Website privacy policies may not be the hottest topic in the business world—or any world for that matter—but if you’re a website owner, you should at least be aware of them and what they do.
A website privacy policy is a document that tells visiting users how the website will collect, store, and use whatever personal information they share with it.
By law, any website that collects user data is required to have a privacy policy. Although it is an obligation, it is also an opportunity: a credible privacy policy creates transparency and builds trust among users.
Who Needs a Website Privacy Policy?
If you own or are planning to build a website, the answer to the above question is probably you.
Every website collects personal information. Even if you’re not collecting obvious personal details like names or email addresses, you’re still receiving traffic with other information like IP addresses.
If you plan to use third-party apps from companies like Google, Meta, and Apple on your website, you’ll need a privacy policy to stay compliant while you use their services.
As for the legal side, no overarching federal law in the United States applies to internet privacy policies, but a collection of federal, state, and international regulations requires anyone who owns a website to have a privacy policy.
Here’s an overview of the internet privacy laws that require U.S. website owners to have privacy policies in place:
- General Data Protection Regulation (GDPR): The GDPR is a European data privacy and security law established in 2018. It’s hundreds of pages long and one of the world’s most demanding internet privacy laws. It applies to businesses worldwide that target or collect personal data related to people in the EU.
- California Consumer Privacy Act (CCPA): California legislators passed the CCPA in 2018. It gives Californians more control over the personal information businesses collect about them. Like the GDPR, the CCPA applies to companies outside the state that transact with or collect data from California residents. It only applies to businesses with gross revenues greater than $25 million or those that deal in significant amounts of personal information.
- California Online Privacy Protection Act (CalOPPA): Proving how serious California is about privacy, the state has not one but two internet privacy laws. CalOPPA came into effect in 2004 and was the first state law in the country to make website privacy policies an obligation for site owners. Like the CCPA, it applies to anyone doing business or collecting data from Californians.
- Children’s Online Privacy Protection Act (COPPA): COPPA is a U.S. federal law that protects the privacy of children under 13 by giving parents tools to control the information collected from their children online. It applies to any business around the world if they knowingly collect personal information about children who are U.S. citizens.
No Privacy Policy? No Bueno.
Not having a privacy policy displayed on your site can have major consequences.
First of all, privacy disputes can erode customer trust, disrupt sales cycles, and lead to negative media coverage.
Second, if someone discovers you’ve collected data or shared their information without their knowledge, that person has the right to lawyer up and take you to court for damages.
And then there’s the matter of fines for violating the above laws. Penalties can start at $2,500 each time a California resident downloads an application that’s not compliant with CalOPPA. These penalties can reach up to $20 million or four percent of your annual revenue for violations of the GDPR.
What to Include in Your Website Privacy Policy
The privacy and data protection landscape is complex. Your policy must be comprehensive to protect your business, and it should answer a lot of questions to ensure you’re compliant.
1. What is this document all about?
The first thing to include is a title and an introduction. Begin by sharing the document’s purpose and inform users how you collect, use, and protect their personal information.
Provide a name and address to identify your organization, and be sure to include contact information. Then let people know the scope of the policy and to whom it applies.
If you want to see one in action, Shopify’s privacy policy does a great job at handling the introduction.
2. What information do you collect?
The first clause in your privacy policy should outline all the personal data your website gathers from users. Be as thorough as possible in this section.
You’ll need to do a full review of your website to ensure you understand all the data collection points. Your review should include:
- User data flows, such as entry points, data process stages, and exit points
- User interaction points, including account creation, form submissions, and tracking functions like cookies
- Third-party integrations that might be collecting data on your behalf
- Functions related to the collection of user consent for data processing site-wide
- Data retention times and purpose
- Security protocols in place to protect data
- Documentation of what you learned from the review
Doing this kind of review will ensure you’re basing your privacy policy on your actual data collection practices. It also shows you’re taking a proactive approach to maintain compliance with privacy laws.
3. How will you collect the data?
In this section, you need to tell people how you plan to collect their data.
Here are some examples of common data collection points and how to address them in your policy:
- Online forms—Tell users where they’ll find fillable forms throughout your website. Let them know the kinds of information the forms could request and how you’ll use the data. This can include account creation forms, contact forms, and forms for other specific purposes.
- Payment screens—If you make sales on your website, let your users know how you collect and process data related to their payments. Include information about any of the tools behind your site and the security measures protecting their personal and financial information.
- Tracking technology—Let people know if you use cookies, pixels, or other tech to track their behavior. Be sure to include why you’re collecting it, such as to enhance the user experience, to track site analytics, or to provide personalized content. Also note that they can manage or disable tracking through their browser settings.
4. Why are you legally allowed to collect user data?
To comply with laws like GDPR, your privacy policy must state your legal purpose for collecting user data.
This applies to each category of data you collect. You’ll need to provide a clear and specific explanation for why collecting that kind of data is essential—along with your legal basis for gathering it.
Including this information ensures data is collected and processed transparently and equitably.
If you want to see how it’s done in the wild, take a look at Spotify’s privacy policy.
5. How do you plan on using the personal data?
It’s important to have a section that explains how and why you will use the personal data you collect. This creates transparency and shows how your practices align with legal requirements for privacy.
It’s also a best practice to organize this section in a table format—it’s well-structured and easy to read.
6. Do you share or sell personal data?
To comply with legislation like the GDPR and CCPA, you should let users know if you share or sell their personal information to third parties. This could include partners, advertisers, or additional service providers.
This clause should clearly explain when—and under which circumstances—you share personal data with anyone outside of your organization.
Structure this section so it’s easy to sort through. You can use bullet points, lists, and outlines to categorize both the types of data you share and your purposes for sharing them.
Here’s an example of how this could look:
- Types of Data Shared
  - User profile information (e.g., name, email)
  - Usage data (e.g., IP addresses, cookies)
- Purposes of Sharing
  - Improving user experience
  - Providing personalized content
  - Analytics and reporting
Also be sure to let users know you need their consent to share data, and show them how they can manage their consent preferences.
7. How do you address privacy issues for children?
Whether or not your website is aimed at younger audiences, you must include a clause addressing child privacy concerns to comply with COPPA.
Here’s an outline of what you need to include in this section:
- Start by highlighting the importance of having a dedicated clause in your policy that addresses child privacy.
- If your website isn’t intended for children, include a brief statement that confirms your site is not directed at children. The company Toys R Us has a good example of this.
- If your primary audience is people under 18, then outline how your site complies with COPPA, including how you get parental consent for children 13 and under.
- Note the potential legal implications of non-compliance with COPPA. Stress that unless you’re compliant, it might be unlawful for you to collect data from children under 13.
- Emphasize the importance of following age-appropriate data collection practices and securely handling children’s personal information.
- If your website allows users to create accounts, explain how you verify a user’s age and how you obtain parental consent where it is required. The privacy policy from Disney handles this well.
8. What rights do your users have over their data?
Various state laws require website owners to tell users their rights regarding their data. That means you must include a clause with these details in your privacy policy.
It’s essential to include all the personal information you collect and any third parties who might access it. You also need to clearly highlight which states and laws the policy covers.
A great example of this type of clause can be found in Shopify’s privacy policy.
9. How can users access and control their data?
To comply with laws like the GDPR and CCPA, your privacy policy needs to let users view the data you’ve collected about them and control who can access it.
Language in this clause should focus on empowering users by letting them exercise their right to access the data you’ve collected. It should communicate what users can expect when they exercise this right, what kinds of data they can ask to view, and how they can request access to their data.
It’s also important to share how long it will take to provide the requested information and the format in which they’ll receive it.
Be sure to emphasize that users won’t face discrimination or adverse treatment by exercising their right to access this information.
10. How do you store and secure user data?
As a website owner, you’re responsible for the safety and security of user data. That means protecting it from things like data breaches and security threats.
As such, your privacy policy should include a clause that informs users of the security measures you have in place and your commitment to protecting their personal information.
You’ll find a good example of this clause in the privacy policy from Netflix.
11. What’s your data retention policy?
Some data privacy laws, like the GDPR and Virginia’s Consumer Data Protection Act, include specific requirements for user data retention.
You’ll need a clause outlining these legal obligations and information on how you comply with them.
Meta’s privacy policy provides a good example of how to write this section effectively.
12. Do you use cookies or other tracking technologies?
Many websites use cookies, pixels, and other technologies to track user behavior. The GDPR and CCPA classify these as personal data. So, if you use cookies on your website, you must cover it in your privacy policy.
This section of your privacy policy should include:
- An explanation of what cookies are and any other tracking technologies you use
- Your purposes for using cookies and other elements to track user behavior
- How users can give or withdraw consent for cookies and the implications of doing so
- An overview of how users can disable certain cookies through their browser or opt out of third-party advertising cookies altogether
Some websites also create a separate cookie policy and link it to their general privacy statement to keep it concise.
13. How will users know if your privacy policy changes?
Internet privacy laws like the CPRA and CCPA require website owners to update their privacy policies annually and to tell users how updates will be communicated.
Policies might also need updating to reflect changing company practices, changes in privacy laws, and new regulations.
You’ll need to create a separate clause in your privacy policy to cover this. You can keep this one simple, like the privacy policy from X/Twitter.
14. What other related policies should users know about?
If you have any other key policy documents related to your business, it’s a best practice to link to them in your privacy policy.
These documents can include terms of service, cookie policies, and any other disclaimers or warnings.
Putting these in your policy will increase transparency with your users and lead to a better user experience. This helps maintain trust and brand loyalty.
15. Do you transfer data internationally?
If your organization transfers data across international borders, you need a clause in your privacy policy stating this so you can comply with the GDPR.
LinkedIn’s privacy policy handles this very well.
16. What happens if you sell your business?
If you plan to sell all or part of your business in the future, you should include a business clause in your privacy policy.
A business clause tells users what will happen to their data if you sell your business. This often means letting them know how you’ll share data with the new owner.
This is a proactive step to reduce potential liabilities and be ultra transparent.
17. How can people contact you?
It’s critical that you let people know how to contact you with questions and concerns about your policy.
Include the email address of someone responsible for administering the policy and a mailing address for your business.
Don’t Write Your Privacy Policy Before Reading This
Writing an internet privacy policy is a big job that needs to be taken seriously. You’re creating a legal disclosure document to stay compliant with tons of laws.
With documents like these, it’s advisable to have a lawyer prepare them or at least review what you’ve written.
That said, it may not be very affordable or feasible for every website owner to hire a lawyer for their privacy policy.
Luckily, some companies offer templates and privacy policy generators that you can often use for free.
How and Where to Add a Privacy Policy to Your Website
Whether you want to work with a website designer or do it yourself, there are several options, locations, and techniques for adding your privacy policy to your website. However, most sites will follow a certain standard when it comes to each one.
- Privacy policy landing page: The first step is to create a page on your website to host the policy, which you can link to from different places on your site.
- Website footer: Most website owners include a link to their privacy policy page in the footer. This makes it available anywhere on your site. It’s also a familiar place where users look to find privacy policies and other documentation.
- Header or main navigation: Putting a link to your privacy policy in your header or one of your navigation drop-down menus makes it highly visible to users. This communicates your commitment to privacy, which can help build trust in your brand. It’s also handy in case your website design uses an infinite scroll, which can make it hard to find the footer.
- Forms, account creation, and checkout pages: Including a link to your privacy policy in places where users choose to give you their personal information can inspire confidence, create transparency, and encourage people to complete the transaction—instead of abandoning the form or cart.
- Terms and conditions page: Including a link to your privacy policy on your terms and conditions page is a standard practice that gives users a way to access details about privacy measures when they’re already looking at technical information.
- Cookie consent notice: Under GDPR, you need user consent for cookies. This is usually implemented through a banner notification. Including a link to your privacy policy here gives users an easy way to understand cookies and what giving their consent means. Paychex does a good job of providing this kind of privacy policy notice.
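The cookie consent notice above, combined with the give-or-withdraw consent mechanics from section 12, as an added example that is not code from the article or from any site it names: tracking code asks the gate before setting a cookie or firing a pixel, withdrawal clears the stored choice, and a policy version string (an assumption here) forces a fresh prompt once the privacy policy changes. The category names, cookie name, and storage interface are assumptions.

```javascript
// Added example, not from the article: a consent gate behind a cookie banner. Assumes three
// categories ("necessary", "analytics", "marketing"), a policy version string that is bumped
// whenever the privacy policy changes, and an injected storage (document.cookie on a real site).
const CATEGORIES = ["necessary", "analytics", "marketing"];
const COOKIE_NAME = "site_consent";

class ConsentGate {
  constructor(policyVersion, storage) {
    this.policyVersion = policyVersion;
    this.storage = storage; // { get(name), set(name, value), remove(name) }
  }

  // Stored record, or null when absent, malformed, or recorded under an older policy version.
  current() {
    const raw = this.storage.get(COOKIE_NAME);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec.v === this.policyVersion && rec.c && typeof rec.c === "object" ? rec : null;
    } catch {
      return null;
    }
  }

  // The banner must be shown whenever there is no valid record for the current policy.
  needsPrompt() {
    return this.current() === null;
  }

  // Store explicit choices: "necessary" cannot be refused, unknown categories are dropped.
  record(choices) {
    const c = {};
    for (const cat of CATEGORIES) c[cat] = cat === "necessary" || choices[cat] === true;
    this.storage.set(COOKIE_NAME, JSON.stringify({ v: this.policyVersion, c, at: new Date().toISOString() }));
    return c;
  }

  // Withdrawal drops the record: the next visit prompts again and nothing optional loads meanwhile.
  withdraw() {
    this.storage.remove(COOKIE_NAME);
  }

  // Tracking code must pass this check before setting a cookie or firing a pixel.
  allows(category) {
    if (category === "necessary") return true;
    const rec = this.current();
    return rec !== null && rec.c[category] === true;
  }
}

// In-memory stand-in for document.cookie so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { get: (k) => m.get(k) ?? null, set: (k, v) => m.set(k, v), remove: (k) => m.delete(k) };
}
```

On a real site, the storage object would read and write a first-party cookie (with `Secure` and `SameSite` set) or `localStorage`, and every analytics or advertising loader would be wrapped in an `allows(...)` check.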
3 Privacy Policies to Inspire You
Along with being comprehensive enough to cover all the legal bases, your privacy policy should also be easy for users to read and navigate.
You’ll need to consider the unique points of data collection and handling practices that pertain to your specific business, and then present it in a digestible way. Few companies do this exceptionally well.
Slack
The folks at Slack have clearly studied the rules of great privacy policies. Its privacy policy covers all the critical information needed for a comprehensive approach. And it also has an attractive, user-friendly design.
Some of its highlights include:
- A linked table of contents, making getting the information you need simple.
- A simple and uncluttered design, so users can focus on the information.
- A comprehensive clause on how the company transfers user data between countries securely.
Google
Google deals in a lot of user data, so you’d expect the company to have an excellent privacy policy. It’s well-organized and extremely detailed regarding compliance with privacy laws.
Some of the keys that make it great include:
- A straightforward, plain language approach that makes the policy accessible to a broad base of users.
- An audience-focused perspective that can boost user trust and confidence.
- Superb compliance with one of the GDPR’s critical provisions by clearly letting users know how and where to remove their data.
U.S. Department of State
Big tech companies aren’t the only ones who wrangle significant amounts of user data. The Department of State website has many millions of visitors annually and deals with sensitive personal information, and its privacy policy is up to the task.
- It shuns complex terminology in favor of plain, conversational language that makes it easy to digest.
- It’s a concise policy that still covers all the essential points needed to comply with applicable privacy laws.
- Users can access related security and privacy documents directly via links in the privacy policy.