The Anatomy of a Privacy Policy

Every now and then, our inboxes fill with "We've updated our Privacy Policy" emails. This usually happens when a new data privacy regulation (like the California Consumer Privacy Act, or CCPA) takes effect, holding companies to a higher standard of data privacy. If you are a business that collects data, you are not exempt: you should absolutely have a strong Privacy Policy too. This post gives a high level overview of the important sections of your Website Privacy Policy.

  1. Introduction and Definitions – The introduction should tell users how, and to whom, the privacy policy does and does not apply. It establishes the contractual relationship between you and the user and signals that the policy is to be taken as seriously as you take it. This section should also define the terms used throughout the policy, including what counts as personal data, confidential information, and so on.
  2. Age Consent – Depending on the jurisdiction you operate in and the content you publish, your privacy policy should state an age limit for use, such as "Our website is not intended for children under the age of 16".
  3. Information You Collect – Use this section to identify what types of information you collect about your users and the categories it falls under. Distinguish information the user provides directly from information you collect by automatic means, such as cookies, traffic data, web beacons, and location data.
  4. Third Party Use of Cookies and Other Tracking Technologies – If advertisers, ad network technology, or third party tracking scripts run on your site, use this section to tell your users how they are used and what data those third parties receive.
  5. Vendor Management – This section should outline how you hold your vendors and third parties to data security standards, whether by contractual agreement, by audit, or both.
  6. De-identification Standards – This section defines any standards you have implemented for de-identification or pseudonymization of data. Be precise about which you mean: pseudonymized data is still personal data under GDPR as long as you retain the means (such as a key or lookup table) to re-identify it.
  7. Industry Specific Sections – Your industry may have specific requirements. For example, if you are in healthcare, follow HIPAA; if you are in finance, follow GLBA. Note that SOC 2 is an audit and attestation framework rather than a regulation, although your customers may expect a SOC 2 report.
  8. Governance – Outline how you govern your data privacy standards internally, including whether you have appointed a Data Protection Officer (which GDPR requires for some organizations) or follow a third party compliance standard.
  9. How You Use Information – Use this section to tell your users, very clearly and in plain terms, how you use the information they provide, and what legitimate business or legal purpose each use serves.
  10. Disclosure of Information – Use this section to tell your users that you may disclose the information you collect about them, in aggregated or identifiable form, to third parties such as subsidiaries and vendors, and to law enforcement or regulators in response to a court order, subpoena, or regulatory request.
  11. Accessing and Correcting Information – Use this section, backed by internal procedures, to tell users that they can contact you or use built-in features of your website to access and correct the information you hold about them.
  12. Right to be Forgotten – Data privacy regulations like the GDPR (right to erasure) and the CCPA (right to delete) give users the right to have their personal data deleted, subject to statutory exceptions. Clearly state that your users have this right and how they can exercise it.
  13. Enforcement Standards – This section should outline which enforcement authorities you report to and which standards you hold yourself to.
  14. Changes to Privacy Policy – This section tells users that you reserve the right to change your privacy policy and that you will notify them if and when you do.
  15. Contact Information – Use this section to tell users they can contact you if they have any questions, concerns, or comments about the privacy policy, or if they want to exercise their right to be forgotten.
  16. Additional Sections for California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) Compliance – If you handle the data of users in California or the European Union, you should have addendums to your privacy policy specifically addressing the requirements of the CCPA and the GDPR.
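To make item 6 concrete, the following is an added example (written for this post, not the firm's code or any client's) of what a written de-identification standard can look like once it reaches engineering: each field gets an explicit rule, direct identifiers are pseudonymized with a keyed HMAC rather than a plain hash, quasi-identifiers such as IP addresses and dates are generalized, and anything not on the allowlist is dropped. The sample record, the field policy, and the key are constructed assumptions. It also shows why an unkeyed hash of an email address is not a pseudonym: anyone who can guess the input can confirm it.

```python
"""Keyed pseudonymization vs. naive hashing (added example).

Assumes the HMAC key is stored separately from the de-identified
dataset (e.g. in a KMS); destroying the key turns pseudonymized
records into de-identified ones.  Record and policy are constructed.
"""
import hashlib
import hmac
import ipaddress
from typing import Any, Dict, List, Optional

# Constructed sample record; no real person or device.
SAMPLE_USER = {
    "email": "Jane.Doe@example.com",
    "ip": "203.0.113.42",
    "signup_date": "2023-07-19",
    "plan": "pro",
    "phone": "+1-555-0100",   # not in POLICY, so it is dropped
}

# The "standard" from the policy, written as a field allowlist.
# Any field not listed here never reaches the de-identified dataset.
POLICY = {
    "email": "pseudonymize",
    "ip": "generalize_ip",
    "signup_date": "generalize_month",
    "plan": "keep",
}


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256.  Looks anonymous, but any value an attacker can
    guess (emails, phone numbers) can be confirmed by hashing the guess."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key.  Without the key the token cannot be
    linked back to the input, so a leaked dataset alone does not re-identify."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def generalize_ip(ip: str) -> str:
    """Truncate to a /24 (IPv4) or /48 (IPv6) so the value no longer
    identifies a single device."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def generalize_date(iso_date: str) -> str:
    """Keep only YYYY-MM from an ISO date."""
    return iso_date[:7]


def deidentify(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Apply POLICY to one record.  Unknown rules fail loudly rather than
    silently passing data through."""
    out: Dict[str, Any] = {}
    for field, rule in POLICY.items():
        if field not in record:
            continue
        value = record[field]
        if rule == "pseudonymize":
            # Normalise so "Jane@X" and "jane@x" map to the same token.
            out[field] = keyed_pseudonym(str(value).strip().lower(), key)
        elif rule == "generalize_ip":
            out[field] = generalize_ip(value)
        elif rule == "generalize_month":
            out[field] = generalize_date(value)
        elif rule == "keep":
            out[field] = value
        else:
            raise ValueError(f"unknown rule {rule!r} for field {field!r}")
    return out


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """What an attacker does with unkeyed hashes: hash each guess and
    compare.  Returns the recovered input, or None if nothing matched."""
    for guess in candidates:
        if naive_pseudonym(guess) == token:
            return guess
    return None


if __name__ == "__main__":
    key = b"demo-key-not-a-real-secret"  # assumption: fetched from a KMS in practice
    print(deidentify(SAMPLE_USER, key))
    guesses = ["john@example.com", "jane.doe@example.com"]
    print("naive hash recovered:", dictionary_attack(naive_pseudonym("jane.doe@example.com"), guesses))
    print("keyed token recovered:", dictionary_attack(keyed_pseudonym("jane.doe@example.com", key), guesses))
```

The point for the policy text: if the key is kept, the output is pseudonymized and remains personal data; if the key is destroyed and the generalization is coarse enough, the same output can be described as de-identified. Say which one you actually do.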

Let us Help

This post is only a high level overview of the important sections your privacy policy should have. There are many more nuances and specifics around this policy, and other policies, that you should understand if you plan on doing business online.

Kader Law can help you navigate and draft information security and other policies. If you need legal assistance, feel free to contact us.

This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader.