If you're a Facebook Page Admin, creating a Privacy Policy is an important step to comply with Facebook's terms, and with privacy law. You need a Privacy Policy to explain to your customers how you collect and use their personal information.
In this article, we'll be looking at how to create a basic Privacy Policy and add it to your Facebook Page. We'll also be looking at Facebook's special requirements for Page Admins in the European Union (EU).
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. Do I Need a Privacy Policy for My Facebook Page?
- 1.1. A Privacy Policy is Required By Law
- 1.2. A Privacy Policy is Required Under Facebook's Terms
- 2. How to Create Your Facebook Page Privacy Policy
- 2.1. Your Contact Details
- 2.2. Personal Information You Collect
- 2.3. How You Use Personal Information
- 2.4. How You Share Personal Information
- 3. If You Have Customers In the UK or EU
- 3.1. Your Obligations Under Facebook's Page Insights Controller Addendum
- 3.2. Your Legal Basis and Legitimate Interests
- 3.3. Responsible Data Controller and Data Protection Officer
- 4. How to Add Your Privacy Policy to Your Facebook Page
- 5. Summary
Do I Need a Privacy Policy for My Facebook Page?
Yes, you need a Privacy Policy for your Facebook Page. This is true even if the Facebook Page is your only online presence.
Creating a Privacy Policy is standard practice for any business. It shows that your business is legitimate and that you treat your customers' personal information with care. It's also a legal requirement in most major economies.
A Privacy Policy is Required By Law
Privacy law requires you to have a Privacy Policy if you collect the personal information of consumers.
Here are some activities that might qualify as "collecting personal information":
- Recording the names or email addresses of your customers
- Taking payments via a payment processor such as PayPal or Stripe
- Using Facebook's Page Insights product
If you collect the personal information of consumers in any of the following regions, you'll need to create a Privacy Policy:
- United States: Several state laws require anyone who operates a commercial website or mobile app that collects personal information to publish a Privacy Policy, most notably California's Online Privacy Protection Act (CalOPPA).
- European Union: The General Data Protection Regulation (GDPR) requires any organization that processes the personal data of people in the EU to tell them how that data is used. In practice this is done through a Privacy Policy (the GDPR calls it a "privacy notice" in Articles 13 and 14).
- United Kingdom: After Brexit, the UK kept the GDPR in domestic law as the "UK GDPR," so if you have UK customers you must comply with substantially the same requirements.
- Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) requires private sector organizations to make their policies and practices for handling personal information readily available, which in practice means publishing a Privacy Policy.
A Privacy Policy is Required Under Facebook's Terms
Even if your business only has a Facebook Page and you don't engage with customers in any other way, it's still important to create a Privacy Policy. This is a requirement of your legal agreements with Facebook.
Facebook's Pages, Groups and Events Policies address this directly: when you use Facebook to take orders or otherwise engage with customers, you're collecting their personal information, and you must provide notice in the form of a Privacy Policy.
How to Create Your Facebook Page Privacy Policy
Every Facebook Page Privacy Policy will be slightly different since its details depend on the nature of your business, and also on the laws you need to comply with. However, there are some clauses that every Privacy Policy must have.
First, we'll talk you through some of the basic information that every Privacy Policy should contain. If you have customers in the UK or EU, there are some extra steps you need to take.
These steps will help you get started with a basic Privacy Policy.
Your Contact Details
You should include full contact details for your business, including its legal name, business address, and email address.
Here's an example from Product Hunt:
Note that Product Hunt refers to itself as "the Controller." This is only relevant if you have customers in the UK or EU and have to comply with the GDPR. We'll discuss this in more detail below.
Personal Information You Collect
Your Privacy Policy should identify what personal information you collect, whether via Facebook or via other means.
Whether you're running a physical store, an ecommerce store, or an online services business, you'll need to collect basic personal information such as customers' names and contact details.
If you collect any personal information via your Facebook Page or other means, you need to explain this to your customers in your Privacy Policy.
Here's an example from Bando:
If you have a broader online presence extending beyond your Facebook Page, you'll also need to explain the other ways in which you collect personal information.
Here's an example from Microsoft:
If your website uses cookies for advertising or analytics purposes, you should disclose this in your Privacy Policy.
How You Use Personal Information
You must explain your purposes for collecting personal information, i.e. how you use it.
For example, you might use your Facebook Page to let customers book appointments or place orders. Or you might use Facebook Messenger to engage with customers and receive inquiries.
You should have a clear business purpose for using any personal information you collect. If you collect email addresses, names, and shipping addresses, you must explain why you do this.
Here's an example from catering business Chrissie Cakes and Supplies:
How You Share Personal Information
You probably share personal information with several other businesses, such as payment processors, direct marketing companies, and shipping companies. You need to explain this in your Privacy Policy.
Here's an example from ecommerce business Jasmin Studio Crafts:
Note that you don't necessarily need to name the businesses with whom you share personal information: you can just identify the types of businesses.
If You Have Customers In the UK or EU
If you have customers in the UK or the EU, there's some extra work to do to comply with Facebook's terms. You should also check out our GDPR Privacy Policy Template for guidance on how to create a comprehensive GDPR Privacy Policy.
If you've ever visited a company's Facebook Page from within the UK or the EU (or the wider European Economic Area), you might have noticed a link reading "Information about Page Insights data."
Clicking this link leads to a page explaining that Facebook and Facebook Page Admins are "joint controllers" under the GDPR.
The obligation stems from a 2018 ruling of the Court of Justice of the European Union (Wirtschaftsakademie Schleswig-Holstein, Case C-210/16, referred by a German court), which held that a Page Admin is a joint controller with Facebook for the data Facebook collects through its "Insights" product. Facebook created this policy in response. Here's where to find Insights:
The Insights tool automatically collects data about who visits your Page and shows it to you only in aggregated form. As a Page Admin, you can't use it to tell whether a particular individual has visited your Page.
However, the court held that this data is personal data under the GDPR, because Facebook collects it from identifiable visitors (via cookies on their devices) before aggregating it. Under the GDPR, you and Facebook are therefore jointly responsible for processing it.
Your Obligations Under Facebook's Page Insights Controller Addendum
As a Facebook Page Admin, you're held jointly responsible for Insights data. Facebook's Page Insights Controller Addendum sets the rules about how you and Facebook should meet your legal obligations.
The GDPR allows joint controllers to decide among themselves how they will fulfill their legal obligations. Fortunately, Facebook has allocated almost all of the GDPR's duties to itself, and there's not much left for Page Admins to do.
Here are Page Admins' duties under the Addendum. It requires that you provide the following information in your Privacy Policy:
- Your legal basis for processing Page Insights data and the "legitimate interests" you are pursuing by using this data
- The identity of your responsible data controller and their contact details
- The identity of your Data Protection Officer (if you have one)
Facebook doesn't explain what any of this means or how you can communicate it to your customers. That's where we come in.
Your Legal Basis and Legitimate Interests
Facebook requires you to identify your legal basis for processing Page Insights data.
The concept of the "legal basis" (or "lawful basis") is very important under the GDPR.
We won't go into detail about the legal bases here. Essentially, there are six legal bases, and every time you collect personal information, you need to identify a legal basis for doing so.
See our article Lawful Basis for Processing Under the GDPR for more information.
So, what's your legal basis for receiving personal information from Page Insights? Well, Facebook suggests that it might be in your "legitimate interests," which is one of the six legal bases.
"Legitimate interests" can be a suitable legal basis when you process personal information in a way that benefits your business without causing any significant privacy risks. You should carry out a Legitimate Interests Assessment if you plan on relying on this legal basis.
If you decide that receiving Insights data is in the legitimate interests of your business, you need to explain this in your Privacy Policy.
Here's an example of a clause that addresses this:
The clause explains how Insights works and then identifies its legitimate interests in receiving Insights data: the ability to recognize user preferences and locations and to adapt and improve its offer accordingly.
Responsible Data Controller and Data Protection Officer
Facebook requires that you provide a name and contact details for the "responsible data controller."
The responsible data controller is your company. Your company is a data controller under the GDPR because it decides why and how to process personal information.
Facebook also requires that you provide contact details for your Data Protection Officer (DPO), if you have one. The GDPR (Article 37) only requires a DPO where you are a public authority, where your core activities involve large-scale, regular and systematic monitoring of individuals, or where they involve large-scale processing of special categories of data (such as health data) or criminal conviction data. Running a Facebook Page for an ordinary small business doesn't meet any of these tests, so most Page Admins won't need to appoint one. (The 250-employee threshold sometimes quoted relates to a different GDPR obligation, record-keeping under Article 30, not to DPOs.)
How to Add Your Privacy Policy to Your Facebook Page
Once you've written your Privacy Policy, you need to make it publicly available. If you have a website, create a new page titled "Privacy Policy." If you don't have a website, you can create a publicly-readable document using a service such as Google Docs. If you do, check that the sharing setting is "Anyone with the link" can view, and link to the view-only version rather than an edit link, so visitors can read the policy but not change it.
Once you've hosted your Privacy Policy online, adding it to your Facebook Page is easy.
First, go to your Facebook Page dashboard and select "Edit Page Info" in the top right-hand corner.
Scroll down to the bottom of the page, then enter a link to your Privacy Policy into the box.
A link to your Privacy Policy will now appear on your Facebook Page.
Summary
Your Facebook Page requires a Privacy Policy that explains, at a minimum:
- Who you are, and how your customers can contact you
- What personal information you collect
- How you use personal information
- How you share personal information
Ensure your Facebook Page Privacy Policy also complies with local privacy law.
If you have customers in the UK or EU, you also need to comply with Facebook's Page Insights Controller Addendum.