Last Updated on February 14, 2020
They’re complicated and not especially fun to write, but privacy policies are necessary to protect and respect our users. This post offers guidance on the elements you need in your policy and why they exist. We based the steps outlined below on GDPR guidelines, because it’s the best framework for drafting comprehensive policies, regardless of whether your company must comply with GDPR.
This post is simply a guide—you should always check with your attorney to finalize any policy.
Introduction and Definitions
- Contact information
Principles for Processing Data
When you explain why you collect data and that you take privacy seriously, you should also briefly cover the principles you follow for processing data. Article 5 of the GDPR lists six principles all companies must abide by when collecting and processing personal data. These principles are listed below, and you can also find more information about them here.
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
This section is a chance to be transparent and promise customers that you:
- Believe user privacy and data protection are human rights
- Take protecting privacy seriously and recognize the duty you have to the people whose data you process
- Only collect and process data when it is absolutely necessary
- Will always make it clear why you collect data, how it will be used, and how long you will hold it for
- Will not spam them and will give them the option to unsubscribe
- Will not share their personal information without their permission
Types of data
Most E.U. and U.S. regulations require companies to report the types of data they’re collecting. The GDPR specifically calls out personal data and sensitive personal data. Your policy should be absolutely clear about every type of data you handle and why you need to handle it.
Personal Data includes any information that relates to an identifiable, living person. This includes a wide range of information relating to that person or a combination of information which, if put together, means that the person can be identified. The specifications under GDPR for personal data are very broad, so it’s likely that your company processes some type of personal data from site visitors, even if they never directly contact you or give you their name and email address.
Examples of personal data include:
- Email Address
- Phone Number
- IP Address
Sensitive Personal Data
Sensitive Personal Data (sometimes also referred to as “special category data”) includes much more specific personal data such as an identification number or one or more factors specific to a person’s physical, mental, physiological, economic, cultural, or social identity.
Examples of Sensitive Personal Data include:
- Date of birth
- Ethnic origin
- Social Security number
- Sex life and/or sexual orientation
- Trade union membership
How You Use Data
Examples of what some companies list in this area include:
- Verifying site users’ identity
- Personalizing the advertising they see on the website so that it is more relevant to them
- Improving the design and style of the website
- Sending them service messages about their subscription or account registration
- Enabling them to share your content with others using social media or email
- Compiling customer reviews
- Conducting market research
- Granting them access to a subscription
- Informing them about products, services or promotional offers they might find interesting (if they have chosen to receive those types of communications)
- Logging and using information about any service errors or interruptions on the site that they may have experienced in order to create fixes and make technical improvements.
Legal Basis for Collecting Data
Article 6(1) of the GDPR sets out the situations in which it is lawful to collect and process personal data, including:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
What does this look like in practice? You could write a single statement covering one legal basis, or you could map each type of data to the activity it supports and the legal basis you rely on for it. The Pint of Science Festival is a good example of an organization clearly laying out its legal basis.
Consumers’ Rights to Their Data
Consumers have rights to the data you have collected about them, so you need to tell them what they can do. Some examples:
- They can request information about what data has been processed, who else outside of your company may have received access to it, how long their data will be stored, where/how the data was collected, etc.
- They may request you correct/rectify the record of their personal data if it is inaccurate
- They have the right to request your company erase any of their data or cease processing it
Walmart offers an intuitive layout. They condense the majority of the content, and if the user wants to see additional information, they simply click “More” to expand the text block.
Consult with a Lawyer
After your draft is complete, or if you already have a policy, consult with a lawyer to help you determine the application of relevant data privacy laws to your company’s specific circumstances.
This blog post provides information about data privacy laws to help you understand the potential legal issues associated with them, but should NOT be considered legal advice. We highly recommend you consult with a lawyer to determine the application of data privacy laws to your company’s specific circumstances. While we have conducted extensive research to determine that our content here is as accurate as possible, you should consider this blog post as intended for informational purposes only.