How to Write a Website Privacy Policy

Learn how to write a comprehensive and effective privacy policy for your website.

Creating and running a professional website is a lot of work. Whether it is a site used to sell products or services or one that caters to members or followers only, designing the site and creating content that keeps your visitors returning requires considerable commitment and effort.

While the Internet provides an excellent venue for doing business, providing information and facilitating communication, it also creates numerous privacy concerns for those that visit websites.

The Internet provides access to almost any type of product, service or information imaginable, and the bounds of the Web are virtually limitless. However, this broad type of access also enables hackers, immoral data miners and other unscrupulous groups or persons to potentially abuse privacy or otherwise harm Web users.

Consequently, many users are wary when visiting sites about the type of information they wish to share.

If yours is like many other websites, you probably collect some type of data when a visitor reaches your site. Whether it is the collection of biographical, contact or location information or the use of tracking software to make a site easier to use, there are few sites these days that don't collect at least minimal amounts of data from visitors.

If your website does collect data from visitors, chances are good that you will be required to post policies regarding the collection of data and its dissemination. In most cases, you can satisfy requirements for this information through the posting of Cookie and Privacy policies.

What is a cookie?

If you run a website, you may already know what a cookie is and how it functions. Just in case you don't know much about cookies, though, here is a brief overview:

A cookie (sometimes also referred to as a browser cookie, HTTP cookie, Internet cookie or Web cookie) is a small file sent from a Web server to your computer whenever you visit a website. If you return to the website later, your Web browser sends the small file back to the server to notify the website of any previous activity you engaged in on the site.

Once you return to a website, the server can retrieve the cookie file from the local computer to expedite certain functions such as logging in and retrieving account or user data.

Cookies can serve many useful purposes, such as remembering items you had in a shopping cart, logging visited pages on the site and remembering login details so you don't have to enter them every time you visit the website. The most common types of cookies are authentication cookies, which servers use to determine whether a user is logged into a site or not.

Cookies cannot contain viruses or install spyware or malware on your computer. However, companies can use cookies to track long-term browsing history and store information on the types of products or information viewed.

Over a period of time, aggregate information of this type can help site owners push targeted products or information to your browser during visits. While this practice may seem helpful (and it certainly can be), it may also be a cause for concern for users who wish to keep their browsing or search habits private.

What are cookie and privacy policies?

If your site collects contact or location information, privacy policies regarding those types of data are relatively self-explanatory and easy to understand. Simply put, if your site collects details such as a user's name, address, email address, or other biographical or location data, a privacy policy outlines the types of information collected, why it is needed, how it is used and how it is disseminated (or provided to other parties).

Only a few years ago, a Privacy Policy was the only type required by most governmental and online watch groups. However, in recent years agencies and governments have listened to constituents and users by taking privacy requirements a step further to include requirements for Cookie Policies. Similar to Privacy Policies, Cookie Policies must outline the types of data stored on and retrieved from your computer and in what manner the server and website use the information.

Why your website needs these policies

Not all jurisdictions require the posting of Privacy or Cookie Policies; however, many do and more and more governments and agencies are requiring their use every year. Even if you don't live in a country or jurisdiction that requires the posting of Cookie or Privacy Policies, though, you may be required to post such documents on your site if it receives visitors from areas that do enforce such requirements.

For instance, if you live in a country that has no laws requiring the posting of a privacy policy, you will be required to publish and display one anyway if you serve customers, members or visitors from countries such as those within the European Union (which does require the posting of Privacy Policies on websites). Failure to do so may result in restrictions on your ability to serve traffic to visitors from within European countries.

Certain legal requirements notwithstanding, though, it is still a very good idea to post Cookie and Privacy Policies on any website you may operate or own. The reasons for this are very simple - posting such policies on your site promotes trust and respect for your website. Visitors always feel more secure when they know how sites and companies handle their personal data and information. Simply put, explaining how your site handles privacy concerns and data gives visitors more peace of mind.

Legal requirements for cookie and privacy policies

As mentioned above, there are still many countries, locales and jurisdictions that have no laws or requirements regarding the posting of Cookie and Privacy Policies on websites. Nevertheless, many prominent governments around the globe do have such laws, and the trend seems to indicate that more and more such laws will only become more prevalent.

While the United States Government does not have a Federal law regarding Cookie or Privacy Policies on websites, the State of California does have such a statute on the books and enforces it vigorously. To a lesser extent, Colorado, Connecticut, Delaware, Minnesota, Nebraska, Nevada, Tennessee and Utah also have laws regarding privacy policies - albeit not nearly as comprehensive as the one passed in California. Likewise, member countries of the European Union have strict laws regarding the collection and use of personal information or computer data obtained from website visitors. Finally, many other countries are considering legislation similar to that enacted in Europe and the United States to protect the privacy of citizens who use the Internet.

If your website sells to customers or accepts visitors from countries that do have laws regarding the posting of Cookie or Privacy Policies, you will be required to comply or risk losing access to visitors from those areas. In some cases, governments may impose fines or other penalties on you or your website for violations even if you have no physical presence or branch in those jurisdictions. Many recent international court decisions provide a lot of leniency and a wide berth for governments to protect their citizens from offending websites or Internet providers.

Even if governments cannot penalize a site owner directly, they may be able to penalize Internet Service Providers, telecommunications companies or others that assist in the hosting or support of a non-complying website. Since most high traffic websites are hosted in countries with online privacy laws, chances are good that your Internet Service Provider will close your site if you fail to comply with Cookie and Privacy Policies laws with your site.

Although the language used in the various Cookie and Privacy Policy laws differs a bit in every jurisdiction, the essential elements of all of the laws are similar - explain the type of data or information you collect, how you collect it and how you intend to use it. With that in mind, it is possible to create effective Cookie and Privacy Policies that meet the legal requirements not only in Europe and the United States, but in other jurisdictions as well. To that end, effective and legal Cookie and Privacy Policies must contain the following information and/or disclosures:

Items to include in your website's privacy policy

Notice 

Your website's Privacy Policy must be posted in a conspicuous, easy-to-find location. The easiest way to achieve this is to post a link to your site's Privacy Policy on the home page. Additionally, the policy must be available for review by a visitor before he/she submits any type of information on your website or any data is collected. The policy must also state in relatively easy-to-understand language what types of data or information your site collects. The Privacy Policy must also explain the consequences, if any, when a user or visitor refuses to provide data or information on the website. The Privacy Policy must also identify the effective date for current or proposed revisions.

Disclosure 

The Privacy Policy must list all sites, companies and organizations that will collect or receive the data or information. In the policy, you must list the legal name of the entities, their addresses and contact information. This applies to any third-party companies to which the data or information may be transferred, sold or otherwise disseminated. If data or information will be kept offsite with a third party, the name and contact information of the outside party must be included as well.

Purpose 

Your site Privacy Policy must also explain in detail why you collect certain data and how it is used. The policy must disclose all applicable reasons and purposes for the required data with regard to the user visiting or using the website. Data must not be used for purposes or reasons other than those defined in the Privacy Policy.

Consent 

The Privacy Policy must contain language that assures visitors that their data or information will not be used, sold, transferred or otherwise disclosed without their prior consent. Users or visitors must also be able to opt out or discontinue use of the website and revoke consent for the use or dissemination of data or identifiable information. The Policy must also describe the steps needed for users to opt out or provide a link to a third-party site that allows them to do so.

Security 

A Privacy Policy must address the data-security concerns of users or visitors of the website. The policy must include language that expresses the site's commitment to safeguarding data and explain the steps used to ensure identifiable data or information is safeguarded at all times. If the site discloses identifiable data or information to third parties, the Privacy Policy must also address how such parties handle, store and maintain such data. The Privacy Policy should also include language that stresses the fact that the site or organization makes third parties aware of its security concerns and makes all reasonable attempts to ensure they follow proper security practices as outlined in the Privacy Policy.

Access 

Your website's Privacy Policy must include language that guarantees site members, users or visitors access to their data and online information. The policy must also spell out the steps a user can take to change or edit their information as needed, or to delete or remove information if they choose to do so.

Accountability 

The Privacy Policy must include information that informs users or visitors of the steps they can take to correct inaccuracies in their personal information. Furthermore, the policy should list contact details of the organization or person responsible for providing oversight for the policy and its strict implementation. For instance, if your site is a member of an online privacy alliance or group that monitors compliance, the policy should state as much and provide contact details for the organization. If your site uses an in-house staff member for such tasks (not really recommended, as third-party enforcement programs are more trusted and respected), you must list the name, email address, phone number and address of the individual.

Cookie policies and disclosure in the European Union

With only a few exceptions, there aren't any specific requirements for cookie policies in jurisdictions other than the European Union. Nevertheless, with hundreds of millions of active Internet users living within the borders of the EU, it's hard to imagine many sites that won't receive a few visitors from the region. Consequently, posting a comprehensive cookie policy on your website will help you avoid legal hassles, possible site shutdowns or other issues because of the laws in Europe. Besides, posting a cookie policy makes your site more trustworthy and provides transparency for users. To make sure your policy meets the legal requirements set forth by the EU, it must contain the following sections:

Consent 

First and foremost, you must obtain the consent of a visitor or user before placing any type of cookie or data-tracking file on his/her computer. This can be achieved with a pop-up the first time a user visits your site, by having your visitors accept a user agreement, or by allowing them to configure settings for cookies on initial visits. Regardless of the way you receive consent for cookies on your site, though, it must be done before your server or site places the files on the users' computers. Additionally, the method used to acquire consent from your users must include a link to the Cookie Policy for your website. Finally, if your site uses third-party cookies or trackers, you must receive consent for those types as well.

Disclosure 

In your site's Cookie Policy, you must disclose the types of cookies or data trackers placed on users' computers by your website, server or other third parties. In the disclosure, you must identify the cookies or data trackers, explain their purposes and detail the type of data retrieved from them. The disclosure must be in easy-to-understand language and be thorough enough that even lay or everyday users can understand the purpose and use of the cookies or data trackers. The Cookie Policy must also list all sites, companies and organizations that will collect or receive data retrieved from cookies or data trackers. In the policy, you must list the legal name of the entities, their addresses and contact information. This applies to any third-party companies to which the data or information may be transferred, sold or otherwise disseminated. If cookie or tracker data will be kept offsite with a third party, the name and contact information of the outside party must be included as well.

Opting out 

The Cookie Policy must also include instructions that inform users how to opt out of cookies or data tracking on your website. You may include language that informs users that using the site may be difficult or impossible if they choose not to enable cookies or data trackers on your site. Nevertheless, the Policy must include instructions on how to disable cookies or data trackers if users or visitors choose to do so.
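The cookie exchange described in the overview above (server sets a cookie, browser returns it on later visits), the rule that tracking cookies may only be placed after consent, and the opt-out that revokes that consent can all be expressed as one small piece of server-side logic. The following is an added example, not code from the original article: it assumes the cookie names (sid, consent, visits), the consent-cookie format ("consent=analytics,ads") and the policy URL, all of which are hypothetical. It also adds the Secure, HttpOnly and SameSite attributes, which the article does not discuss but which limit how a cookie can be leaked or replayed.

```javascript
// Added example (not from the original article). A minimal consent gate for
// HTTP cookies: the strictly necessary session cookie is always set, while a
// tracking cookie is set only when the visitor's consent cookie records that
// they opted in. Cookie names, consent format and POLICY_URL are assumptions.

const POLICY_URL = "/cookie-policy"; // assumed location of the site's Cookie Policy

// Parse a Cookie request header ("a=1; b=x%20y") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Build one Set-Cookie header value. Secure keeps it off plaintext HTTP,
// SameSite=Lax stops most cross-site sending, HttpOnly hides it from scripts.
function setCookie(name, value, opts = {}) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (opts.httpOnly) attrs.push("HttpOnly");
  if (opts.maxAge !== undefined) attrs.push(`Max-Age=${opts.maxAge}`);
  return attrs.join("; ");
}

// Consent is recorded in its own cookie as a comma-separated list of
// categories the visitor agreed to, e.g. "consent=analytics" (assumed format).
function hasConsent(cookies, category) {
  const given = (cookies.consent || "").split(",").map((s) => s.trim());
  return given.includes(category);
}

// Decide which Set-Cookie headers a response may carry, given the request's
// Cookie header and the session id the server generated for a new visitor.
function cookiesForResponse(cookieHeader, sessionId) {
  const cookies = parseCookieHeader(cookieHeader);
  const headers = [];

  // Strictly necessary: the authentication/session cookie. No consent is
  // needed for it, but HttpOnly keeps page scripts from reading it.
  if (!cookies.sid) headers.push(setCookie("sid", sessionId, { httpOnly: true }));

  // Tracking cookie (a visit counter here): only with explicit opt-in.
  if (hasConsent(cookies, "analytics")) {
    const visits = Number(cookies.visits || 0) + 1;
    headers.push(setCookie("visits", String(visits), { maxAge: 60 * 60 * 24 * 365 }));
  } else if (cookies.visits !== undefined) {
    // Consent absent or revoked but a stale tracker is still present: expire it.
    headers.push(setCookie("visits", "", { maxAge: 0 }));
  }
  return headers;
}

// Headers to send when a visitor opts out: expire every non-essential cookie
// and the consent record itself. The session cookie is left alone.
function revokeConsent() {
  return [setCookie("consent", "", { maxAge: 0 }), setCookie("visits", "", { maxAge: 0 })];
}

// The consent prompt must link to the Cookie Policy before anything is set.
function consentBannerHtml() {
  return (
    `<div class="cookie-banner">This site uses cookies for analytics only if you agree. ` +
    `<a href="${POLICY_URL}">Read our Cookie Policy</a>. ` +
    `<button data-consent="analytics">Accept analytics cookies</button> ` +
    `<button data-consent="">Decline</button></div>`
  );
}
```

The order of checks is the point: a first visit (empty Cookie header) yields only the session cookie and the banner; the visit counter appears only once the browser returns a consent cookie, and it is actively expired if that consent disappears later. Opt-out is implemented as Max-Age=0 rather than by simply no longer reading the cookie, so the file is removed from the visitor's computer.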

Privacy concerns regarding children

Although the United States does not have any strict Federal laws regarding online privacy for adults, legislation for children is a different thing altogether. Introduced in October 1998, and revised several times since, the Children's Online Privacy Protection Act (COPPA) is a law designed to protect the privacy of children under 13 years of age. Consequently, if you operate or own a website designed for or directed toward young children, your site's Privacy Policy must contain additional information to satisfy the requirements for complying with COPPA.

If your site allows visitors younger than the age of 13, and collects data or information from them, the Privacy Policy must include the following elements:

  1. The type of information or data collected from children, whether it be from your server or website directly or from other third parties;

  2. The name, address, email address and telephone number of any and all operators or organizations collecting or maintaining information or data on or from the website;

  3. A description of whether the website allows children to decide if information is made public or accessible by others;

  4. How the website or organization uses any data or information collected from children;

  5. Instructions on how parents can view, edit or delete any information shared on the website by their children.

As you can see, requirements under COPPA are fairly strict and straightforward. In many cases, you can prevent hassles due to COPPA violations by simply refusing access to children under the age of 13, unless you have a good reason to do otherwise. While the above law applies primarily to children in the United States, other countries have passed similar legislation as well. Therefore, if you plan to direct content toward young children, it is wise to find out what the privacy laws in your area are regarding child users and visitors.
