Sample Privacy Policy for US (United States)

Businesses operating from the United States looking to ensure compliance with their legal agreements with the law quickly find that there isn't a single omnibus law governing Privacy Policies or a law protecting identifiable personal information that businesses may collect from users.

Lawmakers and regulators in the United States have opted, instead, for a sectoral approach to regulating how consumer information is protected online.

Learn what are the best practices to implement your first Privacy Policy for your website or mobile app if you're operating from the United States.

A sectorial approach disperses enforcement authority between industry self-regulation, private remedies for civil actions, and civil and criminal penalties levied by the Federal Trade Commission (FTC).

US Flag

While some privacy measures are not necessary in all jurisdictions, businesses should follow some best practices to maximize their Privacy Policy compliance across U.S. state laws and internationally too (for example with EU's Cookie Directive if users are from EU).

Best practices from the FTC

FTC Logo

The Federal Trade Commission's Fair Information Practice is the Commission's attempt to draft best practices for Privacy Policies in the United States.

While the Fair Information Practice principles are not themselves a law or regulation, the principles are based on the FTC's existing enforcement powers, based in laws such as:

  • Fair Credit Reporting Act
  • Right to Financial Privacy Act
  • Electronic Communications Privacy Act
  • Video Privacy Protection Act
  • Cable Television Protection and Competition Act

The Principles of FTC's Fair Information Practice are:

1. Notice / Awareness.

Users should be aware that their personal information is being collected, what kind of information is being collected, and how will that collected information be used (what for).

Asana (based in the US) specifies in its Privacy Policy how they use some of the personal information collected from users:

Asana Privacy Policy - Information We Collect

2. Choice / Consent.

Users should have some ability to control how their personal information is being used and should have an option to "opt-in" or "opt-out" of tracking.

Here's how Pandora's Privacy Policy describes how users can opt-out of various marketing emails that Pandora might be sending:

Pandora Opt-out Info in Privacy Policy

The text reads:

We will send you transaction confirmation emails and other strictly Service-related announcements on rare occasions when it is necessary to do so. For instance, if our Service is temporarily suspended for maintenance, we might send you an email. Generally, you may not opt-out of these communications, which are not promotional in nature. If you do not wish to receive them, you have the option to deactivate your account.

Whenever a business is using Google AdWords Remarketing, their Privacy Policy must be updated to inform users that the website or mobile app the business is operating is using remarketing tags and cookies and how can users opt-out.

3. Access / Participation.

Users should have access to review the personal information collected.

4. Integrity / Security.

Website and/or mobile apps developers should take reasonable security measures. Greater security is needed as more sensitive information is collected.

5. Enforcement Redress.

The FTC identified 3 types of enforcement measures:

  • Self-regulation by the information collectors or an appointed regulatory body.
  • Private remedies that give civil causes of action for individuals whose information has been misused to sue violators.
  • Government enforcement that can include civil and criminal penalties levied by the government.

California Business Code

California Logo

As the most populous state in the United States and the headquarters of many prominent online companies (Google, Facebook, Apple), compliance with California laws have practically become the norm for operating online businesses in the United States.

Section 22575 of the California Business Code sets out the requirement for Privacy Policies of companies operating in California or which collect identifiable personal information of residents of California.

This means that, if you reside in another state, but collect personal information from users in California, you must comply with California's laws.

Under Section 22575, businesses collecting personal information over the Internet about individual consumers residing in California who use or visit their commercial Web site or online service are required to conspicuously post a Privacy Policy on their website.

YouTube, a Google-owned website, places the link to their Privacy Policy in the footer:

YouTube Footer

Additionally, the Privacy Policy should include the following:

  1. Identification of the categories of personally identifiable information that the operator collects through the website about individual consumers who use or visit its commercial website and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
  2. Provide a description of the process for an individual consumer who uses its website to review and request changes to any of his or her personally identifiable information that is collected through the website.
  3. Describe the process by which the operator notifies consumers who use or visit its commercial website of material changes to the operator's Privacy Policy for that website.
  4. Identify its effective date.
  5. Disclose, by providing a clear and conspicuous hyperlink, how the operator responds to web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information across third-party Websites or online services, if the operator engages in that collection.
  6. Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different Web sites when a consumer uses the operator's Web site or service.

While California's Business Code mentions websites mostly, it's important to understand that a online service can be anything that collects personal information from online users:

  • Websites
  • Ecommerce websites
  • Mobile apps (iOS, Android, Windows)
  • Desktop apps (Windows, Mac OS X)
  • Facebook apps
  • SaaS apps
  • Or any other platform where users would share their personal information.

CalOPPA

California Online Privacy Protection Act (or CalOPPA) is another California law that requires businesses to have a Privacy Policy.

The main requirement of CalOPPA law is: website operators must conspicuously link to a Privacy Policy on their website.

Similar to the California Business Code, "operator of a website or online service" doesn't specifically means a website, but to any kind of online service: websites, apps, blogs etc.

Do Not Track ("DNT")

The Do Not Track (DNT) header is the proposed HTTP field that sends a request to a web application (website, mobile app) to disable its tracking or cross-site tracking of an individual user.

There are no legal or technological requirements for its use. Websites and advertisers may either honor the request or completely ignore it.

CalOPPA requires businesses to update their Privacy Policy with a Do Not Track clause disclosing how the website or the mobile app responds to DNT requests.

Special requirements

Both state and federal lawmakers in the United States have enacted special requirements on privacy practices (and thus for Privacy Policies) of certain business models, most often for those business models that involve children, minors or students as users.

In Massachusetts, for example, a "Written Information Security Program" ("WISP") is required if a company has personal information of Massachusetts residents, even if the company itself is not present in the state.

SOPIPA

In addition to the requirements for a Privacy Policy set out by California's Business Code, California also has special requirements for businesses that handle personal information of students under the Student Online Personal Information Act (or SOPIPA).

SOPIPA prohibits businesses (website or mobile app developers etc.) from the following activities:

(1) Targeted advertising.

(2) Use of information, including persistent unique identifiers, to amass a profile about a K-12 student except in furtherance of K-12 school purposes.

(3) Selling a student's information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.

(4) Disclosing covered information unless the disclosure is made:

(A) In furtherance of the K-12 purpose of the site, service, or application, provided the recipient of the covered information disclosed pursuant to this subparagraph:

(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that student's classroom or school; and

(ii) Is legally required to comply with subdivision (d);

(B) To ensure legal and regulatory compliance;

(C) To respond to or participate in judicial process;

(D) To protect the safety of users or others or security of the site; or

(E) To a service provider, provided the operator [complies with SOPIPA]

COPPA

On a federal level, the Children's Online Privacy Protection Act (COPPA) requires companies operating under United States jurisdiction which collect information on children under the age of 13 to post a Privacy Policy and imposes more restrictions on how the collected information is being used.

The FTC has published a simple checklist providing 6 steps for COPPA compliance if your business is targeting children under 13 (such as mobile app games for kids):

  1. Determine if your company is a website or online service that collects personal information from kids under 13.
  2. Post a Privacy Policy that complies with COPPA.
    • List all operators collecting personal information.
    • Describe what personal information is collected, and how it is used.
    • Describe parental rights.
  3. Notify parents directly.
  4. Get a parent's verifiable consent before you start collecting personal information.
  5. Honor parents' ongoing rights with respect to the collected personal information.
  6. Implement exceptions to COPPA's Verifiable Parental Consent requirement.

Security Compliance

All privacy laws and best practices have a "reasonable security" component requiring businesses to protect any information that they've collected.

Among the laws mandating some form of "reasonable" security are:

  • The HIPAA security regulations applicable to the health care industry.
  • The Gramm-Leach-Bliley Act ("GLB Act") that safeguards regulations for financial institutions.
  • State insurance law analogs to the GLB Act Safeguards Rule applicable to insurance companies.
  • State laws governing businesses that maintain personal information of residents. (see Massachusetts, Nevada, and California)

Even if your business happens to operate outside the reach of these particular data security laws, there is a growing consensus that implementation of a formal, written security compliance program is a best practice.

United States vs. the world

United States vs. EU

Flag of EU

For European Union (EU) businesses, the laws regarding privacy (and thus, Privacy Policies) are mainly the Data Protection Directive and the ePrivacy Directive.

When a business directly develops, operates, or distributes a website or a mobile app and is deemed to be a controller (collects personal information), that business is responsible for certifying compliance with the Directive, as well as any additional member state specific laws.

It's important to note what personal information actually is in accordance with these EU Directives:

terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human rights and Fundamental Freedoms

This means that information is considered personal when it's related to an individual who is either directly or indirectly identifiable to the controller or to a third party.

Some examples:

  • name (first and last names)
  • users location, e.g. mobile app geolocation or GPS
  • contacts
  • a unique device identifier, such as a mobile number
  • identity of the data subject
  • identity of the phone (name of the device)
  • credit card and banking data
  • call logs
  • text messages or other forms of messaging
  • browsing history
  • email
  • pictures
  • videos
  • biometrics data
  • and so on

If a certain type of information can identify an individual, it's considered personal data.

If 2 or more types of information, when grouped together, can identify an individual, it's also considered personal data. Taken separately, the information can't identify somebody, but if grouped together, it can identify individuals.

Article 10 of the Data Protection Directive notes that every data subject (user) has a right to know who is processing their personal information, what kind of information is being asked or collected and what's the intended use of the information.

This is distinct from the best practices in regards to Privacy Policies in the United States, which may require notice and consent for transferring personal information to a third party, but not necessarily where the information is going.

Here's how BBC, a London-based (UK) business, informs users in their Privacy Policy about the intended use when collecting their personal information:

BBC: How We Use Your Information

Like the United States, which has laws that vary among the states, businesses should also consider the law of the EU member state in which they are providing the website or mobile app.

France and Germany, for example, have more stringent requirements for protecting data than what's required by the Data Protection Directive.

United States vs. Australia

Australia Flag

In Australia, the Enhancing Privacy Protection Act (Privacy Act), which was updated in 2014, marked some substantial changes to Australia's existing privacy laws.

The Privacy Act in Australia incorporates 13 Privacy Principles that dictates how personal information must be handled by certain governmental agencies and private sectors (businesses.)

A company of any size, with an annual gross income of more than $3,000,000 is subject to this Privacy Act and its regulations.

Businesses whose income is less than $3,000,000 annually might still be covered by one of the exceptions:

  • A business that discloses personal information about another individual to anyone else for a benefit, a service or an advantage is covered.
  • A business that provides a benefit, a service or an advantage so that they may collect other individuals' personal information is covered.
  • A website that does not gross more than $3,000,000 annually and that requires an email address for activation from is not covered.
  • If a website or mobile app owner decides to start selling the email addresses the website/app collected to advertisers, the Privacy Act would cover this.
  • Additionally, certain kinds of specialty organizations, such as health care providers, are covered.

A small business (less than $3,000,000 annually) may still choose to opt-in to be covered by the Act.

If a small business would otherwise not be covered by the Australia's Privacy Act, the business may petition to be covered by the Act to assure their customers that they are committed to privacy. Many small businesses will not be covered by the Privacy Act but might find some benefit in voluntarily choosing to be covered.

If the business is covered by the Act and must adhere to the Australian Privacy Principles, they are considered a "covered entity" for the purposes of the law.

You can look at the Privacy Policy of Atlassian for an example of Privacy Policy for Australian businesses. Atlassian is based in Australia.

Atlassian Privacy Policy

Although best practices in regards to privacy practices and/or Privacy Policies in both the United States and Australia are largely the same, Australia benefits from the clarity of the privacy laws being compiled into a single law, rather than the hodgepodge of administrative and enforcement powers of the FTC.

Australia's threshold for business income when applying their privacy law has no equivalent in the United States, which is more oriented towards the location of the business or consumer.

United States vs. Canada

Canada Flag

In Canada, the Personal Information Protection and Electronic Documents Act (or simply PIPEDA) governs the collection and use of personal information from users and how it's protected.

PIPEDA requires businesses operating in Canada to obtain a user's consent when collecting, using or disclosing that user's personal information.

Schedule I of PIPEDA provides 10 Fair Information principles that businesses must follow to remain in compliance.

The personal information that a business collects through its website or mobile app may only be used for the express purpose for which it was collected.

Any additional use outside the scope of the original grant requires further consent from the user. And users must be assured that the business will reasonably protect their personal information.

Generally, the law gives individuals the right to:

  • Know why an organization collects, uses or discloses their personal information
  • Expect an organization to collect, use or disclose their personal information appropriately, and not use the information for any purpose other than that to which they have consented
  • Expect an organization to protect their personal information by taking appropriate security measures
  • Expect the personal information an organization holds about them to be accurate, complete and up-to-date
  • Obtain access to their personal information and ask for corrections if necessary
  • Complain about how an organization handles their personal information if they feel their privacy rights have not been respected

Canada's PIPEDA requires businesses to:

  1. Get consent from users when the website/mobile app collects, uses and discloses personal information
  2. Have Privacy Policies that are clear, understandable and available
  3. Collect personal information by fair and lawful ways
  4. Supply the user with a product/service, even if the user refuses to give consent, unless the collection of personal information is essential to the transaction

For an example of a Privacy Policy from a Canada-based business, you can take a look at Privacy Policy of Shopify:

Screenshot of Shopify Privacy Policy

Like Australia and the European Union, the most notable difference between Canada's PIPEDA and privacy laws in the United States is the existence of a single statute and enforcement authority as opposed to the sectorial approach of the United States.