We'll help you include sections that give context on how you’re using customer data, what data is being collected, who you’ll potentially share that information with, and how website visitors can opt out of sharing their information. Let's dive in.
Step 1: Understand Your Legal Obligations
Data privacy laws generally apply based on whose personal information you process, not on where your business is located. It doesn't matter if your business has no physical presence in a jurisdiction: if you process the personal information of people who live there, you're still required to comply with its data privacy laws (the GDPR, for example, reaches businesses outside the EU that offer goods or services to, or monitor the behavior of, people in the EU).
Step 2: Engage in a Privacy Audit
Step 3: Start by Writing Your Introduction
In this section, you're going to list your business name, as well as whether you operate under a different corporate entity (for example, a parent company or a trading name). More importantly, this is where you confirm that your business is compliant with the privacy laws that apply to it.
Step 4: Outline Personal Data Collection and Use
This section is one of the most crucial ones — and is a key section that governing bodies use to determine the accuracy of your privacy handling claims. Make sure to put whatever data you’re collecting from consumers in this section, such as:
- Phone number
- Email address
- Sex, gender, or orientation
- Race, nationality, or ethnicity
- Religious beliefs
- Financial information such as credit card or banking details
- Login and account information
- IP address
- Web browser and/or device, device software, etc.
This section should also include services like Google Analytics and Facebook Pixel that can monitor and track user behavior. All of these types of services can fall under the general term “trusted third parties”.
Step 5: Talk About How and Why the Data is Being Used
- Providing a more personalized experience
- Verifying identity
- Providing optimized customer service support
- For marketing communications purposes
Whichever of these actions is applicable to how you plan to use consumer data, be sure to clarify it here. Remember that you also need to include how you’ll share data if necessary, to which parties, and for which purposes.
Conversely, if you do not sell user data, say so explicitly here.
Step 6: Explain Your Use of Cookies
This section can be a minefield if you're not careful. In the EU, the ePrivacy Directive (as implemented in each member state's national law) requires that users be informed about non-essential cookies and consent to them before they are set, with the GDPR setting the standard for what counts as valid consent. California's CCPA (as amended by the CPRA) requires notice of the personal information you collect and an opt-out for any sale or "sharing" of it, which covers many advertising and tracking cookies. More importantly, there needs to be an easy-to-find option to adjust cookie settings, and to withdraw consent or opt out, to stay compliant with both the state and the international regulations.
Step 7: Discuss Data Retention and Deletion
Consumers need to know how long you plan on storing their private information. Some regulations, like the GDPR, don't set a maximum data retention period; instead, the GDPR's storage limitation principle states that personal data should be kept for "no longer than is necessary" for the purposes it was collected for.
In practice, we recommend committing to a reasonable, stated time limit per category of data, or following what the relevant data privacy law suggests in your case. Additionally, we suggest that you add some details on how the data will be removed (including backups) and whether access granted to third parties will be revoked as well.
Step 8: Insert Details on How You Process Children’s Data
Most websites avoid collecting data from children, as regulations are even stricter for collecting and managing personal information from minors. However, if you do collect it, you need at least to follow the FTC's Children's Online Privacy Protection Rule (COPPA) in the US, which requires verifiable parental consent before collecting personal information from children under 13.
The age at which someone counts as a "child" varies by jurisdiction: COPPA applies to children under 13, the GDPR's default age of digital consent is 16 (member states may lower it to as low as 13), and the CCPA requires opt-in consent before selling or sharing the personal information of consumers under 16 (and parental consent for those under 13). As a precaution, be explicit here and let users know if you won't be collecting data from minors.
Step 9: Highlight Personal Data Rights
The actual rights a user has regarding their personal data (such as access, correction, deletion, portability, and opting out of sale or profiling) vary widely based on the jurisdiction in which they reside. Again, this section will depend on the countries where you do business and the research you put in at the start. With dozens of privacy and data rights regulations worldwide, proper research is crucial. The goal is to tell users clearly which rights they have and how to exercise them.
Step 10: Discuss Changes and Complaints
Step 11: Add Contact Information
- Company name
- Phone number
- Email address
It’s best practice to have one dedicated person or department that’s assigned to monitor contacts for this purpose.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.