Privacy policy
Home Resources Articles What is a privacy policy and why do you need one?

What is a privacy policy and why do you need one?

Privacy policies help organizations comply with privacy laws by communicating to users about data collection by websites and apps.
by Usercentrics
Nov 2, 2023
Privacy policy
Table of contents
Show more Show less
Book a demo
Learn how our consent management solution can improve privacy and user experience for your users.
Get your free data privacy audit now!

What is a privacy policy meant to communicate? Most websites and apps collect data from users via cookies and other tracking technologies. These technologies do everything from helping to make websites work correctly, enable ecommerce, and collect visitor statistics and user behavior information. Some of this information can be collected without notifying users, but in most cases, a clear and accessible privacy notice is required.

 

In this article, we cover everything you need to know about privacy policies, why you need one and how to create a privacy policy for your business.

What is a privacy policy?

A privacy policy is a legal document required by most data privacy laws, which outlines how you process your users’ or customers’ personal data. This includes how you collect, store, use, share and protect personal data and what rights users have with respect to their data.

 

You need to establish user privacy policies if you collect personal data through your website, mobile app, email newsletter, social media platform or account, TV app, ecommerce platform, smart home device or online marketplace. This is not an exhaustive list, and you may use another medium altogether. Regardless of where you collect personal data from, your privacy policy statement should explain your company’s privacy practices and how they affect users and their data.

 

Global privacy laws require organizations to clearly communicate specific information about what data is collected, for what purpose, who it may be shared with, and how it is secured. This is what a privacy policy — also called a privacy notice or privacy statement — is for, and is why you need one as part of your data compliance strategy for the GDPR, CCPA, LGPD and other applicable regulations.

 

Your users and customers should be able to easily find your privacy page or privacy information on your website, app or other platform.

Privacy policies and understanding personal data and collection

What is personal data?

 

Most websites and apps collect functional, statistical, or marketing data from visitors via cookies and other tracking technologies. This data is collected whether the user is accessing the website from a laptop, tablet or mobile device.

 

Privacy laws typically define this information as the personal data of the users from whom it’s collected via their online activities. Because such data can be used to identify an individual, it is legally protected. Personal data can include information like:

  • first and last name
  • email address
  • account username
  • phone number
  • browsing history
  • credit card details
  • IP address
  • Social Security number

Some personal data can also be classified as “sensitive” if it could be used to inflict harm, such as health information, religious affiliation, sexual orientation, or racial background.

How do I know what cookies my website uses?

 

Websites and apps use cookies and other tracking technologies for everything from making the website function correctly to enabling ecommerce to gathering marketing data.

 

Using a scan to audit your website’s cookies is a great first step to understand what personal data you collect and how information about that data and cookie use must be communicated in your website privacy policy.

Users’ privacy rights

Privacy laws like the GDPR, CCPA or POPIA require that users be notified when their personal information is collected, including, for example, from Art. 13 GDPR:

  • who is collecting the information, who their representative is, and their contact information
  • the purpose(s) and method(s) for collecting the information
  • the categories and specific information being collected
  • the legal basis or legitimate interest for the data collection
  • any third parties used to collect the information or with whom it may be shared
  • the contracts or adequacy agreements with any third parties that will access the data
  • the security measures in place to protect the information

This information is included in a standard privacy policy and must be specific to each organization depending on their operations, data collected and relevant legal jurisdictions. In many cases, users must also be provided with the option to consent to or decline the collection or sale of their personal information as well as be provided a process to do so. This information should also be part of a legally compliant privacy policy.

 

Privacy laws typically protect consumers by stipulating that those who decline the collection or processing of their personal information cannot be denied access to products or services, or otherwise discriminated against by a company, for refusing consent for data collection or use.

In many jurisdictions, the legal requirements for and contained in a standard privacy policy depend on where users are located and local protection laws. They do not depend on the type or size of business or revenue (with some exceptions, particularly in the United States), if the website is used for ecommerce, or whether or not it requires account creation. If you have EU customers, for example, you need a GDPR-compliant privacy policy statement.

 

It is important to know what data your website or apps collect, how it’s used, who will have access to it, and what laws are applicable to your company to ensure your privacy policy is complete and accurate. It also needs to be regularly reviewed and updated as operations, technologies and the regulatory landscape change. A privacy policy is a legal document, and as such we recommend working with qualified legal counsel and having a corporate Data Protection Officer.

 

Failure to comply with privacy policy requirements can contribute to regulatory noncompliance and penalties like heavy fines, prosecution, loss of business licenses, data deletion and reputational damage to the company.

Third-party services and privacy policies

 

There is a legal requirement that a privacy policy must outline third parties that will have access to or process the data you collect. However, it goes both ways. Many third parties require website and app operators to post a privacy notice if they use the third-party services.

 

These services can include in-page or in-app advertising, analytics services, ecommerce or app store usage and more. Services from large companies like Apple, Google, Facebook and Amazon are very widely used, and they all require companies that use their services to communicate with customers or users what data they collect, for what purposes, and what is done with it.

Privacy policies under data protection laws in different countries

The European Union’s General Data Protection Regulation (GDPR): The GDPR requires transparency about the collection and use of personal data from EU residents. It necessitates that privacy policies include the types of data collected, purpose(s) for processing, the legal basis for processing, data retention periods, and the rights of individuals concerning their data. It also requires information on data transfers, how users can withdraw consent, and how users can lodge complaints with supervisory authorities.

United Kingdom General Data Protection Regulation (UK GDPR): The UK version of GDPR maintains very similar requirements for privacy policies as the EU GDPR, including having detailed information on data processing activities and data subject rights. Data collectors must proactively make visitors aware of this information, and visitors must have an easy way to access it.

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): The CCPA/CPRA mandates that businesses have a ‘notice at collection’, where they inform California residents about the categories of personal information collected and, if they sell the information, the right to opt -out of its sale. This notice at collection must contain a link to a standard privacy policy that details the business’s data privacy practices and informs consumers of their privacy rights and how to exercise them.

Brazil’s Lei Geral de Proteção de Dados (LGPD): Brazil’s LGPD requires organizations to provide clear and comprehensive information about data collection and usage, which can be done through a privacy policy statement. It must include data subjects’ rights, the purposes for which data is processed, and the duration of its processing, among other requirements.

South Africa’s Protection of Personal Information Act (POPIA): South Africa’s POPIA stipulates that the data collector must document all processing activities and take reasonable steps to notify consumers when collecting personal information. The notification can be done via a privacy policy.

Why your website needs a privacy policy

A privacy policy for your website is essential for clarity on data handling practices, providing visitors with an understanding of what information is collected and how it is used. With regulations like the GDPR and CCPA setting stringent rules on data privacy, a compliant privacy policy helps avoid substantial fines and legal complications.

 

In addition to being a legal requirement, a comprehensive privacy policy is also important for your brand and for building user relationships. Consumers are increasingly aware of their online privacy rights and the mass collection of their data. They may not understand adtech in depth, but they should be able to exercise their rights and have confidence in the websites they visit, the apps they use, and the companies they do business with.

 

Making it clear what data you collect, how it’s used, who has access to it and how you keep it safe shows users that your company has mature processes in place to respect and safeguard privacy. It shows you respect the people who provide their time, data and money to your company, and that you aren’t just interested in strip mining their information. A clear, up-to-date and easily accessible privacy policy for your website is a great tool for demonstrating your business’s principle of transparency and building user trust.

How to write a privacy policy for a website

Organizations need to audit their data collection and processing to know what data they collect, how it’s used and secured and who has access to it. By including this key information, a privacy policy can be kept accurate for the user and regulatory compliance. It is also important to communicate who the Data Protection Officer or other responsible party is, and provide easily accessible and accurate contact information.

DIY, copy, or using a privacy policy generator

 

You can draft your privacy policy from scratch or use a privacy policy generator or tool with privacy policy templates. It can be a page published on your website or hosted by a privacy policy service and linked from your homepage or footer. It just has to be easily accessible to visitors and easy for them to understand, as well as kept up to date.

 

Copying a basic privacy policy directly from another website is not a good idea, as that document was designed for that specific company, and it would be easy to miss necessary changes to make it fit your business’s needs, thus preventing you from being compliant with GDPR policy or other laws.

Data Processing Services

 

There are potentially thousands of Data Processing Services (DPS), which are web technologies that can be used on websites and apps and which collect and process user data. That can mean substantial work to keep them updated, correctly classified, and listed in your privacy policy.

 

Usercentrics maintains a text database of thousands of Data Processing Services that can be embedded via template into your privacy policy. Save yourself the time and resources of manually building and maintaining this list.

 

We regularly update the database, so the technologies included are up to date, helping maintain your privacy compliance and the seamless access to relevant information for your users. Companies can and should adjust these templates according to their operational needs.

 

Learn more about the Dynamic Privacy Policy feature.

 

A cookie policy is different from a privacy policy, as it only covers information relating to cookie usage. A standard privacy policy for a website covers much more information regarding data processing, data subject rights, data processor responsibilities, and more. A cookie policy can be a section within a privacy policy, meaning you can include your cookie information in the wider policy document. If you choose to combine them, your cookie policy must have its own section within the privacy policy.

 

To learn more about a tool to help you create a customized, legally compliant privacy policy for your business, get in touch with our experts.

Frequently Asked Questions

Is a GDPR policy the same as a privacy policy?

A GDPR policy is an internal set of guidelines and procedures that outline a company’s data protection policy specifically with regards to GDPR compliance. It is not a formal legal document, but it helps ensure that a company has the frameworks in place to comply with GDPR requirements when collecting user data and doesn’t necessarily need to be publicly accessible.
A privacy policy is an externally accessible legal document that informs users about the company’s data processing practices: what data is collected, for what purpose, who it may be shared with, and how it is secured. It covers information regarding compliance with all the privacy laws applicable to the company, not just GDPR.

What should a privacy policy include?

At minimum, a basic privacy policy should include what personal data you’re collecting, how you’ll collect it, why you’re collecting it, how you’ll use it, who you might share it with, and how you’ll keep it secure. It must also let users know what their rights are, how to exercise them, and provide your contact details (e.g. an email address and mailing address) in case they have questions about their data or want to submit a data subject access request. Since a standard website privacy policy is written to share important information with your users, it should be in simple language for anyone to understand, and not require legal knowledge. Read our blog post for more information on how to write a privacy policy.

What is the purpose of a privacy policy?

The purpose of a privacy policy is to comply with privacy regulation requirements, to inform users how you’ll handle their personal data, what rights they have and how to exercise them. It needs to provide up-to-date information about the tools or services you use to collect personal data. It should be specific, clear, and simple enough for users to understand so they can make an informed decision about whether to share their data and how to assert their user rights, if they want to.

Do I need a privacy policy on my website?

Most websites collect personal data from visitors through the use of cookies. If your website collects any personal data, then you need a privacy policy. This policy should detail what data you collect, why it’s collected, how it’s used, and the steps you take to protect it. Not only does this fulfill legal obligations under privacy laws like the GDPR in Europe and the CCPA in California, but it also cultivates trust by showing visitors that you are committed to protecting their privacy.

How do I create a privacy policy?

To create a privacy policy for your website, perform an audit to pinpoint the types of personal data you handle and your methods for processing and securing it. Once you have a clear picture, you can draft the policy yourself, consult a legal professional to draft it for you, or use a privacy policy generator for a custom fit, ensuring it’s clear and understandable. Directly copying another website’s policy is not advisable as it won’t reflect your company’s data processing practices and could leave you legally exposed.

Related Articles

California Privacy Rights Act (CPRA) and the future of privacy law

California Privacy Rights Act (CPRA) enforcement is starting: what you need to know

The California Privacy Rights Act (CPRA) has been in effect since January 1, 2023. CPRA enforcement was delayed due...

DMA Marketer

Implementing consent for Google ads personalization: A comprehensive guide to the Google Ads compliance alert

Google Ads’ notification to "implement consent for ads personalization" isn't just a policy change.