One of the key purposes of a Privacy Policy is to inform consumers about how their personal information is used, including if and how it is shared with others.
When drafting your Privacy Policy, this will be an important clause when it comes to transparency and legal compliance.
This article will explain what information you should include in this clause, and show examples of how others have drafted this clause.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What is a "How Do We Share Your Information" Clause?
- 2. What is Personal Information?
- 3. Do You Need a "How Do We Share Your Information" Clause in Your Privacy Policy?
- 4. How Do You Write a "How Do We Share Your Information" Clause?
- 4.1. A Statement That Personal Information is (or Isn't) Shared/Sold
- 4.2. Who You Share Personal Information With
- 4.3. For What Purposes Personal Information is Shared
- 4.4. How Users Can Opt Out of Sharing/Selling of Personal Information
- 5. Related Articles for Further Reading
- 6. Summary
What is a "How Do We Share Your Information" Clause?
A "How Do We Share Your Information" clause is a clause that explains the ways that you share, or may share, the personal information you collect from consumers. It will state whether or not you do share personal information. If you do share personal information, this clause will state with whom you may share it, as well as for what purposes.
Here's an example of a standard "How Do We Share Your Information" clause that will be found within a Privacy Policy:
What is Personal Information?
Personal information is any information about an individual that on its own or combined with other pieces of personal information can be used to identify an individual.
Some examples of personal information include but aren't limited to:
- First names
- Last names
- Birthdates
- Government-issued ID numbers
- Phone numbers
- Physical addresses
- Email addresses
- IP addresses
It can also be referred to as personal data or personally identifiable information depending on the privacy law.
Do You Need a "How Do We Share Your Information" Clause in Your Privacy Policy?
Yes, you will need to have a "How Do We Share Your Information" clause in your Privacy Policy.
While not every privacy law explicitly requires this clause, a few of the most far-reaching privacy laws do. And even if a law doesn't explicitly require it, there is an inherent implication that a Privacy Policy disclose how personal information is used, which includes sharing.
Here are just a few of the privacy laws that require you to disclose if and how you share personal information:
- General Data Protection Regulation (GDPR): This EU law requires transparency around the collection, use and sharing of personal information.
- California Consumer Privacy Act (CCPA): This California law requires that any data sharing or selling be disclosed.
- The Colorado Privacy Act (CPA): This Colorado law requires that any data sharing be disclosed.
- The Children’s Online Privacy Protection Act (COPPA): This U.S. law requires that any selling or sharing of children’s personal information be disclosed.
- The Gramm-Leach-Bliley Act (GLBA): This law applies to financial institutions and requires the disclosure of any sharing of personal information with third parties.
- The Health Insurance Portability and Accountability Act (HIPAA): This law applies to healthcare providers and requires the disclosure of any sharing of patient data to third parties.
Remember that privacy laws work to protect the people in their jurisdictions, so if you collect and share personal information from people in say California, the CCPA will apply to you regardless of where you're located.
How Do You Write a "How Do We Share Your Information" Clause?
A "How Do We Share Your Information" clause will contain 3-4 main components:
- A statement about whether or not personal information is shared. Sharing includes selling. *See note below list
- A disclosure of who the personal information is or may be shared with. This can be specifically-named third parties, or general categories of third parties.
- Your purposes for sharing or selling the personal information.
- If users have any rights or abilities when it comes to opting out of the sharing or selling of their personal information, and how to exercise them.
*If you do not collect any personal information, you clearly won’t be sharing any. In this case, you should disclose that no personal information is collected. For further guidance on creating a Privacy Policy when no personal information is collected, check out our article: Do I Need a Privacy Policy if I Don’t Collect Any Data?
Let's look at each component in greater detail and with examples.
A Statement That Personal Information is (or Isn't) Shared/Sold
You can start your clause by simply and clearly stating whether or not you share/sell user personal information. Many companies choose to state that they "may" share personal information with others.
People are understandably concerned about their privacy and want fast, clear answers to their questions. Jump right into it in the beginning of your clause and let users know right away what your sharing practices are before getting into the specifics.
Note that these clauses all end up containing far more detailed information. This section simply addresses the introduction or first section of the clause where it's disclosed right away whether personal information is or isn't sold, shared or otherwise disclosed.
Here's how Amazon acknowledges privacy concerns and quickly discloses that while it does not sell personal information, it does share it in ways which are disclosed later in the clause:
Whole Foods includes a clause mentioning children's information specifically and notes that it may be shared or disclosed:
Thorne starts its clause out by noting that personal information may be disclosed:
If you don't share or sell any personal information, make sure to disclose this.
Here's how Beekeeper's Naturals discloses that it doesn't trade, rent or sell personal information to any third parties:
You can explicitly note if there are types of personal information you don't sell, such as the example below where Samsung notes that it does not share any biometric data with third parties:
Next we'll look at disclosing who you share personal information with.
Who You Share Personal Information With
If you do sell or share personal information, you'll need to let users know who you share it with or sell it to.
Most companies disclose categories of who the information may be shared with, such as payment processors, analytics service providers and advertising networks. Others may be more specific and include actual company names.
Disclosing categories can be helpful to ensure you aren't being misleading. It will also require you to update your Privacy Policy less often as your business practices change.
For example, if you say you disclose information to Google for advertising purposes and end up working with another advertising company, you will need to disclose your Privacy Policy to include this new advertising company or it will technically be inaccurate and misleading.
However, if you state that you share personal information with advertising companies for advertising purposes, this will cover any and all advertising companies you work with now and in the future.
Samsung uses a well-organized list format to disclose who it may share personal information with including business partners, service providers, and when required by law:
eBay also uses a list format to note categories of where personal data may be transmitted, including payment service providers, shipping companies and affiliates:
Thorne organizes this information in a chart format of categories including the categories of personal information shared, and the categories of service providers and third parties that it may be shared with:
For What Purposes Personal Information is Shared
Let users know why, or for what purposes, you share their personal information.
Some common purposes for sharing personal information include but are not limited to the following:
- Sharing address information with a delivery service to ship and deliver an order
- Sharing email addresses with an email service to manage and organize email newsletters
- Sharing financial information with a payment processing company to process payments for purchases
- Sharing IP addresses and other tracking data with an analytics company to help improve services and provide tailored content
Here's how Microsoft lets users know that it shares personal data to complete authorized transactions, provide requested products, to maintain product security and more:
Here's how Amazon notes that it shares personal information with third-party service providers for a variety of purposes including fulfilling orders for products or services, delivering packages, analyzing data, processing payments, providing marketing assistance and more:
Note that the last sentence states that the third parties "may not use it for other purposes" than what's listed in this clause. This is a nice touch, as it helps put users at ease knowing the third parties who may receive their personal information won't then take it and use it improperly.
If you list categories instead of actual companies, including a statement like this can be helpful since concerned users won't be able to visit Privacy Policies of specific companies to see how their shared data will be used. Assuring them that their data won't be used in unauthorized or intrusive ways can be a good addition to your Privacy Policy.
If you so list specific companies that you share data with, consider linking directly to their Privacy Policies. This lets users easily see how their shared personal information may be used by who you share it with.
Here's how Samsung discloses that it uses third party analytics and may disclose information to these providers to evaluate the use of its services, help administer services, and diagnose technical issues. It specifically notes that it uses Google and Firebase Analytics, and provides links to further information from both companies:
How Users Can Opt Out of Sharing/Selling of Personal Information
Let users know how they can opt out of any sharing or selling of their personal information. Some privacy laws, such as the CCPA/CPRA, give users the right to opt out of this. The GDPR and other privacy laws grant users the right to have their personal data deleted from a company database so it can no longer be used or shared.
For example, the CPRA states:
"A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information. This right may be referred to as the right to opt-out of sale or sharing."
To learn more about how to compliantly create and display a CPRA-compliant "Do Not Sell My Personal Information" page, check out our article: "Do Not Sell My Personal Information" Page
Opt-out methods often include some of the following:
- Unsubscribe methods for email lists
- Blocking cookies for analytics
- Adjusting settings on browsers or with individual companies, such as advertising preferences
- Exercising legal rights granted in specific jurisdictions
Here's how Whole Foods lets users know how they can adjust a number of settings that involve the use of their personal information:
Amazon includes a robust clause that outlines a number of ways users can adjust the way their personal information is used, shared or sold including contacting customer service, limiting the amount of information that is shared, updating settings or exercising legal rights. Relevant links are added as well to make it more convenient for users to adjust settings:
Microsoft includes a clause for how users can access and control personal data collection and use. It provides links to an opt-out page, a privacy dashboard and a way to contact the company directly:
Related Articles for Further Reading
Here are some of our related articles that you might find helpful:
- Privacy Policy Template
- What Does a Privacy Policy Need to Include?
- "How Do We Use Your Information" Clause in a Privacy Policy
- "How Do We Collect Your Information" Clause in a Privacy Policy
Summary
Every Privacy Policy needs a section that lets users know how their personal information may be shared. Sharing includes selling.
When writing this clause, make sure you let users know the following points:
- Whether or not you share/sell personal information. If you sell some types but not others, you can note this.
- Who you share/sell personal information with. You can include categories of third parties instead of specifics, but including specifics is helpful as well.
- For what purposes you share/sell personal information for. List out all the ways you may do this for. Common purposes include for fulfilling orders, processing payments and improving site services.
- How users can opt out of the share/sell of personal information. Provide as much information as possible to make it easy for users to opt out whenever possible.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.