Whether you are a massive multinational corporation like General Motors or a tiny corner pizza shop with a website that accepts online orders, the rule is the same. If you use a website for any commercial purpose, the FTC can act against unfair or deceptive data practices, and it expects you to tell your audience plainly how you collect, use and share their data. As such, you need a dedicated place for your website privacy statement.
Why Are Privacy Policies Important?
Simply put, personal information is any data that can be used to identify a person, either directly or in combination with other data. At the sensitive end, this means a Social Security number, full name, passport number or banking details. More loosely, it also covers a ZIP code, IP address, or even gender or date of birth, each of which can single someone out when combined with other fields.
Whichever kind you're collecting, visitors who arrive on your site have the right to know exactly what you're gathering from them, how you're using it, and whether you're going to share it with "trusted third parties."
Building on this, privacy law has become far more comprehensive. Major laws such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) here in the U.S. are quite explicit about how they expect commercial businesses to treat consumer data.
Be aware that being located outside these state or national jurisdictions does not absolve you from the obligations these laws set out. There is a long list of multinational corporations that have paid millions of euros or dollars to regulators for violating privacy law. Giant conglomerates can absorb expensive litigation and settlements; the average small business most likely can't weather that storm.
Step 1: Understand privacy laws. Verify what data privacy legislation applies to your business and get acquainted with all legal obligations.
Step 2: Engage in a privacy audit. A thorough privacy audit will determine every piece of personal information you collect from users.
Step 3: Explain your reason for collecting data.
Step 4: Explain how you collect data: by capturing email addresses, through tracking cookies, or by other means.
Step 5: Explain how you use the personal data. Laws like GDPR & CCPA require you to state how you use personal data, including if it’s shared or sold to any third parties.
Step 6: Describe your security practices, including how you store and handle data securely. Data privacy laws make this mandatory for businesses, too.
Step 8: Add other relevant clauses like the rights of users and how you treat the data of minors (if collected).
We won't lie: privacy policies can be heavy on jargon. However, they all tend to follow a similar formula. If you have the patience to read through a few small-business policy templates, or the policies of major national competitors, you'll notice that they follow a strikingly similar format. This is by design.
Using the same boilerplate headers ensures that every piece of information mandated by the various domestic and foreign governing bodies is actually included.
This section is your introduction. List your business name, along with any different corporate entity you operate under. More importantly, this is where you state which privacy laws your policy is written to satisfy.
Keep in mind that even if your business isn't located in the jurisdiction of a given privacy law, you're not exempt from legal action if you're found to be non-compliant, because you can still receive web traffic from that jurisdiction. Unless you preemptively geo-block visitors from those regions, you remain responsible for how you handle the data you collect from them.
Personal Data Collection and Use
Every part of a small-business policy template is important, but this section is one of the most crucial: it is what regulators check your actual data handling against. Simply put, make sure that whatever data you collect from consumers is clearly defined here. Common categories include:
- Phone number
- Email address
- Sex, gender, or orientation
- Race, nationality, or ethnicity
- Religious beliefs
- Financial information such as credit card or banking details
- Login and account information
- IP address
- Web browser and/or device, device software, etc.
Don't forget that this also covers any third-party scripts, pixels or SDKs that process visitor information in the background. That includes analytics and ad pixels such as Google Analytics and Facebook Pixel, and social platforms such as Pinterest or TikTok whose tags send visitor data from your pages to their own business dashboards. All of these services fall under the general term "trusted third parties".
How and Why the Data is Being Used
- Providing a more personalized experience
- Verifying identity
- Providing optimized customer service support
- For marketing communications purposes
Whichever of these uses applies to your plans for consumer data, spell it out here. You also need to state whether you share data, with which parties, and for what purposes. Be especially careful about data sales. Many privacy laws restrict the sale of personal data; California's CCPA permits it, but only with proper notice and a clear way for consumers to opt out.
If you have no plans to sell user data, say so explicitly here.
This section can be a minefield if you're not careful. California's CCPA and the EU's GDPR (together with the ePrivacy Directive's cookie rules) require you to inform users that cookies are in use, and there must be an easy-to-find option to adjust cookie settings, including refusing non-essential cookies, to stay compliant with both regimes.
Retention and Deletion
Consumers need to know how long you plan to store their personal information. Laws like GDPR follow a storage-limitation principle: keep data only as long as the stated purpose requires. So state a retention period, or the criteria you use to set one. Whatever you commit to here must be enforced in practice. Also tell users how you dispose of data at the end of that period, typically by deleting or anonymizing it.
Most websites avoid collecting data from children, since the rules for gathering and managing minors' personally identifiable information are even stricter. If you do collect it, you must at least follow the FTC's Children's Online Privacy Protection Rule (COPPA).
The age threshold varies by jurisdiction: COPPA applies to children under 13, GDPR sets the default at 16 (member states may lower it to 13), and CCPA requires opt-in consent before selling the data of consumers under 16. As a precaution, be explicit here and tell users if you do not collect data from minors.
Personal Data Rights
There are many different privacy and data-rights regulations worldwide, granting users varying degrees of control, so this is one area where using a generator is smarter than going it alone. Outline here how users can withdraw consent or request access to their information. The goal is transparency: users shouldn't have to jump through unnecessary hoops to see and adjust how you're using their data, unless you want to be fined.
Complaints are inevitable, so you need a reliable channel for receiving negative feedback from your website users, usually a dedicated email address, phone number or submission form. If a person wishes to escalate, give clear directions to the supervisory authority responsible for their jurisdiction.
- Company name
- Phone number
- Email address
It’s best to have one dedicated person or department that’s assigned to monitoring contacts for this purpose.
Beyond the sheer volume of information that must be included, it's very easy to run afoul of the various international privacy regulations. Roughly 137 jurisdictions worldwide have data protection regulations, but only a few are treated as the benchmark: PIPEDA (Canada), GDPR (EU), CCPA (California) and LGPD (Brazil).
1. Complete a short questionnaire
We ask for some details about your business or website to generate a policy page tailored to your requirements.
You’ll need to share your:
- Legal business name
- Business address
- Email address and/or phone number
2. Pick Your Business Type
First, determine what kind of business you're running. You can preview the policy in both desktop and mobile format at any point.
3. Add The Essential Details
Drop in your official business name and physical address. Your policy updates in real time, so you can see exactly what's being included as it's created.
4. Add Contact Details
Choose how much or how little contact information you want to include. Remember that you're legally required to include at least one working form of contact. This is also where you note if your company is a DBA (doing business as).
You might notice we don't get into colors and fonts here. That's because Enzuzo pulls this styling directly from your website theme, so there's no clash of styles.
In this step you can also customize your policy to cover specific privacy laws. Changes made here are reflected in the wording, so choose carefully to cover all your bases. We recommend checking all the boxes so you're covered no matter where your next visitor or customer comes from.
6. Customizing Cookies, Privacy Laws, and Applicable Communications
After you've established your business details, it's time to specify cookie usage. The generator is preset to cookies used for web-application function, remembering preferences and personalizing content, but you also have options for traffic analytics and third-party data sharing.
Likewise, Enzuzo defaults to five major privacy laws (CCPA, GDPR, PIPEDA, LGPD and POPIA), but you can also opt for worldwide coverage. For GDPR specifically, you can state whether you process and/or transfer personal data and, if so, where that activity occurs. If you have multiple company locations, you can specify those too.
The generator defaults to stating that your business doesn't collect personal or sensitive data, or usage information, but you can adjust this if needed. If you use analytics or remarketing tools, edit the generator output to reflect that.
Tell us which website builder you're using from our drop-down menu.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.