Privacy Policy for Websites - Free Template
Few entrepreneurs consider online privacy policy issues when they build their websites. However, with the General Data Protection Regulation (GDPR) laws being passed in the EU, that will have to change if they hope to do business there.
In this post, we’ll detail the elements of a successful privacy policy and provide a GDPR-compliant, free-to-use template at the bottom of this page so you can begin constructing your own agreement.
Online Privacy Policy Basics
First, let's take a look at some basic information about a website's online privacy policy.
What type of site needs a privacy policy?
Any website or service that collects data from users, tracks users with analytics, or displays ads needs one. If the business is located in the EU or plans on doing business with citizens of the EU, it will have to make sure its privacy policy meets the GDPR standards.
Why are these policies necessary?
Your online privacy policy explains to users:
- What information you gather
- How you collect the information
- How you store and protect the information
Is there a difference in the types of information collected?
Yes. Most policies separate personally identifiable information from non-private data.
The National Institute of Standards and Technology (NIST) defines personally identifiable information as:
“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Non-private data is defined as:
“Information that may correspond to a particular person, account or profile, but is not sufficient to identify, contact, or locate the person to whom such information pertains.”
Examples include:
- Browser type
- Browser plug-in details
- Local time zone
- Date and time of each visitor request (e.g. arrival at and exit from each web page)
- Language preference
- Referring site
- Device type (e.g. desktop, laptop, or smartphone)
- Screen size, screen color depth, and system fonts
Many users concerned with sharing this non-private data employ browser extensions to mask its availability. VPNs also help avoid sharing certain types of non-private data. For instance, a VPN can mask the time of the site visit as well as the user’s local time zone.
Are there legal consequences if I do not post a privacy policy?
Yes. Collecting data without detailing the activity to users is punishable by law. You are also at risk if you violate the terms of your policy by collecting more than what you state or otherwise change the data collection/use without updating the policy.
Sites that aren’t GDPR compliant could face fines of up to 20 million Euro or 4% of their global revenue.
Online Privacy Policy - Free-to-Use Templates
Thanks to their length and complexity, most online privacy policies go unread. In fact, one study found they are so cumbersome that it would take the average person about 30 full working days to actually read the privacy policies of the websites they visit in a year.
One of the changes that web owners will need to make to keep their privacy policy GDPR compliant is to shorten their privacy policy, making it concise and easy to understand.
Complex as they can be, they also address many users’ greatest internet-related concerns: data security, fraud protection, and personal privacy. And since online consumers are becoming more aware of privacy issues, it behooves a website owner to make the online privacy policy as clear and concise as possible. In the analysis below, we detail the most important sections of these agreements and offer free-to-use template language that cuts through the legalese.
Point #1: Information Collection
Every policy should explicitly describe what information the site collects, its collection methods, and what will happen with the collected data.
Point #2: Information Use
After detailing the information collection, the policies then describe how the website owners use it. Facebook had trouble with this message when it sought to update its privacy policy in 2013. The company wanted to add language to its policy so it could use personal data about its members, including children under 18, for advertising purposes.
Facebook eventually abandoned this language when watchdog groups called it to the attention of the Federal Trade Commission. In 2014, Facebook rolled out a plain English version of their privacy policy, which cut the legalese by two-thirds.
Companies – and their websites – that take your data security seriously:
- Never sell personally identifiable information to third parties
- Anonymize and/or encrypt the data to protect against breaches
- Only store the data for a short period of time
Point #3: E-Commerce Considerations
For e-commerce platforms, the policy must stipulate the protective measures in place for personal financial information gathered to facilitate transactions. This encompasses data such as credit card details, social security numbers, or bank account details.
Point #4: 3rd Party Information Disclosures
There should be clear language about the website’s relationship(s) with 3rd parties. Ideally, your site will not sell or share personally identifiable information unless there is a legally compelling reason. It should also detail what your company does with non-private data.
Point #5: Information Security and Tracking
Today’s best privacy policies highlight their information security and detail cookie use.
Google endured privacy policy issues last year thanks to its cookie disclosures. The UK’s Information Commissioner’s Office forced the internet giant to include information about who may collect “anonymous identifiers” – which are similar to cookies – and the purposes to which the company put that data.
Point #6: Unsubscribe Methods
Every online privacy policy should state how a customer can unsubscribe from unwanted communications.
Point #7: Consent
The standard online privacy policy states that users agree to the policy simply by using the website. In addition, the policy must explain the rights of the individual, such as sending in a request to delete or change some of the data and/or seeing the data that was collected about them.
Click here for a template you can use.
Summary: Your Online Privacy Policy Enhances User Trust
Your privacy policy offers valuable protection for your company and your users. Most of all, it creates a heightened level of trust. By presenting plain English, straightforward policies that describe concrete protections, your site will have an advantage over competitors with complex, confusing policies.
The template language provided in this post should be a starting point only. Every website has different methods and intentions and the best privacy policies reflect a high level of customization. To ensure the effectiveness of your policy, consult with privacy lawyers and research other policies from companies similar to yours. Most of all, keep checking www.vpnmentor.com for more information on policy language and privacy issues.