Data Privacy Policy: What It Is & Why You Need One

New data privacy legislation—including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)—has emerged to give consumers more power and control over their own data.

As a result, it matters more than ever that you make clear in your company’s data privacy policy—to your customers and to others—how your company uses data.

Not only are data privacy policies important for compliance with different privacy legislation, but they also help set expectations with your website visitors. Visitors will know the types of data you’re collecting, why you’re collecting it, and how they can contact you with questions or concerns.

What is a data privacy policy?

A data privacy policy is a legal document that lives on your website and details all the ways in which a website visitor’s personal data may be used. At the very least, it needs to explain how your website collects data, what data you collect, and what you plan to do with that data.

In addition to living on your website, your data privacy policy also should be easily accessible to website visitors from any page they visit. That’s why you often see it in the footer of every page on a website, including our own:

[Image: segment-privacy]

That link to our data privacy policy appears on every page of our website. If website visitors have questions about their data while they’re viewing our website, they can find the answer in one click.

One of the most important parts of your data privacy policy is giving website visitors an easy way to contact your company. Including an email address, a mailing address, and possibly a phone number is the best way to do that.

Why you need a data privacy policy

There are a number of laws that require data privacy policies. Chances are one of the laws applies to your company.

If, for some reason, none of the laws apply to you, you still might be required to have a privacy policy because of the analytics tools, email tools, or advertising platforms that your company uses.

Legislation that requires a privacy policy

The legal landscape around privacy is constantly evolving. The GDPR is one of the most recent privacy laws to take effect, and the CCPA is going to take effect in just a few months.

California Online Privacy Protection Act (CalOPPA)

The California Online Privacy Protection Act went into effect in 2004 and was updated in 2013. It requires companies that collect personally identifiable information about California residents to have a privacy policy. Websites that collect information from Californians (such as name, contact information, telephone number, or social security numbers) must have their privacy policy hyperlinked from their home page, and must use the word “privacy” in that hyperlink. To comply, companies must do the following:

  • Detail the kinds of information you gather

  • Explain how that information will or could be shared

  • Explain how the website visitor can review and make changes to their stored information

  • Include the policy's effective date and an update on any changes that have taken place since then

Enforcement of CalOPPA falls to the California Attorney General’s Office.

Children's Online Privacy Protection Act (COPPA)

COPPA went into effect in 2000. It is designed to protect the privacy of children under the age of 13. If your company purposefully collects information from children, you must comply with COPPA. If you don't collect information from children under 13, it's a good idea to explicitly state that in your privacy policy.

To comply with COPPA, your company must:

  • Post a privacy policy

  • Make reasonable efforts to notify parents of how you collect and use their child’s data

  • Obtain parental consent

  • Provide a way for parents to review the data

  • Have procedures for data protection

  • Retain data only for as long as necessary

The FTC has fined companies up to $170 million for failing to comply with COPPA.

Gramm-Leach-Bliley Act (GLBA)

The GLBA is geared towards financial institutions. It went into effect in 1999, and, similar to the two acts above, this law requires financial institutions to notify their websites’ users of what data is collected, how it is used, and how it is protected. The GLBA defines financial institutions as “companies that offer consumers financial products or services like loans, financial or investment advice, or insurance.”

The one big difference between the GLBA and the other laws we’ve covered is that the GLBA requires financial companies to give visitors a way to opt out of sharing their data with nonaffiliated companies.

Failure to comply with the GLBA can result in fines of up to $100,000 for each violation, and even jail time for the person responsible for the violation.

General Data Protection Regulation (GDPR)

The GDPR is one of the most well-known data privacy laws, partially because it is so new, and partially because of how big the changes are as a result of it. The GDPR went into effect in 2018. If your company collects data from European Union citizens (whether as a data controller or a data processor), there’s a chance you must comply with the GDPR, even if your company isn’t located in the EU.

This data protection law covers a number of data protection and privacy practices, and like the others on this list, it requires a data privacy policy that explains the following:

  • What types of data you collect

  • What you do with that data

  • Why you need to collect that data

  • How long that data will be stored

  • How customers can get in touch with your company

If your company is found to be in breach of the GDPR, it could be fined up to €20 million or up to 4% of the annual revenue.

California Consumer Privacy Act (CCPA)

The CCPA will go into effect on January 1, 2020. This law could affect your company if you collect data on residents of California. It covers a lot of data privacy issues, but if we focus on just your data privacy policy, the CCPA requires that your company explain the following:

  • What data is being collected, and why

  • Whether that data is being sold or shared

  • Who that data is being sold or shared with

Failure to comply can result in fines of up to $7,500 per violation, regardless of whether the violation was intentional or not.

External tools that require data privacy policies

Along with specific pieces of legislation, external tools like Google Analytics and Facebook ads also require a data privacy policy:

  • Google Analytics: Their terms of service state, “You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies.” Along with that, you also need to explicitly state that your website uses Google Analytics and how that data is used.

  • Facebook Lead Ads: Not all types of Facebook ads require a privacy policy. But if you use Facebook Lead Ads, which can collect more information than other Facebook ads, you’re required to put a link to your privacy policy.

  • Twitter Ads: If you use Twitter ads that “collect user volunteered data,” you must link to your privacy policy.

Plenty of other tools that collect data on your behalf also require privacy policies. For example, if you use a mobile messaging app for your marketing, the app might require a data privacy policy.

It’s best to review the terms of service of your data collection tools and make sure you’re including any necessary language about each tool in your privacy policy.

How to make sure website visitors read your data privacy policy

It’s not enough to have a data privacy policy; you also need to make sure that your website visitors can easily understand your policy. It’s helpful to think of your privacy policy like a blog post—you want people to read it.

You can do this by following three steps:

Step #1: Use plain language

Technical legal jargon can be a turnoff to a lot of website visitors. Work with your legal team to make sure your privacy policy complies with all relevant laws and is also written in a way that is easily understandable.

Twitter’s Privacy Policy does this really well:

[Image: twitter-privacy-policy]

The language Twitter uses in their privacy policy is straightforward and simple. It’s clear that they want users to read it.

Step #2: Add a “Frequently Asked Questions” section

As part of your privacy policy, consider creating an easy-to-understand FAQ list. This will help website visitors quickly and easily find answers to any questions they may have.

Wikimedia does this perfectly:

[Image: wikimedia-privacy-policy]

The way Wikimedia lists all questions and links to the appropriate answer creates a good user experience for any website visitor who has questions about their data privacy.

For example, the first entry in Wikimedia’s privacy policy FAQ list is, “What’s different about this Privacy Policy? Can I see older versions?” Chances are, that was listed first because it’s a common question when a website updates its privacy policy. People want to cut to the chase and find out what is different about the new version.

Step #3: Structure it for the user

Your privacy policy should be structured so that it doesn’t intimidate website visitors. Big blocks of text can be a turnoff. Use short paragraphs, bullet points, and internal links to different sections so that website visitors can easily navigate the policy.

Netflix’s privacy policy is a good example of this:

[Image: netflix-privacy-policy]

Netflix uses bullet points, short paragraphs, and numbered lists in almost every section of the company’s privacy policy. That helps readers quickly understand what Netflix is doing with the data collected.

Data privacy is becoming more important

More data privacy legislation is passed every single year. On top of that, website visitors are becoming increasingly aware of the impact their data has. People want to know what you’re collecting, why you’re collecting it, and what you plan to do with it.

A data privacy policy can clear up a lot of those questions, but you have to make sure that you’re consistently updating your privacy policy. Make time every few months to review any new data privacy laws and new requirements in the terms of service of the tools your website uses. That will help you stay on top of any changes that need to be made to your data privacy policy.

NOT LEGAL ADVICE

The information provided in this article does not, and is not intended to, constitute legal advice. All information and content in this article is for informational purposes only. Information in this article may not reflect the most up-to-date legal developments. Readers should contact an attorney to obtain advice with respect to any particular legal matter, and consider a data privacy training course for a more detailed understanding of how to approach these matters.
