Do you run a website that collects personal data from visitors? Then listen up, friend – properly protecting your users‘ privacy should be a top priority.
- The key sections to include (and pitfalls to avoid!)
- Best practices for cookie consent notices
- How to relate your policy to your website‘s Terms of Service
- Tips for keeping your policy current
- Helpful tools for generating a customized draft
So if you‘re ready to step up your website‘s privacy practices, then let‘s dive in!
While privacy policies used to be optional, many jurisdictions now mandate them. Failing to publish one can lead to regulatory enforcement actions including orders to cease data processing or fines up to 4% of global revenue in the case of GDPR.
For example, the UK Information Commissioner‘s Office (ICO) fined hotel chain Marriott £18.4 million in 2020 partly for lacking adequate privacy notices.
It shows users that you value transparency and take steps to protect their personal information. Without one, visitors will be wary to engage with your site, share data, make purchases, or create accounts.
Although the specific requirements differ across jurisdictions, these are some essential sections to include:
Types of Data Collected
Explain the specific types of personally identifiable information you collect about website visitors. This includes things like:
- Name, email, postal address, phone number
- Payment information like credit card numbers
- IP address, device identifiers
- Browsing history, search history, clickstream data
- Account credentials like usernames and passwords
Also disclose if you allow any third-party tracking on your site through tools like analytics services, advertising networks, social media pixels/buttons, etc. These collect user data like browsing behavior too.
If you process special category sensitive data like race, health information, religious beliefs, sexual orientation, etc, explain why it‘s necessary for your service and how you ensure lawful processing.
How Personal Data is Used
For each type of user data your website collects, explain your purposes for processing it. Avoid vague statements like “to improve the user experience”.
Get specific. Examples include:
- Providing core services like account creation, fulfillment, etc.
- Personalizing content like recommendations based on past browsing
- Contacting users with important notices or promotional emails they consented to
- Analyzing traffic patterns and site usage with Google Analytics
- Serving targeted advertising to generate revenue for maintaining our site
- Detecting security incidents, protecting against fraud/abuse
If you share data with third-party processors like email providers, advertising platforms, etc, name them and describe their specific purpose for receiving the data.
Legal Basis for Processing Data
Explain your lawful basis for processing personal data under relevant regulations like the GDPR. Common legal bases include:
- User consent for optional data uses like advertising or research
- Contractual necessity to deliver purchased services
- Legitimate interests like enhancing the user experience or securing the site
- Compliance with legal obligations such as tax reporting
Avoid weak justifications that could fail a regulatory balancing test. Also note if your legal basis depends on jurisdiction.
How Personal Data is Secured
Briefly describe the administrative, physical, and technical security safeguards you implement to protect user data against risks like unauthorized access or breach. For example:
- Encryption of sensitive data in transit and at rest
- Access controls and account security protections
- Computer safeguards like anti-malware solutions
- Secure destruction of data when no longer needed
Avoid overly specific details that could compromise your security posture. You can note that controls adhere to accepted standards or frameworks if applicable.
Data Retention Periods
Explain how long you retain different types of personal data before anonymizing or deleting it when no longer necessary. Base retention schedules on your minimum legal and operational requirements.
For example, you may retain traffic analytics for 13 months, deleted accounts for 30 days, and transaction records for 7 years. Make sure you comply with local record-keeping laws too.
User Rights Around Personal Data
List the rights that users have under data protection laws regarding their personal information. These include:
- Right to access their data through a subject access request
- Right to correct inaccurate or incomplete data
- Right to delete data or be forgotten
- Right to restrict processing in certain circumstances
- Right to data portability to receive their data
- Right to object to processing like direct marketing
Explain how your procedures allow users to submit requests to exercise these rights. Provide an email address or web form they can use.
International Data Transfers
If your website involves cross-border data transfers outside jurisdictions like the EU, explain how you meet requirements.
For example, by certifying compliance with regimes like the EU-US Privacy Shield or Swiss-US Privacy Shield. Or by executing European Commission-approved model contractual clauses with third parties.
Disclose your practices around processing any data collected from children under the age of digital consent.
Explain how you:
- Verify parental consent
- Avoid unauthorized collection of data from minors
- Allow parental rights of access, removal, etc.
This helps demonstrate COPPA compliance in the US and similar youth privacy laws elsewhere.
Crafting Consent Notices for Cookies and Tracking Tools
Websites typically deploy cookies and other tracking technologies to understand user activity and deliver an effective service. But due to regulations like the GDPR, you must first provide clear notice explaining what you use them for.
Your cookie consent notice should disclose details like:
The types of cookies used
- Strictly necessary cookies: Required for core functions like shopping carts, login, etc.
- Performance cookies: Collect anonymous usage data to optimize the site.
- Functional cookies: Enable personalized features like remembering username or language.
- Targeting cookies: Create interest-based profiles for personalized ads.
- Third-party advertising cookies: Enable real-time bidding and digital ads.
The specific purposes each serves
- Measuring website traffic volumes with Google Analytics
- Remembering if you declined cookie consent to avoid asking again
- Showing relevant promotions based on products you viewed
- Bidding in real-time for ads to show you across the web
How users can control cookie settings
- Through your consent mechanism or banner
- Via individual browser settings
How to opt-out of third-party tools
- By adjusting your ad preferences with sites like aboutads.info
Your consent mechanism must require an affirmative opt-in before setting non-essential cookies like those for analytics or advertising. The notice should be prominently displayed when users first visit your site.
Also make rejecting cookies as straightforward as accepting them. And avoid making access to your site conditional on consenting to unnecessary tracking.
- Acceptable use standards
- Your rights to terminate accounts
- Disclaimers limiting liability
- Procedures for handling disputes
- Applicable laws and jurisdictions
It‘s also important to craft both documents in aligned plain language to avoid contradictory or confusing statements that undermine compliance and trust.
- Collecting additional types of user information
- Using or sharing data for new purposes
- Adding third-party processors like a new email provider
Conduct a review annually, even if no changes occurred, to show ongoing compliance.
When making significant revisions, announce changes directly in your policy and proactively notify users by email. Don‘t just quietly swap in a new policy.
Maintaining outdated policies violates transparency requirements and reduces trust. It also risks enforcement action – such as the £500,000 penalty the ICO imposed on airline Cathay Pacific for not updating policies.
Organize into short, focused sections – Break content down using concise headings and paragraphs. Avoid giant blocks of unbroken text.
Highlight key facts – Use lists, tables, and callout boxes to draw attention to important details users must understand.
Write in plain language – Steer clear of legal jargon and aim for language an average website visitor can digest.
Provide definitions – Define any specialized technical or legal terms needed to describe your practices.
Use visual design elements – Space content appropriately. Bold section headers. Align text and structure content using white space.
Enforcement and Penalties Around Privacy Policies
Regulators worldwide increasingly enforce against websites with inadequate privacy policies and notice practices.
In the EU alone, GDPR fines related to insufficient transparency and consent issues exceeded €400 million between 2018 and 2021. Penalties include:
- Lack of clear cookie consent banners: £7.5 million fine for Google in UK
- Vague privacy policies lacking detail: $57 million fine for WhatsApp in Ireland
- Failing to update old policies when collecting new data: $230 million fine for British Airways
Beyond Europe, US state attorneys general have authority to sue companies for deceptive privacy policies violating consumer protection laws. Violations carry fines of $2,500 to $7,500 per affected user.
Plaintiff class action lawsuits over deceptive policies are also on the rise, with potential statutory damages reaching into the billions.
The risks of non-compliance demonstrate why websites must implement compliant, tailored privacy policies!
Some recommended options include:
- TermsFeed‘s GDPR-compliant generator
- iubenda‘s generatory covering global requirements
These services integrate regularly updated templates covering requirements in all major jurisdictions. Their questionnaires simplify the process of documenting your specific collection, use cases, security controls, etc.
You can then take the generated draft and edit it to reflect your precise language, details, and formatting. Additionally, seek legal review before publishing your live policy.
Combining a generator‘s head start with your own customization delivers the best results.
Use this guide to build a tailored policy document that clearly communicates your data practices and legal basis for processing.
Show users how you respect their privacy – it will build trust, aid compliance, and let you focus on delivering an amazing service!