One of the key purposes of a Privacy Policy is to inform consumers about how their personal information is used, including if and how it is shared with others.

When drafting your Privacy Policy, this will be an important clause when it comes to transparency and legal compliance.

This article will explain what information you should include in this clause, and show examples of how others have drafted this clause.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is a "How Do We Share Your Information" Clause?

A "How Do We Share Your Information" clause is a clause that explains the ways that you share, or may share, the personal information you collect from consumers. It will state whether or not you do share personal information. If you do share personal information, this clause will state with whom you may share it, as well as for what purposes.

Here's an example of a standard "How Do We Share Your Information" clause that will be found within a Privacy Policy:

UnitedHealth Group Privacy Policy: How we share your information clause

What is Personal Information?

Personal information is any information about an individual that on its own or combined with other pieces of personal information can be used to identify an individual.

Some examples of personal information include but aren't limited to:

  • First names
  • Last names
  • Birthdates
  • Government-issued ID numbers
  • Phone numbers
  • Physical addresses
  • Email addresses
  • IP addresses

It can also be referred to as personal data or personally identifiable information depending on the privacy law.

Do You Need a "How Do We Share Your Information" Clause in Your Privacy Policy?

Yes, you will need to have a "How Do We Share Your Information" clause in your Privacy Policy.

While not every privacy law explicitly requires this clause, a few of the most far-reaching privacy laws do. And even if a law doesn't explicitly require it, there is an inherent implication that a Privacy Policy disclose how personal information is used, which includes sharing.

Here are just a few of the privacy laws that require you to disclose if and how you share personal information:

  • General Data Protection Regulation (GDPR): This EU law requires transparency around the collection, use and sharing of personal information.
  • California Consumer Privacy Act (CCPA): This California law requires that any data sharing or selling be disclosed.
  • The Colorado Privacy Act (CPA): This Colorado law requires that any data sharing be disclosed.
  • The Children’s Online Privacy Protection Act (COPPA): This U.S. law requires that any selling or sharing of children’s personal information be disclosed.
  • The Gramm-Leach-Bliley Act (GLBA): This law applies to financial institutions and requires the disclosure of any sharing of personal information with third parties.
  • The Health Insurance Portability and Accountability Act (HIPAA): This law applies to healthcare providers and requires the disclosure of any sharing of patient data to third parties.

Remember that privacy laws work to protect the people in their jurisdictions, so if you collect and share personal information from people in say California, the CCPA will apply to you regardless of where you're located.

How Do You Write a "How Do We Share Your Information" Clause?

A "How Do We Share Your Information" clause will contain 3-4 main components:

  1. A statement about whether or not personal information is shared. Sharing includes selling. *See note below list
  2. A disclosure of who the personal information is or may be shared with. This can be specifically-named third parties, or general categories of third parties.
  3. Your purposes for sharing or selling the personal information.
  4. If users have any rights or abilities when it comes to opting out of the sharing or selling of their personal information, and how to exercise them.

*If you do not collect any personal information, you clearly won’t be sharing any. In this case, you should disclose that no personal information is collected. For further guidance on creating a Privacy Policy when no personal information is collected, check out our article: Do I Need a Privacy Policy if I Don’t Collect Any Data?

Let's look at each component in greater detail and with examples.

A Statement That Personal Information is (or Isn't) Shared/Sold

You can start your clause by simply and clearly stating whether or not you share/sell user personal information. Many companies choose to state that they "may" share personal information with others.

People are understandably concerned about their privacy and want fast, clear answers to their questions. Jump right into it in the beginning of your clause and let users know right away what your sharing practices are before getting into the specifics.

Note that these clauses all end up containing far more detailed information. This section simply addresses the introduction or first section of the clause where it's disclosed right away whether personal information is or isn't sold, shared or otherwise disclosed.

Here's how Amazon acknowledges privacy concerns and quickly discloses that while it does not sell personal information, it does share it in ways which are disclosed later in the clause:

Amazon Privacy Notice: Share personal information clause intro

Whole Foods includes a clause mentioning children's information specifically and notes that it may be shared or disclosed:

Whole Foods Children Privacy Notice: Share information clause

Thorne starts its clause out by noting that personal information may be disclosed:

Thorne Privacy Policy: How we disclose information clause intro

If you don't share or sell any personal information, make sure to disclose this.

Here's how Beekeeper's Naturals discloses that it doesn't trade, rent or sell personal information to any third parties:

Beekeepers Naturals Privacy Policy: Personal information and third parties clause excerpt

You can explicitly note if there are types of personal information you don't sell, such as the example below where Samsung notes that it does not share any biometric data with third parties:

Samsung Privacy Policy: Biometric data clause

Next we'll look at disclosing who you share personal information with.

Who You Share Personal Information With

If you do sell or share personal information, you'll need to let users know who you share it with or sell it to.

Most companies disclose categories of who the information may be shared with, such as payment processors, analytics service providers and advertising networks. Others may be more specific and include actual company names.

Disclosing categories can be helpful to ensure you aren't being misleading. It will also require you to update your Privacy Policy less often as your business practices change.

For example, if you say you disclose information to Google for advertising purposes and end up working with another advertising company, you will need to disclose your Privacy Policy to include this new advertising company or it will technically be inaccurate and misleading.

However, if you state that you share personal information with advertising companies for advertising purposes, this will cover any and all advertising companies you work with now and in the future.

Samsung uses a well-organized list format to disclose who it may share personal information with including business partners, service providers, and when required by law:

Samsung Privacy Policy: Who do we share your information with clause

eBay also uses a list format to note categories of where personal data may be transmitted, including payment service providers, shipping companies and affiliates:

eBay User Privacy Notice: Transmit personal data clause

Thorne organizes this information in a chart format of categories including the categories of personal information shared, and the categories of service providers and third parties that it may be shared with:

Thorne Privacy Policy: How we disclose information clause

For What Purposes Personal Information is Shared

Let users know why, or for what purposes, you share their personal information.

Some common purposes for sharing personal information include but are not limited to the following:

  • Sharing address information with a delivery service to ship and deliver an order
  • Sharing email addresses with an email service to manage and organize email newsletters
  • Sharing financial information with a payment processing company to process payments for purchases
  • Sharing IP addresses and other tracking data with an analytics company to help improve services and provide tailored content

Here's how Microsoft lets users know that it shares personal data to complete authorized transactions, provide requested products, to maintain product security and more:

Microsoft Privacy Statement: Reasons we share personal data clause

Here's how Amazon notes that it shares personal information with third-party service providers for a variety of purposes including fulfilling orders for products or services, delivering packages, analyzing data, processing payments, providing marketing assistance and more:

Amazon Privacy Notice: Third party service providers clause

Note that the last sentence states that the third parties "may not use it for other purposes" than what's listed in this clause. This is a nice touch, as it helps put users at ease knowing the third parties who may receive their personal information won't then take it and use it improperly.

If you list categories instead of actual companies, including a statement like this can be helpful since concerned users won't be able to visit Privacy Policies of specific companies to see how their shared data will be used. Assuring them that their data won't be used in unauthorized or intrusive ways can be a good addition to your Privacy Policy.

If you so list specific companies that you share data with, consider linking directly to their Privacy Policies. This lets users easily see how their shared personal information may be used by who you share it with.

Here's how Samsung discloses that it uses third party analytics and may disclose information to these providers to evaluate the use of its services, help administer services, and diagnose technical issues. It specifically notes that it uses Google and Firebase Analytics, and provides links to further information from both companies:

Samsung Privacy Policy: Third party analytics clause

How Users Can Opt Out of Sharing/Selling of Personal Information

Let users know how they can opt out of any sharing or selling of their personal information. Some privacy laws, such as the CCPA/CPRA, give users the right to opt out of this. The GDPR and other privacy laws grant users the right to have their personal data deleted from a company database so it can no longer be used or shared.

For example, the CPRA states:

"A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information. This right may be referred to as the right to opt-out of sale or sharing."

To learn more about how to compliantly create and display a CPRA-compliant "Do Not Sell My Personal Information" page, check out our article: "Do Not Sell My Personal Information" Page

Opt-out methods often include some of the following:

  • Unsubscribe methods for email lists
  • Blocking cookies for analytics
  • Adjusting settings on browsers or with individual companies, such as advertising preferences
  • Exercising legal rights granted in specific jurisdictions

Here's how Whole Foods lets users know how they can adjust a number of settings that involve the use of their personal information:

Whole Foods Privacy Notice: What choices do I have clause

Amazon includes a robust clause that outlines a number of ways users can adjust the way their personal information is used, shared or sold including contacting customer service, limiting the amount of information that is shared, updating settings or exercising legal rights. Relevant links are added as well to make it more convenient for users to adjust settings:

Amazon Privacy Notice: Choices clause

Microsoft includes a clause for how users can access and control personal data collection and use. It provides links to an opt-out page, a privacy dashboard and a way to contact the company directly:

Microsoft Privacy Statement: How to access and control your personal data clause

Here are some of our related articles that you might find helpful:

Summary

Every Privacy Policy needs a section that lets users know how their personal information may be shared. Sharing includes selling.

When writing this clause, make sure you let users know the following points:

  • Whether or not you share/sell personal information. If you sell some types but not others, you can note this.
  • Who you share/sell personal information with. You can include categories of third parties instead of specifics, but including specifics is helpful as well.
  • For what purposes you share/sell personal information for. List out all the ways you may do this for. Common purposes include for fulfilling orders, processing payments and improving site services.
  • How users can opt out of the share/sell of personal information. Provide as much information as possible to make it easy for users to opt out whenever possible.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy