Standard Privacy Policy

While most Privacy Policies will share certain features and structure, there is no one-size-fits-all Privacy Policy. As every website is unique, so is every Privacy Policy.

A Privacy Policy is a legal document specially crafted to disclose what personal data your app or website collects, what is done with that information, and how that information is kept secure. Since the methods your website uses will be different from another website, your Privacy Policy will also be different.

It's important that your Privacy Policy covers all relevant aspects of your services so your users know what happens to their personal data and so that you are compliant with all relevant laws and regulations.

As you can imagine, Privacy Policies come in many shapes and sizes depending on the legal needs and services provided by the app or website.

For example, the Privacy Policy for a start-up website may be very short and simple, but the Privacy Policy for Amazon.com is multiple pages long with many sections and clauses in order to cover all of the services they provide and data they collect to deliver such a variety of features.

For this reason, there is no standard Privacy Policy or one-size-fits-all solution. You need to ensure your Privacy Policy is complete from a legal standpoint, as well as informative and helpful to your users.

Different clauses for different services

Privacy Policies are composed of a few common elements that should be present in every situation. Beyond that, different clauses will be included depending on the types of services your app or website offers.

For example, a website that processes credit card information will have a section in its Privacy Policy discussing how that credit card information is encrypted and stored so as to keep it from unauthorized access.

In this section, you will find a variety of clauses that are commonly included in Privacy Policies depending on the services offered. Clauses such as these will be mixed and matched to create your Privacy Policy, with each clause being individually tweaked to suit your specific needs.

What information do you collect?

This is a necessary part of any Privacy Policy, disclosing to your users what types of information your app or website collects. This crucial clause lets your users know right from the start whether you will be collecting data they are comfortable sharing.

For example, a website could simply collect an email address for its mailing list during registration. This would be very different from an app that collects the user's name, location, email address, and payment information.

Users have the right to know what kinds of information you collect from them! Below is an example of this clause from Apple:

Apple Privacy Policy: What Personal Information we Collect clause

Note that most privacy laws also dictate that you may only collect personal information that is reasonable and proportional to provide the services that you offer. Even if you disclose what information you are collecting, you need a reason to be collecting it.

What do you do with that information?

In addition to disclosing what types of information you collect, you must also disclose how that collected information is used. This necessary clause informs users about what is done with their personal information after it has been collected.

For example, a website may collect a user's name and address in order to deliver products that were purchased online. It is understandable that this information is necessary and no additional information is collected beyond what is needed. This would be very different from a website that collects a user's name and address and then sells that information to a third-party for the purposes of sending marketing material.

While both websites collect the same information, it is important to know how that information is used after it has been collected. Most privacy laws also dictate that you only use the personal information you have collected for tasks necessary to perform your services.

Below is an example of this clause from Apple:

Apple Privacy Policy: How we use your personal information clause

How is that information kept safe?

When collecting personal data from any individual, there is an obligation to keep that information secure and accessible only to authorized persons. If you are to be trusted with handling personal information about users, you must take appropriate measures to keep that information safe.

For example, if you store customers' credit card information to expedite their future purchases, that sensitive information needs to be securely stored behind firewalls and SSL encryption to keep unauthorized persons from hacking and stealing that data.

Over the past few years, data breaches have affected millions of internet users, and many of the companies involved faced serious legal and financial burdens as a result. If you are going to be handling or storing personal information, it is your responsibility to make sure that information does not fall into the wrong hands and to disclose your methods of safeguarding it to your users.

Below is an example of this clause from Apple:

Apple Privacy Policy: Protection of Personal Information Clause

Do you have users under the age of 13?

This special clause pertains only to certain apps and websites, and is regulated primarily by COPPA (the Children's Online Privacy Protection Act). While protecting the privacy of everyone is important, it is especially important in the case of minors. COPPA sets forth special requirements for apps and websites that collect data from kids, resulting in an additional clause within the Privacy Policy of apps or websites that are intended for children.

If your app or website has young users, you must read and comply with the regulations set forth by COPPA!

Below is an example of this clause from Apple:

Apple Privacy Policy: Children and Education clause

Do you handle medical data?

Medical information is deemed extra-sensitive and therefore regulated more thoroughly. HIPAA (the Health Insurance Portability and Accountability Act of 1996) is the primary law that covers the additional measures required of apps and websites pertaining to health and medical information.

If your app or website deals with health or medical information, you must read and comply with the regulations set forth by HIPAA!

Do you handle financial or credit data?

Financial information is deemed to require privacy measures greater than normal for obvious reasons. As private information related to finances and credit is extra sensitive, there are several laws that regulate what measures must be taken by companies that store or handle this kind of data in order to protect users from identity theft, fraud, and other illegal acts that could affect an individual's finances.

If your app or website deals with credit information or financial data, you must read and comply with the various laws that regulate the services you provide.

Does your app or website utilize third-party services?

A common clause found in Privacy Policies discloses information about any third-party services used by a website. Disclosing information about third-party usage is important because those third parties' Privacy Policies will differ from your own, and users must be able to know who has access to their information and what their policies are.

For example, a website may use a third-party credit card processor in order to complete transactions. While the website itself does not handle or store that transaction information, its users still need to know who has their credit card information and what is being done with it. This can be as simple as stating who the third party is and why it is used, so the user can then go and read that third party's Privacy Policy to make sure they agree with its policies as they pertain to your website.

Below is an example of this clause from Apple:

Apple Privacy Policy: Third Party Sites and Services clause

Additional clauses

Aside from these common clauses, it is likely that your website may require or benefit from additional clauses in order to fully disclose your privacy practices and inform your users about the services you provide.

Explore the Privacy Policies of your favorite apps or websites and see what additional clauses they include to cover the unique services and features that they offer.

Sample Privacy Policy structure

While there is no standard Privacy Policy that you can cut and paste for your app or website, the sample below offers a structure that may help you get started when creating a template for your Privacy Policy.

  1. What personal data do you collect?
  2. How do you use the data you collect?
    1. Do you share or sell the data you have collected?
  3. How do you secure the data you collect?
  4. Disclose third-party services that collect or utilize your users' personal data
  5. Discuss use of Cookies and other tracking technology
  6. Comply with extra regulations for sensitive data pertaining to:
    1. Children
    2. Medical information
    3. Financial information
    4. Credit reporting
    5. Other special regulations
  7. Disclose privacy guidelines for unique services or features you provide

Steps 1-3 of this outline should be included in every Privacy Policy. This may simply be a declaration that personal information is not collected or used in any way. As close as there is to a "standard" Privacy Policy, these three steps are universal: they cover what users expect and what compliance with privacy laws requires.

Steps 4 and 5 are very common in most Privacy Policies, as most apps and websites utilize Cookies, third-party analytics, or other tools to gain insight about the behavior of their users and visitors. Even if you do not use Cookies or third-party services, it is a good idea to state this in your Privacy Policy.

Steps 6 and 7 likely will not be necessary in your Privacy Policy unless your app or website deals with certain information that has been deemed extra sensitive and is subject to additional regulation. If your app or website handles this sort of information or has unique features that use or collect personal data from your users, you should include that information in your Privacy Policy.

Again, there is no universal Privacy Policy that will be adequate for all apps and websites, but the structure above is helpful for getting started and following the best practices when drafting your Privacy Policy.

Your Privacy Policy is an opportunity

Your Privacy Policy is an opportunity to improve your app or website. You should put as much consideration into your Privacy Policy page as you would any page on your website. You want it to be helpful, informative, and easy to read just like any other part of your website.

A Privacy Policy is a resource for your clients and customers that you can use to show them that you care about them and the measures that you are taking to make your app or website safe and trustworthy.

A Privacy Policy shouldn't just be a legal hurdle that you complete and forget about. Your Privacy Policy should be kept up to date and be reviewed periodically. Privacy laws change, your app or website may change, and these changes should be reflected in your Privacy Policy.

It is also important to follow the rules set forth in your Privacy Policy! Writing this document is useless if your practices don't follow the guidelines you set forth in your Privacy Policy. If your practices change, be sure to update your Privacy Policy accordingly.