While the specific contents of every Privacy Policy will vary from business to business, there are some key and essential clauses that are standard across the board.
Just about every Privacy Policy will include the clauses outlined in this article.
Here are the essential clauses you need for your Privacy Policy.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. Privacy Policy Clause #1: Types of information collected
- 2. Privacy Policy Clause #2: How information is collected
- 3. Privacy Policy Clause #3: What you do with collected information
- 4. Privacy Policy Clause #4: Your Use of Cookies/Your Cookies Policy
- 5. Privacy Policy Clause #5: Third party access to information
- 6. Privacy Policy Clause #6: Dispute resolution
- 7. Privacy Policy Clause #7: Business transfer clause
- 8. Privacy Policy Clause #8: Changes to Privacy Policy
- 9. Privacy Policy Clause #9: Opting out of communications
- 10. Privacy Policy Clause #10: Children's privacy
- 11. Privacy Policy Clause #11: Data retention
- 12. Privacy Policy Clause #12: Contact information
- 13. Summary
Privacy Policy Clause #1: Types of information collected
Describing the information you collect from users is a good way to start your Privacy Policy agreement.
This kind of clause makes it clear to users what personal information you need for your website or mobile app to function properly and allows users to determine whether they are comfortable giving that information to you.
A "Types of information collected" clause protects your business from liability too because if you are forthright about the information required in your Privacy Policy, no one can claim you used that information without authorization.
Sometimes, a Privacy Policy describes what personal information is collected in simple definitions.
Here's an example of this type of clause:
Other Privacy Policies contain more detail. Here's how SurveyMonkey gave a complete list in its agreement:
Note that SurveyMonkey has since updated this section of its Privacy Policy, but still discloses the same information.
The more sensitive the information you collect, the more detail you'll want to provide in your Privacy Policy.
A detailed but incomplete list of the types of information collected can work against your business more than broadly described information types.
Privacy Policy Clause #2: How information is collected
All Privacy Policies should include provisions on how personal information is collected by your company (through the website and/or through the mobile app).
Even if you only collect and use information users provide directly to you, your Privacy Policy should have provisions describing that.
Here's an example:
Information provided directly by users could seem self-explanatory. After all, many businesses request names, email addresses, user names, and payment information.
Privacy Policy Clause #3: What you do with collected information
Explaining why you collect data and what you do with it also provides additional liability relief. Depending on your business, you may have several purposes for collecting information from users.
The "What we're doing with the collected information" section is best written in detail since you do not want to be accused of using personal data inappropriately.
Here's how SurveyMonkey explains the uses for the data it collects:
Again, note that SurveyMonkey has since updated this section of the Policy but includes all the relevant information.
Privacy Policy Clause #4: Your Use of Cookies/Your Cookies Policy
When a website or a mobile app uses cookies frequently, it's a good idea to have a separate Cookies Policy.
In many cases, it's appropriate to include these provisions related to your Cookies Policy in the Privacy Policy agreement too.
Here's an example of a cookies clause that you can include within a Privacy Policy. It explains that cookies help with analytical data and users have an option to refuse them (but by doing so there's a likelihood that the platform may not work properly):
Here's another example of a clause about cookies in a Privacy Policy. It starts by explaining how cookies work and how the app benefits from using cookies:
This clause also informs users about the option to refuse cookies before accessing the app. However, this has the impact of limiting the scope of the app for users who make that decision, which is disclosed here:
It's important that you cover cookies in your Privacy Policy or in a separate policy. The EU Cookies Directive, for example, requires disclosures on cookies for any EU-based company or any foreign company interacting with EU citizens.
Privacy Policy Clause #5: Third party access to information
Advertisers, analytics apps, and social networking apps (Facebook, Twitter) are third parties who may access the collected data or collect data through your website or mobile app.
When you integrate these third parties on your website or app, you need to cover access to data by these third parties in your Privacy Policy.
Generally, the Privacy Policies of these parties control how they handle your users' information. But you still need to mention them in your Privacy Policy so users are informed that you allow this access.
You need to address third party use in your Privacy Policy even if the third parties have their own privacy practices and their own agreements.
Here's an example of a clause that addresses this regarding advertisers but also third parties that help the website function:
Privacy Policy Clause #6: Dispute resolution
Unlike Terms & Conditions, Privacy Policies do not normally contain provisions on governing law.
That said, privacy is often a contentious issue and disputes can arise. For that reason, "Governing Law" provisions are replaced with clauses regarding dispute resolution.
Dropbox contains provisions for dispute resolution in its Privacy Policy:
Privacy Policy Clause #7: Business transfer clause
If your company merges with another or is acquired by a larger entity, your users will likely feel concerned about the continued handling of their information.
You can protect yourself from liability and offer reassurance by adding a "Business Transfer" clause to your Privacy Policy.
A "Business Transfer" clause merely states that users' data will be protected as it was before under the previous Privacy Policy. Even if you don't anticipate a sale or transfer, the market may change quickly and you never know when selling your business becomes a possibility.
Here's an example:
Privacy Policy Clause #8: Changes to Privacy Policy
If your Privacy Policy changes, always announce the changes to your users.
You can describe the method you choose for notifying your users about changes in the agreement.
Here's an example:
When you choose a method to inform users about Privacy Policy changes, choose one that works for you. It's important to only mention methods you plan to use.
Privacy Policy Clause #9: Opting out of communications
Due to anti-spam laws in several nations, such as CAN-SPAM in the US, you need to be careful about sending users unwanted email or communications.
Here's an example of how you can disclose to users that they have the right to opt out:
When you include a section like this in your Privacy Policy, you can also provide a link to the opt-out page.
Privacy Policy Clause #10: Children's privacy
Children are protected under privacy laws. Disclose in your Privacy Policy that you do not knowingly collect or process personal information from children. This will help with your legal liability.
Here's an example:
If your website or app is for children under 13, you need to take a completely different approach to your privacy practices and Privacy Policy.
Here are some types of clauses and information that should be presented:
You can mention that you don't collect data from the 13-and-under users or adapt your Privacy Policy to be COPPA compliant.
Privacy Policy Clause #11: Data retention
Users can delete their accounts with you or you may act on your Terms & Conditions and deny access to a user who violated your rules.
This issue of deleting or suspending user accounts must also be addressed in the Privacy Policy. This content is found in a Data Retention clause like this one:
The normal course of action is to retain personal information only as long as necessary and destroy it at the end of that time period, but compliance requirements may compel you to keep it longer.
Privacy Policy Clause #12: Contact information
Every Privacy Policy also needs a section letting users know how to get answers to questions about matters related to their data privacy.
Large companies can generally afford to have separate departments for these inquiries, especially if the company takes a Privacy By Design approach.
Here's an example of this:
Summary
If you collect or use personal information, you will need a Privacy Policy. That Privacy Policy should include some basic clauses that address how you collect information, how you use it, how long you retain it for, and that users can opt out of having it used.
Inform users about how you use cookies, and how children's personal information is handled, if it is at all.
While every Privacy Policy will be different in specific content, using these clauses as an outline gives you a great starting point to fill in with your own specifics.