6 Tips to Draft And Incorporate a Privacy Policy For Your Business
• read
If you collect customer personal data, then you need to protect that data. No matter the field you’re in, or the size of your business, once they hand it over it’s your responsibility. And how you deal with it affects the trust your customers will have in you.
Whether you’re gathering basic info such as name and address or more sensitive details like banking or credit card information, you need to be able to disclose what you do with it and demonstrate that you have taken steps to protect it.
The first step to this is creating a privacy policy. That can take different forms according to your business type and the information you store, but at its heart it demonstrates to your customers that their data is safe in your hands.
Wondering where to start? Just as you might use a letter of intent template, think of these tips as a way to build a template for your privacy policy.
What is a privacy policy?
As the term suggests, a privacy policy is a written policy that lets your customers know how you collect their data, what that data is, what it is used for, who it will be shared with, what their rights are, and how you will both store it and protect it. It should always be included on your website and at the point of collection on Apps and may be labeled as a privacy notice or in a section called simply ‘privacy’.
One thing to note is that there are now many regulations and laws that govern how you protect data, including laws such as HIPAA in the US or GDPR in the EU. Make sure you’re aware of any required compliance in any region you operate in, not just where your head office is based.
Do you really need a privacy policy?
In nearly every case, yes. If you collect any sort of personal data from your customers, then you not only need an easy to understand privacy policy, clearly displayed so that customers can find it. Ensure that it is updated regularly and rigorously enforced.
The reality is that many people may not read your privacy policy in full. However, knowing you have one and knowing there are privacy laws and regulations governing how you handle data is usually enough to satisfy most people. That doesn’t mean you should ‘skimp’ on details when publishing such a policy; it should be clearly written and in language people can understand. Remember, if you say it in your privacy policy you must do it in practice.
6 top tips to drafting a privacy policy
While some companies’ privacy policies may differ slightly and contain specialized clauses, there are general commonalities that most companies should work from. You wouldn’t draft a shareholder agreement without using something like a PandaDoc shareholders’ agreement template, so don’t start from scratch here either. Instead, make sure to incorporate the following:
1. Introduction
This is a section every privacy policy should have. You want to inform customers who you are as a company and why you need this privacy policy. It should be a fairly short section but should include the following info:
- Your company name and contact information
- Any laws and regulations (and the applicable regions) that your policy complies with
- Glossary of any main terms used such as ‘personal data’
- Who the policy applies to, who ‘we’ and ‘you’ refers to, and identification of any third parties that are included in your policy.
- When the policy was last updated
2. Data information
This is perhaps the most crucial part of your privacy policy. It should include:
- What data you collect
- How you collect it
- How you will use it
- If you share or sell that data
- How you will store it (for example, do you use data integration software?) and protect it
- When you may transfer that data to others.
- How to exercise your privacy rights
- Data retention practices
- Where applicable how data is transferred outside of the EEU
- Where applicable how children’s data is used
- How updates to the policy are communicated
- Where applicable State specific language (i.e. CPRA)
Customers will focus on this part as it gives details on how you use their personal data. To avoid confusion, you should split this part into sections that deal with different aspects of how you collect, store, and use data.
Here is a sample privacy policy from Apple:
2a. Data collection
This section lets the customer know what data you collect and where you collect it from. The latter part can include webforms or from the checkout process. Some examples of the data you might collect includes:
- Name, email address, and physical address
- Phone number
- Age and sex or gender.
- Nationality and race
- Login information
- Financial info such as credit card details
- IP address and browser or device type
What you also have to consider is that some of the data you collect may come from third party services such as Google Analytics. When that is the case, you should advise customers and direct them to that third party’s own privacy policies as well.
2b. Data use
Your next section should inform people as to how you will use their data. This may be a requirement under certain laws but it is something you should be telling people anyway. Of course, there are many different ways you might use a customer’s info but some of the most common are:
- Security and identity verification
- To target advertising according to tastes and previous behavior
- Sending relevant and personalized marketing
- Customer service and/or tech support reasons
- Delivery of products and/or services
2c. Data sharing
You may be sharing some customer data with third parties or partners. If this is the case, then you need to let the customer know who you might share with, how it will be shared, and why you are sharing it. This may have already been covered under the ‘third party’ section of your introduction. You should also advise here when you have to share info with government departments or similar.
2d. Data sales
Thankfully, this is mostly a thing of the past and in most locations, you can’t sell on any customer data. However, some areas – such as California – still allow the selling of such info so you should advise people of this, who it might be sold to and, most importantly, give them the choice of opting out of their data being sold. If you have no intention of selling their data, make that clear.
3. Data retention and deletion
People also want to know how long you plan on keeping their data in your system. So, you should advise them if you have set time limits on data retention or whether there are legal limits on how long you can keep it. You should also include what happens at the end of the process; will their info be completely deleted or will it be anonymized.
4. Children
Parents (rightfully!) worry whether data will be collected on their children. The legal definition of children can vary from area to area, so be guided by the relevant legislation. Most businesses will not collect information about children so you should make that clear and have a disclaimer included in your policy.
5. Personal rights
This is another factor that differs from region to region so be sure you are aware of the different laws and regulations that apply where you operate. Let your customers know what rights they have in the area they live in and how they can apply those rights if they want to see what info you hold on them.
If you want them to give up certain rights, for instance, via an NDA, it’s worth looking if you can find a non-disclosure agreement template available for free. That way, you have somewhere to start from.
6. Changes and complaints
Sometimes, changes are unavoidable. New data privacy regulations may be introduced, or existing ones may be updated. Indeed, you may decide to use customer data in a different way. It’s important to include how you will update people in that scenario. It’s also crucial that you highlight your complaints process and include all relevant contact information.
The takeaway
Every business has multiple things to consider, from inventory management development to automation of email marketing. However, no matter what type of business you operate, some form of privacy policy is essential.
The important thing to remember is that you may have to comply with many different laws and regulations according to the territories you operate in. This means that while you may have a general policy on privacy, some parts of that policy have to acknowledge those differences and inform your customers what they are.
Yauhen is the Director of Demand Generation at PandaDoc. He’s been a marketer for 10+ years, and for the last five years, he’s been entirely focused on the electronic signature, proposal, and document management markets like Pandadoc sponsorship proposal template. Yauhen has experience speaking at niche conferences where he enjoys sharing his expertise with other curious marketers. And in his spare time, he is an avid fisherman and takes nearly 20 fishing trips every year.