Global and local laws require a Privacy Policy when collecting a user's personal data. This article details what makes a good Privacy Policy.
A Privacy Policy describes the personal data you collect, how you use it, who has access to it, and how you protect it. You must make your policy public, and people must agree to it before using your website, app, or product.
Personal details are personally identifiable information that is unique and pertains to an individual. Personal details include:
Note that other data, such as place and date of birth, isn't necessarily personal on its own, because different people can share this information. However, when combined with other personal information, anyone can use it to identify a specific person.
A good privacy policy must be legally compliant and easy to understand to establish user trust and mitigate legal risks.
Your Privacy Policy must include the following:
Here are some considerations to make your Privacy Policy easy to read and understand:
Privacy policies keep you compliant with the law and provide transparency for your readers and customers. Your Privacy Policy will have specific wording depending on what data you collect and how you use it.
However, all Privacy Policies should contain the following:
In the US, Privacy Policies must contain the information outlined in the California Online Privacy Protection Act, or CalOPPA.
The law requires you to include two essential clauses: the type of data collected and the reason why you collect it.
Narratize, a generative AI app, states what information they collect:
Narratize also states how they will use the information they collect:
CalOPPA also requires you to include a way for users to review and change the information you've collected about them. You also must give users a way to opt out:
Here's an example, again from Narratize:
The legislation requires your policy to contain the date it goes into effect, an update notice, and any changes to the agreement since then.
Narratize states how they will notify users of any updates:
Consider adding the following to your Privacy Policy.
Add your business name, address, and contact information.
If you sell personal data to a third party, you will need to disclose that.
Include contact information for your legal team.
Users will want to know how safe and how long you'll keep their data.
Detail how you gather a user's data by polls, surveys, tracking, or other means.
Users must know what privacy risks they may encounter while using your product, website, or app.
Identify how you handle the Do Not Track option. DNT is a clause that lets users know you respect their decision not to be tracked by advertisers and third parties.
Here are details of a few laws that require Privacy Policies.
The Children's Online Privacy Protection Act (COPPA) requires online services for children 13 years of age or younger to acknowledge that they're collecting personal information from a child. It applies to both US and globally-based businesses.
Your website must comply with COPPA if any of the following applies:
The California Consumer Privacy Act (CCPA) states that customers have control over the personal details that businesses collect about them. The law protects users' privacy through the following customer rights:
The California Privacy Rights Act of 2020 (CPRA) builds on previous privacy rights stated in The California Consumer Privacy Act (CCPA) by allowing customers to request that the business collecting their data disclose what information is collected. It enables users to either opt out of selling their personal data or to delete it.
Specific laws have different requirements, depending on where people use your app or website.
The European Union's General Data Protection Regulation, GDPR, is meant to give users better control over collecting and removing their private information. The GDPR applies to all companies that process the personal data of EU citizens.
Canada's Personal Information Protection and Electronic Documents Act, PIPEDA, controls how privately owned businesses collect and use personal information. It also provides for the investigation and enforcement of compliance.
The United States California Online Privacy Protection Act, CalOPPA, safeguards anyone in California by requiring a prominently placed Privacy Policy from any website that collects their personal information.
Biometric information is data produced by technologies such as face and fingerprint recognition. Biometric data is protected under the law. For example, Utah's Genetic Information Privacy Act (GIPA) details how direct-to-consumer (DTC) genetic testing companies should obtain users' consent to collect and use their biometric information.
Users have the right to access and remove their genetic data from DTC companies.
According to CalOPPA, your policy must be easy to locate. Best practices are to include links anywhere you collect personal information, such as:
Western Union, a money-sending app, links its Privacy Policy in its footer:
Western Union also mentions its Privacy Policy on its Terms and Conditions page:
There are a few ways to write your Privacy Policy. Here are a few examples.
Hiring a lawyer may be the easiest way to ensure you have a legally compliant Privacy Policy. However, it is also the most expensive.
Writing a Privacy Policy yourself can be difficult and time-consuming. You may also inadvertently leave out information required by law.
Using a template or generator is the most cost- and time-effective option. Answer a few questions, and get a template or complete policy you can download immediately.
The most serious consequences of not including a Privacy Policy on your website are:
You should include the following when updating your Privacy Policy:
You should notify users of any changes within two weeks or as soon as possible. You can also let users know the changes are already in effect.
When creating your original Privacy Policy, decide how to send updates. Include the update method in that policy. You can update users using email, a website popup, or an on-site news release.
Here's an example of an updated Privacy Policy from Klarna, a Fintech company. It's easy to read and includes what's changed, the effective date, and a link to the update online:
The notification comes via email and outlines what's changed from the previous policy:
If you fail to notify users of changes to your Privacy Policy, you risk a lawsuit.
When creating a good Privacy Policy, it's helpful to remember the following: