Privacy Policy for Websites: Requirements & How To Create It

Privacy policies, often hyperlinked, at the foot of a website, are ordinarily filled with lengthy texts and complicated jargon that many users find arduous to go through. This legal document, however frequently disregarded, is undoubtedly among the most significant texts on a website.

A privacy policy is integral to a comprehensive strategy to ensure that your website complies with state, national, and international data privacy laws. Along with the terms of service, cookie policy, and consent policy, the significance of a privacy policy ranks the highest.

A privacy policy should be posted if your website collects, processes, sells, and shares personal data. Let's dive deeper into understanding a privacy policy, its importance under significant and evolving data protection laws, and how to create one for your website.

What Is a Privacy Policy?

A privacy policy is an internal statement guiding an organization's management of personal data. It is typically intended for staff members or data controllers or processors who may handle or make decisions regarding users' personal data.

It provides insight into how to collect, use, store, and share personal data lawfully and ethically and details any specific rights that users (data subjects') may have. A privacy policy may include a system of checks and balances (including penalties) to ensure legal and regulatory compliance and methods to assure internal enforcement of an organization's privacy posture.

From a website’s perspective, a privacy policy is a legal document that explains to your website visitors how you collect and process their personal data. A privacy policy is often associated with other terms, such as privacy notice, privacy policy statement, privacy page, privacy clause, and privacy agreement.

A typical privacy policy details the website's interactions with users' personal information. Personal information includes anything that can be used to identify a specific person, including but not limited to that person’s:

• Name,
• Address,
• Date of birth,
• Marital status,
• Contact information,
• ID issuance and expiration date,
• Financial records,
• Credit information,
• Medical history,
• Place(s) of travel, and
• Likelihood of purchasing goods and services.

Since a privacy policy is a declaration of a website’s policy on how it collects, maintains, and discloses personal information, the visitor (individual) is made aware of the exact personal data that is collected and if it will be kept private, shared with partners, or sold to other businesses.

Most countries have laws and regulations governing how a privacy policy should be formulated and published, and what minimum content it should incorporate.

Learn the difference between a Privacy Policy and a Privacy Notice.

Why Do You Need a Privacy Policy for Your Website?

Consumer privacy laws are evolving and becoming more stringent. Customers and business partners now demand comprehensive information on how companies manage and safeguard their customers' personal data. Some of the explanations for why you need a privacy policy for your website are as follows:

• It is a necessary requirement to ensure compliance with data privacy laws (GDPR, CCPA, COPPA, and others),
• It shows business confidence and builds customer trust,
• It demonstrates transparency and a dedicated security posture,
• It helps avoid fines for non-compliance with laws,
• Third-party apps, analytics apps, and marketing tools demand privacy policies,
• It ensures that an organization’s staff is managing data correctly,
• It establishes internal checks and balances, and
• Through placing efficient controls, it reduces the risk of data exposure and data breach.

Standard Elements to Create a Privacy Policy for Your Website

Your privacy policy should be customized to your platform, including where you operate and the kind of business you run, as different countries and states have different legal requirements.

It might be useful to consult with a lawyer to assist you in creating your privacy policy, depending on the intricacy of your company's operations. For instance, if you have an online store with clients worldwide, you can benefit from legal counsel to ensure your privacy policy complies with all the applicable privacy regulations.

As a matter of prudence, all privacy policies need to contain the following components as a minimum:

• Who is the website owner or operator,
• Information regarding the kinds of user data you gather and process, including names, addresses, phone numbers, and email addresses,
• How and why do you utilize the information you gather,
• Email addresses for email marketing, contact information for customer care, and addresses for shipment,
• How do you keep user data accurate and current,
• How do you store user data,
• The legal basis for collecting user data,
• Information regarding whether you share user data, with which entities you share it, including any parent companies and subsidiaries, as well as whether you are compelled by any law to disclose user data,
• Which third parties will have access to the data,
• Whenever relevant, information about cross-border or international data transfers, including what safeguards are taken to ensure safe and legal transfer of data,
• What rights do users enjoy? Can they request to see the information you have about them? Can they request to have it corrected or deleted? and
• An explanation of the procedure for informing users and visitors when the privacy policy is updated.

Global Laws that Require Privacy Policy / Privacy Notice

Most global data privacy laws demand that you have a privacy policy if your website collects personal data, including sensitive personal data.

You are most likely legally obligated to include a privacy policy on your website if you operate a website, mobile app, or desktop app. Links to your policy must be displayed in a way that makes them obvious, clear, and easy to find for users.

Privacy regulations in the US and other countries set stringent criteria for privacy policies as data collection and processing become increasingly pervasive online. Following are important details regarding two significant data privacy legislation, i.e., GDPR and CPRA, and their requirements for privacy policies:

General Data Protection Regulation (GDPR)

The GDPR obligates organizations subject to it and involved in collecting and processing personal data to ensure transparency for data users regarding such operations in the form of a privacy notice. It is important to note that the GDPR does not use the terms ‘privacy policy’ or ‘privacy notice.’ The guidelines provided below are applicable to any document presented by an organization to its data subjects or the public regarding its data process activities.

An organization should comply with the GDPR if they offer goods and services to customers and businesses within the EU, regardless of their place of operation.

One such requirement is when it comes to privacy notices. Per the GDPR requirements, an organization must ensure it has a “succinct, legible, clear, visible, and transparent” privacy notice, available free of charge on its website in a timely manner.

Learn the ins and outs of the GDPR.

The contents of a GDPR-compliant privacy notice should include:

• The Data Protection Officer’s contact details (number/email).
• If an organization is not established in the EU but the GDPR applies to it, contact details of a representative of such organization in the EU.
• Information about the legal basis that was used for a data processing activity and the corresponding rationale.
• Information about data subjects’ right to withdraw consent at any moment without incurring any adverse repercussions, where consent has been used as the legal basis.
• The following details regarding data retention periods for each data processing activity, where legitimate interests have been cited as the legal basis for processing the data:
  • Information about the legitimate interests pursued by the organization or a third party,
  • Balancing test that has been carried out to balance the organization's legitimate interests with the freedoms and rights of data subjects,
  • Any privacy and security safeguards that are taken to ensure the protection of personal information.
• Children’s Data Processing
  • Describe the legal age below which a person is considered a child in your country,
  • In a language that a child can understand, describe:
    • how the organization interacts with parents in a language that a child can understand,
    • what data is acquired from minors and shared with others in a language that a child can understand,
    • parental choices and controls in a language that a child can understand,
    • how long the company retains this data in a way that a child can understand it.
• Sensitive Personal Data
  • Which categories of sensitive personal data are collected and processed and what is the legal basis for collecting and processing such data,
  • Describe the purposes of collection and processing of sensitive personal data,
  • Give an explanation of the security measures used to secure sensitive personal data.
• If applicable, details on any data processing pertaining to criminal charges and convictions.
• Information on any automated individual decision-making, including profiling:
  • Categories of personal data that is collected and processed,
  • The right to object to automated decision-making, including profiling,
  • Logic involved in the automated decision-making process and its consequences,
  • The suitable safeguards employed to secure the rights and freedoms of data subjects.
• International Data Transfer
  • Which personal data categories are being sent to which countries,
  • The reason for transmitting data internationally,
  • The legal basis of data processing,
  • The transfer method, including the details about where and how to access or acquire the concerned document, such as by providing a link to the method used. Simply providing a link to a generic European Commission website is insufficient. The data subject should be able to access the specific document, and if access is not directly provided, obtain access to such document.
  • Specify the GDPR article relied on by the organization for the transfer mechanism,
  • Any additional safeguards employed for the protection of transferred data.
• Information about the rights of data subjects and instructions on how to exercise those rights. These rights include:
  • Right to information,
  • Right of access,
  • Right to rectification,
  • Right to erasure,
  • Right to restriction of processing,
  • Right to data portability,
  • Right to object,
  • Right to not be subject to automated individual decision-making, including profiling.

Learn more about GDPR’s stance on a privacy notice.

California Privacy Rights Act (CPRA)

You must follow the rules of the California Privacy Rights Act (CPRA) if you intend to collect personal information from California residents who visit your website or sign up for your services online.

The CPRA doesn't just apply to companies with California addresses. Any company that handles customer personal information in California is the target of this law and must meet the following thresholds:

• Have annual gross revenues in excess of $25 million
• Buy, sell, or share for commercial purposes the personal information of 100,000 or more consumers or households or derive 50% or more of their annual revenues from selling consumers' personal information

The CPRA thus covers businesses everywhere, much like another significant California privacy law, the California Online Privacy Protection Act (CalOPPA).

Every website is required by the CPRA to include a privacy policy. It obligates businesses to provide a privacy notice to consumers at or before the point of collection of individuals’ personal information. The privacy notice must include the categories of personal information that the business collects, uses, and shares, as well as the purposes for which the information is used. Consumers must be informed of the many rights the CPRA grants them in this privacy policy.

The CPRA privacy policy should address:

• Information about consumer rights under the CPRA;
• Instructions on how California consumers can request access to and deletion of their personal information;
• A link to your ‘Do Not Sell or Share My Information Information’ page;
• The categories of personal information the website has collected in the past 12 months;
• Disclose the sources of personal information collected;
• The purpose for the collection of personal information;
• Any personal information that’s been sold;
• Any categories of personal information that the website has disclosed for business purposes to third parties over the past 12 months;
• Categories of personal information that the business has sold or shared to third parties in the past 12 months;
• ​​Statement of actual knowledge that business sells or shares the personal information of consumers under 16 years of age;
• If business knowingly sells PI of minor consumers, details on how parents or minors can opt-in;
• Statement regarding whether business uses or discloses sensitive personal information for purposes other than those specified in CPRA Section 1798.121 and CPRA Regulations 7027(m);
• Every 12 months, the business must update its privacy policy;
• The business must have a "conspicuous" link to its privacy policy on the home page of the website.
• Explanation of the rights, such as:
  • Right to know
  • Right to delete
  • Right to correct
  • Right to opt-out
  • Right to limit the use of sensitive PI
  • Right to non-discrimination
• A description of the methods by which consumers can exercise their  rights, what they can anticipate from those methods, and the means by which consumers can do so;
  • Notice of right to opt-out or link to it;
  • Notice of limit the use of my sensitive PI or link to it;
• A basic explanation of the procedure the company employs to confirm a consumer's request to know, request to delete, and request to correct, where appropriate, including any details the customer is required to provide;
• A description of how a consumer's  opt-out preference signal will be handled and how the consumer might make use of an opt-out preference signal;

Penalty for Non-compliance

In order to enforce the CPRA, the California Attorney General or a consumer may file a lawsuit against a business if it fails to give customers the appropriate privacy notice. For each infraction, the company may be subject to civil penalties of up to $2,500 or up to $7,500 for willful violations. Moreover, injunctions and other equitable remedies may be used against businesses to enforce CPRA compliance.

Common Elements for GDPR and CPRA-Compliant Privacy Notice
The following components must be present in both a GDPR- and CPRA-compliant privacy notice:

• Name, identity, and contact information of the data controller
• Details of data processing activities:
  • The categories of personal information that will be collected,
  • Data processing purposes (specific business or commercial purpose),
  • Data retention periods:
    • Specific and precise data durations should be explicitly stated.
    • Where details of the storage period aren’t mentioned, details of the criteria used to determine the retention period should be mentioned.
  • The source, or categories of sources, from which personal data is collected in case it is not gathered directly from the subject.
• Data Sharing
  • The people or groups of people who received personal information when it was sold or shared. Provide categories of recipients or actual (named) recipients of the personal data, as applicable, so that data subjects are aware of who is in possession of their personal information,
  • A clear business or commercial objective for the sale or transfer of customer data,
  • Types of third parties who received the information,
  • A clear business or commercial purpose for disclosing the customer's personal data.
• Cookies
  • The data subject’s right to opt-in and opt-out of cookies,
  • The explanation that essential cookies will always remain enabled,
  • The right of the data subject to withdraw and update their consent, and the procedure for doing so (cookie preference center),
  • The purposes of cookies,
  • The data retention periods,
  • Whether or not third parties can access personal data via cookies,
  • Where applicable, details on appropriate safeguards and any potential risks associated with cross-border data transfers via cookies.
• A clear description of data security measures employed by the business to protect the confidentiality of data.
• The data subject's right to lodge a complaint with the relevant regulatory authority against the organization for violating their rights.
• Explicit mention of the date the privacy policy was last updated.
• The individual’s name and their contact details for any questions or concerns about the business’s privacy policies.

Children's Online Privacy Protection Act (COPPA)

A federal law known as the Children's Online Privacy Protection Act of 1998 (COPPA) places particular obligations on owners and operators of websites and online services that collect, use, or disclose personal information from children, or on whose behalf such information is collected or maintained. COPPA aims to safeguard the privacy of children under the age of 13 by putting parents in control of what information about their children is collected, used, shared, or disclosed.

COPPA specifies that the privacy policy outlining data collection and disclosure practices for personal information should be prominently displayed and that businesses should make reasonable efforts to inform parents about these practices.

In addition to providing a parent with a direct notice, operators are required to place prominently labeled links to an online notice of their information practices concerning children on the homepage, landing page, or screen of their website or online service, as well as at each location where personal information about children is collected.

The owners of a website or online service may provide the name, contact information (including phone number and email), and email address of a single owner who will answer all queries from parents regarding the owners' privacy policies and the handling of children's data.

An explanation should be provided of the data the operator collects from children, including whether the website or online service allows children to make their personal data public, how the operator uses that data, and how the operator discloses that data.

COPPA-compliant privacy policy should also indicate parent’s rights such as the right to review, edit, or request the deletion of their child's personal information, as well as the right to refuse to allow their data to be collected or used in the future and the procedures for exercising these rights.

How Often Should I Update My Privacy Policy?

Your privacy policy has to be reviewed and updated frequently. To ensure it accurately reflects your current data processing operations, you should evaluate your privacy policy once a year.

Specific privacy rules call for updates after a certain amount of time. For instance, the California Privacy Rights Act (CPRA) makes it clear that companies that must abide by its provisions must update the information in their privacy policy or policies at least once every 12 months.

Privacy Policy Best Practices

In addition to your legal obligation, protecting the privacy and security of the data you collect from your users is good for continued business and renewed customer trust. Follow these fundamental recommended practices when creating your privacy policy to help the internet become a better place:

• Your privacy policy should be written in simple, comprehensible language.
• Regularly update your policy to reflect adjustments to the law, your company, or your practices. Inform users of these changes and specify the policy's effective date in the notification.
• Be open and honest while upholding your commitment to user privacy.
• Provide an easy and straightforward way for consumers to opt-out of receiving commercial communications and to update, modify, or delete their personal information.
• Make sure that your privacy statement is visible and easy to find.

As a general rule, maintain stringent internal security procedures to guarantee that personal data is, in fact, secure. Use only the minimum amount of user data necessary to deliver your services, and avoid deceptive tracking techniques.

Automate Key Privacy Functions with Privacy Center

Securiti offers a fully functional automated Privacy Center that you can set up in just a few minutes. The Privacy Center offers a common platform that allows you to address all your key data privacy obligations, including consent and cookie management, DSR fulfillment, Do Not Sell or Track Signals, and Privacy Notices.

Create meaningful transparency with your website visitors with an automated Privacy Policy that you can set up in a minute via custom or pre-built templates. The module is mapped to global privacy regulations so that you can set up relevant notices. Dynamically update privacy notices in real time through consent, DSR, or data mapping.

Sign up for Securiti Privacy Center, and automate your privacy notices.