Privacy Policy Form

Privacy policies address how information is collected and how it is used. Make sure that you keep your privacy policy updated!

Please note: If your website knowingly collects information from users under the age of 13, you will need additional modifications to this privacy policy, and to your website, to comply with the Children’s Online Privacy Protection Act (COPPA), and you should consult an attorney to ensure compliance. If you are doing business in the European Union, you should consult an attorney to ensure compliance with GDPR.   

What is a privacy policy?

An online privacy policy is something that is becoming increasingly common with the Internet and websites. It is used to let users know what information is being collected from them while they are using a website or account.

An online privacy policy should detail what kind of information will be used by you or a third-party, such as the user’s name, birthdate, phone number, email address, or other contact information. You should also list any 'opt-out' options if they are available.

This policy is very important for any website, especially those that will share information with other parties. To ensure your online privacy policy is a binding legal document with all required enclosures, seek counsel from an experienced lawyer.

A privacy policy is a legal document outlining the manner in which you will handle your customers’ private and sensitive information.

One of the biggest concerns among visitors to Web sites is how their personal information is going to be used. This isn’t a new development; back in March of 2000, BusinessWeek did a cover story on Internet privacy, including a survey showing that the vast majority of users were either very or somewhat concerned about how their information would be used. The same cover story discussed how best to inform and reassure users. (You can see other such surveys, dating back to 1997, here.)

Unfortunately, while the number of businesses with web sites has continued to expand, as has the sites’ sophistication, the level of disclosure of data practices has not significantly improved. True, most web sites (especially business ones) have posted “privacy policies,” but too many simply copy language they’ve found on other web sites. The problem? The borrowed language may describe the practices of the other site, but may not be correct when it comes to the new site using the policy, and when it comes to privacy policies, inaccuracy can be expensive.

Keep in mind that a privacy policy is a disclosure document, whose purpose is to inform (and therefore protect) consumers. When it comes to consumer protection, the Federal Trade Commission and state attorneys general have jurisdiction, and even absent any other applicable laws about privacy (such as the Children’s Online Privacy Protection Act or COPPA), the enforcers can and do sue and fine sites whose privacy policies are well-meaning but wrong. (The FTC publicizes its enforcement and its penalties, adding to the embarrassment for some major companies, including Microsoft.)

How do well-meaning companies get themselves into trouble with their privacy policies? Among the biggest problems is a statement such as, “We will not share your information with any third party.” Very reassuring; almost certainly false. When it comes to the web, there are numerous legitimate third parties with whom the site owner must share user information just to operate the site: the site’s hosting company, the user’s own ISP (to whom the Web pages are transmitted on their way to the user), the courier delivering any purchases, the banks clearing credit card payments, etc.

Another problematic statement: “We collect your information through the form you complete on the site.” This may be true, but the site owner will likely also be collecting personal information about the user from text messages, e-mails, faxes, telephone calls, postal mail or other communications with the user, as well as from outside sources (credit card processors, database vendors), etc. Further, though there is not (yet) a federal law requiring all Web sites to have privacy policies, states such as California have rules about policies and what needs to be included in them. (California’s Civil Code Section 1798.83, which mandates certain language and procedures for privacy policies, can be found on this page.)

Given that copying another site’s language is a bad way to create a privacy policy, what’s the right approach? An attorney familiar with the laws and rules about data can guide you through the process of learning exactly how your organization collects data, how it uses the data and how it shares them with others, so the policy can be accurate as well as flexible enough for future uses. For the best results, this process should include IT, sales, marketing, and any other group within the company that touches the site’s information. (Don’t forget that data may also be collected through offline operations; if the information is shared between Web and offline in the company, the offline part needs to be included in the policy.)

There are also organizations that offer templates and consulting to help with policies. You may find some good information from the International Association of Privacy Professionals (IAPP). Finally, if your site collects information from children, includes health or financial data, or you have operations in other countries, there may be additional laws with which you must comply. For those, asking a competent lawyer is definitely a good idea.

Don’t forget that your privacy policy has to remain accurate over time. If your information practices change and they’re no longer what’s described in your policy, the policy should change. Be careful, though, that if you are making major changes in your data use, you don’t use information collected under the earlier policy without getting permission from those users. Amazon.com got into trouble with consumers and got the attention of the FTC in 2001 when it made a change in its policy; the FTC said that were Amazon to make a “material change,” it would actually have to get permission from each of its previous customers before using their information in the new ways, which would be a major and probably unsuccessful effort.

Beyond helping you craft an accurate and flexible privacy policy, having a complete picture of how your organization collects, uses and shares information has one other major benefit: it can show you how you’re underutilizing the data you already have. With that knowledge, you can find new ways of understanding, communicating, and serving your customers, while providing them with the comfort that comes with full disclosure.

Who needs a Privacy Policy?

Most businesses with an online presence need a privacy policy. This is because most business websites offer newsletters, online coupons, and other digital experiences that require users to sign up. When users sign up, the information collected that can be used to identify them. There are federal and state laws that govern the creation of privacy policies. From the federal perspective, websites in the United States may need a privacy policy to comply with the Fair Credit Reporting Act, Right to Financial Privacy Act, Electronic Communications Privacy Act, Video Privacy Act, Cable Television Protection and Competition Act, Children’s Online Privacy Protection Act, HIPAA security regulations, and the GLB Act

Businesses with websites that may have users who are EU citizens are required to have privacy policies must comply with GDPR, the new data and privacy security legislation. Essentially, its purpose is to help EU citizens understand how businesses collect, secure, use, and share their data.

Most common uses

Any entity that collects or uses personal information from its users needs a privacy policy.  Common businesses to use privacy policies include:

  • Websites
  • WordPress or Wix blogs
  • E-commerce stores
  • Mobile apps
  • Facebook apps
  • Desktop apps
  • SaaS apps (Service as a software)
  • Google AdSense and AdWords users
  • Digital products

Components of a Privacy Policy

Believe it or not, privacy of information is one thing that is barely regulated in the US compared to other countries. We take a comparatively laissez-faire approach to things like personal privacy and property. This might be due to our enterprising, go-getter do-it-yourself culture.

That said, the feds do not ignore the issue. Privacy of information is an extremely important asset to protect, both from a legal and a marketing point of view. You want to brand your new company as trustworthy, reliable and on top of its legal obligations. For this reason, you’ll want to be sure all the important main components of a privacy policy exist in yours.

Explain what data will be taken

Tell the client exactly what information you will or may be taking from them. For example:

Porcupine Media, Inc. may collect the following information from our customers:

•    Your name/job title

•    Your contact information

•    Demographic data such as preferences/interests and postal area

•    Other information relevant to client-based surveys

Discuss security

Explain your secure storage strategy. Maybe you use secure software, maybe you you use de-identification methods. Either way, the customer should know about it.

Anonymization, or de-identification, is a process of rendering personal data unidentifiable by removing or replacing personal identifiers. Porcupine Media, Inc. performs a 4-step data de-identification process. We are committed to the persistent and perpetual improvement of our data protection strategy.  Porcupine Media, Inc.’s automatically de-identifies data that has been stored in an identifiable form in our system for longer than 2 months.

State your purpose

Explicitly disclose what you intend to do with your clients’ private information. Will you be using it for survey purposes? Financial analysis?

We require this information in order to provide you with a better service, and apply it to the following purposes:

•    Internal record keeping.

•    Improvement and possible promotion of products and services.

•    We may occasionally use your information to conduct critical market research. We may contact you by email, phone, fax or mail.

•    Though we may occasionally provide your information to our third party partners, we will do so for express purposes of marketing or promotion only. Porcupine Media, Inc. will never sell your information.

We will never sell your information.

Give the user control

Allow the user to verify and control the nature of his private information’s use. Provide details on exactly what steps the user may or must take to keep his or her information private. This section is often entitled “User Rights.” The main thing is to make your clients feel comfortable sharing their information, knowing that they are doing so by choice.

You may restrict our collection or use of your personal information, by clicking to the box on our website forms that indicates you do not want your information to be used.

You should also alert user to your policy on updates, and let them know how to be sure they are alerted to any changes that are made.

Be sure to visit the Federal Trade Commission’s website to review your legal responsibilities in detail. Also check your state and city websites to see if any local laws apply.

Legal Considerations of a Privacy Policy

If you run a business that in any way makes use of customer information, you must have a sound and complete privacy policy in place. This means creating one that falls within all legal strictures and is understood by every customer, employee and third party associate.

Private information is an issue that the government takes seriously. Numerous regulations must be followed when constructing your privacy policy. I’ve listed the big ones below, but you’ll want to investigate them in more depth on the FTC’s official website. The main thing is to treat customers’ sensitive information like radioactive material. It must be stored properly, used wisely, and disposed of discreetly and safely.

Data/Identity Security – If you keep customers’ personal information on file, you must by law have a secure electronic system in place. It is your responsibility to protect info you’ve been entrusted with from identity theft.

Collection of Data – While the law does not strictly regulate this, data collection is one subject in which care and caution will protect you from legal issues. You may only collect data using methods outlined to and agreed to by your customers. For this reason, your privacy policy should lay out very clearly the methods you will and will not use. Note – there are very strict guidelines as to how market research may be done on children under the age of 13.

Financial Information – There are very clearly defined practices for the use and sharing of financial information. If you provided investment services, insurance or any other financial services, you need to train your employees in the correct procedures and ensure they follow them to the letter.

Credit Reports – If you conduct customer evaluations based upon credit reports, you need to follow the correct procedures for the use, protection and disposal of said credit reports. Hit the FTC website’s section on this subject for details.

GDPR - If you do business in Europe, you must comply with the EU General Data Protection Regulation (GDPR).

There are a few shortcuts you can use to make sure all your main legal points are covered. If you use a website privacy policy template, or an internet-based privacy policy generator, you’ll often find less research is necessary. You can find plenty of free privacy policy information resources as well. Just be sure you use a reputable website.  Of course, it's always a good idea to seek legal advice if you have any questions about whether your privacy policy document and terms & conditions comply with applicable privacy laws such as the Can-Spam Act and the Federal Trade Commission Fair Information.

Privacy Policy Enforcement

Enforcing a privacy policy can be accomplished by using the “clickwrap method.” This involves requiring users to take some sort of action, such as checking a box, that shows they understand and accept the terms of the privacy policy. If the user does not accept the privacy policy, they are unable to complete the steps required to create a user account.

Privacy Policy Sample Library

Here’s a reference library of privacy policies to help you understand how a thorough privacy policy should read:

The Office of Privacy and Open Government

US General Services Administration

US Department of Agriculture

Harvard Medical School

Etsy

Twitter

PayPal

United Way

Download a PDF or Word Template

Release Of Liability

Business Proposal

Sample Privacy Policy

Read Full Document

Sample Privacy Policy

+
Create Privacy Policy