Privacy Policy Form

Privacy policies address how information is collected and how it is used. Make sure that you keep your privacy policy updated!

Please note: If your website knowingly collects information from users under the age of 13, you will need additional modifications to this privacy policy, and to your website, to comply with the Children’s Online Privacy Protection Act (COPPA), and you should consult an attorney to ensure compliance. If you are doing business in the European Union, you should consult an attorney to ensure compliance with GDPR.   

What is a privacy policy?

An online privacy policy is something that is becoming increasingly common with the Internet and websites. It is used to let users know what information is being collected from them while they are using a website or account.

An online privacy policy should detail what kind of information will be used by you or a third-party, such as the user’s name, birthdate, phone number, email address, or other contact information. You should also list any 'opt-out' options if they are available.

This policy is very important for any website, especially those that will share information with other parties. To ensure your online privacy policy is a binding legal document with all required enclosures, seek counsel from an experienced lawyer.

A privacy policy is a legal document outlining the manner in which you will handle your customers’ private and sensitive information.

One of the biggest concerns among visitors to Web sites is how their personal information is going to be used. This isn’t a new development; back in March of 2000, BusinessWeek did a cover story on Internet privacy, including a survey showing that the vast majority of users were either very or somewhat concerned about how their information would be used. The same cover story discussed how best to inform and reassure users. (You can see other such surveys, dating back to 1997, here.)

Unfortunately, while the number of businesses with web sites has continued to expand, as has the sites’ sophistication, the level of disclosure of data practices has not significantly improved. True, most web sites (especially business ones) have posted “privacy policies,” but too many simply copy language they’ve found on other web sites. The problem? The borrowed language may describe the practices of the other site, but may not be correct when it comes to the new site using the policy, and when it comes to privacy policies, inaccuracy can be expensive.

Keep in mind that a privacy policy is a disclosure document, whose purpose is to inform (and therefore protect) consumers. When it comes to consumer protection, the Federal Trade Commission and state attorneys general have jurisdiction, and even absent any other applicable laws about privacy (such as the Children’s Online Privacy Protection Act or COPPA), the enforcers can and do sue and fine sites whose privacy policies are well-meaning but wrong. (The FTC publicizes its enforcement and its penalties, adding to the embarrassment for some major companies, including Microsoft.)

How do well-meaning companies get themselves into trouble with their privacy policies? Among the biggest problems is a statement such as, “We will not share your information with any third party.” Very reassuring; almost certainly false. When it comes to the web, there are numerous legitimate third parties with whom the site owner must share user information just to operate the site: the site’s hosting company, the user’s own ISP (to whom the Web pages are transmitted on their way to the user), the courier delivering any purchases, the banks clearing credit card payments, etc.

Another problematic statement: “We collect your information through the form you complete on the site.” This may be true, but the site owner will likely also be collecting personal information about the user from text messages, e-mails, faxes, telephone calls, postal mail or other communications with the user, as well as from outside sources (credit card processors, database vendors), etc. Further, though there is not (yet) a federal law requiring all Web sites to have privacy policies, states such as California have rules about policies and what needs to be included in them. (California’s Civil Code Section 1798.83, which mandates certain language and procedures for privacy policies, can be found on this page.)

Given that copying another site’s language is a bad way to create a privacy policy, what’s the right approach? An attorney familiar with the laws and rules about data can guide you through the process of learning exactly how your organization collects data, how it uses the data and how it shares them with others, so the policy can be accurate as well as flexible enough for future uses. For the best results, this process should include IT, sales, marketing, and any other group within the company that touches the site’s information. (Don’t forget that data may also be collected through offline operations; if the information is shared between Web and offline in the company, the offline part needs to be included in the policy.)

There are also organizations that offer templates and consulting to help with policies. You may find some good information from the International Association of Privacy Professionals (IAPP). Finally, if your site collects information from children, includes health or financial data, or you have operations in other countries, there may be additional laws with which you must comply. For those, asking a competent lawyer is definitely a good idea.

Don’t forget that your privacy policy has to remain accurate over time. If your information practices change and they’re no longer what’s described in your policy, the policy should change. Be careful, though, that if you are making major changes in your data use, you don’t use information collected under the earlier policy without getting permission from those users. Amazon got into trouble with consumers and got the attention of the FTC in 2001 when it made a change in its policy; the FTC said that were Amazon to make a “material change,” it would actually have to get permission from each of its previous customers before using their information in the new ways, which would be a major and probably unsuccessful effort.

Beyond helping you craft an accurate and flexible privacy policy, having a complete picture of how your organization collects, uses and shares information has one other major benefit: it can show you how you’re underutilizing the data you already have. With that knowledge, you can find new ways of understanding, communicating, and serving your customers, while providing them with the comfort that comes with full disclosure.

Most common uses

Any entity that collects or uses personal information from its users needs a privacy policy. Businesses and products that commonly use privacy policies include:

  • Websites
  • WordPress or Wix blogs
  • E-commerce stores
  • Mobile apps
  • Facebook apps
  • Desktop apps
  • SaaS apps (Software as a Service)
  • Google AdSense and AdWords users
  • Digital products

Components of a Privacy Policy

Believe it or not, privacy of information is one thing that is barely regulated in the US compared to other countries. We take a comparatively laissez-faire approach to things like personal privacy and property. This might be due to our enterprising, go-getter do-it-yourself culture.

That said, the feds do not ignore the issue. Privacy of information is an extremely important asset to protect, both from a legal and a marketing point of view. You want to brand your new company as trustworthy, reliable and on top of its legal obligations. For this reason, you’ll want to be sure all the important main components of a privacy policy exist in yours.

Explain what data will be taken

Tell the client exactly what information you will or may be taking from them. For example:

Porcupine Media, Inc. may collect the following information from our customers:

  • Your name/job title
  • Your contact information
  • Demographic data such as preferences/interests and postal area
  • Other information relevant to client-based surveys

Discuss security

Explain your secure storage strategy. Maybe you use secure software, maybe you use de-identification methods. Either way, the customer should know about it.

Anonymization, or de-identification, is a process of rendering personal data unidentifiable by removing or replacing personal identifiers. Porcupine Media, Inc. performs a 4-step data de-identification process. We are committed to the persistent and perpetual improvement of our data protection strategy. Porcupine Media, Inc. automatically de-identifies data that has been stored in an identifiable form in our system for longer than 2 months.

Legal Considerations

If you run a business that in any way makes use of customer information, you must have a sound and complete privacy policy in place. This means creating one that falls within all legal strictures and is understood by every customer, employee and third party associate.

Private information is an issue that the government takes seriously. Numerous regulations must be followed when constructing your privacy policy. I’ve listed the big ones below, but you’ll want to investigate them in more depth on the FTC’s official website. The main thing is to treat customers’ sensitive information like radioactive material. It must be stored properly, used wisely, and disposed of discreetly and safely.

Data/Identity Security – If you keep customers’ personal information on file, you must by law have a secure electronic system in place. It is your responsibility to protect info you’ve been entrusted with from identity theft.

Collection of Data – While the law does not strictly regulate this, data collection is one subject in which care and caution will protect you from legal issues. You may only collect data using methods outlined to and agreed to by your customers. For this reason, your privacy policy should lay out very clearly the methods you will and will not use. Note – there are very strict guidelines as to how market research may be done on children under the age of 13.

Financial Information – There are very clearly defined practices for the use and sharing of financial information. If you provide investment services, insurance or any other financial services, you need to train your employees in the correct procedures and ensure they follow them to the letter.

Credit Reports – If you conduct customer evaluations based upon credit reports, you need to follow the correct procedures for the use, protection and disposal of said credit reports. Hit the FTC website’s section on this subject for details.

GDPR – If you do business in Europe, you must comply with the EU General Data Protection Regulation (GDPR).

There are a few shortcuts you can use to make sure all your main legal points are covered. If you use a website privacy policy template, or an internet-based privacy policy generator, you’ll often find less research is necessary. You can find plenty of free privacy policy information resources as well. Just be sure you use a reputable website. Of course, it's always a good idea to seek legal advice if you have any questions about whether your privacy policy document and terms & conditions comply with applicable privacy laws such as the CAN-SPAM Act and the Federal Trade Commission Fair Information.
