Privacy Policy 101: The Ultimate Guide You Need To Protect Your Website
If you’re building an online business and want to protect your website with no fuss and no muss, this ultimate privacy policy guide is for you! After reading this guide, you’ll know how to create a privacy policy for your website and understand what the heck it means.
As an added bonus, you won’t be lulled to sleep with boring legalese… because we’ll be keeping things light and maybe even a bit amusing.
Since you’re here reading this post, I’m gonna take two wild guesses about you…
First, you’re building an online business.
That’s a pretty easy one because there aren’t a lot of offline business owners (or people who aren’t business owners at all) reading guides about creating a website privacy policy!
(If you are not an online business owner and you’re reading a post about online business legal stuff, seek help…)
Second, I’m gonna go out on a limb and say that the idea of having to create a privacy policy has you somewhat confused, overwhelmed, and maybe a wee bit scared.
I mean, freaking lawyers like their legalese even more than they like dressing up in boring suits, and they always tend to make things harder to understand than they really need to be…
If my guesses were right (or even close), then you’re going to love this post. After reading this guide, you’ll know exactly how to create a privacy policy and actually understand what the different parts of it mean.
You’re welcome. 😉
What is a privacy policy?

If you want the definition of a privacy policy in lawyer-speak, it would be something like this:
A privacy policy is a legal document that sets out what information you collect from website visitors, how you collect that information, why you collect that information, how you use that information, who you share that information with, and what visitors can do to limit your use or collection of that information.
But since I’m guessing you’d like to avoid hearing from Lawyer Man (insert charismatic superhero voiceover here for full effect), how about we put it into plain English…
Your privacy policy helps your website visitors understand what the heck is going on with their data and information when they visit your website.
Your privacy policy shouldn’t include any stilted language or legalese. Now, there will be some technical language (about pixels, cookies, tracking codes, and the like…), but not a lot of legal-sounding words.
Your privacy policy is supposed to provide clarity and transparency to your website visitors, most of whom aren’t lawyers. So you don’t need to talk to them like one!
Unless you serve lawyers, in which case… I’m sorry for you. But I digress. Moving on!
Why is a privacy policy important?

There are a few reasons why your privacy policy is important to your business.
First… because the law says so!
But I’m betting you want more of an explanation as to why you’re legally required to have one (because you are… just in case that wasn’t clear).
We’ll cover that in the next section.
Second, a well-written policy can build trust for your brand.
Look, I’m not going to oversell this because the reality is that most people are never going to read your privacy policy or even give it a second thought.
But let’s get real for a second: given all the scammy crap that happens on the internet, it’s a good idea to do everything you can to create trust with your website visitors.
Having a privacy policy that is well written (and not simply copied and pasted from someone else) is one of those trust-building indicators.
Third, most online advertisers won’t let you run ads without a privacy policy.
Yep, you read that right. Many online ad sellers (think Facebook and Google) won’t let you advertise on their platforms if you don’t have a privacy policy on your website.
So… unless your goal is to break the law while building a scammy-looking site that can’t advertise, you’re gonna need to create and post a privacy policy on your website.
Is a privacy policy required?

Short answer… yes.
If you are collecting any “personally identifiable information” about your website visitors, you are legally required to have a privacy policy on your site.
Apologies for the fancy-sounding phrase “personally identifiable information,” but that’s a phrase that pops up in a lot of the privacy policy laws, so I kinda had to use it!
Before you ask, “personally identifiable information” is a really broad term. Basically anything that you could use to identify a person (alone or when combined with other info) qualifies.
It includes the obvious things like names, email addresses, addresses, and the like. Here’s hoping you are collecting (or plan to collect) this stuff ‘cause converting visitors into leads and leads into buyers is kinda the whole point of being online, right? And you kinda need their information to do that.
But it also includes the not-so-obvious things that your website is probably collecting in the background, like IP Addresses and information collected by the cookies and pixels you have installed for tracking purposes.
We could get all nuanced and technical, but that wouldn’t do you any good. Let me just say this simply: If you are building an online business, you are collecting personally identifiable information.
Because you’re collecting that information on your website, there are various laws that might come into play to require a privacy policy (or other privacy disclosure), including:
- California Online Privacy Protection Act (CalOPPA)
- The United States Children’s Online Privacy Protection Act (COPPA)
- The European Union’s General Data Protection Regulation (GDPR)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- The Australian Privacy Law
Reading that list, you might be thinking: “Woohoo! I don’t live in one of those jurisdictions, so I don’t have to worry about creating a privacy policy.”
Not so fast, my friend.
These laws don’t only apply to businesses located in those places. Under these laws, if you collect personal information from people who live or are present in those places, you are subject to the privacy requirements.
You read that right. It’s not about where YOU are… it’s about where your website VISITOR is.
Again, we could get all technical about it, but let’s keep it simple: if you are building an online business, you'll be collecting information from people in at least one of these jurisdictions.
The end result is that you are (or will be) legally required to create a privacy policy.
What’s included in a standard privacy policy?

Although it might seem kinda overwhelming when you look at a standard website privacy policy, it doesn’t need to be.
Your privacy policy will include some boilerplate language, but it mainly consists of clauses related to the purpose of a privacy policy.
Or really, the purposes… because yes, there are many.
Remember that technical-sounding definition of the term privacy policy above? The one where I said it sets out:
- What information you collect from website visitors
- How you collect that information
- Why you collect that information
- How you use that information
- Who you share that information with
- What visitors can do to limit your use or collection of that information
Broadly speaking, those are the major topics you include in your policy.
See, there is a method to the madness of this guide! I included the boring, technical definition of the term because it helps you understand what to include.
And call me crazy, but I think business owners should be able to easily understand their legal policies. (I’m pretty sure other lawyers hate me for this, but whatevs.)
Beyond those clauses, there are a few specific things nearly every policy will include.
Here in the US, it is illegal to collect personal information from children who are younger than 13 without the express consent of their parents.
With that in mind, standard privacy policies should include a clause saying children under 13 are not to use the site and providing an email address for parents to reach out if there is an issue.
The EU’s regulation sets out certain rights that people have and requires us to tell people about those rights. Kinda like the Miranda warnings that cops have to give, but related to privacy rights.
So, your privacy policy needs to set those rights out for people.
Rather than bore you to tears with all the details, the easiest way for you to understand what to include is to see an example of a privacy policy. Here’s the policy on my website.
Should I copy and paste a privacy policy?

Gotta be honest here. Few things scare me more than when I see an online discussion where one business owner tells someone else to just go “copy” someone else’s legal policy.
(It scares me whether it’s a privacy policy or any other policy or agreement!)
That “copy and paste” mentality is how I once saw a Canadian homebuilder with a website terms of service that said that Swedish law would apply to its music streaming services.
Music. Streaming. Services… on a home builder website. 🙄
I was utterly perplexed until I realized that someone had literally copied the Spotify terms of service and posted them as the website policy for this Canadian homebuilder.
No bueno, my friends.
Aside from these kinds of comical results, the other problem is that you have no idea whether the policy you’re copying and pasting is any good.
True story, one of the sites that has a privacy policy generator (and appears on the first page of Google results) is giving out policies that CLEARLY do not comply with the GDPR… even though it says it does!
Yikes!
Not to mention the other laws mentioned above that they don’t comply with.
The key takeaway here is that you should NOT copy and paste a privacy policy or any other legal document for your business from another business.
You should make sure your privacy policy comes from a reputable and knowledgeable source and that it’s customized for YOUR business.
No copying and pasting the privacy policy from Spotify, your favorite influencer, Wal-Mart, or any other place. Mkay?
Should I use a privacy policy template?

While copying and pasting is a horrible idea, using a good template is a great idea!
There is literally no reason you should try to write a privacy policy from scratch.
Seriously. Don’t. Your time is more valuable than that.
Heck, I don’t know any lawyers who would craft a privacy policy from scratch. We would start with our own templates and modify them for our clients’ needs. (The truth is out, lawyers! #sorrynotsorry)
This is probably the ONLY time you’ll ever hear me say this…
Be like lawyers!
As annoying as we lawyers are, we have certainly mastered the art of not reinventing the wheel, and you should follow suit.
Find yourself a great privacy policy template to use to create your own policy.
With the Plainly Legal™ Agreement Generator, you can draft your privacy policy in minutes, ensuring your website and business are legally protected!
