

  • Display the link to the Privacy Policy in a prominent position on the landing page
  • Include a tick-box near the Submit button on the web form
  • Include a tick-box that is required to be ticked before the Submit button can be pressed

If you chose to use a tick-box solution, it would usually say something like "I Agree to the Terms of Service and the Privacy Policy" with links to both of those documents, like this example from Skype:

Skype Check-box: I Agree to Terms of Use, Cookies & Privacy Policy

Using a checkbox that is required to be ticked before the Submit button can be pressed is the strongest protection for you.

Another way to protect yourself is to consider what information you really need to collect when you are creating your web form on your landing page. Don't ask for information that you don't really need, and make sure that all types of information that you ask for are covered by your Privacy Policy.

But some landing pages may not collect personal data directly from users, i.e. ask users to fill a form. But you can indirectly collect this type of data through third-parties that your website may use.

And these third-parties may require you to properly notify users of this third-party usage. This notification translates in having a Privacy Policy across all your website pages, including any landing pages.

  • If you use Google Analytics you need a Privacy Policy as Google Analytics' own Terms of Service agreement has this requirement:

    You will not and will not assist or permit any third party to, pass information to Google that Google could use or recognize as personally identifiable information. You will have and abide by an appropriate Privacy Policy and will comply with all applicable laws, policies, and regulations relating to the collection of information from Visitors. You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data.

  • If your landing page is part of a remarketing campaign, AdWords also requires you to have a Privacy Policy:

    While remarketing can be a great way to attract past visitors back to your site, you should inform these people that you gather information for remarketing or similar audiences on your website.

  • And so on

Privacy laws that apply to landing pages

Most countries have some kind of privacy legislation, which covers what you need to tell your customers with regard to their personal information: what you collect, how you use it, and who you share it with, for example.

If you have no Privacy Policy displayed on your landing page, you won't be adequately notifying your users and may be breaking the law.

US Flag

With regard to US law, there's no general data privacy law, but the California Online Privacy Protection Act of 2003 (CalOPPA) requires that your legal agreement must contain at least the following:

  • What type of information/data is being gathered by or through your landing page
  • How that information (which you collect) may be shared and with whom
  • How can a user review and make changes to the information

If you think you might have users from California, ensure that you comply with CAlOPPA. If you don't have a Privacy Policy displayed at all, including any landing page (regardless of what type of page it is), you won't be meeting CalOPPA's requirements.

Flags of EU, CA, AU

If you think your landing page might attract people from the UK, Canada, Australia or the EU, UK's DPA act, Australia's Privacy Act, Canada's PIPEDA, and European law all require that certain data collection rules be followed when collecting private information.

The main principles these jurisdictions have in common are:

  • The business should give notice (provide a statement) when collecting personal information from users
  • The business should collect the information only for the purpose stated
  • The business shouldn't disclose personal information without consent
  • The business must keep the information secure
  • The business must inform the customer about who is collecting the information (the business, third-parties etc.)
  • The business should provide customers access to the information for review and/or any changes
  • The business should have an accountability process if these principles aren't being followed

The key thing to note here is that they all require you to give notice when collecting information. If you haven't got a Privacy Policy displayed at all, how are you notifying your users that you're collecting their information?

You don't need a separate agreement for your landing page if you already the legal agreement, but make sure it is being displayed on your landing page in some way and it's updated to reflect what your landing pages might collect.

Use a clickwrap method

A clickwrap agreement is a type of legal agreement where the customer clicks "I agree" in one way or another.

You could use a pop-up window, check box, or button. This is called an explicit or express consent. Here's an example of what clickwrap on a landing page looks like, from Salesforce:

Registration form from SalesForce

Notice what appears underneath the "Start free trial" call-to-action button on Salesforce's landing page:

By submitting your details to us, we may provide salesforce.com information you as set in our Privacy Policy & Security Statement

Clickwrap is traditionally contrasted with browsewrap, which is different: the user is presumed to have agreed to any legal agreement(s) of the website by just browsing the website.

Typically, this method is implemented by displaying links to the legal agreements in a website's footer:

KISSmetrics footer: Links to Terms of Use and Privacy Policy

Given that the general aim of many landing pages is to get rid of navigation and footer bars, browsewrap may not be the best option from a marketing perspective.

This isn't the best option from a legal perspective too, as most courts consider browsewrap methods not to be enforceable. The clickwrap method has been upheld by the courts, as they show that the user has clearly and explicitly agreed to the legal agreements.

In the US, in the 2012 Zappos case (In re Zappos.com, Inc., Customer Data Security Breach Litigation, No. 3:2012cv00325), hackers breached zappos.com, and took the information of Zappos' customers. The customers sued Zappos, but Zappos argued that they had displayed their Terms of Use on their website, which didn't allow the customers to sue.

The Court held that the links to the Terms of Use were not enough for the customers to have had "actual or constructive knowledge" of the terms. The Court stated:

Here, the Terms of Use hyperlink can be found on every Zappos webpage, between the middle and bottom of each page, visible if a user scrolls down. ... The link is the same size, font, and color as most other non-significant links. The website does not direct a user to the Terms of Use when creating an account, logging in to an existing account, or making a purchase. ... Without direct evidence that Plaintiffs click on the Terms of Use, we cannot conclude that Plaintiffs ever viewed, let alone manifested assent to, the Terms of Use.

What Zappos used is known as browsewrap agreement. A browsewrap agreement is where the user must browse the website to access the terms, like the examples shown above with the Privacy Policy linked in the footer of the landing page.

Zappos footer: Links to Terms of Use, Privacy Policy

Courts have generally held that a browsewrap agreement is not enough for a contract to be made between the website operator and the user, unless the link is displayed conspicuously and frequently throughout the website.

This is in contrast to a clickwrap agreement, where the user must click on the terms to continue using the website, or click an "I Agree" button before submitting information through a web form. Clickwrap agreements have typically been upheld by the Courts as valid.

Zappos login: Agree to Privacy Policy, Terms of Use

When you start adding the links to your Privacy Policy, consider the click-through rate of your landing page. The more barriers that exist for the user before they can access your website, the less likely they are to sign up or buy a product.

This means that on one hand you are faced with the huge benefits of using a clickwrap method for your legal agreement, as it provides you with the greatest legal protection; on the other hand, by using a clickwrap method you may see reduced click-through and sign-up rates of users.

If you choose to use a browsewrap method instead, ensure that your links are displayed prominently on your landing page and frequently throughout your website.

The best way to set up a clickwrap method without affecting conversion on your landing pages is to use a checkbox on your lead generation landing page at the end of your web form where you collect customer information, like Salesforce's example above.

Leah H.

Leah H.

Qualified Solicitor. Writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.