In today’s volatile digital environment, user privacy has become a commodity.
This greater understanding of privacy concerns has led to the tightening of privacy laws across the globe.
While different countries have their respective regulatory bodies, data collection is controlled in a similar manner.
The misuse of user data in the past has led to tighter privacy practices, more regulatory oversight, and consequently, more fines.
Your privacy policy should lay out what type of information you collect from users or visitors, your reasons for doing so, and what use you put it to.
For example, Europe has enacted a General Data Protection Regulation (GDPR) law that regulates data privacy and imposes strict penalties for companies that fall short of meeting their requirements.
The GDPR is valid only in Europe and the European Economic Area (EEA), as well as to foreign companies that do business within this region.
Canada has PIPEDA (Personal Information Protection and Electronic Documents Act) that controls how you use, disclose, and collect information.
The USA doesn’t have a dedicated federal data privacy law similar to GDPR, but it boasts a set of separate national and state laws and acts that have been put in place to ensure privacy compliance, such as:
- COPPA — Children’s Online Privacy Protection Act which controls how you can collect online information about children under 13 years of age, enforced by the Federal Trade Commission
- CCPA — California Consumer Privacy Act which deals with privacy rights and consumer protection in California
You need a privacy policy because it is a legal requirement in most countries.
If you’re operating in any of these countries, you’re going to face some harsh monetary fines if you don’t comply with the local rules and regulations or the federal law.
Here’s one staggering example — for not protecting their user privacy and falling victim to a data breach, British Airways was initially fined over $200 million.
While the fine was later reduced to around $30 million, this still goes to show that you can face some serious consequences if you don’t comply.
Hiring a law firm
Reliable legal advice, but also the most expensive option out there.
Having your privacy statement drafted by lawyers can cost anywhere from $275 for simple policies to over $5,000 for complex policies.
Writing it yourself
The cheapest, but the most difficult and time-consuming.
If you’re not familiar with rules and regulations, you may fail to include important information and risk your business.
Using a privacy notice template
The quickest, cheapest, and easiest method to choose when deciding how to write a privacy statement.
Issue bulletproof privacy policies
You can issue bulletproof privacy policies and finish them off with a legitimate signature in a matter of minutes.
Not only is this cost-effective but it saves you a lot of time in the long run.
01. Include your business name and contact information
At the beginning of the document, you should list your company’s information, namely address, name, email address, and phone number.
We also recommend encouraging your website visitors to use the previously mentioned information to contact you in case they have any questions or concerns regarding the policy.
This shows that your company is transparent, has nothing to hide and encourages open communication, which is always a good look.
02. Mention what type of information you collect
The term “personal data” is broader and more complex than you might think.
It does include regular stuff like credit card information, IP address, and phone number, but also less obvious information like location, number plates, and other online identifiers.
Personal data covers any factors specific to “the physical, physiological, genetic, mental, commercial, cultural or social identity” of the data subject.
Make sure to use specific terms instead of broad ones.
For example, instead of saying “we collect contact information,” say “we collect your telephone number, email address, and physical address.” This ensures that there’s no confusion that can lead to issues down the road.
03. Explain how and why you collect data
The next important step is to mention why and how your website collects data.
There are many different ways to collect user information, such as:
- contact forms
- course registrations
- email newsletter
- website analytics (e.g. Google Analytics)
Then state the purpose. Do you plan to resell the data?
Do you plan to notify customers about news, updates, and promotions? Do you need this information for processing orders?
04. Describe how users can opt-out
One of the main goals of laws like GDPR and CCPA is to give users more control over the information websites collect about them.
When users allow you to collect their data, that doesn’t mean that they’ve allowed you to collect it indefinitely.
At one point, they might want to withdraw their permission and you’re bound by law to let them do so.
Your privacy statement for the website should describe all the options users have in case they want to revise any previously given permissions, including the following:
- Right to request data amendments
- Right to request you to delete the acquired information
- Right to review the collected information
Describe the process for all three instances in detail and provide users with helpful links and resources that will make the whole process easier and more convenient.
05. Mention if user data is shared with third parties
Third parties include service providers, marketing partners, consultants, credit card processors, etc.
Not disclosing this information puts you at legal risk, because most laws and regulations prioritize transparency.
For example, imagine you shared user information with your marketing agency and you forgot to add a third-party sharing disclosure on your website.
Then, the said marketing agency suffers a data breach, and all their data is stolen, including your clients’.
You would not only risk your company’s reputation, but you’ll also receive some hefty fines for not being transparent with your customers.
06. Specify how long you will retain user data
According to GDPR, you can keep the collected user data no longer than necessary for the purposes it was initially obtained for.
The GDPR doesn’t specify a particular timeframe, which is why you should revise this section regularly to ensure compliance.
For example, if you’re collecting data for a contract, you’re legally allowed to store this data for as long as the contract is valid.
As long as the data is relevant, you have the right to process it.
Make sure to be very clear and specify a timeframe within which you’ll delete the data once it expires.
While it’s not necessary, you can also add a dedicated “Data Retention Policy” section where you explain the different cases in more specific terms.
07. Explain how you’ll protect the personal data you collect
Preserving the integrity and security of collected user data is imperative.
Your customers are putting their trust in you by allowing you to gather their information.
Your responsibility is to enforce strong security measures to ensure that there’s no data leakage.
Mention how you’re protecting the user information (e.g., using SSL or other computer safeguards). Don’t be too specific in this section.
If you reveal too much, malicious actors will know how to bypass your security measures and compromise the integrity of your website. Instead, be broad and only mention general security practices.
08. Describe the dispute resolution process
Despite your best efforts to preserve harmony and keep a good relationship with your customers, legal disputes may occur at some point.
Add a sentence or two about dispute resolution and how you handle it (third-party dispute resolution service provider, contact form, customer service, legal firms, etc.).
09. Mention what happens if your online business transfers ownership
Business ownership transfers are a very common occurrence and you never know if and when your website will be subject to it.
Even if there are no plans to sell the company at this particular moment, it is still a possibility in the future.
Including this clause will save you from any possible liability in case you eventually decide to sell your business.
This clause ensures that users are aware that their information might be handed over to a new entity in case of an acquisition.
We also recommend including a clause explaining that, while you’ll use your best efforts to secure your website, you cannot guarantee that it won’t fall victim to malicious exploits.
Nothing is foolproof and you should protect yourself as much as possible in case a data breach happens.
10. Put everything together in one template
Instead of going through the arduous process of drafting it from scratch, you’ll be able to use templates and create privacy policies within minutes.
Legal documents are very complex, which is why having templates on hand will be a true lifesaver.
They’re compliant with most existing laws and regulations worldwide and will drastically shorten the policy-making process.
What we haven’t discussed yet is how to approach the writing process itself. The following checklist covers what your policy should contain:
- Company information: Name, address, phone number, and email address.
- Type of collected data: Write this information in specific detail (credit card information, location, IP address, etc.) and note how and where you collected the said data.
- Mention the lawful basis for collecting data: Explain which law you’re relying on that gives you permission to collect the mentioned data.
- How you protect collected data: Which safeguards are put in place to ensure maximum data security.
- How long you’ll retain the collected information: Specify the timeframe within which you plan to use and retain the collected information.
- How you’re using the collected data: Explain what exactly you’re doing with user data – marketing purposes, notifications, order processing, data analysis, etc.
- List data subject rights: The GDPR notes eight different types of data subject rights. List and explain them on your website as follows:
  - Right of access
  - Right to be informed
  - Right to erasure
  - Right to object
  - Right of rectification
  - Right of portability
  - Right to restrict processing
  - Rights in relation to automated data processing and profiling
Specifying their use of web beacons (also known as clear GIFs) and log files in a detailed way, Canva has gone the extra mile to ensure its users understand exactly what happens with their data when they use the website.
They even go so far as to explain what happens to user data if they sell the business further down the line.
This unusual approach is great for delivering transparency to users and sets Canva apart from competitors, who tend to tuck this level of detail away in their cookie policies.
Slack has taken steps to reassure users on how their data is transferred between different countries and how they adhere to privacy laws, such as GDPR.
The use of plenty of white space, together with useful subheadings, makes it easier to read than most privacy policies.
Slack has implemented a handy table of contents so that you can skip ahead to sections of interest, making for an intuitive and simple user experience.
They’ve also included their other business policies in the sidebar so you can reference them with ease.
This transparent approach helps to build trusted relationships with Airbnb’s customers.
Privacy policies may seem redundant for many people.
If not for the sake of transparency, then do it for the sake of your business.
After all, you are legally obligated to notify your customers about how you handle their data.
If you don’t include this on your website, you’re risking serious consequences that can damage your operations.
PandaDoc makes it easy for you to generate any type of business or legal document within minutes.
We offer over 750 ready-made business templates that are expert-vetted and easily customizable.
That way, you keep your website users and visitors happy and ensure your business stays on the right side of the law.
Sign up for our 14-day free trial to see why leading businesses across the globe choose PandaDoc as their main document creation tool.
Originally published December 17, 2021, updated January 17, 2023
Under GDPR regulations (and to adhere to most other legislation), you must tell your users about their eight rights.
- to be informed
- of access
- to rectification
- to erasure
- to restrict processing
- to data portability
- to object
- to automated decision making and profiling
- The type of data collected
- The contact details of all operators
- How parents can view, edit or delete any data
There will also be some specific factors that relate only to your eCommerce store, such as how you advertise, your products, payment data, and how payment processors are involved with your site and your data.
For example, you may use reader data to improve services, process payments, or personalize content.
It’s easier because your operations likely aren’t that complex just yet, so you’ll have less information to cover.
Many template websites prioritize earning ad revenue over quality of service, meaning they don’t keep their templates up to date.
PandaDoc offers expert-vetted customizable templates that are always up-to-date and very easy to use.
The downside of using free tools is that they’re often unreliable and outdated.
You’re better off paying a reasonable fee for expert-vetted customizable templates like the ones PandaDoc offers than risking your company’s integrity by trying to do it for free without proper oversight.