Creating a Privacy Policy for Your Website

Jenna Christensen | June 2018

If you have, or are creating, a website, it’s important that you understand your responsibilities to your customers and their personal information. A privacy policy informs your customers how your business plans to collect and use their information. 

Privacy policies have been in place for some time, but the European Union’s recent General Data Protection Regulation (GDPR) ruling has changed privacy regulations. These new regulations go into effect later this month.

What is a privacy policy?

A privacy policy lets your customers know what personal information you collect, how you use it, how you keep it safe or whether you share or sell that information to other businesses.

Personal information includes name, address, date of birth, contact information, marital status, financial records, medical history, personal identifiers such as SSN, passport or state ID information, among other things.

Why do you need a privacy policy?

Aside from providing good customer service by making sure your customers are aware of your data practices, having a privacy policy may be required by law or a third-party service your site uses. And, user trust is important. It’s just better for your business and your customers if you’re transparent about your business and data practices.

Many countries legally require a privacy policy. The U.S. does not have one federal law that specifically requires a privacy policy, but there are several federal and state laws that make having a privacy policy a requirement. The GDPR also requires a privacy policy.

If your website uses a third-party service like Amazon Affiliates or Google AdSense, these companies require that you have a privacy policy to use their services.

How has the GDPR changed privacy policies?

The GDPR has increased the information that a privacy policy needs to include, including detailed information about how a business is processing information they collect. It also specifies that the privacy policy must be written in easy to understand language to ensure fairness and transparency.

There are eight rights that are guaranteed to individuals under the GDPR:

1. The Right to Be Informed: Organizations must be transparent in how they’re using personal information.
2. The Right of Access: Individuals have the right to know what information is collected about them and how
   it’s processed.
3. The Right of Rectification: Individuals can have data about them corrected.
4. The Right to Erasure: Individuals can request to have their data deleted or removed.
5. The Right to Restrict Processing: Individuals can restrict or block the processing of their data.
6. The Right to Data Portability: Individuals can retain and reuse their own personal data.
7. The Right to Object: Individuals can object to having their personal data used, including marketing, research and to perform a task in the public interest.
8. The Rights of Automated Decision Making and Profiling: Protects individuals from a potentially damaging decision that is made without human intervention.

Additionally, the GDPR defines two roles an organization may play in using customer information, the Controller and the Processor. If the organization determines the purpose (the why) or means (the how) of data processing, then they are a Controller, if not, they are a Processor. Controllers are responsible for choosing to work with Processors that comply with the GDPR or they risk penalty.

What should be included in a privacy policy?

There is some overlap between what privacy policies have included and the GDPR requirements, but there are some new elements. Your existing privacy policy may need to be revised to comply with the GDPR.

What has been included in a privacy policy:

• Your name or the name of your business, address and contact information.
• What information you’re collecting and how you’re collecting it.
• How you use the information you’re collecting.
• Whether the information you’re collecting could include personally identifying information.
• How you’re protecting that information and keeping it safe.
• Whether you’re sharing the information with a third-party, including what information you’re sharing.
• Whether it’s optional to share their information, how to opt out and what that means.
• List the state, federal and international privacy laws and initiatives your policy complies with.

What the GDPR requires in a privacy policy:

• Controller’s identity and contact information.
• Details of the data protection officer, if required.
• The purpose and legal basis for processing personal information.
• The interest for processing personal information.
• The recipients or types of recipients of the personal information, if shared.
• The consequences of the individual not providing personal information, if there is a statutory or contractual agreement that requires it.
• How the controller collects the personal information, if it’s not being provided directly by the individual.
• The rights of the individual.
• How long the personal information will be retained or how the retention period is calculated.
• Whether any automated decision making, such as profiling, will be made and what information will be used in that decision.
• Whether personal information is processed outside the European Economic Area (EEA) and how the personal data will be kept safe.

Best Practices for Privacy Policies

For your privacy policy to benefit your customers, and to comply with GDPR, there are some best practices you can follow:

• Write your privacy policy in clear, concise, simple language that is easy to understand.
• Make it freely available to your customers.
• Include a privacy page on your website, so your customers can easily access it.
• Let your customers know that your privacy policy will be updated regularly.
• If your business operates across platforms (website, social media, etc.), make a consistent privacy policy that can be used across all of them.