How To Write A Privacy Policy For Your Website

Bobby Klinck
Harvard Law Grad | Marketer | Tech Founder
Creating a privacy policy for your website often gets put on the back burner, because figuring out how to write a privacy policy isn’t exactly why you decided to become a business owner.

The legal stuff is pretty stinking boring, and writing a privacy policy probably sounds like the ultimate snooze-fest… or worse, the kind of thing that has you waking up in a cold sweat. 

But here’s the thing…

You are legally required to have a privacy policy for your website, so skipping it could land you in legal hot water. 

The good news is that writing a privacy policy doesn’t have to be a daunting task. 

Whether you’re using a template generator or decide to write your privacy policy yourself, you should really know what’s in there… and why! 

That’s what we’ll cover in this post. 

Let’s dive in… 

Your Privacy Policy Needs To Include Provisions To Cover All The Privacy Policy Laws


A privacy policy is a legal document designed to outline what type of information you collect from your visitors and subscribers, how you use that information, and how you share it with third parties. 

Unfortunately, figuring out what to include in a privacy policy isn't as simple as looking at a single law... because there isn't one! 

Multiple countries and states have rules and regulations that set out who is required to have a privacy policy and what information has to be included in that policy. That can make it a pain to figure out how to write your website privacy policy (or to figure out what you need to make sure is included in a privacy policy template you use!).

While you could spend time trying to figure out which laws apply to you and which don't, that's probably not the best use of your time. As long as the rules don't impose too much of a burden, your best bet is to craft a privacy policy that complies with all of the different rules. 

When it comes to most businesses, you need to make sure you write your privacy policy to include all the provisions set out in three sources: the Children's Online Privacy Protection Act (COPPA), the California Online Privacy Protection Act (CalOPPA), and the General Data Protection Regulation (GDPR). 

Before we go through HOW to write your privacy policy, let’s take a quick look at the laws that your privacy policy needs to satisfy. 

Children’s Online Privacy Protection Act (COPPA)

The Children's Online Privacy Protection Act (COPPA) is the only federal law that governs online privacy in the United States, and it is one of the oldest online privacy laws on the books (it was passed in 1998). 

But COPPA is pretty limited. Its primary goal is to ensure that parents have control over the information collected about their young children by websites. Specifically, COPPA provides that websites are not allowed to collect personal information from individuals younger than 13 years old without first obtaining direct, verified consent from their parents to collect that information. 

If you've ever wondered why sites like Roblox ask if the user is younger than 13... COPPA is the reason! Under COPPA, a parent needs to be the one who initially signs the child up and who consents to the collection of information. 

If you are building a website or other online platform that is directed to children younger than 13, you should consult with a privacy law expert to craft the right policies and procedures to ensure you're complying with COPPA. That's beyond the scope of this post. 

Later in this post, we'll be talking about how websites that are NOT specifically intended for young children need to address COPPA compliance. 

The California Online Privacy Protection Act (CalOPPA)

The only other law in the United States that is relevant to website privacy policy for the vast majority of online businesses is the California Online Privacy Protection Act (CalOPPA), which has been around since 2004. 

Under the law, every website that serves California residents and collects personally identifiable information from them is required to provide a privacy policy on its website. This policy must disclose what information is collected, who the information is shared with, the effective date of the policy, how the site informs visitors of changes to the policy, and how the site will respond to "do not track" settings in visitors' browsers.

You may have heard of a more recent law called the California Consumer Privacy Act (CCPA), but that law only applies to you if your revenue is more than $25 million, you're collecting information from more than 100,000 California residents a year, or you are a data broker who collects and then sells information. So... I'm guessing it doesn't apply to YOU!

(FYI: Other states have adopted laws similar to CCPA, but they are all focused on larger businesses. Unless you are pushing eight figures in annual revenue or collecting data from tens of thousands of people in any one state, chances are that you aren’t subject to those laws.)

The General Data Protection Regulation

Finally, let's talk about the General Data Protection Regulation (GDPR), which is the EU's privacy law that went into effect on May 25, 2018.

While the GDPR isn't specifically about privacy policies, it does have specific requirements for privacy policies that your website needs to follow. If you are collecting personal information from people in the EU (hint: you are), you're required to disclose certain things at the time of collection. You accomplish this with your privacy policy. 

The GDPR provides that the disclosure should use plain language so readers can easily understand what is happening with their data. 

Among other things, the GDPR requires us to tell people what information we're collecting, how we're collecting it, our legal basis for collecting it, what we'll do with it once it's collected, and who we share it with. 

The GDPR also requires you to inform visitors of certain rights that they have when it comes to their data. Think of it as something like the Miranda warnings that police officers are required to give... only you're the one who has to provide the warnings. 

What To Include When Writing Your Privacy Policy

Now that we’ve covered the legal requirements, let’s take a closer look at the different pieces you’ll need to include when you go to create your privacy policy. 

I know that examples are always better than just a description, so the discussion of how to write each section of your privacy policy will involve both a description and sample language from a privacy policy.

Start With An Introductory Section

Pretty much every privacy policy should start with an introduction setting out the name of your company, the name of your website, and the fact that agreeing to the terms of the privacy policy is a condition for using the site. 

After this introduction, you’re ready to write the meat of your privacy policy. 

Address Children Under 13 Using Your Site

Assuming that your site isn't intended for children under 13, you’ll want to include a provision saying as much… but also including a way for parents to contact you to request deletion of any information their children might share. 

For inspiration, this is the clause we have in our privacy policy: 


Remember from the discussion of COPPA, that you have to provide a route for parents to seek deletion… so don’t skip this part of your privacy policy. 

Outline The Information You Collect

Next up, you’ll want to write sections in your privacy policy to comply with the requirements of CalOPPA and the GDPR that you disclose what you collect and how you are collecting it. 

You’ll want to craft multiple sections that fall under this general definition, starting with a broad explanation like this:


You can also get more specific in the first section and lay out the particular types of information you collect (e.g., names, emails, addresses, etc.).

Beyond the general statement, you’ll want to include a cookie disclosure so that people understand you are using cookies and tracking pixels. Here’s an example:

The last paragraph in that section addresses CalOPPA’s requirement that you inform visitors how you’ll respond to "do not track" requests set in their web browsers. The default is to not respond to them.

Finally, you should include a section that covers how you handle information that people send you via email (or through any forms on the website): 

Taken together, these clauses will cover your bases when it comes to describing the information you collect from people. 

Explain Why You Collect The Information And How You’ll Use It

Once you’ve explained what information you’ll collect, it’s time to explain why the heck you’re collecting it. Both CalOPPA and the GDPR have provisions that are implicated here. 

To meet the requirements, you need to explain the purpose for collecting and using the information (the why), how you’ll use it, and a legitimate reason for you to be collecting it in the first place.

There are multiple reasons you might be collecting the information, including:

  • To deliver a good or service
  • To track preferences so you can deliver a better experience later
  • To fulfill contractual duties
  • To send further marketing information to the user

The key here is to describe all the ways you’ll use the information collected. In our privacy policy, we start with a section titled Why We Collect Information:

That section is largely about explaining the motivation for collecting information… but you also need a section explaining how you use it once it has been collected. Here’s how we handle that:

When writing this section of your privacy policy, broadly describe the ways you might use the information. 

Alongside explaining how you use the information, you should also state how long you retain it. The next section of our privacy policy covers this:

Explain Who You Will Share The Information With

Next up, you need to explain who (outside your company) may have access to the information people share with you. 

Many people default to saying that they won’t share the information with anyone… but that is not true. You will almost certainly be sharing information with third-party service providers who are helping you in your business. 

Moreover, you’ll want to leave room to share the information in certain legal contexts (e.g., a lawsuit against a customer, if you sell the company, or if you are required by law to do so). 

Here’s how we have addressed this disclosure requirement:

We crafted this section very carefully to simultaneously give people confidence that we aren’t going to be sharing their information willy-nilly while also protecting our backside if we need to share it for a legitimate reason. 

Explain EU Visitors’ Rights Under The GDPR

The last major component you’ll need to create when you’re writing your privacy policy is a section setting out certain rights that people in the EU have under the GDPR. 

This is one of the quirks of the GDPR (and one that the state privacy laws targeting larger companies have picked up). Your privacy policy has to include a section informing visitors of their rights. This section isn’t so much about your business practices; it is a recitation of rights. 

Here’s an example of how to handle this in your privacy policy:

Screenshot of the GDPR Rights section of the Privacy Policy.

While you generally only have to extend these rights to European residents, the easier path is to decide that you’ll honor these rights for all website visitors. If you choose to go that route (as we have at Plainly Legal™), you’d modify this section to state the rights more broadly as “Users’ Rights.” 

Don’t Forget These Odds-And-Ends

Your privacy policy also needs to include: (1) its effective date, (2) how you’ll notify visitors of changes to the policy, and (3) your contact information. 

These sections aren’t hard to write… but don’t forget them. 

How Should You Create Your Privacy Policy?

Now that we’ve covered the legal requirements and addressed the key sections you’ll need to create for your website privacy policy, the only question is how you should go about creating the darn thing. 

You can write your privacy policy from scratch. But, I wouldn’t recommend it. That is NOT a good use of your time. 

Instead, we recommend using the Plainly Legal™ Agreement Generator. With that generator, you can draft a rock-solid website privacy policy in minutes!

© 2024-2025 Your Online Genius LLC | All Rights Reserved