In the United States, a number of states require companies to post a privacy policy on their websites (California's CalOPPA is the best-known example, and it applies to any commercial site that collects personal information from California residents, wherever the company is located). Regardless of legal requirements, every website should have a privacy policy.
A privacy policy (or privacy notice) needs to be concise, written in plain language, and have a warm tone. It should also reflect the company's brand. A clear, honest policy helps a company build goodwill with users and gives them confidence in how their data is handled.
Personally Identifiable Information
A website collects personally identifiable information (PII) in a variety of ways. For example, a user may send PII directly to a company through a contact form. A website may also collect PII automatically in the background, such as recording a user's IP address in server logs or assigning a cookie that identifies the browser across visits.
Basic Privacy Policy Sections
A privacy policy should disclose what types of personal data a website collects, uses, and shares, and explain how that data is processed. It should also address any legal requirements that apply to the company or its users.
The basic sections of a privacy policy should include:
- Introduction – Provide a friendly introduction to your policy, such as “protecting your personal information is important to us.” Identify the parties that the policy applies to.
- Collection of PII – Identify the personal data that the website collects from users, such as first and last name, address, email, etc. List any data that the website automatically collects, such as in website logs and traffic analyzers. Include explanations of any methods that automatically collect data (using cookies, etc.).
- Use of PII – Describe how you use the personal information that you collect. Explain where you keep the data and how long you keep it.
- Sharing with Third Parties – Explain if you share personal data with any third parties. Also, explain when you are legally required to share data, such as responding to an information request from law enforcement or a judicial authority.
Consenting and Communicating
Users need to understand the contents of a privacy policy. Also, users need to have a way to contact someone about their concerns. All policies should include the following:
- Consent bar – Place a consent bar on your website that lets users accept or decline non-essential cookies and links to the privacy policy. A banner by itself does not make a website GDPR compliant: under the GDPR and the ePrivacy rules, consent must be freely given, specific and informed, declining must be as easy as accepting, and analytics or marketing cookies must not be set until the user has actually consented.
- Contact information – Provide contact information with an email link, such as privacy@company.com, so that users can communicate with someone about their concerns.
- Updates to the policy – Explain how users are notified when the policy is updated.
- E-mail communications – Explain your policies with contacting users via email, such as when they submit a contact form or subscribe to a newsletter.
Legal Requirements
There are many jurisdictions that require specific sections in a privacy policy. These sections may include providing a list of user rights and having procedures that allow users to opt-out of the selling of their PII.
You should consult an attorney licensed in your jurisdiction to review any legal requirements. Even if your company is located in a jurisdiction without privacy policy requirements, you may have users who reside somewhere with such requirements. Therefore, to avoid penalties, it is a good idea for your policy to be generally compliant with privacy laws.
Legally required sections in a privacy policy may include:
- Opt-out of sale or disclosure of PII to third parties – Explain how users can opt-out of having their PII shared with others.
- Opt-out or unsubscribe from third party communications – Explain how users can opt-out of subscription emails and third-party subscriptions made through the company.
- Do Not Track requests – Explain how your website responds to a Do Not Track (DNT) request when a user's browser sends one. CalOPPA requires this disclosure even if the answer is that the site does not honor the signal. Note that major browsers have deprecated or removed DNT, while California's CCPA regulations treat the newer Global Privacy Control (GPC) signal as a valid opt-out request, so say how you handle both.
- Right to deletion (“right to be forgotten”) – Provide a procedure that lets users request deletion of their data, and commit to deleting data the company no longer needs. You should also explain the circumstances in which data is retained despite a request (for example, records the company is legally required to keep) and why.
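The consent bar and the DNT/GPC items above describe what the site must do, not just what the policy must say. The following is an added example, not code from the original article, showing server-side logic in Node.js that gates non-essential tracking on the user's recorded consent and on the browser's opt-out headers. The cookie name `cookie_consent`, the two categories, and the sample requests are assumptions for illustration.

```javascript
// Added example (not from the original article): gate non-essential cookies on
// (a) the user's recorded consent and (b) the DNT / Global Privacy Control
// request headers. Plain Node.js, no dependencies.

// Parse a Cookie request header into a plain object. Malformed pairs are
// skipped rather than throwing, so a hostile header cannot crash the handler.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(value); } catch { /* skip bad escape */ }
  }
  return out;
}

// The consent cookie (assumed name) records which non-essential categories the
// user allowed. It is written only after the user acts on the consent bar;
// until then the site must not set analytics or marketing cookies.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['analytics', 'marketing'];

// Returns {analytics, marketing} or null when no valid decision is recorded.
// Anything that is not a JSON object with boolean flags is treated as "no
// consent", so a tampered cookie can only reduce tracking, never enable it.
function readConsent(cookies) {
  const raw = cookies[CONSENT_COOKIE];
  if (!raw) return null;
  let parsed;
  try { parsed = JSON.parse(raw); } catch { return null; }
  if (!parsed || typeof parsed !== 'object') return null;
  const consent = {};
  for (const c of CATEGORIES) consent[c] = parsed[c] === true;
  return consent;
}

// Decide per category whether tracking may run for this request.
// Precedence: a browser opt-out signal (DNT: 1 or Sec-GPC: 1) wins over any
// stored consent; a missing consent cookie means "not yet consented".
function trackingDecision(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const optOut = h['dnt'] === '1' || h['sec-gpc'] === '1';
  const consent = readConsent(parseCookies(h['cookie']));
  const decision = { analytics: false, marketing: false, reason: '' };
  if (optOut) {
    decision.reason = 'browser opt-out signal';
  } else if (!consent) {
    decision.reason = 'no consent recorded';
  } else {
    decision.analytics = consent.analytics;
    decision.marketing = consent.marketing;
    decision.reason = 'user consent';
  }
  return decision;
}

// Build the Set-Cookie header that records the user's choice. Secure and
// SameSite=Lax limit leakage; the cookie is deliberately not HttpOnly because
// the banner script reads it to avoid re-prompting. Max-Age bounds the choice
// to one year, after which the user is asked again.
function consentSetCookie(choice) {
  const value = {};
  for (const c of CATEGORIES) value[c] = choice[c] === true;
  const encoded = encodeURIComponent(JSON.stringify(value));
  return `${CONSENT_COOKIE}=${encoded}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`;
}

// Constructed sample requests (not real traffic) exercising each branch.
const bothAllowed = encodeURIComponent('{"analytics":true,"marketing":true}');
const samples = [
  { name: 'first visit',        headers: {} },
  { name: 'consented to both',  headers: { Cookie: `${CONSENT_COOKIE}=${bothAllowed}` } },
  { name: 'consented, but DNT', headers: { DNT: '1', Cookie: `${CONSENT_COOKIE}=${bothAllowed}` } },
  { name: 'GPC signal only',    headers: { 'Sec-GPC': '1' } },
  { name: 'tampered cookie',    headers: { Cookie: `${CONSENT_COOKIE}=not-json` } },
];
for (const s of samples) console.log(s.name, trackingDecision(s.headers));
```

The important design choice is the default: every failure path (no cookie, unparseable cookie, unexpected value) resolves to no tracking, and an opt-out header overrides stored consent, so the policy statement "we honor opt-out signals" stays true even for users who consented earlier.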
Relevant Information
A privacy policy should disclose any relevant information that users may need to know to make an informed decision about using a company’s services and products. Relevant information includes:
- Security of your PII – Explain how the company secures data. Provide an accurate overview of the safeguards in place, and avoid claims you cannot substantiate (such as "military-grade encryption" for data that is not encrypted at rest); the FTC has brought enforcement actions against companies whose security statements did not match their actual practices.
- Disconnecting an account from third party websites – If you allow logins through a third-party platform, explain how the user can disconnect from the service.
- Children under thirteen – Explain whether the website collects data from children. Under the Children’s Online Privacy Protection Act (COPPA), an operator of a site directed to children under 13, or one that knowingly collects personal information from them, must post a privacy policy describing its practices for children’s PII and obtain verifiable parental consent before collecting it; the FTC enforces COPPA.
- External data storage sites – Explain how the company stores data, such as using web servers located in another country.
Policy Accuracy
A company needs to periodically update its privacy policy to disclose changes in how it collects, uses, and shares data. The policy should always reflect the company’s actual practices and business model, and it should never contain incorrect statements: a policy that misdescribes what a company does can constitute a deceptive practice under Section 5 of the FTC Act. The FTC enforces the accuracy of privacy policies and can bring legal actions against organizations that mislead users. Above all, the accuracy of a privacy policy reflects a company’s reputation for being honest and reliable.