What is a privacy policy meant to communicate? Most websites and apps collect data from users via cookies and other tracking technologies. These technologies do everything from helping to make websites work correctly, enable ecommerce, and collect visitor statistics and user behavior information. Some of this information can be collected without notifying users, but in most cases, a clear and accessible privacy notice is required.
In this article, we cover everything you need to know about privacy policies, why you need one and how to create a privacy policy for your business.
What is a privacy policy?
A privacy policy is a legal document required by most data privacy laws, which outlines how you process your users’ or customers’ personal data. This includes how you collect, store, use, share and protect personal data and what rights users have with respect to their data.
You need to establish user privacy policies if you collect personal data through your website, mobile app, email newsletter, social media platform or account, TV app, ecommerce platform, smart home device or online marketplace. This is not an exhaustive list, and you may use another medium altogether. Regardless of where you collect personal data from, your privacy policy statement should explain your company’s privacy practices and how they affect users and their data.
Global privacy laws require organizations to clearly communicate specific information about what data is collected, for what purpose, who it may be shared with, and how it is secured. This is what a privacy policy — also called a privacy notice or privacy statement — is for, and is why you need one as part of your data compliance strategy for the GDPR, CCPA, LGPD and other applicable regulations.
Your users and customers should be able to easily find your privacy page or privacy information on your website, app or other platform.
Privacy policies and understanding personal data and collection
What is personal data?
Most websites and apps collect functional, statistical, or marketing data from visitors via cookies and other tracking technologies. This data is collected whether the user is accessing the website from a laptop, tablet or mobile device.
Privacy laws typically define this information as the personal data of the users from whom it’s collected via their online activities. Because such data can be used to identify an individual, it is legally protected. Personal data can include information like:
- first and last name
- email address
- account username
- phone number
- browsing history
- credit card details
- IP address
- Social Security number
Some personal data can also be classified as “sensitive” if it could be used to inflict harm, such as health information, religious affiliation, sexual orientation, or racial background.
How do I know what cookies my website uses?
Websites and apps use cookies and other tracking technologies for everything from making the website function correctly to enabling ecommerce to gathering marketing data.
Using a scan to audit your website’s cookies is a great first step to understand what personal data you collect and how information about that data and cookie use must be communicated in your website privacy policy.
Our step-by-step checklist will help you determine your responsibilities.
Users’ privacy rights
Privacy laws like the GDPR, CCPA or POPIA require that users be notified when their personal information is collected, including, for example, from Art. 13 GDPR:
- who is collecting the information, who their representative is, and their contact information
- the purpose(s) and method(s) for collecting the information
- the categories and specific information being collected
- the legal basis or legitimate interest for the data collection
- any third parties used to collect the information or with whom it may be shared
- the contracts or adequacy agreements with any third parties that will access the data
- the security measures in place to protect the information
This information is included in a standard privacy policy and must be specific to each organization depending on their operations, data collected and relevant legal jurisdictions. In many cases, users must also be provided with the option to consent to or decline the collection or sale of their personal information as well as be provided a process to do so. This information should also be part of a legally compliant privacy policy.
Privacy laws typically protect consumers by stipulating that those who decline the collection or processing of their personal information cannot be denied access to products or services, or otherwise discriminated against by a company, for refusing consent for data collection or use.
Legal requirements and risks
In many jurisdictions, the legal requirements for and contained in a standard privacy policy depend on where users are located and local protection laws. They do not depend on the type or size of business or revenue (with some exceptions, particularly in the United States), if the website is used for ecommerce, or whether or not it requires account creation. If you have EU customers, for example, you need a GDPR-compliant privacy policy statement.
It is important to know what data your website or apps collect, how it’s used, who will have access to it, and what laws are applicable to your company to ensure your privacy policy is complete and accurate. It also needs to be regularly reviewed and updated as operations, technologies and the regulatory landscape change. A privacy policy is a legal document, and as such we recommend working with qualified legal counsel and having a corporate Data Protection Officer.
Failure to comply with privacy policy requirements can contribute to regulatory noncompliance and penalties like heavy fines, prosecution, loss of business licenses, data deletion and reputational damage to the company.
Third-party services and privacy policies
There is a legal requirement that a privacy policy must outline third parties that will have access to or process the data you collect. However, it goes both ways. Many third parties require website and app operators to post a privacy notice if they use the third-party services.
These services can include in-page or in-app advertising, analytics services, ecommerce or app store usage and more. Services from large companies like Apple, Google, Facebook and Amazon are very widely used, and they all require companies that use their services to communicate with customers or users what data they collect, for what purposes, and what is done with it.
Privacy policies under data protection laws in different countries
The European Union’s General Data Protection Regulation (GDPR): The GDPR requires transparency about the collection and use of personal data from EU residents. It necessitates that privacy policies include the types of data collected, purpose(s) for processing, the legal basis for processing, data retention periods, and the rights of individuals concerning their data. It also requires information on data transfers, how users can withdraw consent, and how users can lodge complaints with supervisory authorities.
United Kingdom General Data Protection Regulation (UK GDPR): The UK version of GDPR maintains very similar requirements for privacy policies as the EU GDPR, including having detailed information on data processing activities and data subject rights. Data collectors must proactively make visitors aware of this information, and visitors must have an easy way to access it.
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): The CCPA/CPRA mandates that businesses have a ‘notice at collection’, where they inform California residents about the categories of personal information collected and, if they sell the information, the right to opt -out of its sale. This notice at collection must contain a link to a standard privacy policy that details the business’s data privacy practices and informs consumers of their privacy rights and how to exercise them.
Brazil’s Lei Geral de Proteção de Dados (LGPD): Brazil’s LGPD requires organizations to provide clear and comprehensive information about data collection and usage, which can be done through a privacy policy statement. It must include data subjects’ rights, the purposes for which data is processed, and the duration of its processing, among other requirements.
South Africa’s Protection of Personal Information Act (POPIA): South Africa’s POPIA stipulates that the data collector must document all processing activities and take reasonable steps to notify consumers when collecting personal information. The notification can be done via a privacy policy.
Read more about data privacy regulations on our blog.
Why your website needs a privacy policy
A privacy policy for your website is essential for clarity on data handling practices, providing visitors with an understanding of what information is collected and how it is used. With regulations like the GDPR and CCPA setting stringent rules on data privacy, a compliant privacy policy helps avoid substantial fines and legal complications.
In addition to being a legal requirement, a comprehensive privacy policy is also important for your brand and for building user relationships. Consumers are increasingly aware of their online privacy rights and the mass collection of their data. They may not understand adtech in depth, but they should be able to exercise their rights and have confidence in the websites they visit, the apps they use, and the companies they do business with.
Making it clear what data you collect, how it’s used, who has access to it and how you keep it safe shows users that your company has mature processes in place to respect and safeguard privacy. It shows you respect the people who provide their time, data and money to your company, and that you aren’t just interested in strip mining their information. A clear, up-to-date and easily accessible privacy policy for your website is a great tool for demonstrating your business’s principle of transparency and building user trust.
