How To Write a Privacy Policy

A.J. Kmetz, Small Business Advice

If you’re a small business, making a statement about how you respect and protect the information of people who visit your site, a.k.a. a privacy policy, might not seem that important. Try looking at it from the other side, though. Your data and information are everywhere. How do we know? Because you’re here, on the internet, reading this. The same is true of every other internet user out there.

This frightens some people. It might even frighten you, particularly if you’ve had personal information stolen online (or if you’re watching the new season of Westworld). But don’t go off the grid just yet! Instead, let’s talk about privacy policies, how they can help users take back control of their information, and what you need to do to create one for your business.

Disclaimer: This post provides information to help you get started writing a privacy policy, but it should not be considered legal advice. It should be taken as informational advice only. We recommend that you consult your lawyer to determine how data privacy laws apply to your specific company. 

What Is a Privacy Policy?

At the most basic level, a privacy policy lets visitors to your site know what you’re doing with the information they give you. As an online entity, you have a responsibility to your users to be respectful of any information they give you. After all, you would want the same from them! These policies (even those that go unread) help create an environment of transparency and honesty between you and your customers. They can even help increase brand trust, something we predicted would be an important part of digital marketing this year.

They also help protect your business from fines or lawsuits. Certain regulations actually require privacy policies. Here are the major ones, with links to a guide for each courtesy of

  • COPPA, the Children’s Online Privacy Protection Act (U.S.)
  • CalOPPA, the California Online Privacy Protection Act
  • PIPEDA, the Personal Information Protection and Electronic Documents Act (Canada)
  • GDPR, the General Data Protection Regulation (E.U.)

Don’t feel bad if you’ve never taken the time to read one. A Carnegie Mellon study found that if you read the privacy policy for every website you visit, it would take you between 181 and 304 hours to get through them all. And as they’re updated regularly, you would have to do that every year! This is because many privacy policies aren’t built to be read by the average user. We’re going to look at how you can do things differently.

An effective privacy policy is:

  1. Clear, concise, and easy to understand, keeping technical and legal jargon to a minimum.
  2. Updated every time the use of personal information is changed, and users are directly informed of these updates.
  3. Strictly implemented by you and your staff. A policy is only as strong as its implementation. Don’t set it and forget it!

Where Do I Start?

First, tell your readers why you’re all here. Clearly spell out who you’re referring to in the policy: who your company is and who the users are. Explain what’s in the policy and what services or aspects of your business it covers. This is what ours looks like:

“This Privacy Policy governs the manner in which Punch Bug Marketing collects, uses, maintains and discloses information collected from users (each, a “User”) of the website (“Site”). This privacy policy applies to the Site and all products and services offered by Punch Bug Marketing.”

You can read the rest of our policy here.

Now you’ll need to identify the reasons you’re writing it – namely, what information you’re collecting from your website’s users. Here are two categories you can split that information into, as well as some examples of what that information might be:

Information provided indirectly

  • Browser name
  • Computer type and operating system
  • Internet service provider
  • IP address
  • Access date and time

Information provided directly

  • Name
  • Address
  • Phone number
  • E-mail address
  • Date of birth
  • Ethnicity and genetic information
  • Political affiliation
  • Religion
  • Sexual orientation

To protect children, COPPA restricts companies and organizations from collecting personal information from anyone under 13 years of age. Make sure that your privacy policy reflects that and informs parents that if a child provides your company with personal data, they should contact you to have it removed from your servers.

What Purpose Does This Information Serve?

Next, disclose how you’re collecting this information. Your list might look like this:

  • Cookies (these are used to track information about a user’s activity on a website, like virtual ID cards)
  • Web forms
  • Registrations and sign-up sheets
  • Order placement (including credit card information)

Now that you’ve let your users know what you’re collecting and how, tell them why. What are you doing with their information? Is it relevant to the service you’re providing when you collect it? If not, why are you collecting it? This is a good time to determine whether you need to continue to do so. In fact, the GDPR mandates that you have a good, legal justification for processing your users’ personal information.

Here are ways you might be using information:

  • Verifying identity
  • Compiling reviews
  • Sending newsletters or emails
  • Improving customer service
  • Allowing users to create personalized profiles
  • Improving website performance and logging errors
  • Completing transactions

Lastly, give your legal basis for collecting this information. Do you have the consent of your users to collect it? Usually, by using your services, users are giving you consent. Is your data collection a legal obligation, a public task, a contract, or a vital interest? This rounds out the why of your data collection.

Who Am I Sharing Data With?

You’ve shared what data you’re collecting and how and why you’re doing it; now you need to let users know how you’re going to protect it. What kinds of computer safeguards are in place, and does your company use secured files or physical access controls?

You are allowed to responsibly share user data with third parties. However, you need to be transparent with your users about the general types of third parties involved. For example, you might be sharing information with data collectors, analytics services, payment processors, or even mail carriers for product delivery. When you include third parties in your privacy policy, make sure you’ve read their privacy policy or terms and conditions first. Certain companies, like Google Analytics, require you to list them by name in your policy.

Even if you’re not planning on selling your company, you should still include a business transfer clause. This lets users know that if your company merges or is sold, their information may be passed to a new owner.

How Do I Communicate with My Users About Their Data?

Remember, users have a right to their data and they can communicate with you regarding it. Be clear as to how they can do so and make the process as easy as possible by making sure your contact information is updated. Inform users of who or what department they need to contact with questions about their data or to take any actions concerning it.

Tell your users when and how you plan to contact them, be it for these policy updates, everyday marketing notifications, or transaction information. Some websites inform their users of changes when they visit the site. Others send an email stating that policies have been updated. Find a method that suits your company and the service you provide. You can also take this opportunity to explain how to opt out of marketing communications. Giving your users this option is something they’ll appreciate, plus it will help you comply with anti-spam regulations.

Lastly, you’ll want to make your privacy policy accessible. Many companies place a link to their policy in their website’s footer. Wherever you put it, it should be available on every page of your website. If you run an online store, it’s a good idea to link to your policy in the order confirmation, as well.

Now what?

The last step in creating your privacy policy is to consult with a lawyer. As we stated in our disclaimer, this post is only giving general information, not legal advice. To get that, you’ll need to go to your lawyer. They can give you the specifics of what your privacy policy should include and how to make it comply with regulations in your industry.

If you’re still not sure how to formulate a policy, there are many privacy policy generators available online to help you get started. Privacy policies are the unsung heroes of this digital age, often overlooked but protecting the personal information of internet users everywhere. Forward-thinking companies build and enforce policies that are easy to understand and establish a basis of honesty and transparency. Shouldn’t your company be one of them?
