LawDepot’s simple and accessible questionnaire makes creating a unique policy for your site easy. Your custom Privacy Policy should include the following information:
Different types of sites will have to meet different requirements. State what kind of site you’re creating a policy for. You can use our template for:
- Blogs
- E-commerce or online shops (including Shopify)
- Wix or Squarespace sites
- News or media sites
- Portfolios
- Other websites
Users often look to a Privacy Policy to learn more about the site. In addition to the domain name and the full name of the website owner, the policy must also include contact information, such as a phone number, email address, and physical address. The website owner can be an individual or a business.
2. Scope of business
This section of the policy will describe where you have users and which regional regulations your site has to follow.
General Data Protection Regulation (GDPR)
If your site monitors the online behaviour of UK or EU users or offers them products or services, you must comply with the United Kingdom Data Protection Act (DPA) or the General Data Protection Regulation (GDPR).
California Business
If your site is a for-profit business that collects the personal information of California consumers and meets the criteria set out by the California Consumer Privacy Act (CCPA), you’ll have to clarify what personal information your site collects and where the information comes from.
The CCPA requires you to add specific sections if you have disclosed or sold personal information in the last 12 months. This portion should include:
- Which third parties the information was sold or disclosed to
- What categories of personal information were disclosed or sold
- The purpose for disclosing or selling the information
If your site processes or sells children's personal information, you must describe how you obtain consent from parents or guardians. You should also mention whether you sell or disclose de-identified protected patient health information protected by the Health Insurance Portability and Accountability Act.
Lastly, you must provide a section to let your users know where to go for certain user requests. California users have the right to:
- Opt out of the sale of their personal information
- Request access to their personal information
- Request deletion of their personal information
To remain compliant with the CCPA and CPRA, your website must have pages where users can exercise their opt-out rights.
You must title the page "Do Not Sell or Share My Personal Information" and include a link on your homepage. The page must let the user opt out of the sale or sharing of their personal information through, for example, an online form for submitting opt-out requests.
If you sell or disclose sensitive personal information, you must also have a page titled “Limit the Use of My Sensitive Personal Information” and include a link on your homepage. The page must let the user opt out of the use or disclosure of their personal information.
These pages may be combined into one as long as it is clear that the page allows users to exercise all three rights.
3. Details on data
The main portion of your Privacy Policy will be about the personal information you collect and process. These sections cover how you collect the information, who can access it, and what you do with it.
Lawful basis for data processing
The GDPR demands that your site have legal justification for processing personal data. In short, you need to explain why your site can legally access users’ data.
The lawful basis can be one or more of the following reasons:
- Consent from users
- Processing is necessary to pursue your legitimate interests, and a user's interests or fundamental rights do not override your legitimate interests
- Processing is necessary to fulfill a contract
- You have a legal obligation to process user personal data
- A life depends on you processing users' personal data
- Processing is necessary to carry out a task that is in the public interest
Automatic data collection
If your site automatically collects personal information when users access it, you must clarify what data this includes. This can include information like IP addresses, location, and content viewed. You also need to explain how you use this data.
Non-automatic data collection
Some websites will collect personal information when users perform certain functions, like filling out a form, signing up for a newsletter, or paying for a product. Your Privacy Policy must mention what types of data are collected non-automatically. You will also need to explain how you collect and use the information.
Third-party disclosure
Many sites share personal user information with third-party organisations. This includes, among other things, sharing data with Google Ads or Amazon for targeted advertising.
If third parties can collect, process, or access the personal information your site collects, you need to include this in your Privacy Policy. You must mention who the third parties are, what data they have access to, and why they have this access.
Automated decision making
Automated decision-making means any decision made without human involvement. Often, sites that make automated decisions rely on user profiling. Examples of these decisions are exams or tests with pre-programmed algorithms and criteria, loan approval, and automated trading.
You must disclose if your site relies solely on automated decision-making to make decisions about users that can significantly affect them. You must also list what decisions your site uses automated decision-making for, the criteria, and how the decisions will affect users.
Online tracking
Websites often track users’ online activities over time and across third-party websites, which can be helpful for user profiling and targeted ads. Any site that tracks user activity must mention this in its Privacy Policy.
Some web browsers have a “Do Not Track” setting that, when enabled, can stop sites from tracking user behaviour. While your site isn’t legally prohibited from tracking users with this setting enabled, you must be transparent about your practices. Your Privacy Policy must inform users whether your site listens to the “Do Not Track” setting.
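If your policy states that the site honours “Do Not Track”, the server has to actually act on the signal. The following is an added example, not code from the article or from LawDepot: it reads the `DNT` request header (a value of `1` means the user asked not to be tracked, `0` means they expressly allow it, and a missing or malformed header means no preference was expressed), combines it with a consent flag from your own consent store (assumed here), and only then emits a tracking snippet. The request objects and the tracker URL are constructed placeholders.

```javascript
// Added example (not part of the original article): honouring the "Do Not Track"
// request header before loading tracking code.
// Assumptions: `headers` is a lower-cased header map as Node's http module
// provides; `trackingConsent` comes from your own consent store.

// Classify the DNT header: "1" = opt-out, "0" = opt-in, anything else = unset.
function parseDoNotTrack(headers) {
  const raw = headers && headers['dnt'];
  if (raw === undefined || raw === null) return 'unset';
  const value = String(raw).trim();
  if (value === '1') return 'opt-out';
  if (value === '0') return 'opt-in';
  return 'unset';
}

// A site whose Privacy Policy says it honours Do Not Track must let the
// opt-out signal override any stored consent. A site that does not honour it
// (options.honourDoNotTrack = false) falls back to consent alone, and its
// policy must say so.
function trackingAllowed(headers, trackingConsent, options = { honourDoNotTrack: true }) {
  const dnt = parseDoNotTrack(headers);
  if (options.honourDoNotTrack && dnt === 'opt-out') return false;
  return trackingConsent === true;
}

// Server-side rendering helper: emit the tracker only when allowed.
// The script URL is a placeholder, not a real tracking service.
function renderTrackingSnippet(headers, trackingConsent) {
  if (!trackingAllowed(headers, trackingConsent)) return '';
  return '<script src="https://tracker.example.invalid/t.js"></script>';
}

// Constructed sample requests with the decision each one should produce.
const sampleRequests = [
  { label: 'DNT=1, consented', headers: { dnt: '1' }, consent: true },
  { label: 'no DNT, consented', headers: {}, consent: true },
  { label: 'no DNT, no consent', headers: {}, consent: false },
  { label: 'DNT=0, no consent', headers: { dnt: '0' }, consent: false },
];

// Returns a map of label -> whether tracking was allowed, for auditing.
function auditSampleRequests() {
  const result = {};
  for (const r of sampleRequests) {
    result[r.label] = trackingAllowed(r.headers, r.consent);
  }
  return result;
}

// Browser-side equivalent (only meaningful inside a browser, shown as a comment):
// const userOptedOut = navigator.doNotTrack === '1' || window.doNotTrack === '1';
```

Note that `DNT=0` does not grant consent on its own; the example still requires an explicit consent record, so the header can only remove permission, never add it.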
Opt-out option
Users of your site have legally protected rights, and one of these is the right to opt out of data collection for direct marketing purposes. For example, if you send newsletters or marketing emails to users, you need to provide an unsubscribe button.
Your Privacy Policy needs to list what collection, use, or disclosure users can opt out of and how they can do so.
Data retention and security
You must inform your users how long your site retains their data. You can keep it until its purpose has been met or specify a retention period. You also need to describe the security measures you take to protect personal information.
International data transfers
In cases of international data transfer, where your site sends personal information to another country, you must inform users where their data travels.
If you transfer the personal data of EU citizens outside the EU, you must ensure an equivalent level of data protection in the recipient country. If the recipient country doesn’t have an EU adequacy agreement, you might have to implement additional safeguards.
4. Data protection officer and privacy officer
A data protection officer (DPO) ensures that your organisation processes personal data in compliance with data protection rules.
The GDPR requires that you appoint a DPO if your organisation is one or more of the following:
- A public body or authority
- Regularly and systematically monitoring EU individuals' data on a large scale
- Involved in large-scale processing of personal data related to criminal convictions and offences, ethnic origin, political opinions, religious beliefs, or health data
If your organisation doesn’t meet the above requirements, you can still voluntarily appoint a DPO. Note that the law sets out very specific requirements for this role that you and your organisation must follow.
Organisations without a DPO should appoint a privacy officer (PO). Your organisation’s PO will be responsible for most privacy-related matters, including creating privacy policies, performing privacy assessments, and responding to personal data breaches.
Your Privacy Policy must contain the contact information for your DPO or PO.
5. Complaints
Most EU countries have supervisory bodies where users can lodge complaints if a site isn't complying with the GDPR. Your Privacy Policy must list the supervisory bodies of the countries where you have users.
In New Zealand, users can complain to the Privacy Commissioner.
6. Child users and collection of data
Specific rules apply for collecting and processing children's personal information. Depending on where your users are located, you will need to follow different guidelines.
The Privacy Act
Under the Privacy Act, children have the same rights as any other users.
However, in many cases, collecting personal information demands consent from the user. Individuals under a certain age might not have the capacity to give full consent. You might have to ask for parental consent when handling personal information from people under 16.
GDPR
The GDPR demands that you get parental consent before collecting information from children under 16. You can collect this consent by, for example, adding a consent form to your site.
If your site contains content aimed at children in the EU, the GDPR also requires you to make your Privacy Policy accessible and understandable for them.
COPPA
In the United States, websites that collect personal information from or contain content aimed at U.S. children under 13 must follow the Children’s Online Privacy Protection Act (COPPA).
In these cases, your Privacy Policy must contain the following information:
- What personal information you collect from children
- How you collect personal information from children
- If children can make their personal information publicly available on your site
- How you use children’s personal information
- Whether you disclose children’s personal information to third parties, which third parties you disclose the information to, and how the third party uses that information
- Whether any third parties collect children’s personal information from your website
Parents or guardians might have questions about your privacy policy and your use of children’s information. Your Privacy Policy must list contact information for where guardians can turn to get the necessary answers.
In cases where sites collect information from children under 13, guardians have rights over their children’s data. Your Privacy Policy should list how guardians can exercise their rights, for example, by contacting your site via email to request access to or deletion of the information.
7. Cookie policy
Cookies are small pieces of data stored on user computers. These bits of data help websites remember information about users, which can help improve user experience.
You can include a cookie policy that lists what types of cookies your site uses. There are three different types of cookies:
- Functional cookies remember user preferences and settings. They help enhance the performance of websites.
- Analytical cookies, also called performance cookies, track site visitors and user behaviours. They help monitor site performance.
- Targeting cookies build user profiles and serve targeted ads. They are shared with advertisers so that ad performance can be monitored.
Your site can also use third-party cookies for targeted advertising and web tracking. If you use any third-party cookies, you should mention what they’re used for.
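The three cookie categories above map directly onto a gating rule: functional cookies are needed for the site to work, while analytical and targeting cookies should only be set once the user has agreed to them. The following is an added example, not code from the article or from LawDepot. It assumes a `consent` object recorded by your own cookie banner (field names are assumptions) and uses constructed cookie names and values. It also shows the attributes a practitioner would want on every cookie: `Secure`, a `Path`, `HttpOnly` unless script access is genuinely needed, and `SameSite=None` only for cookies that must be sent cross-site (browsers require `Secure` alongside `SameSite=None`).

```javascript
// Added example (not part of the original article): gate cookies by category
// and emit them with safe attributes.
// Assumptions: `consent` is an object like { analytical: true, targeting: false }
// written by your own consent banner; cookie names/values below are constructed.

const COOKIE_CATEGORIES = ['functional', 'analytical', 'targeting'];

// Functional cookies never wait for consent; the other two categories are
// set only when the stored consent record explicitly allows them.
function cookieAllowed(category, consent) {
  if (!COOKIE_CATEGORIES.includes(category)) {
    throw new Error(`unknown cookie category: ${category}`);
  }
  if (category === 'functional') return true;
  return consent != null && consent[category] === true;
}

// Build a Set-Cookie header value with defensive defaults.
// thirdParty: cookie must be sent in cross-site requests (needs SameSite=None).
// scriptReadable: page JavaScript needs to read it (drops HttpOnly).
function buildSetCookie({ name, value, maxAgeSeconds, thirdParty = false, scriptReadable = false }) {
  // Conservative subset of the RFC 6265 token syntax for names.
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error(`invalid cookie name: ${name}`);
  const parts = [`${name}=${encodeURIComponent(String(value))}`, 'Path=/', 'Secure'];
  if (Number.isInteger(maxAgeSeconds) && maxAgeSeconds >= 0) {
    parts.push(`Max-Age=${maxAgeSeconds}`);
  }
  parts.push(thirdParty ? 'SameSite=None' : 'SameSite=Lax');
  if (!scriptReadable) parts.push('HttpOnly');
  return parts.join('; ');
}

// Filter the cookies a page wants to set down to those the user's consent
// permits, and render each as a Set-Cookie value.
function setCookiesForRequest(cookies, consent) {
  return cookies
    .filter((c) => cookieAllowed(c.category, consent))
    .map((c) => buildSetCookie(c));
}

// Constructed sample: one cookie per category; the user agreed to analytics
// cookies but declined targeting cookies.
const sampleCookies = [
  { name: 'session', value: 'abc123', category: 'functional', maxAgeSeconds: 3600 },
  { name: '_stats', value: 'v1', category: 'analytical', maxAgeSeconds: 86400 * 30, scriptReadable: true },
  { name: '_ads', value: 'profile42', category: 'targeting', maxAgeSeconds: 86400 * 365, thirdParty: true },
];
const sampleConsent = { analytical: true, targeting: false };

// Returns the Set-Cookie values that would actually be sent for the sample.
function demo() {
  return setCookiesForRequest(sampleCookies, sampleConsent);
}
```

Third-party cookies are the ones your policy must explain in the most detail, and in this scheme they are also the only ones that can be emitted with `SameSite=None`; keeping that decision in one function makes it easy to audit which cookies leave the first-party context.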
8. Additional details
The last sections of your Privacy Policy should include any other information you want to add about how your website manages users’ personal information. You can also choose to set an effective date.