At the simplest level, having a privacy policy page reduces the chance of dispute and makes clear to users and customers that you are open and honest about how you use your data.
Beyond this, several laws require some form of privacy policy:
-
- The Children’s Online Privacy Protection Rule (COPPA) applies if you aim your site at American users aged under 13 or know for sure they are using it. COPPA says you must publish a privacy policy detailing what data you collect from under-13s and how you use it.
- The California Online Privacy Protection Act (CalOPPA) applies to many large firms serving Californians and those handling California citizens’ data on a large scale. It says you must publish a privacy policy detailing the types of data you have collected, sold or shared in the past year.
- The California Consumer Privacy Act (CCPA) applies to most businesses that handle data about Californians. It requires a privacy policy detailing your data handling.
- The General Data Protection Regulation (GDPR) applies if you, the person the data is about, or the processing itself, is in a European Union country. It specifically requires you to publish certain information. Not doing so could also invalidate user consent that you may rely on to lawfully process personal data.
What to Include in a Privacy Policy Page
While the precise requirements vary between data protection laws, you should aim to cover five key points in your privacy policy page.
- What data you collect. Usually, you can list broad categories (such as “email address” or “precise location”) and then tell individuals about any specific extra information.
- How you use the data. Many laws say you must explain why you are using data and then only use it for that purpose.
- Whether you share the data. This can include selling data and sharing it with sister companies. If you send data to another country, you should say whether you’ve taken extra steps to make sure the person’s privacy rights remain protected.
- How people can access the data you hold about them. You’ll need clear contact details and an explanation of what information they can request. Most laws say people have the right to correct any mistakes and ask you to delete irrelevant or outdated data.
- How you protect the data. You should list the physical, technical and organizational measures you use to protect against unauthorized access, deletion or alteration.
How to Display Your Privacy Policy Page
In most cases, your privacy policy works best as a dedicated web page. Some laws, however, require you to clearly link to this page from your home page. Ideally, you should include it in your main navigation menu so that it’s easily reachable from any page on your site.
You should also clearly link to your privacy policy page whenever you collect personal information or ask for consent to process data. Examples include order forms and newsletter sign-up pages.
Your Next Steps
Several services can help you create a privacy policy that’s suitable for your location and organization. Examples can be found on the following sites:
- Privacy Policies
- Free Private Policy
Your privacy policy will be more effective if you know that people can readily access it — for example, when using assistive technologies. To highlight your work on accessibility and give readers added confidence, you can generate an accessibility statement like this one on our website.
Further reading and resources: