Building a privacy-friendly website (ultimate checklist)

How To's

GDPR, Privacy Policy, Web Design, Website

Ultimate privacy checklist for your website

There are 1.13 billion websites on the internet, according to a quick Google search. In case you were wondering, that’s approximately a *bleep ton of websites.

So, naturally, there are numerous blogs offering guides on how to create websites that look visually appealing, perform well, generate leads, drive conversions, and make your logo look larger. However, few are discussing how to create a privacy-friendly website, which is a real shame.

Privacy is more important than ever to consumers and website visitors, to the point where it’s a competitive advantage to incorporate good privacy practices into your website. For example: 

  • A study by Cisco found that 32% of respondents have switched from one company to another because of privacy practices
  • Pew Research found that 52% of Americans will not use online products or services that they believe have privacy issues

Consumers care. Website owners and builders should care too.

Not to mention, unlike logo size, failing to meet certain privacy standards could result in fines or lawsuits. There are already dozens of privacy laws designed to protect people from websites mishandling their privacy rights. While each of these laws is different and comes with different enforcement actions, fines typically start at $2,500 per website visitor whose rights have been infringed upon. 

So, let’s leave the logo size as it is for a moment, and let’s take a look at this checklist for building a privacy-friendly website.

🔲 Only add data-collecting features you know you’ll use NOW (ask yourself the following before installing)

*Note: data-collecting features are anything that may collect names, emails, phone numbers, IP addresses, etc. Common features that are placed on websites but not used are Google Analytics, Contact Forms requesting more information than what’s needed, and digital advertising pixels.

🔲 Am I going to use this now? 

🔲 What information will I use now if I collect it (vs. might use later)?

🔲 Will collecting this data help my business? 

🔲 Do I have a plan for the data I’m trying to collect? 

🔲 Is there a privacy-friendly alternative that collects less data?

🔲 Limit tracking software by implementing the following:

🔲 Remove IP Address Intelligence Services

🔲 Host fonts locally instead of loading them from a third-party service (e.g. Google Fonts)

🔲 Host videos locally (instead of embedding them from Vimeo or YouTube)

🔲 Use screenshots instead of map embeds 

🔲 Consider privacy-focused analytics tools (UseFathom instead of Google Analytics)

🔲 Consider privacy-focused alternatives to reCaptcha (Friendly Captcha)

🔲 Create website policies

* Note: Not all websites need all the policies listed below. It depends on numerous factors like your industry, business practices, business size, location, etc. 

🔲 Privacy Policy (which should include:)

Note: The information you are required to provide depends on the privacy laws that apply to you, so your Privacy Policy may not need all of these (or may need additional bits of information)

🔲 Effective date

🔲 Your name and contact information

🔲 What Personally Identifiable Information (PII) is collected

🔲 How PII is collected

🔲 How PII is used

🔲 How PII is shared

🔲 How the website responds to ‘Do Not Track’ signals

🔲 How you will notify users of Privacy Policy changes

🔲 Is PII being sold by the website?

🔲 Does the website use Targeted Ads? 

🔲 The privacy rights provided to consumers

🔲 How consumers can exercise their privacy rights

🔲 Appealing a decision made regarding a privacy rights request

🔲 Complaints to authorities

🔲 Legal bases for processing PII

🔲 How long is PII stored on the website

🔲 Direct marketing

🔲 Automated decision making and profiling

🔲 Is PII transferred to other places by your site? 

🔲 List the contact information of the Data Protection Officer (if applicable)

🔲 Explain how PII is protected on the site

🔲 Policies, procedures, standards and codes

🔲 Use of analytics tools

🔲 Use of identification or location technologies

🔲 Use of cookies and other tracking technologies

(For more details, check out our blog on what needs to be in a Privacy Policy)

🔲 Terms and Conditions (which should include:)

🔲 Company name and contact details

🔲 Who the Terms of Service (ToS) applies to

🔲 If consumers can make a purchase on your website:

🔲 What does the website offer for sale?

🔲 The prices for those goods or services or where the price can be found

🔲 Whether those prices include taxes and other fees

🔲 How customers can make a purchase

🔲 What third-party payment processor is used, if any

🔲 What payment methods are accepted 

🔲 Can users cancel their order? If so, the cancellation policy should include:

🔲 When a customer can cancel their order

🔲 How a customer can cancel their order

🔲 Whether there’s a cancellation fee

🔲 Whether a refund will be issued to a customer who cancels their order

🔲 Do customers get a refund? If so, your refund policy should disclose:

🔲 Under what circumstances do customers qualify for a refund

🔲 When a customer qualifies for a refund

🔲 If goods are sold, does the customer need to pay to ship back the goods?

🔲 If you sell goods that are shipped to customers, a shipping policy that includes:

🔲 The cost of shipping

🔲 The timing of the shipping (or when customers will receive that information)

🔲 Will customers receive a refund if their advance payment is cancelled?

🔲 What warranties are offered (if any)

🔲 What remedies are provided to customers (if any)

🔲 Whether you offer subscriptions, and if you do, the following disclosures:

🔲 The initial term of the subscription

🔲 Whether you offer a free trial and the length of the trial

🔲 If a minimum purchase is required (and how much)

🔲 How frequently the subscription automatically renews

🔲 Whether consumers can revoke their subscription and how to do so

🔲 Whether consumers can create an account on your website (and any rules)

🔲 Whether consumers can comment or upload content (and any rules)

🔲 Prohibited uses of the website (hacking, copying of the text, spamming efforts, etc.)

🔲 A clause that allows you to correct any errors on the website (e.g. pricing errors)

🔲 A clause that limits your liability if a user clicks on a third-party link and is harmed

🔲 A clause that clarifies that the content on the website is your own intellectual property

🔲 A clause with the necessary disclosures for the Digital Millennium Copyright Act

🔲 A link to an industry or trade code of conduct that you subscribe to (if any)

🔲 A clause ensuring that all website disputes are resolved in a forum convenient to you

🔲 How users will be notified of any ToS changes

🔲 Where individuals can contact you if they have any questions about the ToS

🔲 Cookie Policy (which should include:)

🔲 The classifications of cookies that a website uses (essential, marketing, functional)

🔲 The exact cookies that a website uses, including:

🔲 The provider of the cookie

🔲 Whether it is a first-party or third-party cookie

🔲 The purpose of the cookie

🔲 How long the cookie will be stored on a user’s device

🔲 How a user can exercise their choices regarding cookies 

🔲 Who users should contact if they have any questions about cookie usage

🔲 Disclaimer (if one or more below apply to your website:)

🔲 Advertise third-party products or services

🔲 Sell or display health products

🔲 Participate in an affiliate program

🔲 Provide health, medical or fitness advice

🔲 Provide information that could be seen by others as legal advice

🔲 Set up security

🔲 SSL/TLS certificate (serve the site over HTTPS)

🔲 Security & privacy training for employees

🔲 Updating plugins and software

🔲 Install intrusion prevention and detection systems

🔲 Data retention periods

🔲 Risk assessments & risk treatment plans

🔲 Performing background checks on employees

🔲 Performing due diligence of vendors who access PII

🔲 Get Consent

🔲 Forms collecting PII – make sure they have an “agree to Privacy Policy” box (can’t be pre-checked and must offer hyperlink to Privacy Policy)

🔲 Check any contact forms

🔲 Check any email-newsletter forms

🔲 Check any account sign-up forms

🔲 Check any eCommerce forms

🔲 Check any subscription forms

🔲 If you are tracking website visitors and are required by law to have a Cookie Consent Banner, make sure your banner has:

🔲 An “Accept” and a “Decline” button

🔲 “Accept” and “Decline” buttons that are the same size and color

🔲 No pre-ticked boxes

🔲 No deceptive colors/word choices

🔲 Lists specific cookies collected (with the ability to accept/decline each)

🔲 The ability to prevent tracking if no consent is given (not a placebo)
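The "not a placebo" point is the one most banners get wrong: the tracking script is already on the page and the banner merely records a choice. This added example (not code from the original post) shows the alternative: scripts are tagged by cookie category and only injected after an explicit, per-category opt-in, with "no" as the default. The storage key and script list are constructed for illustration.

```javascript
// Added example, not from the original post: third-party scripts are loaded only
// after an explicit opt-in for their category; storage key and list are constructed.
const CONSENT_KEY = 'cookie_consent_v1';
const TRACKERS = [ // constructed sample: each script tagged with its cookie category
  { category: 'essential', src: '/js/app.js' },
  { category: 'analytics', src: 'https://analytics.example/script.js' },
  { category: 'marketing', src: 'https://ads.example/pixel.js' },
];
// Storage shim: pass window.localStorage in the browser; tests use this in-memory one.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
// The default is "no": nothing but essential scripts until the visitor opts in.
function parseConsent(raw) {
  const consent = { essential: true, analytics: false, marketing: false };
  if (!raw) return consent;
  try {
    const stored = JSON.parse(raw);
    for (const cat of ['analytics', 'marketing']) {
      consent[cat] = stored[cat] === true; // only an explicit true counts as consent
    }
  } catch (e) { /* malformed value: keep the defaults */ }
  return consent;
}

// Per-category choice, so "decline" is recorded as readily as "accept".
function recordChoice(storage, analytics, marketing) {
  const consent = { essential: true, analytics: analytics === true, marketing: marketing === true };
  storage.setItem(CONSENT_KEY, JSON.stringify(consent));
  return consent;
}

// Script URLs that may be loaded under the stored consent state.
function allowedScripts(storage, trackers = TRACKERS) {
  const consent = parseConsent(storage.getItem(CONSENT_KEY));
  return trackers.filter(t => consent[t.category]).map(t => t.src);
}

// Browser side: only allowed scripts are ever added to the page, so declining is
// not a placebo. The document guard keeps the logic runnable in Node.
function loadAllowed(storage) {
  const srcs = allowedScripts(storage);
  if (typeof document !== 'undefined') {
    for (const src of srcs) {
      document.head.appendChild(Object.assign(document.createElement('script'), { src, async: true }));
    }
  }
  return srcs;
}
```

Wire the banner's buttons to `recordChoice` and call `loadAllowed` on every page load; a visitor who never interacts with the banner gets only the essential script.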

🔲 Implement Privacy-By-Design principles (GDPR guidelines)

🔲 Your website is proactive, not reactive. Preventative, not remedial.

🔲 Common example to check: on a password reset page, if the system tells the user that they registered with a different email address (and which one), that can become a privacy violation, because scammers can run lists of email addresses through the page to determine who has an account

🔲 Privacy is always the default setting

Common example: Contact forms shouldn’t opt people into marketing emails by default but should instead allow them to opt in only if they want to do so.

🔲 Privacy embedded by design

Common example: Screen all plugins to ensure they are privacy-conscious.

🔲 Full functionality – positive-sum not zero-sum

Common example: Don’t add emails used for security (2FA) to marketing lists.

🔲 Full lifecycle protection

Common example: Keeping people’s data only as long as you need it (not forever).

🔲 Visibility and transparency

Common example: Check footer to ensure policies aren’t hidden behind ‘Legal’.

🔲 User-centric privacy

Common example: Cookie banners that only offer an “Okay” button for the sake of a cleaner design. A banner must give users the ability to decline being tracked if they so choose.

🔲 Get Help! 

If all this looks overwhelming, that’s because it can be. Staying up-to-speed on privacy standards is no easy task, and with new privacy laws regularly going into effect, it’s not getting any easier. Luckily, you have the following options available to help out:

🔲 Use a privacy attorney

  • PRO: The best option because they can provide legal advice that’s directed specifically to you and your website/business.
  • PRO: Can update your policies as changes occur to privacy laws
  • CON: Having a privacy attorney on retainer does get pricey, though.

🔲 Use a Privacy Policy Generator like Termageddon

  • PRO: Very affordable
  • PRO: Founded by a privacy attorney
  • PRO: Automatically updates policies as laws change
  • CON: Can’t offer legal advice.
About the Author
Trevor Willingham