How to Write a Privacy Policy for Your Website
Updated: Jan 19
As a business, it is important and a legal requirement in many states to have a posted Privacy Policy to inform and safeguard your customers about your data collection policies and procedures. While most Privacy Policies are lengthy and difficult to read, I have researched the recommendations made by the California Attorney General to assist you in writing a Privacy Policy to build trust with your customers.
DISCLAIMER: This website is for informational purposes only - the information provided on this website does not, and is not intended to constitute financial or legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information may not constitute the most up-to-date legal or other information. Readers should contact their CPA and/or attorney to obtain advice with respect to any particular matter.
A Quick History Lesson
As the most restrictive state in terms of consumer privacy protection, I will focus on California as it is thought additional states will follow suit.
2004 - California Online Privacy Protection Act (CalOPPA)
The first law with a broad requirement for privacy policies applicable to commercial websites and online services that collect personal information. Requires all businesses to outline what they do and post the privacy policy on their site.
This applies to any "commercial website owner [who] collects and maintains personally identifiable information from a consumer residing in California."
Basically, if you own a business with a website (or an app), you are most likely required to conspicuously post your Privacy Policy on your website.
2013 - AB370 for "Tracking Transparency"
Added disclosures to CalOPPA about online tracking to the requirements for a privacy policy. It does not prohibit online tracking.
2018 - Passage of the California Consumer Privacy Act
Provided consumers the rights to:
Know about the personal information a business collects about them and how it is used and shared;
Right to delete personal information collected from them (with few exceptions);
Right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising any of these rights under the CCPA.
Businesses meeting certain criteria (mostly big businesses and data brokers) are required to provide consumers notices explaining their practices for collecting, using, sharing and selling personal information, both on and offline.
2022 - California Privacy Right Act (Prop 24) - effective January 1, 2023
Allows consumers the right to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses' usage of sensitive personal information.
What must be included in your privacy policy:
Your Privacy Policy should provide a comprehensive overview of your business practices regarding the collection, use, sharing and protection of personally identifiable information.
Categories of personally identifiable information collected through the site or service about users;
Categories of third parties with whom the business may share the personal information;
Description of process for a user or visitor to review and request changes to his or her personally identifiable information collected through the site or service, if the operator maintains such a process,
Description of process for notifying users and visitors of material changes to the privacy policy;
Data retention periods;
Effective date of the privacy policy;
Business contact details; and
How your business responds to a browser DNT (Do Not Track) signal or to “other mechanisms,” and if other parties are conducting online tracking on your site or service.
Note: personally identifiable information includes the following first and last name; home or other physical address, including street name and name of a city or town; e-mail address; telephone number; social security number; any other identifier that permits the physical or online contacting of a specific individual; information concerning a user that the web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier.
Privacy Policy Outline
Scope of Policy
Identify whether the Privacy Policy applies to online data collection or both online and offline activities.
Indicate what entities it covers, such as subsidiaries or affiliates.
Data Collection
Describe how you collect personally identifiable information, such as from other sources and how you do so.
Do you collect personally identifiable information through technologies such as cookies or web beacons on your site or app?
Be reasonably specific about describing the kind of personally identifiable information you collect about users and visitors. At a minimum, list the categories of personal information that you collect from users and visitors.
If you collect personally identifiable information from children under the age of 13, you may have additional obligations under federal law. Consult the FTC’s guidance on the Children’s Online Privacy Protection Act before collecting any such information.
Online Tracking / Do Not Track
Describe your specific policy regarding online tracking or how you respond to consumers’ DNT signals. Use a header, for example “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”
Describe if you treat consumers whose browsers send a DNT signal differently from those without one; identify if you collect personally identifiable information about a consumer’s browsing activities over time and across third-party web sites or online services if you receive a DNT signal; or if you do continue to collect personally identifiable information about consumers with a DNT signal as they move across other sites or services, describe your uses of the information.
Disclose the presence of other parties that collect personally identifiable information on your site or service, if any. State whether other parties are or may be conducting online tracking of consumers or visitors while they are on your site or service.
Confirm your tracking practices with those responsible for your site’s or service’s operations to ensure that your practices correspond to what you say in your policy.
Data Use and Sharing
Explain the uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
Explain your practices regarding the sharing of personally identifiable information with other entities, including affiliates and marketing partners.
At a minimum, list the different types or categories of companies with which you share customer personal information.
Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.
Provide the retention period for each type or category of personally identifiable information collected.
How You Collect, Use and Share Personal Information
Provide clear instructions on how individuals can exercise their choices regarding your collection, use and sharing of their information. Identify how their preferences will be recorded and how long it will take to implement customer preferences.
You may offer your customers the opportunity to review and correct their personal information. Explain how they can get access to their own personal information in your records. Make sure you have procedures in place to verify identity and authenticate access.
Security of Personal Information
Explain how you protect your customers’ personal information from unauthorized or illegal access, modification, use or destruction.
Give a general description of the security measures used to safeguard the personal information, but not in such detail as to compromise your security.
Give a general description of the measures you use to control the information security practices of third parties with whom you share customer personal information for any purpose.
Effective Date
Give the effective date of your Privacy Policy.
Explain how you will notify customers about material changes to your Privacy Policy. Do not rely on merely changing the Privacy Policy on your web site or online service as the exclusive means of notifying customers of material changes in your uses or sharing of personal information.
Contact Information
Provide contact information for questions or concerns about your privacy policies and practices.
At minimum, provide a title and e-mail or postal address of a company official who will respond to privacy questions or concerns. It is a good idea to offer a telephone number, perhaps toll-free.
Once your Privacy Policy is complete, remember to post a link to it in a prominent location on your website and/or app. You can place it in your website footer, within any in-app menus and wherever you collect personal information such as e-mail newsletter sign-up or at purchase.
RELATED POSTS: