Almost all websites use cloud hosting services these days, managed by third-party providers. These hosting services are also known as Cloud Service Providers (CSPs).

If you're struggling to figure out whether you need a Privacy Policy, whether your policy should disclose that you are using a CSP, or how to talk about the CSP in your policy, this article is for you.

This article will cover:

  • What a Privacy Policy is
  • What a cloud service provider (CSP) is
  • Why you need a Privacy Policy when you are using a cloud service provider (CSP)
  • How to write a good Privacy Policy that includes a description of your use of CSPs
  • How to display your Privacy Policy so that your users can find it and agree to it

This will make sure that you comply with legal requirements, as well as potential requirements that your cloud service provider (CSP) may have as part of using their services. Let's get started.


What is a Privacy Policy?

A Privacy Policy is a legal document that explains to your users who you are, what kinds of personal information you collect from them and for what purpose, as well as who you share that data with. It also explains how you store data and keep it safe, as well as users' legal rights about their privacy.

Most privacy laws around the world require you to have a Privacy Policy, as well as specific requirements about how you should display it to your users. In places like the EU there are very strict privacy laws such as the General Data Protection Regulation (GDPR).

For example, Article 12 of the GDPR says that you must provide information about data processing to your users in a "concise, transparent, intelligible and easily accessible form, using clear and plain language." You can see this in the image below:

GDPR Article 12 excerpt

Other laws, such as the California Online Privacy Protection Act (CalOPPA), also explain that you should have a Privacy Policy to tell users how you are using their personal data. In the section below you can see that according to CalOPPA, you must "conspicuously post" the Privacy Policy on your website or otherwise make it available to your users:

CalOPPA Section 22575 excerpt

A well-written Privacy Policy usually contains the following sections:

  • The effective date of the Privacy Policy
  • The owner of the website or app
  • How personal data is collected, used, and stored
  • Who personal data is shared with
  • Whether personal data is sold to third parties, or transferred to other countries
  • User rights, such as the rights granted under the GDPR, or how "do not track" requests are dealt with
  • How users will be informed about updates to the Privacy Policy

We'll go into this in more detail below, particularly looking at sections to do with data sharing with third parties, and transfer to other countries.

Now let's take a deeper look at cloud service providers (CSPs), what they are, and why your Privacy Policy needs to address them.

What is a Cloud Service Provider (CSP)?

A Cloud Service Provider (CSP) is a company that offers storage, databases, infrastructure, or application services over the internet. When something is in the cloud, this means that the actual storage or database is off-site and spread between multiple servers and data centers. Data centers might also be in another country.

In many cases, CSPs use a number of different data centers that may be spread throughout different locations. The computing power from these data centers is then combined to serve their customers. Most websites and apps use CSPs, particularly cloud hosting services.

Cloud hosting services allow a website or app to be hosted online from elsewhere instead of on one individual server "on premise," i.e. where you are.

The use of website hosting services goes back very far in the history of the internet. Cloud hosting is a newer development where the services are provided at a larger scale and the website could be hosted on multiple servers, split between numerous locations.

The benefit of this is that the website hosting can be more reliable. This is because if one server fails, there are others that can pick up the slack.

Computing power is also shared between multiple machines, meaning that when your website or app requires more bandwidth or CPU power, it is available. The entire system is more flexible.

Some of the most common cloud hosting services include the following:

  • Google Cloud
  • Amazon Web Services
  • DigitalOcean
  • GoDaddy
  • HostGator

If you are hosting your website or app using cloud hosting services you will be sharing data from your website or app with this hosting service. This means that you will need a Privacy Policy that discloses this to your users. Let's explore why.

Why Do You Need a Privacy Policy for Cloud Service Providers (CSPs)?

When using a cloud hosting service or cloud service provider (CSP), you share data from your website with the provider. This data can include information about your website users, some of which may also be personal data.

When you are collecting or processing personal data, privacy laws around the world require you to have a Privacy Policy. In this policy you have to explain how your users' personal data will be shared, including with third parties, and where it will be stored or processed.

This means that you should disclose in your Privacy Policy when you are using a cloud service provider (CSP) and provide information about which data is shared with it. In addition, you need to tell your users if their personal data will be transferred to another country (such as if your company is based in Europe, but the CSP is in the U.S.).

The GDPR explains in Article 13 which information should be provided in your Privacy Policy. Take a look at the following list:

GDPR Article 13 Section 1

You can see that the GDPR would require your Privacy Policy to explain who the recipients are of the personal data. This would include a cloud service provider (CSP). The GDPR also requires, as you can see in section "f." above, that you must tell your users if data will be transferred to a third country, and explain whether there is an "adequacy decision" relating to that country.

An adequacy decision is a legal decision about whether that country's laws are comparable (i.e. "adequate") to the requirements of the GDPR. A country that has very low-quality privacy laws would not receive an adequacy decision.

You can see below that CalOPPA outlines what your Privacy Policy should contain:

CalOPPA Privacy Policy contents section

CalOPPA requires you to tell your users what personal information you collect, and the categories of third parties you might share it with. Third parties would include a cloud service provider (CSP).

In addition, the cloud service provider (CSP) itself might have a requirement that you have a Privacy Policy explaining the use of the CSP to your users. You should check the Terms and Conditions Agreement or Data Processing Agreement with the CSP to check what they require of you.

For example, DigitalOcean has a Data Processing Agreement with its customers that explains how personal data is dealt with. It says in this agreement that customers (of DigitalOcean) must comply with privacy laws. You can see this in the image below:

DigitalOcean Data Processing Agreement: Compliance and Customer Processing of Personal Data excerpt

This would include your compliance obligations to tell your users who you share their personal data with. In addition, if you transfer data to another jurisdiction because your CSP is based in another country, you need to tell your users this.

DigitalOcean's Data Processing Agreement also explains how it deals with countries without adequacy decisions, and what legal agreements or frameworks are used to deal with transfers of personal data internationally:

DigitalOcean Data Processing Agreement: Adequacy excerpt

In your Privacy Policy you can include a section called "Sharing of Your Personal Data" that addresses third party processors and CSPs.

Here's an example:

First Table Privacy Policy: Excerpt of clause about sharing personal data with third party processors

Include a clause as well that addresses the transfer of personal data and explains how personal data is shared, as well as whether it is transferred to other countries (such as through a CSP).

Here's an example of a clause that explains where data may be transferred:

ClickUp Privacy Policy: Data transferred clause

How to Write a Privacy Policy When Using Cloud Service Providers (CSPs)

Here are some tips for writing a Privacy Policy when using CSPs.

Specify What Data You Collect

Because cloud service providers (CSPs) collect a wide range of data, including IP addresses, you need to specify this in your Privacy Policy when you are using a cloud service provider (CSP) for your website. CSPs also often include a provision in their own Privacy Policy, explaining what they collect.

Here's an example from the Google Cloud Privacy Policy that outlines what data is collected:

Google Cloud Privacy Policy: Service Data clause

You can see that Google Cloud uses error data and crash reports, authentication details, as well as quality and performance metrics. Google also collects data on technical information so that the cloud services can function, which can include information relating to your website users such as cookies or IP addresses.

Here, you can see an example from Omni Thrive Technologies where its Privacy Policy highlights which information will be passed to their cloud provider (in this case, AWS):

Omni Thrive Technologies Privacy Policy: Cloud Services Data clause

This lets users know which information will be collected for cloud purposes.

Keep the Language Simple

In addition to the content of your Privacy Policy, it's important that the information in your policy is written in a way that your users can understand. This means that the language that you use should be simple and easy to read.

Here's an example of an easy-to-read clause that explains what personal data is collected by Etac, a provider of assistive devices for the elderly:

Etac Privacy Policy: Type of information we collect clause

The section uses plain English, as well as bullet points to make the information clear and obvious.

Here's another example from Microsoft that uses simple language to explain how Microsoft uses the data that it collects:

Microsoft Privacy Statement: How we use personal data clause

Like in the Etac example, the use of bullet points helps to make the list easier to read.

Here's another example from EurA, an international consulting company, that explains how information is collected in relation to a cloud service provider (CSP):

EurA Privacy Policy: Cloud services clause

The particular cloud services that you use (such as website hosting) will depend on your individual business or website.

Explain How Data is Used

You also need a clause that explains how data is transferred, shared or sold to third parties.

Here's an example of this type of clause from Ruddr, a professional services platform:

Ruddr Privacy Policy: Sub-processors clause

In this section, you can see a clear list of companies who are processing the personal data of customers from Ruddr. Most of these processors are cloud service providers. You can see that the section is written in plain language and also specifies the locations of these providers. This is a good example of how you can list cloud service providers (CSPs) to your users.

Here's another example from the Einstein Foundation:

Einstein Foundation Privacy Policy: Hosting clause

The Einstein Foundation explicitly states which provider is hosting its website, information about them, and further details about the hosting provider. It also specifies that there is a Data Protection Agreement with the hosting provider. This is another good example of how you can provide important information to your users, and comply with privacy laws.

How to Display a Privacy Policy When Using Cloud Service Providers (CSPs)

Once you have set up your Privacy Policy for using cloud service providers (CSPs) you must display it in a way that is clear and obvious, or "conspicuous," to your users. A common place to display your Privacy Policy is in your website footer.

Here's an example of this from Everty:

Everty website footer with Privacy Policy highlighted

You can see that the link is the same size as the other links, and isn't hidden or obscured in any way.

If you have a mobile app or mobile version of your website, you should also display your Privacy Policy in the legal or settings menu so that users can find it easily.

Here's an example:

Mobile legal menu with Privacy Policy section highlighted

Other websites and apps use pop-ups to encourage their users to agree to the Privacy Policy before they begin using the website or app. In some cases both the Cookie Policy and the Privacy Policy of the website or app are displayed together.

In this example, a link to the Privacy Policy is placed within the pop-up for agreeing or declining cookies:

Cookie consent mechanism with Privacy Policy link highlighted

This allows users to clearly see a link to the Privacy Policy as soon as they start using the website.

Summary

When you are using a cloud service provider (CSP) to host your website or app, you will share data with this CSP. This data includes customer data that could be personal information. Under the GDPR and other privacy laws, you are required to inform your customers of how their data is collected and processed including who it is shared with, and whether it is transferred to, or processed in, other countries.

This means that your Privacy Policy must explain how you use the cloud service provider (CSP) and how customer personal information is dealt with by this CSP. In addition, many cloud service providers (CSPs) will also require that you have a Privacy Policy that discloses your use of their service.

Your Privacy Policy should outline the relevant information in one section about sharing personal data with third parties, and one about transfers of personal data. You should also make sure that you display your Privacy Policy in a clear and accessible way that is obvious to users, and get their active consent.
