Privacy policy.

What Is a Privacy Policy?


A website privacy policy outlines your relationship with users’ personal information. To succeed online and avoid legal turmoil, your website needs a privacy policy agreement. The first step to creating a compliant and comprehensive privacy policy is understanding exactly what that is.


Privacy Policy Definition

A privacy policy is a legal document that informs your site’s users about how you collect and handle their personal information. You may also hear privacy policies referred to by the following names:

A general privacy policy explains a platform’s interactions with the personal information and personally identifiable information (PII) of its users. PII is information that can be used by itself, or combined with other information, to identify an individual. Specific platforms or services may require a unique privacy policy template. However, a standard privacy policy template will likely satisfy user demands and legal requirements for your website.

Standard Privacy Policy for Website

We’ll dive into details later on in What to Include in a Boilerplate Privacy Policy, but a basic privacy policy outlines the following


Is a Privacy Policy Required by Law?

If your website uses personal information (e.g., collected names, email addresses, or credit card information), most legislation around the world requires that you have a privacy policy.
If you run a website, mobile app, or desktop app, you are likely legally required to have a privacy policy somewhere on your site. You must display links to your policy clearly, prominently, and conspicuously, so that users can navigate to it quickly and easily.

As data collection and processing become more ubiquitous across the internet, privacy laws in the US and around the world set strict requirements for privacy policies. Here are the major laws that affect your website privacy policy:

GDPR

If you target users in the European Economic Area (EEA), you’re required to comply with the General Data Protection Regulation (GDPR). The GDPR is one of the world’s most comprehensive privacy laws, setting international standards for appropriate data handling. Article 12 of the GDPR grants users the right to transparent information about how their data is collected and handled. For business and website owners, this means that transparent privacy policies are mandated by the GDPR.

COPPA

If your website markets to children, strict rules and regulations apply. Most notably, the Children’s Online Privacy Protection Act (COPPA) governs websites that market specifically to kids. If the target audience of your site is children under the age of 13, federal law requires you to include a company privacy policy that covers very specific information about your business.

CalOPPA

The California Online Privacy Protection Act (CalOPPA) was the original privacy law in the US that mandated that websites make privacy policies available to users. The act also outlines what information needs to be made available regarding data handling — including what data is collected, where from, and whether it’s shared or sold.

CCPA

Currently the most comprehensive data privacy law based in the US, the California Consumer Privacy Act (CCPA) builds on the online privacy policy requirements of CalOPPA, demanding that businesses and websites implement even more transparent and comprehensive policies. In effect since January 1, 2020, the CCPA sets an annual update requirement for privacy policies. Therefore, you will need to update your CCPA privacy policy every year.


Other Notable Laws

Depending on where your website is based, who your audience is, and what data you collect, there are various laws that may apply to you and your privacy policy. For example, if you send marketing emails or newsletters, you’re required to comply with the CAN-SPAM Act, which requires a clearly posted privacy policy.
If your website is “significantly engaged” in financial activities, you may be subject to the Federal Trade Commission’s (FTC) Gramm-Leach-Bliley Act, which requires the publication of “clear, conspicuous and accurate statements” regarding information collection and sharing practices. There are over one hundred privacy laws around the world and new internet laws coming out each year. Creating and maintaining a good privacy policy is essential to legally running your website or business.


What Should I Include in a Boilerplate Privacy Policy?

A basic privacy policy template includes the what, when, who, why, and how of your data collection practices. While every website and business should have a policy tailored to its own operations, even the simplest privacy policy will include the following information:

What Information You Collect

At the heart of your website’s privacy policy is a disclosure of what data you collect from users. Some common types of data that you’ll find in website privacy policy templates are:

Both the GDPR and CCPA state that privacy policies should disclose what types of information a website collects. The above are only some basic examples of what “types of information” may mean for your site.


User Rights Over Their Data

Your privacy policy should have a section outlining what rights users have over their data, and how they can act on those rights.
For example, users from the EEA or California have the right to request access to data that has been collected about them. Specify this right in your privacy policy, including instructions on making such requests.