What needs to be included in a Privacy Policy

As consumers have become more interested in the privacy of their Personally Identifiable Information (PII) online, more countries and states have passed their own privacy laws. These privacy laws protect the PII of consumers by providing them with certain privacy rights, requiring websites to have a Privacy Policy and imposing heavy fines for failure to comply. While these laws certainly have different guidelines as to what needs to be included in a Privacy Policy, there are three main disclosures that every Privacy Policy must make: 

  • What PII is collected; 
  • How that PII Is used; and 
  • Who it is shared with. 

Unfortunately for those who write Privacy Policies, the above three disclosures are not sufficient to have a compliant Privacy Policy under most laws, and the disclosures can become very lengthy, depending on what privacy laws apply to your website. In this article, we will break down what needs to be included in a Privacy Policy and which privacy law(s) require those disclosures so that you can check your Privacy Policy for compliance. 

Effective date

The following laws require you to disclose the effective date of your Privacy Policy: 

  • California Online Privacy Protection Act (CalOPPA); 
  • Delaware Online Privacy Protection Act (DOPPA); and
  • Nevada Revised Statutes Chapter 603A. 

Your name and contact information

In order for individuals to understand the use of their PII online, they need to know who is collecting that PII so you must disclose your name or the full legal name of the company that owns the website. You also need to provide your contact information so that users may contact you with any questions or concerns regarding their privacy.

What Personally Identifiable Information you collect 

One of the goals of privacy laws is to provide consumers with enough information to allow them to understand what a business does with their PII so that it should come as no surprise that a Privacy Policy must state what PII you actually collect. While each privacy law has its own unique definition of Personally Identifiable Information, it is generally defined as any information that could identify a particular individual. Examples of PII commonly collected by websites include: 

  • Name; 
  • Email; 
  • Phone number; and 
  • Physical address. 

Websites most commonly collect PII through one or more of the following means: 

  • Contact forms; 
  • Newsletter signup forms; 
  • Account signup forms; and 
  • Billing portals. 

While all laws require you to disclose what PII you collect, they have different formats for that disclosure, with some requiring you to disclose specific pieces of information collected (e.g. name), and others requiring you to disclose the categories of PII collected (e.g. identifying information). If they apply to you, the following privacy laws require you to disclose what PII you are collecting in your Privacy Policy: 

  • California Online Privacy Protection Act (CalOPPA); 
  • Delaware Online Privacy Protection Act (DOPPA); 
  • Nevada Revised Statutes Chapter 603A; 
  • California Consumer Privacy Act (CCPA); 
  • General Data Protection Regulation (GDPR); 
  • Personal Information Protection and Electronic Documents Act (PIPEDA); and
  • Australia Privacy Act 1988. 

Sources from which you collect the PII

Some privacy laws may require you to disclose the sources from which you have actually collected the PII. The following are a few examples of the sources that websites most commonly use to collect PII: 

  • The consumer; 
  • Tracking pixels; and 
  • Social networks. 

The following laws require Privacy Policies to disclose the sources from which PII is collected: 

  • California Consumer Privacy Act (CCPA); 
  • Personal Information Protection and Electronic Documents Act (PIPEDA); and
  • Australia Privacy Act 1988. 

Purposes for which you will be using the PII

The next requirement of what needs to be included in your Privacy Policy is the purposes for which you will use the PII that you collect. You should understand exactly how you are using the PII and record all purposes as specifically as you can. Some privacy laws require you to get consent from the consumer before you are able to use PII for any new purposes so your initial list of purposes in your Privacy Policy should be as complete as possible. Due to the fact that data breaches increase in cost and severity as you hold more PII, you should aim to have a clear and specific purpose for each piece of PII that you collect and not collect PII just in case you may need it in the future. 

The following is a list of examples of the purposes for which PII is used by websites: 

  • Performing services; 
  • Processing payments; 
  • Sending e-mail marketing newsletters; 
  • Analytics; or 
  • Providing customer service. 

The following privacy laws require you to disclose the purposes for which you use PII: 

  • California Consumer Privacy Act (CCPA); 
  • General Data Protection Regulation (GDPR); 
  • Personal Information Protection and Electronic Documents Act (PIPEDA); and
  •  Australia Privacy Act 1988. 

Sharing PII

Privacy laws may also require you to disclose, in your Privacy Policy, whether you share PII with third parties. While most people do not think that they share PII, this is simply not the case with most websites. Websites that have newsletter signup forms often share email addresses with third party marketing tools such as MailChimp or Constant Contact. A lot of businesses will also put customer PII into a customer management system such as Hubspot or Salesforce, which also qualifies as the sharing of PII. 

If PII is shared, privacy laws also require you to disclose what categories of third parties you share the PII with. Note that while the General Data Protection Regulation (GDPR), a privacy law that protects the PII of European Union residents, gives you the option of identifying the third parties by name, you are also allowed to use categories. As modern Privacy Policies are usually too long for consumers to actually read already, one may argue that listing categories of third parties with whom PII is shared is the most efficient solution. 

Here are the most common examples of categories of third parties that websites share PII with: 

  • Email marketing vendors (e.g. MailChimp or Constant Contact); 
  • Customer management systems (e.g. Hubspot or Salesforce); 
  • Parties that need to operate the website (e.g. your website developer); 
  • Financial transactions processors (e.g. Stripe or Paypal); and
  • Content management systems (e.g. WordPress or Wix). 

Finally, certain privacy laws will ask you to disclose why you share PII with the third parties that you enumerated, meaning that you have to justify the sharing of the PII. The following privacy laws require website Privacy Policies to disclose whether PII is shared and what categories of third parties that PII is shared with: 

  • California Online Privacy Protection Act (CalOPPA); 
  • Delaware Online Privacy Protection Act (DOPPA); 
  • Nevada Revised Statutes Chapter 603A;
  • California Consumer Privacy Act (CCPA);
  • General Data Protection Regulation (GDPR); 
  • Personal Information Protection and Electronic Documents Act (PIPEDA); and
  • Australia Privacy Act 1988. 

How your website responds to Do Not Track signals

The next requirement of what needs to be included in a Privacy Policy is, under certain laws, how your website responds to Do Not Track signals. Do Not Track is a browser setting designed to allow Internet users to opt out of tracking by websites. What is interesting about this disclosure requirement is that it does require your website to honor Do Not Track signals, only to disclose how your website responds to such signals. The following privacy laws require this disclosure: 

  • California Online Privacy Protection Act (CalOPPA); and
  • Delaware Online Privacy Protection Act (DOPPA). 

How you will notify users of changes to your Privacy Policy

Since privacy practices and therefore Privacy Policies can change frequently, some laws state that your Privacy Policy must disclose how you will alert users of such changes. Alerting users to changes is certainly best practice so that everyone is on the same page and there are no surprises as to your privacy practices. If you use the Termageddon Privacy Policy generator, we will automatically update the Privacy Policy on your website whenever changes to that policy are made, thereby alerting users. The following privacy laws require this disclosure: 

  • California Online Privacy Protection Act (CalOPPA); 
  • Delaware Online Privacy Protection Act (DOPPA); 
  • Nevada Revised Statutes Chapter 603A; and
  • Australia Privacy Act 1988. 

Selling Personally Identifiable Information

The next requirement of what needs to be included in a Privacy Policy is whether you sell the PII that you collect. While the initial answer of website operators who are asked whether they sell PII is a strong “no”, some privacy laws have very broad definitions of sale, meaning that you could be selling PII without realizing it. For example, Nevada’s privacy law defines sale as the exchange of the PII for monetary consideration by the operator to a person to sell or license the PII to additional persons. Meanwhile, the California Consumer Privacy Act (CCPA) defines sale as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic means, a consumer’s PII by you to another business or third party for monetary or other valuable consideration. 

If you do sell PII, certain privacy laws may also require you to disclose the following: 

  • How consumers can opt out of you selling their PII; 
  • What PII you have sold; 
  • What third parties you have sold the PII to. 

If the CCPA applies to you, and you sell the PII of 4,000,000 or more California consumers, you also need to disclose how many of the following requests you have received, complied with in whole or in part, and denied: 

  • Requests to know; 
  • Request to delete; and 
  • Requests to opt out. 

You will also need to disclose, in your Privacy Policy, the median number of days within which you have responded to such requests. The following laws may require you to disclose whether you sell the PII that you collect: 

  • Nevada Revised Statutes Chapter 603A; and
  • California Consumer Privacy Act (CCPA). 

The privacy rights provided to consumers

Most privacy laws protect the PII of consumers by providing them with certain privacy rights such as the right to access the PII that you hold about them and having that PII deleted. These privacy laws require certain websites to include this list of privacy rights in their Privacy Policy. If multiple privacy laws apply to you, then you need to specify who the privacy rights apply to. In addition, if you do business in multiple states or countries, this would be a great time to decide if you do want to provide the privacy rights to everyone that visits your website or only to the people who are specified as protected by the relevant privacy law(s). Providing these rights to everyone may reduce customer complaints and frustrations. 

The following privacy laws require certain Privacy Policies to list the rights of consumers: 

  • California Consumer Privacy Act (CCPA); 
  • General Data Protection Regulation (GDPR); 
  • Personal Information Protection and Electronic Documents Act (PIPEDA); and
  • Australia Privacy Act 1988. 

Exercising the privacy rights afforded to consumers

Knowing that a privacy right exists without knowing how to exercise it does not help the consumer much. That’s why certain privacy laws require the disclosure of the following: 

  • How someone can submit a request to exercise their rights. This could be through email, phone or a website portal; 
  • What information a consumer will need to provide to verify their identity to exercise their rights; and
  • If a consumer can designate an agent, what information needs to be submitted to designate such an agent. 

The following privacy laws require Privacy Policies to disclose how consumers can exercise their rights: 

  • California Consumer Privacy Act (CCPA); 
  • General Data Protection Regulation (GDPR); 
  • Personal Information Protection and Electronic Documents Act (PIPEDA); and 
  •  Australia Privacy Act 1988. 

Complaints to authorities

The following privacy laws require Privacy Policies to disclose how a user may complain to the relevant authorities if they feel like their privacy rights have been infringed upon: 

  • General Data Protection Regulation (GDPR); 
  • Personal Information Protection and Electronic Documents Act (PIPEDA); and
  • Australia Privacy Act 1988. 

Legal bases for processing PII

Next on the list of what needs to be included in a Privacy Policy is the GDPR requirement to disclose the legal basis under which you are processing PII. GDPR actually prohibits the collection, use and disclosure of PII unless an exception (legal basis) applies. Examples of legal bases include consent and the performance of a contract. You must the legal basis that applies to the processing of PII or your data processing could be unlawful under GDPR, which can lead to fines. 

How long you store PII

Some privacy laws may require you to disclose how long you store PII. You may be able to provide a specific time period (e.g. 3 weeks) or, if that is not possible, state the criteria upon which that period is determined (e.g. until user research project x is completed). A data retention schedule will be helpful in providing that disclosure. Remember that you should refrain from holding PII indefinitely as that not only could be a violation of a few privacy laws, but also because such practices can increase the severity and costs of data breaches. 

The following privacy laws require Privacy Policies to disclose how long PII is stored: 

  • General Data Protection Regulation (GDPR). 

Direct marketing

An additional item that may need to be included in a Privacy Policy is whether you use the PII for direct marketing. Direct marketing is generally defined as the business of selling products or services directly to the public, rather than retailers, a common practice on the Internet. The following laws require Privacy Policies to disclose whether you are engaged in direct marketing and how users can opt out of such practices: 

  • General Data Protection Regulation (GDPR); and
  • Australia Privacy Act 1988.

Automated decision making and profiling

GDPR requires Privacy Policies to disclose whether PII will be used to make decisions solely on automated processing, including profiling, which produces legal effects concerning the consumer. If you are using PII for automated decision-making or profiling, you must also disclose the logic underlying such processing. 

Transfers of Personally Identifiable Information

The next requirement of what needs to be included in a Privacy Policy is whether you intend to transfer PII outside of the country in which the individual lives and that has passed the privacy law. If you transfer PII, you may also be required to disclose what countries you intend to transfer it to. 

The following privacy laws require you to disclose whether you plan to transfer PII: 

  • General Data Protection Regulation (GDPR);
  • Personal Information Protection and Electronic Documents Act (PIPEDA); and
  • Australia Privacy Act 1988. 

Data Protection Officer

GDPR requires certain entities to appoint a Data Protection Officer that oversees the privacy program of that entity. If this requirement applies to you, then you must disclose the name and contact details of your Data Protection Officer in your Privacy Policy. 

How you protect the PII that you collect 

If the Personal Information Protection and Electronic Documents Act (PIPEDA) applies, your Privacy Policy will need to disclose how you protect the PII that you collect so that individuals can determine whether they feel safe providing you with their PII. Some examples of popular security measures include: 

  • Limiting the amount of PII that you collect to strictly necessary only; 
  • Using SSL or other secure connection technologies when receiving or sending PII beyond internal networks; 
  • Destroying the PII that you no longer need; and 
  • Performing regular risk assessments. 

You are responsible for ensuring that any security measures that you implement are effective and appropriate for the nature of the PII that you collect and hold. 

Policies, procedures, standards and codes

PIPEDA may also ask you to include any policies, procedures, standards and codes that you have for how you manage the privacy and security of PII in your Privacy Policy. A few examples of the types of documents that you could link to include the following: 

  • Information Classification Policy; 
  • Bring Your Own Device Policy; 
  • Password Policy; and 
  • Acceptable Use Policy. 

Use of analytics

When you use Google Analytics or similar analytics products, your website may be collecting IP addresses and other PII such as how a particular user interacts with your website. Furthermore, most analytics providers require you to have a Privacy Policy that discloses your use of that analytics service and how users can opt out of being tracked. 

Use of cookies and other tracking technologies

The final disclosure that you may need to include in your Privacy Policy is whether your website is using cookies or other similar technologies that track users. Cookies are small pieces of data sent from a website and stored on the user’s computer that are used to track browser activity. If you use cookies or other similar technologies, the following privacy laws require you to make certain disclosures in your Privacy Policy: 

  • California Online Privacy Protection Act (CalOPPA); 
  • Delaware Online Privacy Protection Act (DOPPA); 
  • Nevada Revised Statutes Chapter 603A; 
  • General Data Protection Regulation (GDPR); 
  • Personal Information Protection and Electronic Documents Act (PIPEDA); and 
  • Australia Privacy Act 1988. 

As you can see, the answer to the question of what needs to be included in a Privacy Policy can be complex. The journey to a compliant Privacy Policy always begins with determining what laws require your website to have a Privacy Policy, as the law(s) that apply will state what disclosures you need to make. It is important to note that as more states propose and pass their own privacy bills, the requirements of what a Privacy Policy needs to include will change. Use Termageddon’s Privacy Policy generator to help you make the right disclosures, keep your policies up to date with privacy law changes, and avoid privacy-related fines and lawsuits.