I’ll start with a bold statement: All businesses of any size operating online that collect customer data need a privacy policy, including website owners, app owners, and anyone in between.
A privacy policy is required by law for many businesses, but it also shows consumers that you’re honest about your data processing activities.
So, let me proudly present you with the ultimate privacy policy requirements checklist — I’ll walk you through what goes into a privacy policy to what laws require them to where you need to post them on your site, and so much more.
Privacy Policy Checklist
My checklist includes a breakdown of the legally necessary clauses for your privacy policy, the details you must have within those clauses, and a list of the regulations that require it.
Privacy Policy Clause | To-do | Required By The… |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Legal Requirements for Privacy Policies
This table covers which laws require a privacy policy and their expectations of businesses.
Data Privacy Law | Privacy Policy Requirements |
🇪🇺 General Data Protection Regulation (GDPR) |
|
🇬🇧 The Data Protection Act (UK GDPR) |
|
🇺🇸 Amended California Consumer Privacy Rights Act (CCPA/CPRA) |
|
🇺🇸 California Online Privacy Protection Act (CalOPPA) |
|
🇺🇸 Virginia Consumer Data Privacy Act (VCDPA) |
|
🇺🇸 Connecticut Data Protection Act (CTDPA) |
|
🇺🇸 Colorado Privacy Act (CPA) |
|
🇺🇸 Children’s Online Privacy Protection Act (COPPA) |
|
🇨🇦 Personal Information Protection and Electronic Documents Act (PIPEDA) |
|
🇦🇺 Australia’s Privacy Act of 1988 |
|
🇳🇿 New Zealand’s Privacy Act of 2020 |
|
🇿🇦 South Africa’s Protection of Personal Information Act (PoPIA) |
|
Privacy Policy Requirements Explained
In this section, I’ll explain the required clauses from above in more detail.
Personal Data Collection
Every data privacy law gives individuals the right to know what personal data is being collected or processed about them, making this one of the most critical clauses in your privacy policy.
To comply with these laws, you must clearly list all categories of personal data you collect, including sensitive personal information, which is subject to stricter guidelines under the GDPR, the amended CCPA, and the VCDPA.
While the precise definition of personal data varies depending on what legislation you look into, it typically refers to any information that could reasonably be linked to an individual or household, directly or indirectly.
Along with what data you collect, you also need to state:
- Why you collect the data, including your legal basis if you must comply with laws like the GDPR
- How you collect the personal data — for example, you might gather the information voluntarily from the user, through web forms, by placing cookies on users’ browsers, or when they sign up for accounts or make purchases, etc.
- What you do with the data, like using it for marketing or research purposes, to enhance the user experience on your website, or to provide consumers with targeted ads and more specific product recommendations.
Many companies put this information into tables or bullet lists in their privacy policy, with titles representing each specific legal requirement.
This is how the music streaming service Spotify does it, which you can see in the screenshot below showing what data they collect.
In this next screenshot, you can see Spotify’s table explaining their purpose for using that data.
Selling or Sharing of Personal Data
If you share or sell the personal data you collect to any third parties, you must disclose it in your privacy policy. Laws, including the GDPR, the amended CCPA, and others, legally require this.
To comply, you must also list all categories of third parties you share information with or sell the data to directly. For formatting, consider using a table or a bullet list.
Below, see another example of how Spotify writes this clause in its privacy policy.
Privacy Rights for Consumers
Several data protection laws require you to list individuals’ rights in your privacy policy. A few also stipulate that you must provide instructions or means for following through on those rights.
You can achieve this by creating clauses specific to the users in those regions. For example, if you fall under both the VCDPA and the amended CCPA, make a clause outlining users’ rights in Virginia and another for users in California.
This is how the general merchandise retailer Target does it in their privacy policy, pictured below are their rights pertaining to Californians.
Next, see their rights pertaining to Virginia residents.
Alternatively, you can provide links to completely separate privacy policies based on the unique region of your users.
Whatever method you choose, ensure you follow the specifications outlined by all laws that apply to your business, be it a “Do Not Sell or Share My Personal Information” link as described by the CCPA or a generic Data Subject Access Request (DSAR or SAR) form as recommended for the GDPR.
International Data Transfers
You may be subject to international transfer requirements, particularly by the GDPR and the UK GDPR, if you transfer personal data from users who live in a different country than where your business is located.
Under the GDPR, if an adequacy decision is in place, international data transfer from an EU/EEA nation can occur without other authorizations or assessments.
But if there is no decision in place, as is the case with the US, you must ensure the international transfer meets all requirements outlined by Chapter 5, Articles 44 – 50 of the Regulation.
You also must put a clause in your privacy policy explaining if and where you transfer the data and what protections are in place to ensure the information is appropriately protected and that individuals can follow through on their rights.
See how internet search engine Google writes about international data transfers in their privacy policy below.
Data Retention Limits
Laws like the GDPR, Canada’s PIPEDA, and others mandate that you can only keep personal data for as long as necessary based on the purposes you outlined in your privacy policy. But you must also describe your data limitation process in a clause within the policy.
If the purpose for collecting personal data doesn’t have a clear end or time limit, explain how you’ll determine when you’ve achieved your goal and no longer need to retain the information.
See how Google writes their data limitation clause in their privacy policy below.
Security Measures to Protect Personal Data
Data protection laws like the GDPR and the CCPA hold businesses accountable if personal information gets breached or leaked. You must explain in a clause in your privacy policy what security measures you have in place to prevent this type of cybercrime or error from occurring.
You might consider:
- Anonymizing the data
- Encrypting the data
- Pseudonymization the data
This clause can be short and sweet, but it is legally necessary. Below, see a great example of how the supermarket and general store chain Woolworths phrases the security portion of their privacy policy.
Privacy Policy Updates
Legally, your privacy policy must always remain current, so include a clause explaining when you’ll make changes to the policy, why the changes may be necessary, and how you’ll update your users.
The amended CCPA requires you to update your privacy policy at least once every 12 months.
But many of these laws, including the GDPR and the VCDPA, state that you can only use personal data based on what you put in your privacy policy. So you also need to update your policy, inform your users, and sometimes even re-obtain their opt-in consent if you want to change your data collection and processing activities.
See an excellent example of this type of clause from Woolworths’ privacy policy in the screenshot below.
Remember, this is a living document. It should change as often as you need it to.
Just ensure you properly inform your consumers every time, fix the ‘Last Updated’ date on your policy, and tell your users what exactly is different about your policy.
Submitting Complaints
Laws, including the GDPR, PoPIA, and others, grant individuals the right to submit complaints if they think you violate their data privacy rights.
You must include a clause within your privacy policy explaining this right and giving the proper contact information based on the applicable law.
If you fall under multiple laws, you should consider using a separate clause for each relevant regulator or supervisory authority so your users from those locations can easily find the proper contact information.
Once again, see how Woolworths does it in their privacy policy, shown below.
For comparison’s sake, this is how simply the popular South African grocery chain Shoprite does it in their privacy policy, highlighted in the screenshot below, to comply with PoPIA.
Data Processing Impact Assessments (DPIAs)
Where you intend to perform certain types of processing that carry a ‘high risk’ to your consumers, data privacy laws, including the GDPR and the CTDPA, require you to perform DPIAs, and you should explain this process within a clause in your privacy policy to keep your consumers adequately informed.
You must explain that you performed an appropriate DPIA to assess the risks associated with the processing and to identify suitable protections for your users.
Your users also have the right to limit how their sensitive personal data gets used, so give them a way to follow through on their rights regarding this information.
Below, see how higher education group Study.Iceland handles this clause in their privacy policy.
Company Contact Information
Several data privacy laws require you to include appropriate contact information within your privacy policy so your users can submit a complaint, ask questions, or request to follow through on their rights to access, amend, or delete their data.
Under the GDPR, if you have appointed a Data Protection Officer, you must also identify them and provide their contact details.
Under laws like COPPA, which protects minors, you must include correct contact information within your privacy policy so legal guardians can protect their children’s privacy rights.
Below, see an example of where the department store Harrods puts their contact details within their privacy policy.
10 Tips for Complying With Privacy Policy Requirements
Before we get to the actual privacy policy checklist, I have a few tips to help you comply with the various privacy policy requirements outlined by the different data privacy laws.
Trust me, I’ve helped many businesses and marketing agencies create privacy policies, and following these tips will make the entire process easier for you.
Penalties for Not Complying With Privacy Policy Laws
I’ve mentioned that violating data privacy laws could lead to hefty fines and a lot of public scrutiny — well, this is where I put my money where my mouth is.
In the table below, read through the financial consequences of violating the data protection laws and regulations I mentioned in the privacy policy checklist.
Data Privacy Law | Penalties for Violating the Law |
General Data Protection Regulation (GDPR) |
|
The Data Protection Act (UK GDPR) |
|
Amended California Consumer Privacy Rights Act (CCPA/CPRA) |
|
California Online Privacy Protection Act (CalOPPA) |
|
Virginia Consumer Data Privacy Act (VCDPA) |
|
Connecticut Data Protection Act (CTDPA) |
|
Colorado Privacy Act (CPA) |
|
Children’s Online Privacy Protection Act (COPPA) |
|
Personal Information Protection and Electronic Documents Act (PIPEDA) |
|
Australia’s Privacy Act of 1988 |
|
New Zealand’s Privacy Act of 2020 |
|
South Africa’s Protection of Personal Information Act (PoPIA) |
|
Depending on the size of your business, not complying with these laws, even by accident, could lead to fines large enough to put your company under.
But beyond losing money, you’d also face public backlash that is arguably just as damaging to your brand as a fine.
Just check out these data privacy statistics suggesting that customers aren’t afraid to end their relationship with you if you don’t treat their personal information with respect:
- 63% of Internet users believe most companies aren’t transparent about how their data is used, and 48% have stopped shopping with a company because of privacy concerns. (Tableau)
- 33% of users have terminated relationships with companies over data. They left social media companies, ISPs, retailers, credit card providers, and banks or financial institutions. (Cisco)
The consequences just aren’t worth it. Retain more customers and avoid legal fines and bad press by publishing an honest, compliant privacy policy on your platform.
How Termly Helps Your Business Create a Privacy Policy
By this point, I’ve hopefully convinced you of how essential privacy policies are for businesses operating online.
But don’t worry, you don’t need to make your own — Termly can help do the hard work for you if you use our privacy policy generator or free template.
Termly’s Privacy Policy Generator
Let me take a second to brag about Termly’s privacy policy generator — it’s pretty great.
Our team updates it whenever new regulations enter into force (or if old ones get amended).
Whenever this happens, our customers get emailed with instructions if anything is necessary to ensure compliance with the relevant data privacy laws.
To use it, you just answer easy questions about your business, and it creates a compliant policy based on your answers that’s ready to publish on your website or app.
See a screenshot of it below.
Termly’s Privacy Policy Templates
Besides our generator, we also offer a privacy policy template that you can customize to fit any business need you can think of.
Templates require more work on your end because you have to manually fill in the blank sections with details about your business. But it’s already formatted for you and includes clauses that follow the privacy laws I’ve covered in this guide.
Below, see a screenshot of what it looks like.
Check out this massive table of guides and templates that you can rely on depending on your industry, what platform you use, or the laws relevant to your business.
Summary
Privacy policies are essential documents that help businesses comply with applicable laws and build trust by transparently informing users about what you do with their personal information.
With this guide in your toolbox, you’re ready to create a compliant privacy policy that’s extensive enough to follow some of the most significant data privacy laws worldwide.
Pair this information with Termly’s privacy policy generator, and, wow, looks like you’ve just made your privacy compliance process super easy. Nice!