Privacy Policy

Almost every business that collects data through a website, mobile app, or desktop app must publish a privacy policy for one or more of the following reasons:

  1. Data privacy laws
  2. Third-party service requirements
  3. Maintaining trust and transparency between your business and customers

Let’s examine these three requirements in more detail:

Privacy Policies are Required by Law

Privacy laws vary around the globe, and your website or app must abide by the regulations based on the location of your business, your targeted audience, and where you conduct business.

As data collection and processing become more ubiquitous across the internet, data privacy laws in the US and around the world set strict requirements for privacy policies.

The following laws determine whether and when you legally need a privacy policy page for your website or app:

The General Data Privacy Regulation (GDPR)

The GDPR regulates privacy policy requirements for entities targeting users in the European Union (EU) and the European Economic Area (EEA), regardless of the company’s physical location.

Your business must comply with the GDPR if it targets EU consumers and meets one of the following thresholds:

  • It offers goods or services
  • It monitors online behavior

Chapter 3, Articles 13 and 14 of the law clarify that users have the right to be fully informed about the collection and use of their personal data.

Linking to a generic privacy policy is not enough under the GDPR; you also need freely given consent from users before collecting their personal information. Under the law, personal data refers to any information relating to an identifiable person, either directly or indirectly.

It’s important to note that different privacy laws use unique definitions for personal information, each with slight variations in meaning.

Your business can communicate all relevant data gathering and processing information in compliance with the GDPR and request user consent by publishing a privacy policy on your website.

The penalties for GDPR non-compliance are fines of up to 4% of your annual global turnover or €24 million ($23 million), whichever is higher.

The California Consumer Protection Act (CCPA)

The CCPA regulates privacy policy requirements for businesses targeting users in California, regardless of the company’s physical location.

Your business falls under the CCPA if it meets one of the following thresholds:

  • It generates over $25 million in annual gross revenue
  • It annually buys, receives, sells, or shares the personal information of 50,000 or more consumers (changing to 100,000 under the CPRA)
  • It derives 50% or more of its annual revenue from the sale of personal consumer data

Under the law, you must inform users about the personal data you collect and how it’s processed.

The text of the CCPA defines personal data similarly to the GDPR but excludes publicly available information, like social media posts.

You must also provide a way for consumers to opt out of the sale of their data.

To comply with the CCPA, you can outline your data practices with our standard privacy policy template and include a conspicuous “Do Not Sell My Personal Information” link.

The penalties for CCPA non-compliance are fines of $2,500 per violation or $7,500 per intentional violation.

The California Online Privacy Protection Act (CalOPPA)

The CalOPPA was adopted in 2004 and was one of the first data privacy regulations implemented in the United States. It set the standard for the presentation, wording, and implementation of privacy policies.

This law established the definition of personally identifiable information and introduced Do Not Track (DNT) requests for users to toggle data tracking preference settings online.

The penalties for CalOPPA non-compliance are fines of up to $2,500 per violation.

Children’s Online Privacy Protection Act (COPPA)

Any business marketing to children in the United States must follow strict rules and regulations following the Federal Trade Commission’s guidelines.

Under COPPA, federal law requires groups targeting an audience of 13 or younger to post a comprehensive privacy policy on any part of their website or app that collects data from children. Consent from a parent or guardian is also required before data gathering begins.

The penalties for COPPA non-compliance are fines of up to $40,000 per violation.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA covers ten fair information privacy practices companies must follow to do business in Canada and applies to all businesses, not just those operating online.

Under the law, organizations must transparently inform the public about data handling practices, and a privacy policy can help meet these requirements.

The penalties for PIPEDA non-compliance are fines of up to $100,000 CAD ($80,000 USD) from federal prosecution.

Other Notable Laws

Depending on where your website is based, who your audience is, and what data you collect, there are various other laws that may apply to you and your privacy policy.

For example, if you send marketing emails or newsletters, you must comply with the CAN-SPAM Act, which requires a clearly posted privacy policy.

If your website is “significantly engaged” in financial activities, you may be subject to the Federal Trade Commission’s (FTC) Gramm-Leach-Bliley Act, which requires the publication of “clear, conspicuous and accurate statements” regarding information collection and sharing practices.

There are over one hundred privacy laws around the world and new internet laws coming out each year. Creating and maintaining a good privacy policy is essential to legally running your website or business.

Our legal team keeps our comprehensive privacy policy template up to date with ever-evolving data privacy laws.

Privacy Policies are Required by Third-Party Services

Do you use Google Analytics, WordPress plugins, or other third-party services? If so, you’ll need a privacy policy.

Many third-party companies require you to provide consumers with a privacy policy to use their tools and resources, even if your website doesn’t fall under laws like the GDPR or CCPA.

Examples of third-party services that require you to have a privacy policy:

  • Amazon
  • Apple
  • ClickBank
  • Google (AdSense, AdWords, Analytics, and Play Store)
  • Facebook
  • Twitter Lead Generation

Your privacy policy should clearly state which third parties can access user data and explain how and why the information is shared.

You must also link the third parties’ privacy policies directly from your own privacy policy so your users can read through the other agreements and choose if they consent to how those services handle their data.

Privacy Policies Increase Transparency and Build Trust

Privacy is a primary concern for modern consumers. People want to know if websites are collecting information about them, what that data might be, how it’s getting stored, and what it’s used for.

Here are some eye-opening privacy statistics showcasing the growing demand from consumers for data transparency from companies.

  • 79% of Americans express concern with how companies use their personal data. (Pew Research Center)
  • 60% of users say they would spend more money with a brand they trust to handle their information responsibly. (Global Consumer State of Mind Report 2021)
  • 48% of users have stopped buying from a company over privacy concerns. (Tableau)
  • 84% of users are more loyal to companies with strong security controls. (Salesforce)

A clear, precise, and easy-to-understand privacy policy ultimately builds trust between your company and the user. Being transparent helps customers feel secure while visiting your website or using your app.

A privacy policy is essential, even if you don’t collect data from your website visitors. If you do not post one, users might assume you are secretly collecting data without informing them, which could be detrimental to your business.

You can download our free website privacy policy template below to quickly customize a professional and accurate policy for your business.

Required Clauses in a Website Privacy Policy

The clauses required in your website’s privacy policy depend on applicable laws and the type of business you’re conducting. However, some clauses commonly appear in a boilerplate privacy policy.

Let’s look at some of the most common clauses in a basic privacy policy sample:

Last Updated Date, Intro, and Summary

You should introduce your business right at the start of your privacy policy. Take the time to explain who you are, what the privacy policy is for, what it applies to, and define how you’ll refer to the company (“we”, “us”, “our”) and any of your services.

The intro is also a great place to build transparency with your users. We recommend including contact information up front to help answer users’ questions that might come up while reading through your policy.

Take a look at the BBC for a great example of a privacy policy introduction clause that is simple, easy to read, and answers most questions a reader might have, like where to go to view the correct policy if you’re in the UK versus other parts of the world.