Launching a website? This guide goes through what you need to know about creating, and writing, a privacy policy for your website. Don't know if you do need a privacy policy? A very simple question will answer this for you: do you collect any kind of personal data from your users? If yes, then you need a privacy policy – it's required by law in most countries.
Think you've got what it takes to write a manual for MakeUseOf.com? We're always willing to hear a pitch! Send your ideas to justinpot@makeuseof.com; you might earn up to $400.
Table Of Contents
1 What Is A Privacy Policy?
2 Privacy Policy Requirements
3 Privacy Policy Best Practices
4 Sample Privacy Policy Clauses
5 Privacy Policy Study Cases
6 Privacy Policy Versus Terms and Conditions
7 Privacy Policy Template
8 Conclusion
MakeUseOf
1 What Is A Privacy Policy?
What is a privacy policy? What are the legal requirements regarding privacy policies? What are the best practices for writing this agreement?
The guide will answer these questions for you. Please note that this guide is for informational purposes only, and does not constitute legal advice.
1.1 Definition
The definition of a privacy policy, as outlined by Wikipedia: "a statement or a legal document that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client's data."
So, a privacy policy is a legal statement that tells the user how a company or website operator may use, gather, manage or share the personal data that the user sends to the website when using that website or service. Privacy policies are considered to be one of the most important pieces of information on a company's website, because it references how users' personal information collected on that website will be treated. People want to know that the information they enter on a website is going to be processed correctly and, once stored, it is going to be protected.
What is personal information? Personal information can be anything that can be used to identify an individual, not limited to but including:
Financial records
Credit card information
Medical history
Facebook, with its complex Privacy Settings, is asking for a first name, last name, email address, gender and birth date when you register for a new account. All of this is personal information.
For a website operator, the privacy page is where you should declare how you collect, store, and release personal information you receive from your users. The page needs to inform the user what specific information is being gathered, and whether it is kept confidential, shared with third parties and so on.
1.2 Principles
Personal information should only be collected if it's done correctly and in accordance with the law. When crafting a privacy policy for your site, it might be helpful for you to keep in mind the following three principles.
Transparency
Users have the right to know how their information is being used. As a point of law, the website owner must provide his contact details, along with the purpose of processing, the recipients of the data and any other information that would be relevant to the user to know.
In 2012 Google launched the Good To Know campaign, which promotes privacy transparency and gives users more details on how their information is being used across Google's services.
In general, personal data can only be processed if the following circumstances are met:
Users have given their consent for their personal information to be collected
When processing of personal information is necessary for the performance of or for entering into a contract in order to fulfill legal obligations and compliance
When processing is necessary for the purpose of protecting the interests of the user
When processing is necessary for the pursuit of legitimate interests by the data controller (website owner) or by any third parties to whom the data are disclosed
The user has the right to access the data about him and has the right to demand rectifications, deletion or blocking of data that is incomplete, inaccurate or isn't being processed in compliance with the data privacy law.
Personal data can only be processed in an adequate and relevant way. It cannot be processed in a manner that is excessive relative to the purpose for which it was collected.
The collected information needs to be accurate and kept up to date. Businesses must take reasonable steps to make sure that any data collected would not be inaccurate or, if it's incomplete, to be erased or rectified. Personal data must be kept in a confidential manner. Businesses must have appropriate safeguards for processing personal data.
1.3 Quick Facts
Privacy policies are necessary, required by law and also helpful for establishing users' confidence when using your website.
This type of agreement guides your users and helps them know how your site collects and securely stores their personal data (such as an email address). This practice of being transparent with your users and potential customers through a privacy policy page can increase trust.
In Aug 2013, the Office of the Australian Information Commissioner (OAIC) released the results of a "Privacy Sweep" report. The sweep was part of the first international Internet privacy sweep, an initiative of GPEN (Global Privacy Enforcement Network). The report states that over 65% of the privacy policies examined provided information that was not relevant to the handling of personal information. Some websites did not have a privacy policy at all.
Among the best practices observed from this Internet sweep was that it's possible to create a transparent privacy policy by making it easily accessible, simple to read and containing the privacy-related information that the consumer would be interested to know.
Google's Shared Endorsements were in the news last year. This feature changed the details of their privacy policy, but Google provided a web page where users can learn what these Shared Endorsements are, and how they can opt out of having their profile used for these ads.
2 Privacy Policy Requirements
For many online businesses, collecting user information is a necessary part of doing business, but it is the company's or the website owner's legal obligation to take steps to properly secure (or dispose of) this data.
Financial data from online financial tools, personal information from children (under 13) and material derived from credit reports may need additional compliance considerations, as opposed to an online business with a business model that involves less personal information.
2.1.1 United States of America (USA)
There are several federal and state laws that have provisions for data privacy in the US, such as:
the Americans with Disabilities Act;
the Cable Communications Policy Act of 1984;
the Children's Internet Protection Act of 2001;
the Computer Fraud and Abuse Act of 1986;
the Computer Security Act of 1997;
the Consumer Credit Reporting Control
and several others.
In every aspect, an American's privacy (in theory) is protected by more than one applicable federal and state law.
The Federal Trade Commission (commonly referred to as the FTC) is the government office that regulates data protection for consumers in the US.
The FTC issued a set of guidelines for companies to follow when writing their privacy policies:
1. What information does the company collect and how does it do so?
2. How does the company protect the information it collects?
3. How does the company use the information it collects?
4. Does the company share the information it collects with others, and if so, what is shared and with whom is the information shared?
5. Do customers have control over their personal data, and if so, what control do they have?
For different types of companies, the legal requirements of having privacy policies are more extensive, as there are federal (as well as state) laws that regulate what must be disclosed in a privacy policy by companies that collect, use and share customer information in a variety of circumstances. For instance, the Children's Online Privacy Protection Act (COPPA) governs websites or online services that collect personal information from children under the age of 13. Some websites avoid these obligations by discouraging children from using their service altogether: the Tumblr app is now for only ages 17 & up in the iTunes store.
The Gramm-Leach-Bliley Act regulates the use and sharing of a person's financial details by financial institutions, and the Health Insurance Portability and Accountability Act governs privacy in relation to health-care services.
Path, the personal sharing app, was fined $800,000 USD by the FTC for failing to comply with COPPA and because the app stored the names and numbers from the users' phonebook without a proper disclosure.
2.1.2 Australia
The Privacy Act of 1988 is the law that governs Australia's data privacy. The act includes several principles when dealing with personal information of individuals:
11 Information Privacy Principles that apply to public sector agencies
10 National Privacy Principles that apply to Australia-based businesses when they collect, use and store personal information from Australians
Information related to credit reports (such as credit reports or credit worthiness) is subject to other specific rules. The Act allows companies to opt in to be covered by the Act.
For example, the privacy policy of Shop A Docket, an Australian website for deals and coupons, specifies that they make an effort to handle personal information in accordance with the Privacy Act of 1998:
We make every effort to maintain the highest standards in dealing with personal information in accordance with the Privacy Act 1998 (Cth) and the ADMA Code of Practice ("the Law").
2.1.3 United Kingdom (UK)
The Data Protection Act 1998 (or, the DPA) is the governing law on data privacy in the United Kingdom.
The Data Protection Act controls how your personal information is used by organisations, businesses or the government.
- Data protection on GOV.UK
The DPA contains strict rules (called principles of data protection) to make sure the data gathered by businesses is being collected, used and stored correctly.
You can find the full text of the law here. The GOV.UK website summarises these principles:
information is used fairly and lawfully
information is used for limited, specifically stated purposes
information is used in a way that is adequate, relevant and not excessive
information is accurate
information is kept for no longer than is absolutely necessary
information is handled according to people's data protection rights
information is kept safe and secure
information is not transferred outside the UK without adequate protection
Hungryhouse, an easy one-stop shop for restaurants in the UK (which also has a mobile app), mentions in their privacy policy that they comply with the principles of the United Kingdom's Data Protection Act of 1998:
Hungryhouse.com Ltd complies with the principles of the 'Data Protection Act, 1998' and is registered with the Information Commissioner's Office who oversee this act.
2.1.4 Canada
In Canada, the law that governs data privacy is called the Personal Information Protection and Electronic Documents Act (or, PIPEDA). You can find the full text of the law here.
The Act applies to businesses that collect, use and store personal information from Canadians during a commercial activity. Exempt from PIPEDA are businesses that are subject to provincial legislation that is deemed substantially similar to PIPEDA "with respect to the collection, use or disclosure of personal information occurring within the respective province".
Under the PIPEDA act, personal information is defined as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. Under this law, active businesses in Canada are required to:
get the user's consent when collecting and using personal information
collect personal information by fair and lawful means
have personal information policies (like the privacy policy) easy to read and easy to find
2.1.5 India
The Information Technology Act 2000 (IT Act 2000) incorporates a few provisions regarding data protection in India. Outside this Act, there are no other dedicated data protection laws in India.
RedBus, an online bus booking website in India, has a privacy policy similar to what other websites have. Its agreement covers the most important principles of a privacy policy: collection, sharing and security of personal information.
2.1.6 European Union (EU)
Countries in the European Union have their own national laws that govern data privacy, but at a European Union level Directive 95/46/EC, or the Data Protection Directive, aims to harmonise these data protection laws across the EU member states. You can find the full text of the directive here.
Under this directive, the personal information of users can be collected under strict rules and businesses must respect certain rights of the owners of the personal data.
The names of data privacy laws for various EU member states, per country:
Switzerland: the Federal Law on Data Protection of 1992
Denmark: the Act on Processing of Personal Data of 2000
France: the Data Protection Act of 1978
Germany: the Federal Data Protection Act of 2001
Italy: the Data Protection Code of 2003
Norway: the Personal Data Act of 2000
2.2 Requirements by Third Parties
To run a website, you sometimes use third parties for various purposes: Google Analytics for stats, MailChimp for sending marketing emails and many other tools. Some of these third parties may require you to adhere to certain requirements in relation to your website's privacy policy.
Google, for example, requires you to update your privacy policy if you use their remarketing services (also known as retargeting) from Google AdWords or Remarketing Lists with Google Analytics.
If you use any advertising service from Google on a website or section of a website that is covered by the Children's Online Privacy Protection Act (COPPA), you are required to notify Google of those specific
You must not use interest-based advertising to target past or current activity by users known by you to be under the age of 13 years. But the disclosure of using remarketing or retargeting must be included in any privacy policy, regardless of the tool you're using to benefit from this activity (Google AdWords, Facebook or any other).
This applies to running ads on Facebook as well, even if you do it through a third party like AdRoll. AdRoll is a Facebook Exchange official partner that you can use for retargeting on Facebook.
Amazon, with its new "Login With Amazon" service, requires new customers registering with this service to have a privacy policy and include a URL to their page when registering a new app.
Depending on which online tools your business is using (or plans to use), it's a good idea to have a look at their privacy policy to determine how they use the data they're collecting and if there are any requirements to update your own privacy policy after signing up as a member.
3 Privacy Policy Best Practices
The State of California (USA) has been held as a model of Internet privacy policies worldwide. The California Online Privacy Protection Act of 2003 ("OPPA") was the first state law in the nation to require owners of commercial Web sites or online services to post a privacy policy.
The California Attorney General announced measures to improve privacy protections for consumers who access the Internet through mobile apps.