In today’s volatile digital environment, user privacy has become a commodity. This uproar in privacy concerns has led to the tightening of many privacy laws across the globe.
While different countries have their respective regulatory bodies, data collection is controlled in a similar matter.
The misuse of user data in the past has led to sharper privacy practices, more regulatory oversight, and consequently, more fines in case you disobey.
- Include your business name and contact information
- Mention what type of information you collect
- Explain how and why you collect data
- Describe how users can opt-out
- Mention if user data is shared with third-parties
- Specify how long you will retain user data
- Explain how you’ll protect the personal data you collect
- Describe the dispute resolution process
- Mention what happens if your online business transfers ownership
- Put everything together in one template
For example, Europe has enacted a General Data Protection Regulation (GDPR) law that regulates data privacy and imposes strict penalties for companies that fall short of meeting their requirements.
The GDPR is valid only in Europe and the European Economic Area (EEA), as well as foreign companies that do business within this region.
Canada has PIPEDA (Personal Information Protection and Electronic Documents Act) that controls how you use, disclose and collect information.
The USA doesn’t have a dedicated federal data privacy law similar to GDPR, but it boasts a set of separate national laws and acts that had been put in place to ensure privacy compliance, such as:
- COPPA — Children’s Online Privacy Protection Act which controls how you can collect online information about children under 13 years of age, enforced by the Federal Trade Commission
- CCPA — California Consumer Privacy Act which deals which privacy rights and consumer protection in California
Because it is a legal requirement in most countries. If you’re operating in any of these countries, you’re going to face some harsh monetary fines if you don’t comply with the local rules and regulations or the federal law.
Here’s one staggering example — for not protecting their user privacy and falling victim to a data breach, British Airways was initially fined over $200 million.
While the fine was later reduced to around $30 million, this still goes to show that you can face some serious consequences if you don’t comply.
- Hiring a law firm: Reliable legal advice, but also the most expensive option out there. Having your privacy statement drafted by lawyers can cost anywhere from $275 for simple policies to over $5,000 for complex policies.
- Writing it yourself: The cheapest, but the most difficult and time-consuming. If you’re not very familiar with rules and regulations, you may fail to include important information and risk your business.
So, you can issue bulletproof privacy policies and finish them off with a legitimate signature in a matter of minutes. Not only is this cost-effective but it saves you a lot of time in the long run.
Regardless of which option you decide to go for, it’s important to ensure that you’ve dotted all the i’s and crossed all your t’s.
01. Include your business name and contact information
At the beginning of the document, you should list your company’s information, namely address, name, email address and phone number.
We also recommend encouraging your website visitors to use the previously mentioned information to contact you in case they have any questions or concerns regarding the policy.
This shows that your company is transparent, has nothing to hide and encourages open communication, which is always a good look.
02. Mention what type of information you collect
The term ”personal data’‘ is very exhaustive and more complex than you might think. It does include the regular stuff like credit card information, IP address and phone number, but also less conspicuous items like location, number plates and other online identifiers.
Personal data describes any ”the physical, physiological, genetic, mental, commercial, cultural or social identity” that are specific to the subject.
Make sure to use specific terms instead of broad ones.
For example, instead of saying ”we collect contact information,” say ”we collect your telephone number, email address and physical address.” This ensures that there’s no confusion that can lead to issues down the road.
03. Explain how and why you collect data
The next important this is to mention why and how your website collects data.
There are many different ways to collect user information, such as:
- contact forms
- course registrations
- email newsletter
- website analytics (e.g. Google Analytics)
After explaining what we said above, also mention why you’re collecting data. Is it for research purposes? Is it for marketing purposes?
Do you plan to resell the data? Do you plan to notify customers about news, updates and promotions? Do you need this information for processing orders?
Regardless of the reason, your customers have the right to know what companies are doing with their information, so don’t forget to include this in your policy.
04. Describe how users can opt-out
One of the main goals of laws like GDPR and CCPA is to give users more control over the information websites collect about them.
When users allow you to collect their data, that doesn’t mean that they’ve allowed you to collect it indefinitely. At one point, they might want to withdraw their permission and you’re bound by law to let them do so.
Your privacy statement for the website should describe which options users have in case they want to revise any previously-given permissions.
- Right to request data amendments
- Right to request you to delete the acquired information
- Right to review the collected information
Describe the process for all three instances in detail and provide users with helpful links and resources that will make the whole process easier and more convenient.
05. Mention if user data is shared with third-parties
Not disclosing this information puts you at legal risk, because most laws and regulations prioritize transparency.
For example, imagine you shared user information with your marketing agency and you forgot to add a third-party sharing disclosure on your website.
Then, the said marketing agency suffers a data breach and all their data is stolen, including your clients’. You would not only risk your company’s reputation, but you’ll also receive some hefty fines for not being transparent with your customers.
06. Specify how long you will retain user data
According to GDPR, you can only keep the collected user data no longer than it’s necessary for the purposes it was initially obtained for.
The GDPR doesn’t specify a particular timeframe, which is why you should revise this section regularly to ensure compliance.
For example, if you’re collecting data for a contract, you’re legally allowed to store this data for as long as the contract is valid. As long as the data is relevant, you have the right to process it.
Make sure to be very clear and specify a timeframe within which you’ll delete the data once it expires.
While it’s not necessary, you can also add a dedicated ”Data Retention Policy’‘ where you’ll explain different instances and be more specific.
07. Explain how you’ll protect the personal data you collect
Preserving the integrity and security of collected user data is imperative. Your customers are putting their trust in you by allowing you to gather their information.
Your responsibility is to enforce strong security measures to ensure that there’s no data leakage.
Mention how you’re protecting the user information (e.g. using SSL or other computer safeguards). Don’t be too specific in this section.
If you reveal too much, malicious actors will know how to bypass your security measures and compromise the integrity of your website. Instead, be broad and only mention general security practices.
08. Describe the dispute resolution process
Despite your best efforts to preserve harmony and keep a good relationship with your customers, legal disputes are likely to occur at some point.
Add a sentence or two about dispute resolution and how you handle it (third-party dispute resolution service provider, contact form, customer service, legal firms, etc.)
09. Mention what happens if your online business transfers ownership
Business ownership transfers are a very common occurrence and you never know if and when your website will be a subject of it.
Even if you don’t have any plans to sell your company at this particular moment, it is still a viable possibility in the future.
Including this clause will save you from any possible liability in case you eventually decide to sell your business.
This clause ensures that users are aware that their information might be handed over to a new entity in case of an acquisition.
We also recommend including a clause explaining that, while you’ll use your best efforts to secure your website, you cannot guarantee that it won’t fall victim to malicious exploits.
Nothing is foolproof and you should protect yourself as much as possible in case a data breach happens.
10. Put everything together in one template
They are compliant with most existing laws and regulations worldwide and will shorten the policy-making process tenfold.
- Company information: Name, address, phone number and email address.
- Type of collected data: Write this information in specific detail (credit card information, location, IP address, etc.) and note how and where you collected the said data.
- Mention the lawful basis for collecting data: Explain which law you’re relying on that gives you permission to collect the mentioned data.
- How you protect collected data: Which safeguards are put in place to ensure maximum data security.
- How long you’ll retain the collected information: Specify the timeframe within which you plan to use and retain the collected information.
- How you’re using the collected data: Explain what exactly you’re doing with user data – marketing purposes, notifications, order processing, data analysis, etc.
- List data subject rights: The GDPR law notes eight different types of data subject rights. List and explain them on your website as follows:
- Right of access
- Right to be informed
- Right to erasure
- Right to object
- Right of rectification
- Right of portability
- Right to restrict processing
- Rights in relation to automated data processing and profiling
If not for the sake of transparency, then do it for the sake of your business.
After all, you are legally obligated to notify your customers about how you handle their data. If you don’t include this on your website, you’re risking some serious consequences that can damage your operations.
PandaDoc makes it easy for you to generate any type of business or legal document within minutes. We also offer over 750 ready-made business templates that are expert-vetted and easily customizable.
Navigate to our business template library, choose your favorite type and customize it in less than 5 minutes.
Sign up for our 14-day free trial to see why leading businesses across the globe chose PandaDoc as their main document creation tool.
Frequently asked questions
There’s a bunch of websites whose top priority is earning ad money over the quality of service, so they don’t care to update their templates.
PandaDoc offers expert-vetted customizable templates that are always up-to-date and very easy to use.