How to Write a Website Privacy Policy

February 15th, 2018 | Categories: Compliance, Privacy, Risk Management, Websites

Many companies are still confused about whether they need a website Privacy Policy. In fact, some businesses are still under the (mistaken) impression that they don’t need a Privacy Policy at all, or that their existing Privacy Policy (the one they use for other business reasons) is sufficient to cover their website or app activities. It generally isn’t.

Why You Need A Website Privacy Policy

Let’s get this out of the way right here – in the United States, Canada, the United Kingdom and in many other countries, privacy policies that cover online personal data collection are required by law. 

Some companies do already have a Privacy Policy on their website. In many cases, however, the policy hasn’t been updated in several years, and the existing Privacy Policy often doesn’t even include the basic elements required by law. In fact, we’ve found that most existing website privacy policies don’t include clauses that cover personal data collection from newer online activities such as social media.

Often, we find that a company’s website Privacy Policy has been created using a very generic template, with little customization specific to the company, its website or its data collection methods. The result is a nonspecific, overly broad Privacy Policy that often doesn’t comply with current laws, is barely useful in explaining to users how their information will actually be used, and does little to protect the company in the event of a lawsuit.

By the way, if your company has built an app, that app should also have a Privacy Policy.

A poorly written (or non-existent) app or website Privacy Policy can expose a company to regulatory sanctions and fines, customer lawsuits, and significant reputational damage.

In this post, we’ll discuss exactly what a website Privacy Policy is, the regulations that describe what a Privacy Policy must include, specific details of what a website Privacy Policy should cover, and we’ll also provide examples of website privacy policies that are effective, well-written and comply with applicable laws.

What is a Website Privacy Policy?

A Website Privacy Policy is an agreement that’s published on a business website which describes how a company collects, stores and distributes the personal data of its users.

If you’re a company that operates in the United States and have a website, a website Privacy Policy is mandatory if you’re collecting any type of information that’s personal.

At a minimum, this includes any commercial website that has simple contact forms, email links or other ways for users to communicate with the company. If you provide any type of online mechanism for a website visitor to contact you, you’re collecting personal information – either a name, phone number or email address. That information is considered personal data and since you’re receiving and collecting that data (to communicate with the website user), you must publish a Privacy Policy that describes how that data will be collected, stored and used.

Privacy Policies Are Required by Law

Privacy policies must comply with the laws of the region(s) in which your company operates. In the United States, it’s important to note that there aren’t any specific federal laws that require U.S. companies to have a website Privacy Policy.

However, there are numerous federal and state regulations that have provisions on data privacy. These regulations have specific rules and requirements, as well as instructions on how companies must communicate to consumers how their personal data is being handled.

  • The Americans With Disabilities Act (1990) – The ADA is a civil rights law that prohibits discrimination against individuals with disabilities in all areas of public life, including jobs, schools, transportation, and all public and private places that are open to the general public.
  • The Cable Communications Policy Act of 1984 – The purpose of the CCPA is to promote competition and deregulate the cable television industry.
  • The Children’s Internet Protection Act (2000) – requires K–12 schools and libraries in the United States to use Internet filters and implement other measures to protect children from harmful online content as a condition for federal funding.
  • The Children’s Online Privacy Protection Act (1998) – applies to the online collection of personal information by persons or entities under U.S. jurisdiction about children under 13 years of age. COPPA details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children’s privacy and safety online, including restrictions on the marketing of those under 13.
  • The Computer Fraud and Abuse Act (1986) – CFAA was enacted by Congress as an amendment to existing computer fraud law which had been included in the Comprehensive Crime Control Act of 1984.
  • The Computer Security Act (1997) – a federal law intended to improve the security and privacy of sensitive information in federal computer systems and to establish minimally acceptable security practices for such systems.
  • The Consumer Credit Reporting Control Act (1970) – U.S. federal legislation enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies.
  • The California Online Privacy Protection Act (2004) – CalOPPA is the first state law in the United States to require commercial websites and online services to post a privacy policy. It applies to any person or company in the United States whose website collects personal information from California consumers. CalOPPA requires websites to post a conspicuous privacy policy that states what personal information is collected and shared from website visitors, and requires the website operator to comply with the privacy policy. Those who don’t comply with their own privacy policy are at risk of civil litigation under California’s Unfair Competition Law, which authorizes prosecutors to file lawsuits on behalf of injured citizens.
  • Plus other laws

Under Chapter 22 of the California Business and Professions Code, Internet Privacy Requirements [22575-22579], the following specific provisions relate to online privacy and describe what a business must include in its website privacy policy:

  1. A business that collects personally identifiable information via a website or online service must conspicuously post a privacy policy on its website.
  2. The privacy policy must:
    1. Identify the personal information that’s collected – “Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.”
    2. If you have a process in place, provide a description for users to make changes to their personal data – “If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.”
    3. Describe how changes will be made to the privacy policy – “Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.”
    4. Identify its effective date.
    5. Describe how the website responds to “do not track” – “Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.”
    6. Describe 3rd-party relationships related to user data collection – “Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”
    7. If applicable, provide a link to further information on the “do not track” program – “An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”
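Provisions 5 and 6 above only require you to *disclose* how the site responds to “do not track” signals and to opt-out choices, but whatever you disclose has to match what the site actually does (see the FTC’s “honor your privacy promises” point below). The following browser-side gate is an added example, not code from the original post or from any vendor: it checks the browser’s Do Not Track signal and a site opt-out cookie before injecting an analytics script, and it returns the decision so it can be logged and reconciled against the policy text. The function names, the cookie name `analytics_opt_out`, and the script URL are assumptions for this illustration.

```javascript
// Added example (not part of the original post). Gate a tracking script on the
// browser's Do Not Track signal and on a site-specific opt-out cookie.
// Assumed names: parseCookies, dntEnabled, trackingAllowed, setOptOut,
// loadAnalyticsIfAllowed, and the cookie "analytics_opt_out".

function parseCookies(cookieHeader) {
  // Turn "a=1; b=2" into { a: "1", b: "2" }; tolerates empty or odd input.
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

function dntEnabled(nav) {
  // Browsers have exposed the signal under different property names over time;
  // "1" or "yes" means the user asked not to be tracked. Anything else
  // (undefined, "0", "unspecified") is treated as no signal.
  const raw = nav.doNotTrack ?? nav.msDoNotTrack ?? null;
  return raw === "1" || raw === "yes";
}

function trackingAllowed({ navigator: nav, cookieHeader }) {
  // An explicit opt-out the user set on this site wins over everything else;
  // the browser-wide DNT signal is checked next. The reason string is returned
  // so the decision can be logged and compared against what the policy promises.
  const cookies = parseCookies(cookieHeader);
  if (cookies.analytics_opt_out === "1") {
    return { allowed: false, reason: "opt-out cookie" };
  }
  if (dntEnabled(nav)) {
    return { allowed: false, reason: "Do Not Track signal" };
  }
  return { allowed: true, reason: "no opt-out or DNT signal" };
}

function setOptOut(doc) {
  // Record the user's opt-out for a year; first-party, Lax, so it is sent
  // with normal navigation but not with cross-site POSTs.
  const cookie = "analytics_opt_out=1; Max-Age=31536000; Path=/; SameSite=Lax";
  doc.cookie = cookie;
  return cookie;
}

function loadAnalyticsIfAllowed(doc, nav, scriptUrl) {
  // Only inject the third-party script when the gate permits it.
  const decision = trackingAllowed({ navigator: nav, cookieHeader: doc.cookie });
  if (decision.allowed) {
    const s = doc.createElement("script");
    s.src = scriptUrl;
    s.async = true;
    doc.head.appendChild(s);
  }
  return decision;
}

// When run in a browser, apply the gate to the real page; "analytics.example"
// is a placeholder host, not a real analytics endpoint.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  console.log(loadAnalyticsIfAllowed(document, navigator, "https://analytics.example/snippet.js"));
}
```

The point of returning a `reason` rather than just a boolean is auditability: if the Privacy Policy says “we honor Do Not Track”, the logged decisions let you demonstrate that the page did so, which is exactly the kind of promise regulators test against actual behaviour.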

Federal Trade Commission Guidelines on Privacy Policies

Did you know that the Federal Trade Commission (“FTC”) has enforced the law against numerous companies that are not in compliance with federal regulations related to consumers’ privacy? Since 2002, the FTC has brought multiple enforcement actions against many companies, addressing a wide range of privacy issues, including spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing, and mobile.

The FTC oversees consumer protection regulation in the United States. With regard to online advertising and communications, the FTC has issued guidelines for websites and apps that companies should follow when writing a Privacy Policy. The FTC’s guidelines help your business comply with truth-in-advertising standards and basic privacy principles. The FTC also recognizes that there isn’t a “one-size-fits-all” approach that works for every company.

The following guidelines from the FTC should be considered by every company that has or intends to build a website or app:

  • Build privacy considerations in from the start. The FTC calls this “privacy by design.”  What does it mean?  Incorporating privacy protections into your practices, limiting the information you collect, securely storing what you hold on to, and safely disposing of what you no longer need.  Apply these principles in selecting the default settings for your app and make the default settings consistent with what people would expect based on the kind of app you’re selling.  For any collection or sharing of information that’s not apparent, get users’ express agreement.  That way your customers aren’t unwittingly disclosing information they didn’t mean to share.
  • Be transparent about your data practices.  Even if you need to collect or share data so your app can operate, be clear to users about your practices.  Explain what information your app collects from users or their devices and what you do with their data.  For example, if you share information with another company, tell your users and give them information about that company’s data practices.
  • Offer choices that are easy to find and easy to use. Give your users tools that offer choices in how to use your app – like privacy settings, opt-outs, or other ways for users to control how their personal information is collected and shared.  It’s good business to apply the “clear and conspicuous” standard to these choice mechanisms, too.  Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made.
  • Honor your privacy promises. “But we don’t make any promises.”  Think again and reread your privacy policy or what you say about your privacy settings.  Chances are you make assurances to users about the security standards you apply or what you do with their personal information.  At minimum, website and app developers — like all other marketers — have to live up to those promises.  The FTC has taken action against dozens of companies that claimed to safeguard the privacy or security of users’ information, but didn’t live up to their promises in the day-to-day operation of their business.  The FTC also has taken action against businesses that made broad statements about their privacy practices, but then failed to disclose the extent to which they collected or shared information with others – like advertisers or other website and app developers.  What if you decide down the road to change your privacy practices?  You’ll need to get users’ affirmative permission for material changes.  Just editing the language in your privacy policy isn’t enough in those circumstances.  And while you’re taking another look at your privacy promises, read them with users in mind.  Is the language clear?  Is it easy to read on a small screen?  Are you using design elements — color, fonts, and the like — to call attention to important information?
  • Protect kids’ privacy.  If your website or app is designed for children under 13 and collects personal information, you have additional requirements under the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule.  But COPPA compliance doesn’t end there.  Regardless of the kind of website or app you sell, if you know you’re collecting personal information from children under 13 — or if you know you’re collecting personal information from another website or online service (including another app) that’s designed for kids under 13 — COPPA applies, too.
  • What does COPPA require? Under COPPA, you have to clearly explain your information practices, provide direct notice to parents about those practices, and get parental consent before collecting personal information from kids.  These obligations apply to you when third parties (like ad networks or plug-ins) collect personal information through your app.  COPPA also requires that you keep “personal information” collected from children confidential and secure.  The rule defines that term to include a first and last name, an address, a telephone number, online contact information, a screen name or user name that functions like online contact information, geolocation information, or a persistent identifier that can be used to recognize a user over time and across different websites or online services (such as device identifier, cookie identifier, serial number, or IP address).  Visit the FTC’s COPPA site for compliance advice.
  • Collect sensitive information only with consent.  Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information.  It’s a mistake to assume they won’t mind.
  • Keep user data secure. At minimum, you have to live up to the privacy promises you make. But what if you don’t say anything specific about what you do with users’ information? Under the law, you still have to take reasonable steps to keep sensitive data secure.
    • One way to make that task easier: If you don’t have a specific need for the information, don’t collect it in the first place.
    • The wisest policy is to:
      1. collect only the data you need;
      2. secure the data you keep by taking reasonable precautions against well-known security risks;
      3. limit access to a need-to-know basis; and
      4. safely dispose of data you no longer need.

These principles apply both to information you ask users to give you and to any information your software collects.  If you work with contractors, make sure they abide by the same high standards.

Requirements from Third-parties

While a website Privacy Policy is required by law, it can also show your users and customers that you value their privacy and build confidence in your business practices.

It’s also becoming more commonplace for third parties, including social networks, app stores and large technology vendors, to require that you have a Privacy Policy before you can create an account or establish an online relationship with them.


Comply with Google Analytics Terms of Service

If you use Google Analytics, you’ll need a Privacy Policy. Google’s Terms of Service requires all users who are using Google Analytics to have and abide by a Privacy Policy.

As stated in Section 7 of the Google Analytics Terms of Service, related specifically to Privacy:

“You will have and abide by an appropriate Privacy Policy and will comply with all applicable laws, policies, and regulations relating to the collection of information from Visitors. You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data.”

App Privacy Policy

  • Apple’s App Store Review Guidelines state that apps that intend to collect personal information from users without consent and proper notification will be rejected. Check the Privacy Policy agreement for any iOS apps.
  • The Google Play Store’s Developer Distribution Agreement requires that you have “privacy procedures and notices in place”. Take a look at the Privacy Policy requirements for Android apps for more information.
  • Microsoft and Windows Phone apps are also required to have an app Privacy Policy as part of the “10.5.1” rule requirement from the Windows Phone Store Policies.
  • Facebook requires you to have a Privacy Policy for any Facebook apps you may develop.
  • If you want to use Login with Amazon, Amazon is also requiring you have this agreement ready and published online before you can use the sign-in functionality.

Recommendations on Writing an Effective Website Privacy Policy

We recommend that a Privacy Policy give the company maximum flexibility to operate within the law and the bounds of propriety. Don’t make changes that limit your company’s operating flexibility, and don’t remove provisions that are required by California Business and Professions Code Sec. 22575(b); for example, deleting our recommended opt-out language, which is required by B&PC Sec. 22575(b)(5).

We advise that the language of your Privacy Policy provide flexibility for the future. For example, you should retain the right to share information in the event of a merger. If you don’t specify this right within the policy, the information you collect may not be shareable, and your firm’s value in a merger could be reduced.

Social Media Privacy Policy Issues

When it comes to emails and social media, we advise our clients to use the broadest possible language in their website Privacy Policy. This gives you the flexibility to modify your social media usage without necessarily having to continuously modify your website Privacy Policy.

For example, if users can contact you by email from your website, they will provide their contact information so you can do so. This means you should include language in your Privacy Policy that covers the fact that they are providing their email information to you specifically for the purpose of you contacting them via email.

With regard to social media, if you are collecting any kind of personal information via a social network, you should include language in your Privacy Policy that describes that collection and what you intend to do with that information. For example, if you collect names and email information from clients through Facebook’s messaging feature, your Privacy Policy should clearly state how you intend to keep that information private and secure.

A broad policy reduces the likelihood that you would have to modify it every time you make a small change to your online usage. Small changes that may go unnoticed could have significant consequences. We also recommend a regular review of your Privacy Policy to ensure continued compliance.

Privacy Policy Q&A

Still not convinced your website really needs a Privacy Policy? Below is a Q&A with explanations and rationale that we’ve compiled based on experience and research.

Q. Does my website need a Privacy Policy?

A:  All commercial websites are required to have a Privacy Policy compliant with Federal Trade Commission (FTC) requirements and California Online Privacy Protection Act (CalOPPA) requirements.

Q. What is a commercial website?

A:  Simply put, any website that buys, sells or offers a service of any kind is a commercial website.

CalOPPA applies to all websites that may serve California residents. CalOPPA applies to any person or entity that owns or operates a commercial website or online service that “collects and maintains personally identifiable information from a consumer residing in California who uses or visits” said website or online service. CalOPPA does not apply to internet service providers (“ISPs”) or similar entities that transmit or store personally identifiable information for a third party.

In 2012, the California Attorney General’s Office specifically applied CalOPPA to mobile applications for smartphones and tablets that collect personally identifiable information. Hundreds of apps providers were notified that they were in violation of CalOPPA, and they were given 30 days to submit compliance plans or face fines of up to $2,500 for each time their app was downloaded.

Q. My website is aimed at children. Are there any special requirements for my website Privacy Policy?

A:  If your business is aimed at children under the age of 13, you need to comply with the Children’s Online Privacy Protection Rule (COPPA). COPPA is a federal law which requires websites to have a parent’s permission before collecting any personal information from children under 13.

Q. Can I use a standard Privacy Policy generator?

A:   Yes, as a start. In fact, every Privacy Policy should probably start by looking at how other websites and apps have designed their privacy policies. It would probably be far too costly for most businesses to start writing a Privacy Policy completely from scratch.

However, every “standard” privacy policy will need to be customized to suit your business uses and needs.

That’s true even if your website is really simple. If you collect, track or store consumer data, user behavior or information in any manner, including using cookies, tracking geolocation, contact forms, newsletter subscriptions etc., you’ll need to customize that standard privacy policy accordingly.

However, just like every business website is different from the next to reflect the company, its products and services, every Privacy Policy needs to be tailored to the company’s particular offerings, requirements and methods of handling its customers’ data and privacy.

The output of many Privacy Policy generators is usually so generic as to be useful only as a starting point. Most businesses will need a customized Privacy Policy that suits the features and functionality of their website.

This will vary by company and depend on the complexity of the business, website and other online services that are covered by the privacy policy. Other things to consider are regional regulations, how the business collects, handles, stores and uses customer data, and how it handles “do not track” and opt-out mechanisms.

A template is useful as a starting point and some are better than others, however most templates are quite rudimentary and should be reviewed in any case by an attorney. It’s our experience that every Privacy Policy template needs to be customized to ensure compliance with applicable laws, while offering maximum business flexibility.

Q. Should my Privacy Policy cover our firm’s Social Media activity?

A:   Yes, if you’re collecting any kind of personally identifiable information about your users or customers, such as name, email etc.

If you’re running contests, sweepstakes or running marketing campaigns on social media to generate or build email lists or collect customers’ personal information, make sure your website privacy policy covers that activity.

If you’re using social login functionality (connecting a social network’s login feature to your website) to obtain customer data, your privacy policy should disclose how you collect, store or use any customer data from that connection.

If you’re using instant messaging via a social network such as Facebook Messaging to communicate with your audience, you should include language in your privacy policy that covers any personal information you may collect in those types of communications.

Website Privacy Policy Checklist

We’ve created a checklist for you to consider when developing a Website Privacy Policy for your business. Get started by answering the 6 questions below:

1.  Tracking Mechanisms – Will your new website use cookies or other tracking mechanisms (e.g. Facebook pixels)? Please list the specific tracking mechanisms used and the purpose of each.

2.  eCommerce – Does your site have a shopping or payment feature? Do you accept credit cards? For example: Google’s “Buy” button, Paypal, Shopify, Stripe etc. Include language in your policy that covers transferring data to third-party vendors if applicable.

3.  Sign-up or Download Forms – Will your site have a way for users to reach you, download or subscribe? For example, will you have a newsletter sign up form? If so, what information will you collect from users in order for them to sign up? For example: name, e-mail address, etc.

4.  What kind of information will you collect and store? What type of personally identifiable information will you be collecting and storing from website users (from credit cards, forms or login areas)? List each type of attribute and make certain you know how this information will be secured. This may include: email, first name, last name, address, etc.

5.  What 3rd-party plugins or providers do you use to provide additional services on your website, such as a Client Login area? List the names of any third-party providers your new website will use to enhance its client and/or case management functionality e.g. MyCase, Abacus, Zola. Make sure those 3rd parties have their own data privacy and compliance ducks in a row. At a minimum, their website privacy policy should be in compliance with state and federal laws.

6.  How will users contact you? What contact email will you be using if users have questions about how to opt out from tracking or the Privacy Policy? (Usually, companies will set up an info@yourwebsite.com or privacy@yourwebsite.com type of email address for this purpose).

Privacy Policy Examples

Social Networks – Website Privacy Policy Examples

Twitter Privacy Policy – a comprehensive yet clearly written privacy policy that includes sections on Information Collection and Use, Cookies, Use of Services, Twitter for Web Data, Third-parties and Affiliates, Information Sharing and Disclosure, and Accessing and Modifying your Personal Information.

Facebook Data Policy – after some initial false starts from Facebook, the leading social network finally came up with a really robust approach to explaining how it collects and uses information from its users. This is one of the most comprehensive explanations we’ve seen online with regard to consumer data and privacy. For a simpler view, take a look at Facebook’s Privacy Basics.

LinkedIn Privacy Policy – starts out by saying “Your Privacy Matters”, and contains lots of specific details on how information is collected, used and shared, plus your choices and obligations as you use the LinkedIn site. A guided tour of the Privacy Policy is also available that shows updates since the last policy, plus a Privacy Policy video.

Google Privacy Policy – Google’s privacy policy is fairly extensive, as you would expect. However, it refrains from too much legalese and uses language that’s pretty informal and easy to understand. It also provides links to a glossary of key terms, so you can understand all the technical jargon you might come across in the policy.

Corporate Website Privacy Policy Examples

Thomson Reuters Privacy Statement – comprehensive and available in multiple languages and with a large banner in the footer notifying users that the privacy statement has been updated and should be read.

Forbes Privacy Statement – checks all the boxes for privacy requirements including describing how the site tracks its visitors, opt-out mechanisms, children’s privacy and how users are notified if the statement is updated.

PepsiCo, Inc. Privacy Policy – this policy doesn’t cover all the bases and probably hasn’t been revisited in some time. There’s no effective date and no instructions for consumers who don’t want to be tracked. Time for an update.


Summary

Your website Privacy Policy should be an integral component of your governance and risk management strategy for your digital and social media activities.

A thorough review of your website, app or social media Privacy Policy is an essential step under several circumstances:

  • When creating a new business website
  • Redesigning or adding functionality to an existing business website
  • Becoming active on a social network such as Facebook or LinkedIn
  • Building an app with the intention of distributing it via an app store
  • Changing how customer or personal information will be collected, stored, used or shared with others
  • Adding Google Analytics to measure your website traffic

In addition, a basic website Privacy Policy can generally cover the following types of website uses:

  • Commercial/Promotional websites (e.g. promoting a business, organization, non-profit)
  • Websites that utilize cookies, website analytics tools etc. to track users (e.g. the Google Analytics snippet)
  • Websites that allow users to subscribe to a newsletter (e.g. collecting name and/or email address)
  • May have a client login area for document sharing, uploads etc.
  • May collect certain types of customer data when user completes a form on the website (e.g. contact form, download form)

We recommend further customization of a website Privacy Policy in any of the following circumstances, since these features may require additional discovery, privacy policy language and attorney review:

  • May use 3rd party systems for payment processing or to collect donations (e.g. PayPal, Event.com, Active.com)
  • May collect or use user-generated content (e.g. reviews, testimonials etc.)
  • May collect or use imagery that is non-stock photography (e.g. images of customers etc.)
  • Websites aimed at children < 13 years of age (e.g. website selling children’s toys or books)
  • Websites that directly collect, use or store credit-card information from the user
  • Transactional or other custom website applications/systems

If the process to create a website Privacy Policy seems overwhelming, don’t hesitate to contact us, send an email to info@allpryme.com. We create Privacy Policies for companies that meet your business needs while ensuring your business is in compliance with applicable laws.