A Privacy Policy is a publicly-posted legal agreement that discloses how a business collects, uses, shares and protects personal information. Privacy Policies are required by a number of laws and by third-party services.
For example, the EU's GDPR requires a Privacy Policy for businesses that interact with users in the EU regardless of where the business itself is located. Commonly-used services like Google Analytics and Mailchimp require their users to have a Privacy Policy in place when using the service.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
What is a Privacy Policy?
Typically, a Privacy Policy will be linked in a website's footer with other important and useful links:
You can also find them in mobile app menus, such as an About, Settings, Help or Legal menu:
While every Privacy Policy is unique, each one ultimately has the same goal: To inform users about how their personal information will be used, what their rights are, and what actions they can take regarding the use of their personal information.
Take a look at this table of contents from Spotify's Privacy Policy. It's a great example of what type of content and information you'll find in a standard Privacy Policy:
A Privacy Policy will be made up of a number of different clauses and sections, each offering additional information to keep the user informed. These agreements can be very long or very short, depending on the nature of the business and the unique practices of the business.
For example, here's a short, simple clause disclosing that all personal information is only processed in the United States:
Now note how much more complex this next clause is from a company that shares personal data globally with both its own group companies and subcontractors:
You can see how the specific content of a Privacy Policy will change depending on the practices of each business, but in general the same information should be disclosed:
- What personal information you collect
- How you collect it
- Why you collect it/how you use it
- How long you keep it for
- How you secure it
- How users can opt out of any of the uses
- How users can contact you with questions
- The date you last updated your Policy
What's the Purpose of a Privacy Policy?
The main purpose of a Privacy Policy is to give consumers important information they need when deciding whether or not to share their personal information with a company.
Since a Privacy Policy discloses details about how personal information is used, consumers can review a company's Privacy Policy to learn about what will happen to their information if they choose to share it.
For example, say you're looking to buy a home and are considering which realtor to work with. You're checking out the Berkshire Hathaway website and things look good. You head to the company's Privacy Policy, where you can find out exactly how any information you share may be used.
Berkshire Hathaway discloses that it may use personal information for marketing and promotional purposes, and may share your information with other companies:
After learning about the use of your personal information for marketing, you can keep reading the Privacy Policy to find out how you can opt out of having your information used for such purposes if you wish to do so:
This clause mentions you can contact the company to opt out from marketing communications, and a bit further down in the Privacy Policy you'll find a clause with contact information:
Without a Privacy Policy, none of this information would be disclosed or accessible to the public. This would mean consumers wouldn't be able to make informed decisions when sharing their personal information with companies.
After sharing personal information, a Privacy Policy is still useful to consumers because they can find information such as the opt-out and contact clauses noted above.
Do Laws Require a Privacy Policy?
To further this purpose of protecting consumers and their personal information, many laws around the world require a Privacy Policy. Businesses that collect or use personal information will fall under the scope of these laws, which include:
- The General Data Protection Regulation (GDPR) from the EU
- The Personal Information Protection and Electronic Documents Act (PIPEDA) from Canada
- The California Online Privacy Protection Act (CalOPPA) from California
Not only do these (and other) laws require a Privacy Policy, but they each have specific requirements for the content and display of the Policy.
For example, CalOPPA requires that the word "Privacy" be included in the publicly-accessible website link. The GDPR requires that the legal basis for processing data be included in every GDPR-compliant Privacy Policy.
Here's how Berkshire Hathaway meets that GDPR requirement with a clause in its Privacy Policy:
Privacy Policies are required by privacy laws to boost transparency of businesses and help protect consumers around the world.
Do Third Party Services Require a Privacy Policy?
If you use a third-party service for something like sending out your email newsletter, tracking visits to your website or processing payments, it's almost guaranteed that the service will require you to have a Privacy Policy.
You'll find this requirement in the Terms and Conditions or Terms of Use that you'll have to agree to if you wish to use the service.
The reason is technical, but also intuitive. Because these third parties collect data either from you or on your behalf, they themselves must comply with privacy laws that require a Privacy Policy. To help limit their own liability, they will require you to have a Privacy Policy and follow the laws as well.
Here's how Mailchimp requires its clients to post, maintain and abide by a public privacy notice:
Think of how personal information flows in a situation with a third party like Mailchimp.
The information goes from the user, to the company, to the third party (here, Mailchimp). The third party's Privacy Policy is mostly between itself and the company. So, the company's Privacy Policy needs to be in place for the users to review.
Always check the Terms and Conditions agreement for any third-party service you sign up for to see what's required, including a Privacy Policy.
To summarize, a Privacy Policy is a legal agreement between a business and its users that dictates how the users' personal information will be handled and what rights the users have. The agreement is required by laws and third-party services.
Privacy Policies work to protect consumers' personal information and their rights by increasing transparency amongst businesses that handle personal information, and giving users the information they need to make the most informed decisions regarding sharing their personal information.