updated 2023-08-26
What to Include in Your Privacy Policy
The content of your Privacy Policy will largely depend on the function of your website, the information you gather and how you intend to use that information. However, to meet legal standards, every Privacy Policy should contain the basic elements described below.
Your Business Contact Information
Your Privacy Policy needs to display your organization's details, such as its legal name, contact details and place of business. Best practice recommends placing this section either first or last in your Privacy Policy for visibility.
The Type of Data You Will Collect
This ranges from email addresses, physical and IP addresses, credit card details and phone numbers to location tracking data. CalOPPA goes a step further and mandates that commercial websites and online services collecting information about California residents must list, by category, the types of personal information collected.
How You Will Collect the Information
In addition to data users enter into forms, you can also collect data automatically through the use of cookies. Internet cookies are by far the easiest way to collect user data, since browsers store them and return the saved information across an array of sites users have previously visited. However, you must also obtain users' consent before using cookies to collect their information.
How You Intend to Use the Data
A vital element of a Privacy Policy is a description of how you intend to use the data you collect. This clause is particularly important if third parties, such as advertising programs or fintech companies, are in the loop.
Will you use the data for transactional purposes alone, or will you also send newsletters to your visitors? Will your company share information with other third-party entities such as merchants? If so, the law requires you to list all the relevant parties who, alongside your business, will also have access to user information.
In its Privacy Policy, Quora explains in great detail how it intends to use user information, and further clarifies that it does not sell that information to third parties:
Security Measures in Place to Protect Data
This is perhaps the most crucial clause in a Privacy Policy: website owners should describe the security safeguards they have in place to keep customers' and visitors' personal information safe.
The industry-standard safety measure for protecting private information is the use of Secure Sockets Layer (SSL) (in practice its successor, TLS, which is what HTTPS uses today). With SSL, information that users enter into a website is automatically encrypted, which protects it from interception in transit.
You're free to integrate as many security measures as you want, as long as malicious parties or unauthorized personnel can't intercept or access user information.
Here's how Bath and Body Works explained the security measures it has in place. It doesn't go into much technical detail about what it does, but its description manages to assure customers that their details are safe:
Rights of the Users
Under the EU's GDPR, you should also inform your users of the rights they have over their data. Under these rights, users should be able to request, update, transfer, view or erase their data (where applicable).
The GDPR outlines explicitly that the user has a right to:
How Long You Will Retain Collected Information
As a business owner, you should also let your users know how long you intend to keep their information in your database.
First and foremost, do you have a clause stating when the policy takes effect and how long you will retain personal information? Second, a Privacy Policy must give users the ability to opt out, with clear instructions on how to do so and what options are available to users who want to opt out.
For example, many website owners also share user data with marketing entities, whether in-house or third-party. This is not exactly illegal, but at the very least, users should be able to opt out of a marketer's mailing list in a simple way, such as sending an email or a text message to a toll-free number.