What Goes in a Privacy Policy

DBS Interactive

What is a website privacy policy?

A website privacy policy is a statement that informs visitors to your website about the data and information you collect on your visitors and what you will or will not do with the data. Typically, a privacy policy is a single page on a website accessed through the website’s footer.

There is no single U.S. law that requires websites to have a policy, so you are not technically required to have one. However, California law does require companies serving state residents to have a privacy policy accessible via the homepage, so a lot of companies comply for that reason. And even if you don’t operate in California, a privacy policy is a widely accepted must-have.

Users value their privacy and want to know what information of theirs you are collecting and sharing with other parties. Being explicit about this is a transparent move that internet users appreciate. Additionally, it gives you legal footing in the rare event of a legal case.

So does your website need a privacy policy? Most likely, yes. What should be in it? Here are some tips:

Keys to a good privacy policy

  1. Figure out what information you collect first! You may be surprised by, or unfamiliar with, the information your website collects from users. Talk with your IT team and any online vendors to ensure you have an up-to-date and complete list.
  2. Document what you do with your users’ information. Is their information ever shared with third-party partners or applications or is it all kept in house? If you collect information for one purpose (like event registration), could it be used for another purpose (like future marketing campaigns)? Add this to your list.
  3. Clear language is critical. Your privacy policy is for users. Don’t hide behind legal jargon.
  4. Short, sweet, and to-the-point is a plus. Without leaving anything out, get straight to the point so your privacy policy is clear to a user.
  5. Don’t just copy and paste someone else’s privacy policy. Your policy should be tailored to your site and users’ needs.

What to include in a privacy policy

  1. How you collect users’ information – most websites collect information that users provide voluntarily. Voluntarily provided information includes contact form submissions, newsletter subscriptions, and sign-ups for services.
  2. How you use that information – often users’ information is just used internally, but be sure to mention if you sell, share, or rent this information with any third party.
  3. Email communications – most websites have a form where people enter their email. Use your policy to be clear about what you do with users’ emails. It’s a great place to be clear about what types of emails users can expect to get from you. Also, clearly detail how someone can unsubscribe or opt-out of email notifications. (If you collect and use phone numbers, include that, too!)
  4. Cookie usage – most websites store cookies (including any website running Google Analytics). You need to mention this in your privacy policy, as well as whether you link those cookies to any personally identifiable information.
  5. External link information – if your site links to a different domain, it’s good to remind people that you’re not responsible for any content or privacy practices on those other websites. Essentially, you’re pointing out that while you may be linking offsite, you aren’t endorsing those websites outright.
  6. Legal information – when a legal investigation is involved, you might be compelled by a court to provide information about your users. Sometimes it can be good to point out that this is one situation where you might need to share information you normally wouldn’t share outside your organization.
  7. Information about the policy itself – tell users what the policy is for, how often you intend to update the privacy policy, and how you will communicate with users when you do.
  8. Contact information – make it clear how users can get in touch with you with questions regarding the privacy policy.