- Service-based website
- Ecommerce website
- A blog that runs advertising programs, for example, Google Adsense
Let’s take a look at some of the most common privacy laws and their legal requirements when it comes to privacy practices for websites.
If your audience is based in Europe or the UK, the General Data Protection Regulation (GDPR) applies. It’s a privacy law that gives people a range of rights over their data, and gives you plenty of responsibilities to keep it safe and use it appropriately.
CalOPPA and CCPA
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies. It’s similar to other privacy laws, in that it’s designed to inform people about the collection and use of their personal data.
As with other privacy legislation, to be compliant with PIPEDA you need to explain which types of personal information you collect and how it’s used — including whether or not it’s shared with others. You should also inform people how they can contact you to exercise their right of access.
In this section, you’ll want to make a statement about who you are as a company and the purpose of this privacy notice. It’s common to include the following information here:
- Company name
- An explanation of key terms used — like ‘personal data’ or who you mean when you say ‘we’ or ‘you’
Your introduction section doesn’t need to be long, but it should let any readers know what to expect from the rest of the document and give them a basic understanding of its purpose.
2. Personal Data Collection and Use
In this section, you’ll want to confirm which personal data you collect. Personal data can include:
- Phone number
- Email address
- Sex or gender
- Race or nationality
- Religious beliefs
- Login or account information
- Credit card information
- IP address
- Web browser or device type
Think about not only the personal data you directly collect but the third-party services you use too. If you use tools like the Facebook Pixel or Google Analytics, these service providers will collect additional data. This is often covered by those tools’ own privacy policies, so you can direct users to review the third-party privacy documents to get a better understanding.
Next, confirm the uses for this personal data. Some privacy laws, like the GDPR, require you to have a lawful basis for processing data. Setting out how you use data helps you show that you understand and care about your obligations.
Some of the most common purposes for processing data include:
- To deliver products and services
- To make improvements to or develop those products or services
- To provide customer service and technical support
- To verify identity and enforce security
- To send relevant marketing communications
- To display more relevant or targeted social media advertising
Each business is different, so think about your own reasons for processing data and which of these may be applicable.
It’s also important to cover how you intend to or will share someone’s personal data with partners or third parties. If you do need to share data, set out here how it will be done, who it’s shared with, and for what purposes — similarly to how you cover data processing above.
There will also be moments where you’re required to process or share information as a legal requirement. Let your users know that this may happen, and the situations in which it may apply — for example at the request of a government authority.
In most locations, you can’t sell a user’s personal information to another company or third party. In the State of California you can, so it’s wise to include a statement here to cover this. Under the CCPA, you need to legally inform people of any sale of data — including to whom it’s sold — and give users the right to opt-out of any sale.
If you don’t sell user data and don’t intend to, include a disclaimer here to that effect. If it’s not present, users may be unsure whether their data may be sold in the future or not.
- Necessity: To actually provide your product or service
- Preference: To save useful information to make things easier or offer a more personalized service — like login details or your location
- Analytics: To better understand user behavior, to improve a product or service or tailor future campaigns
- Marketing: To provide a more personalized marketing or advertising experience — for example by displaying relevant product ads
If users can manage their cookie preferences, it’s helpful to include information here about how to do so. At a minimum, the CCPA requires you to inform users of which cookies are present, what type of data they collect, and how you intend to use that data.
4. Retention & Deletion
While your users need to understand which personal data is collected, they also need to know how long you intend to keep it for and what the process for deletion looks like.
You can keep it simple here and let people know that their user data will be kept for as long as it’s required for the purposes of providing your products and services, and in line with any legal requirements. You should also confirm what happens when you no longer need the data — in most cases it will be deleted or anonymized.
5. Children’s Data
In most cases you won’t collect children’s data. For most jurisdictions, children are classed as people under the age of 16. If you do collect children’s data, make sure you follow the rules set out in the Children’s Online Privacy Protection Rule (COPPA).
Even if you don’t collect children’s data, you should display a statement here that confirms it. For example, our disclaimer on children’s data is: “We will not knowingly collect personal data from children under the age of 16 Years.”
6. Personal Data Rights
People’s personal data rights differ depending on where they’re located, and the privacy laws that apply. In some jurisdictions, data subjects have more rights than others.
As well as outlining your users’ personal data rights here, you should share how they can action them. Give details on how someone can withdraw consent or view, update, or request the deletion of their data — whether that’s through an email address or a form. If you’re using Enzuzo, it’s really easy for customers to request or update personal information.
This section can be short and sweet. Simply list when you’re likely to make changes to the policy, and how people will be kept informed.
Not everyone’s going to be satisfied all the time. To help everyone out, list a clear and easy way for people to reach you with a complaint. This may be through email, a contact form, a phone number, or a digital process.
Often people have the right to take the complaint further if they’re not happy with the outcome. Make this clear to your users and direct them to their local data protection authority to continue the process.
9. Contact Information
In this section, feature your:
- Company name
- Phone number
- Email address
It may also be helpful to name the role or department that someone needs to contact — especially if you have more than one department that may be relevant. Signpost them to your data protection officer if you have one, or a more general mailbox if you don’t.
An Easy Way to Understand Your Requirements By Privacy Law
Still not sure which sections you need to feature to be compliant? It’s not always easy to know at a glance which privacy law requires which information to be made available, so here’s a table to help you figure things out:
You don’t need to look far to find great examples of online privacy policies. With most websites required to have them, it’s easy to take a look around and get a feel for how others structure and style theirs.
Not only is our generator tool easy for you to use, but it provides your customers with a great user experience too. The simple design, user-friendly drop-down sections, and uncomplicated language mean your customers can get the information they need without all the hassle. Plus, if you opt for our Starter plan, you can have your policy available in multiple languages and customize your template even further.
Copying someone else’s privacy statement is a bad idea. They’ve had it created based on their own unique business and requirements, which won’t be relevant to yours.