From contact forms to analytics, advertisements, and social media integration, a typical website gathers a great deal of information. Disclosing all of that data collection isn't always straightforward, but in many jurisdictions it is a legal requirement.
An introduction to privacy policies (and how your site can benefit from one)
Most website owners collect a lot of information about their audience. It may include data that people explicitly choose to share with your site, such as the information they enter into a form:
It may also include data you gather using tracking tools. For example, you might use Google Analytics or advertising programs such as Google AdSense.
Even if you’re not located in the European Union (EU), the internet is international, so EU users are very likely to visit your site at some point, and the GDPR applies to the processing of their personal data regardless of where your site is hosted.
If you fail to comply with the GDPR, you could be fined up to €20 million or 4 percent of your organization’s annual global turnover, whichever is higher. The GDPR itself imposes administrative fines; some member states’ implementing laws add criminal penalties on top of that.
Step 1: Identify all the data you collect
Before you dive in, we recommend carefully considering what you need to include in your policy. Doing this can help ensure that nothing gets overlooked and potentially lands you in legal hot water.
During this planning phase, it’s wise to take stock of the data you collect and consider whether each item is actually necessary. Having lots of information about your audience can supercharge your advertising and marketing campaigns.
However, laws such as the GDPR add significant overhead to acquiring and storing personal data. You need a documented lawful basis (consent, a contract, a legitimate interest, and so on) for each category of data you collect, and where you rely on consent you must be able to show when and how it was given. Data you never collect is also data you cannot leak.
It’s easy to fall into the habit of asking for data just because you can. However, it isn’t always necessary. For example, if you operate an online mailing list, you don’t necessarily need to know a subscriber’s postal address.
Step 2: Describe how you collect and use data
Some data collection will be pretty straightforward and obvious, such as user-submitted forms. However, other points may be more subtle.
To avoid missing out on hidden collection points, we recommend checking out some third-party policies. Social media privacy disclosures are excellent examples, as these sites tend to record a lot of information.
Simply reading through policies from companies such as LinkedIn and social network giant Facebook may help you identify hidden collection points on your own website:
After identifying all of the information you gather, it’s wise to explain why it’s required. By justifying your data collection, you can build trust with your visitors. It can also be helpful to evaluate whether you’re still saving any unnecessary data.
Wherever possible, write the data disclosure section to emphasize how your collection benefits the visitor; for example, you might note that tracking tools help you provide a more personalized experience. Don’t let that framing obscure what is actually collected, though: the disclosure still has to be accurate and complete.
You should also disclose any information that you share with third parties, such as analytics and advertising providers, and detail the circumstances under which you allow that access.
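Hidden collection points are usually resources the browser fetches from, or submits to, a host other than your own: analytics scripts, social widgets in iframes, tracking pixels, third-party fonts, and forms that post to an external service. The following script is an added example, not code from the original article: it walks a page’s HTML for such elements and groups them by external host, giving you a first-party inventory to check against the disclosure and third-party sections of your policy. The sample HTML and the hostnames in it are constructed for illustration; the first-party test (stripping a leading “www.” and treating subdomains as your own) is a deliberate simplification, and it will not catch a tracker that you have CNAME-aliased onto one of your own subdomains.

```python
"""Inventory the third-party hosts a page makes the browser contact.

Added example (not from the original article). Parses HTML for elements
that cause a fetch or a submission to another host and groups them by
hostname so they can be checked against the privacy policy.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch from, or submit to, a URL.
URL_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "form": ("action",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}

# <link> only causes network contact for these rel values; canonical,
# alternate and similar are metadata only.
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch",
                 "modulepreload", "preconnect", "dns-prefetch"}


class ResourceCollector(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every outbound reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if not any(r in FETCHING_RELS for r in rel):
                return
        for attr in URL_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value:
                # urljoin resolves relative and protocol-relative (//host/...) URLs
                self.refs.append((tag, attr, urljoin(self.base_url, value)))


def is_first_party(host, own_host):
    """Simplified first-party test: same host, or a subdomain of the site's
    domain with a leading 'www.' ignored. No public-suffix handling."""
    site = own_host[4:] if own_host.startswith("www.") else own_host
    return host == site or host.endswith("." + site)


def third_party_hosts(html, base_url):
    """Return {host: sorted list of 'tag@attr'} for every external host the
    page makes the browser contact. data:, mailto: and javascript: URLs are
    skipped because they never reach a server."""
    own_host = urlparse(base_url).hostname
    parser = ResourceCollector(base_url)
    parser.feed(html)
    found = defaultdict(set)
    for tag, attr, url in parser.refs:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        if not is_first_party(parsed.hostname, own_host):
            found[parsed.hostname].add(f"{tag}@{attr}")
    return {host: sorted(kinds) for host, kinds in found.items()}


# Constructed sample page; hostnames are illustrative only.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="https://www.example.com/contact">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//static.example.com/app.js"></script>
</head><body>
<form action="https://forms.crm.example/submit" method="post">
  <input name="email"><button>Subscribe</button>
</form>
<iframe src="https://www.facebook.com/plugins/like.php"></iframe>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<img src="https://px.adservice.example/pixel.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for host, kinds in sorted(third_party_hosts(SAMPLE_HTML, "https://www.example.com/contact").items()):
        print(f"{host:30} {', '.join(kinds)}")
```

Run it against the saved HTML of each template your site serves (not just the home page) and compare the host list with the third parties named in your policy; anything loaded at runtime by those scripts, such as a tag manager pulling in further tags, will need a browser-based check on top of this static pass.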
Step 3: Add a data protection policy
Many internet users worry about their information falling into the wrong hands, and with good reason: a malicious third party who obtained this personal data could do real damage.
For example, the attacker might break into their accounts, purchase products using stolen card details, or carry out other fraud.
For this reason, it’s vital to add a section confirming how you protect visitor information. However, you don’t need to detail the specific methods you use to keep that data safe.
For example, some companies keep their data protection clause reasonably short:
However, going into some detail may help put your audience at ease. If you write a longer data protection clause, keep it general: describe the categories of protection (encryption in transit and at rest, access controls, staff training, how you would notify users of a breach) rather than specific products, versions, or configurations. Specifics go stale quickly and give an attacker a map of your environment, although the secrecy of your policy text should never be something your security actually depends on.
Bear in mind too that not every internet user has the same level of technical knowledge. A detailed run-through of your encryption methods may confuse less tech-savvy customers. Simply stating that data is encrypted, without naming specific algorithms or products, is usually enough.
Step 4: Ensure visitors know their rights
Even if you’re not explicitly targeting GDPR compliance, it’s still a good idea to clarify what rights visitors have over their data: for example, the right to obtain a copy of it, to have it corrected or deleted, and to object to, or withdraw consent for, particular processing.
However, it’s not enough to simply state the visitors’ rights. The most effective privacy policies detail how people can exercise these rights. For example, you might link to the page where users can request copies of their data.
Step 5: Consider accessibility
Most people who visit your site won’t have in-depth, specialist knowledge about data collection and protection laws. For this reason, you should avoid using complex language.
Even if you publish your policy in multiple languages, some of your visitors may not be reading it in their native tongue. Reading in a second language, combined with technical legalese, can make your disclosure extremely difficult to understand.
Your typical internet user also has a short attention span. Although the figure is hotly debated, TIME magazine published a widely cited article implying that humans now have attention spans of just eight seconds:
Moreover, accessibility is about more than the language you use. Even when dealing with large amounts of text, formatting can make your privacy policy more accessible:
It’s important to use a straightforward, navigable format. Text-heavy pages are rarely appealing, so use paragraphs, bullet points, and multiple subheadings to divide your policy into more palatable, bite-sized chunks.
To access the default policy page, navigate to Settings > Privacy. You can then view the automatically generated page by selecting Use This Page:
When you’re happy with the information you’ve entered, simply click on Publish. This button posts your page with the default URL of /privacy-policy appended to your site’s domain: