Getting a privacy policy for your website
A privacy policy is a document that details how a company or organization handles any information it gathers. It should reveal the information it plans to collect such as site visitor name, address, credit card number, etc. If data is to be left on a user’s computer (such as cookies), this should be specified alongside information on whether the customer’s data will be shared or sold to third parties.
When are privacy policies mandatory?
The laws surrounding privacy policies in the United States are overseen by the Federal Trade Commission (FTC), are complex, and vary from state to state. While laws are relaxed in certain areas, the state of California, for example, has strict laws requiring all owners of commercial websites to include a privacy policy. This strict set of consumer privacy guidelines, enacted by the California Online Privacy Protection Act (CalOPPA), has been in place since 2003 and was the first law in the United States to establish far-reaching consumer data handling rules for online businesses. Website operators in the US should therefore take care to ensure that their site complies with their respective state’s laws. In addition, federal law requires specific companies and websites to provide privacy policies: websites targeted at children under 13 years old, health care service websites, and financial institutions.
The issues surrounding data collection are certainly controversial. A great deal of data is saved automatically, often without the user’s knowledge. For example, web servers record IP addresses in log files, integrated social media icons pass on personal details relating to social network profiles, and cookies save information about users and their online behavior. The data security issues surrounding website analytics tools, such as Google Analytics, are also controversial, as the tool records data like IP addresses. Website operators can avoid requiring users’ consent for gathering this data by shortening the IP address so that its last set of digits is removed, which anonymizes the data.
When it comes to IP addresses, the legal situation has been unclear for a long time. Recently, however, the European Court of Justice has found that it is possible to trace a link between an IP address and real personal data through an individual’s Internet provider. This means that IP addresses should also be treated as personal data, seeing as they can be used to create someone’s digital footprint whilst browsing online.
Since most websites collect data these days, every website should contain a privacy policy. In this way, operators remain on the safe side legally and provide an important service for their visitors.
On May 25, 2018, the EU’s General Data Protection Regulation came into force. This may be of interest to you if you do business in Europe. You can find out what companies and website operators need to pay attention to in the future in our GDPR checklist.
What are the sanctions for non-compliance with privacy policy laws?
Those found guilty of breaching data security laws can receive extensive penalties and sanctions. In addition to prosecution costs, injunctions, and compensation costs, offenders who do not provide adequate data security could also receive fines of up to $16,000 under the FTC Act. However, punitive measures vary widely depending on the actions of the perpetrator, the severity of the violation, and the number of people affected.
For example, fraudulent collection or distribution of personal data can also result in further penalties and a jail sentence of up to five years. This can increase to ten years and a fine of up to $500,000 for an individual or $1 million for a company if the crime has been committed in conjunction with further violations, or if the perpetrator has sold data for personal profit.
Under the Health Insurance Portability and Accountability Act (HIPAA), health care providers, pharmacies, and other institutions or companies that handle medical information can be subject to fines ranging from $100 to $1.5 million, depending on the severity of the offense.
Incorporating a privacy policy into your website
If you are required to have a privacy policy on your website, you should ensure it is as accessible as possible. The privacy policy used by IONOS can be easily found on the website under Terms and Conditions, or you can simply jump straight to the privacy policy statement. You should present the statement as a separate page with a clearly marked link on the main menu. It is also essential that the privacy policy is easy to understand, so it is advisable to use simple language and avoid complex legal or technical terms. In terms of content, it is vital that the information is accurate and unambiguous. The same applies to an imprint on your website, if you do business in Germany, Austria, or Switzerland. Ensure that the links set for this purpose are not obscured by other elements such as banners and that the privacy policy is visible in different browsers and on all end devices (PC, tablet, smartphone, etc.).
It is also important to include the following information in your privacy policy:
- A summary of the technical data collected and/or passed on (e.g. IP addresses, email addresses, etc.)
- A summary of the personal data collected and/or passed on (e.g. name, address, etc.)
- Data transferred from browsers (e.g. browser history)
- Information about special features, like sweepstakes, online advertising, etc.
- If required, information on the use of web analytics tools such as Google Analytics
- Actions taken to ensure the security of data
- Information about the user’s right of objection
Representative contact details
Some state legislation may require your privacy policy to provide contact information should a customer have a query regarding the policy or their data use. Despite this not being a federal law, it is becoming more and more common and considered best practice to include a point of contact. Privacy policies may include the name, postal address, email address, or telephone number of the privacy policy representative. Here is a sample of what the relevant paragraph in your privacy declaration may look like:
Sample contact details:
Name of the individual(s) responsible
1562 Main St
Eureka, CA
95502
Tel: (telephone number)
Email: sample@email.com
Support with privacy policies: templates and generators
Many free online solutions help with generating privacy policies for websites. Existing templates are available and it is easy to find one that is suitable online. Prewritten templates are another option. These include valuable information on the protection of user data and can be applied to social networks, cookies, or newsletters. This gives users the added advantage of receiving data protection statements from Google Analytics or other analysis tools. These are delivered in filled-out forms and include links for users who object to their data being delivered to third parties.
In addition to the many templates that are available, some websites also offer free privacy policy generators which assemble sample texts to produce a final statement. The result is usually provided as HTML code.
Templates and generators make it easy to draft a suitable privacy policy for your website. However, it is important to be diligent to ensure that the results are relevant to your specific website. Templates can provide a great basis for your statement, although there are often details that need changing or elaborating on. If you are unsure whether your privacy policy is correct, it is advisable to seek advice from a legal expert.
Changes in EU law: the GDPR
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy and affects those within the European Union (EU) and the European Economic Area (EEA). The main goal of this regulation is to give citizens and residents more control over their data and what happens to it. With all EU countries adhering to the same regulations, business between countries becomes a lot easier. All companies doing business in the EU or EEA must store personal data using pseudonymization or full anonymization, as well as the highest privacy settings possible. Such data cannot be made publicly available without the individual giving prior consent. If a data breach occurs, businesses must report it within 72 hours if customer data is at risk.
Although the GDPR was adopted on April 14th, 2016, it wasn’t enforced until May 25th, 2018. Since it is a regulation, it doesn’t require a national government to decide on any legislation.
The 54,000-word document can be summarized into these points:
- Companies must obtain users’ permission in much more detail before using any of their data for marketing or advertising purposes.
- Users must be able to download their own data in a format that they can take to a competing service. This is known as “data portability”.
- Users must be able to inspect all the data collected by the company and amend anything if needed as well as having the option to delete it if they don’t want the company to possess it anymore.
- Users are now able to challenge algorithmic decisions that affect them and request that humans make these decisions instead.
What do the EU changes mean for the US?
The US doesn’t have any legal equivalent to the GDPR since most states have their own laws governing data breaches and notification requirements. Normally, only a limited amount of data is used, namely social security numbers and health or financial information.
Although establishing a Data Protection Agency has been proposed to the US Senate, it has not been acted upon as of yet. This means that the United States is one of the few democracies in the world that does not have a federal data protection agency. This is quite shocking since the United States was once a global leader on privacy, especially when the Fair Credit Reporting Act was passed in 1970. Since then, the US has been overtaken by the EU when it comes to privacy laws.
Although these GDPR changes are for countries in the EU, companies in the US will have to adapt to them if they do business in any European countries. It makes sense to rewrite your privacy policies for Europe, otherwise you could find yourself being fined for not adhering to them.
Are you an IONOS customer? Here you can find a checklist especially for IONOS customers with all the information website operators need to bear in mind so that their website complies with the General Data Protection Regulation.
Facebook is an example of a company that needs to comply with these laws. In April 2018, Facebook CEO Mark Zuckerberg testified before the US Congress about data privacy. The subject of the GDPR came up quite often, but EU officials weren’t satisfied with the answers he gave to many of the questions. At the beginning of 2018, at least 87 million Facebook users had their data leaked to third parties. In 2019 Facebook had to pay the FTC an eye-watering $5 billion fine for its various privacy violations. All the more reason to adhere to the GDPR laws, which aim to protect users from future data leaks and give them more control over what happens to their personal information.
The changes state that if there’s a data breach, users should be notified within 72 hours. An example of a company that needs to act differently this time around is Equifax, a consumer credit reporting agency, which spent weeks in 2017 trying to stop a data breach attack and deciding what to do about the damage before the company even thought to notify customers. If this were to happen now that the GDPR is in place, the company could be handed a hefty fine – just like Facebook was. Here are some sample privacy policies that US website operators dealing with EU users can take into consideration to ensure that they are compliant with the GDPR. In order to be compliant, your privacy policy must cover the following aspects.
Legal foundations for data processing
It is your duty to inform users of the legal basis for collecting and processing personal data. To do this, at least one of the following conditions must be fulfilled in accordance with Article 6 of the GDPR:
- The subject has given their consent
- Processing data is necessary to fulfil a contract with the subject or for carrying out pre-contractual operations
- The controller fulfils a legal obligation to which they are subject
- The purpose of processing is to protect the vital interests of the data subject or another person
- The data processing is in the public interest
- It is necessary to safeguard the legitimate interests of the controller or of a third party (provided that the fundamental rights and freedoms of the subject are not infringed).
Sample of providing a legal basis
Insofar as we have obtained the consent of the subject for the processing of personal data, Article 6(1)(1a) of the GDPR applies as the legal basis.
Where the processing of personal data is necessary to fulfil a contract with the subject or for pre-contractual measures initiated by the data subject, Article 6(1)(1b) of the GDPR provides the legal basis.
If the data processing is the result of a legal obligation to which we are subject, we refer to Article 6(1)(1c) of the GDPR as the legal basis.
Where personal data is processed in order to protect the vital interests of the subject or another natural person, Article 6(1)(1d) of the GDPR serves as the legal basis.
If the data processing as a task serves the public interest or takes place in exercise of official authority, we refer to Article 6(1)(1e) of the GDPR as the legal basis.
Insofar as the processing of personal data is necessary in order to safeguard the legitimate interests of the controller or a third party without jeopardizing the interests, fundamental rights or fundamental freedoms of the subject, Article 6(1)(1f) shall apply as the legal basis.
Purposes of data processing
In addition to the legal basis, you must list in your privacy statement the purposes for which the relevant data is processed. In order to achieve transparency, we recommend that you disclose any components of your website that collect this data, including:
- Contact forms
- Newsletter subscription
- Input fields (e.g. for entering bank details in a shopping cart)
- Tracking codes
- Third-party plugins (e.g. social buttons)
- Third-party content (e.g. YouTube videos)
- Competitions
- Cookies
When it comes to embedding external content, you will need to exercise even more caution in the future, since the GDPR increases the obligation to inform the user before data is processed. Third-party content like YouTube videos, however, transmits data by default as soon as the website is accessed. Google has already reacted to this and implemented an “extended data protection mode” in YouTube’s embedding options. If you enable it, you will generate an embed code that does not transmit data until the video is viewed.
If the previously mentioned Article 6(1)(1f) of the GDPR is relevant to your website, you should also reveal your legitimate interests in your privacy policy. When doing this you should check whether you are protecting the interests and rights of your website’s users in the best possible way. Typical purposes are, for example, analyzing visitor behavior to optimize the website, or delivering personalized content for marketing purposes.
Template for indicating the purposes of data processing
In order to make your visit to our website as user-friendly as possible, and to provide you with all the available features, we collect specific data from the device you used to access our website. This data includes your:
- IP address
- Operating system
- Browser type and version
- Date and time of access
- …
An evaluation of this data for marketing purposes will not take place.
Recipients of personal data
If you pass personal data along to third parties, you must also inform your users of this as part of the data protection declaration. For example, if you run an online shop, you are very likely to include other service providers such as suppliers or payment services in your business process.
This segment also includes implementations of third-party cookies and extensions, the use of which has always been linked to the disclosure of personal information. These include tracking codes and social media buttons. In both cases, you can indicate a legitimate interest to justify the use – however, it is advisable to also obtain the visitors’ consent (in the case of social media buttons, the use of a data protection compliant procedure like the two-click solution is a good idea).
You should also include advertising services like Google AdSense or AdWords as recipients if you use them to help Internet users find your website.
Sample of specifying embedded third-party vendors (example: “Facebook Plugin”)
This website uses a Facebook social plug-in developed by Facebook Inc. (1 Hacker Way, Menlo Park, California 94025 USA), recognizable by the Facebook logo. The plugin establishes a direct connection between your browser and the Facebook servers once it has been activated. This requires a click on the appropriate button. We have no influence whatsoever on what kind of data, and to what extent, is transmitted to Facebook Inc. A statement by the social media company on this topic can be found via the following link.
If you intend to disclose personal information to a recipient in a third country or to an organization that operates internationally, you should also disclose this intention in your privacy policy.
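The two-click procedure recommended above for social media buttons, combined with YouTube’s “extended data protection mode” from the section on purposes of data processing, as an added example that is not code from the article, from IONOS, Google or Facebook. It assumes the privacy-enhanced YouTube embed domain youtube-nocookie.com (which the article does not name); the function names, the CSS class, the video ID and the notice text are constructed for this example.

```javascript
// Added example (not from the article or any vendor): a "two-click" embed.
// The first stage shows a placeholder built only from first-party strings and
// sends nothing to the third party; the iframe is rendered only after the
// visitor clicks, which is when data such as the IP address leaves the site.

// YouTube video IDs are 11 URL-safe characters. Rejecting anything else keeps
// untrusted input out of the src attribute.
const YOUTUBE_ID = /^[A-Za-z0-9_-]{11}$/;

// Privacy-enhanced embed URL (assumed domain, not stated in the article).
function privacyEnhancedEmbedUrl(videoId) {
  if (!YOUTUBE_ID.test(videoId)) throw new Error("invalid YouTube video id");
  return `https://www.youtube-nocookie.com/embed/${videoId}`;
}

// Escape text before it is placed in HTML so notice text or titles that
// come from a CMS cannot inject markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Stage 1: placeholder. The vendor URL sits in a data attribute only, which
// the browser never fetches, so no request reaches the third party.
function placeholderHtml(embed) {
  return (
    `<div class="two-click" data-src="${escapeHtml(embed.src)}">` +
    `<p>${escapeHtml(embed.notice)}</p>` +
    `<button type="button">${escapeHtml(embed.label)}</button>` +
    `</div>`
  );
}

// Stage 2: the real iframe, rendered only after the visitor has clicked.
function activatedHtml(embed) {
  return (
    `<iframe src="${escapeHtml(embed.src)}" title="${escapeHtml(embed.title)}" ` +
    `referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>`
  );
}

// State holder: renders the placeholder until activate() has been called.
function createTwoClickEmbed(embed) {
  let activated = false;
  return {
    isActivated: () => activated,
    render: () => (activated ? activatedHtml(embed) : placeholderHtml(embed)),
    activate() {
      activated = true;
      return this.render();
    },
  };
}

// Browser wiring: swap the placeholder for the iframe on the button click.
function mount(container, embed) {
  const widget = createTwoClickEmbed(embed);
  container.innerHTML = widget.render();
  container.querySelector("button").addEventListener("click", () => {
    container.innerHTML = widget.activate();
  });
  return widget;
}

// Constructed sample (placeholder video ID, not a real video).
const SAMPLE_EMBED = {
  src: privacyEnhancedEmbedUrl("AbCdEf12345"),
  title: "Product tour",
  notice: "Clicking the button loads a video from YouTube. Only then is data, including your IP address, sent to Google.",
  label: "Load video",
};

// Only runs in a browser; a page would contain <div id="video"></div>.
if (typeof document !== "undefined") {
  const target = document.querySelector("#video");
  if (target) mount(target, SAMPLE_EMBED);
}
```

The same structure serves a Facebook or other social plugin: put the vendor’s script or iframe URL in `src`, keep the placeholder free of any vendor-hosted image or script, and let the privacy policy describe exactly what the second click triggers.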
Duration of data storage
In order to make data processing as fair and transparent as possible, you should also disclose how long personal data will be stored for. If no clear value can be given, you can instead present the criteria that determine the storage period. For example, you can usually give concrete information for the storage of anonymized IP addresses in log files if you have configured automatic deletion after a certain period of time. If, on the other hand, you work with cookies that make the visitor identifiable for the duration of the session, the length of that data storage is linked to each individual session.
Sample of a data storage duration specification
All personal data that we have collected during your visit through the use of session cookies is automatically deleted as soon as the purpose for its collection has been fulfilled. The session data is therefore stored until you end your session (by leaving or closing the website).
If you store the personal data on servers outside the EU, this must be stated in the data protection declaration of your website – including reference to possible different data protection regulations in the server’s location.
Reference to the data subject’s rights
All EU users from whom you collect personal information have several rights, also known as “data subject’s rights”. For example, the right of access specified in Article 15 GDPR entitles them to detailed information on processing purposes, possible recipients, storage period and origin of the data. In addition, users have the right to rectify personal data under Article 16 GDPR and – under certain conditions – the right to delete personal data under Article 17 GDPR.
Sample of reference to data subject’s rights
According to the GDPR, you are considered a data subject if you are an EU visitor to our website and personal data concerning you is processed by us. For this reason, you can make use of various data subject rights which are laid out in the General Data Protection Regulation. These are the right to access information (Article 15 GDPR), the right to erasure (Article 18 GDPR), the right to object (Article 21 GDPR), the right to lodge a complaint with a supervisory authority (Article 77 GDPR) and the right to data portability (Article 20 GDPR).
Clarification of legal or contractual obligations to collect data
To the extent that the provision of personal data is required by law or contract or is indispensable to completing a contract, you must inform your users accordingly. It is also necessary for you to provide information about the consequences of not providing such information.
Sample of clarifying data collection obligations
The collection of your personal data is indispensable for completing a contract, as well as fulfilling contractual obligations and services. If you do not provide us with the requested information, neither a successful conclusion of a contract, nor further contractual services are possible.
Information on the use of automated decision-making (including profiling)
If you use automated decision-making, including profiling, you are required to provide meaningful information about the underlying logic. It is essential that you identify the desired impact and scope of this kind of data processing on the data subject. The background is that, in principle, your users have the right “not to be subjected to a decision based exclusively on automated processing – including profiling” as stated in Article 22 GDPR. However, this right does not apply if the respective automated procedure is necessary to conclude or carry out the contract, is permitted by EU and member state legislation or is carried out with the express consent of the person concerned.
Sample reference to automated decision making or profiling on your website
Before concluding your contract, we will carry out a fully automated credit assessment to determine your creditworthiness…
Representative Contact Details
Best practice requires your privacy policy to have contact information available should a customer have a query regarding the policy or their data. Privacy policies may include the name, postal address, email address or telephone number of the privacy policy representative. Here is a sample of what the relevant paragraph in your privacy declaration may look like:
Sample contact details:
Name of the individual(s) responsible
1562 Main St
Eureka CA
95502
Tel: (telephone number)
Email: sample@email.com
Does my company need a Data Protection Officer?
The GDPR stipulates that if your business deals with customers in the EU (including the UK despite Brexit), whether for business transactions or data processing, you will need to comply with their Data Protection Officer (DPO) requirements. The job of the Data Protection Officer is to safeguard personal information gathered through transactions with EU customers. This includes any sensitive information that could range from credit card information to something that can help you identify a person’s ethnicity, location, religion, sexual orientation, etc.
The GDPR stipulates that all public authorities and private companies involved in large-scale, regular data processing of EU residents must comply with these regulations. If you are unsure whether your company fits this description, the best course of action is to seek legal counsel, as the repercussions for failing to adhere could be severe. More information about data protection officers can be found here.
If you need to hire a DPO, you must include their contact information in your website’s privacy policy. Here is a sample of what their contact information could look like in your privacy policy:
The data protection officer of this company is:
Name of the individual(s) responsible
1562 Main St
Eureka CA
95502
Tel: (telephone number)
Email: sample@email.com
Many free online solutions provide assistance for generating privacy policies for websites such as the solution from FreePrivacyPolicy. Existing templates are available, and it is easy to find one that is suitable for your needs with a simple Google search. Prewritten samples are a further option. These include valuable information on the protection of user data, and can be applied to social networks, cookies, or newsletters. This gives users the added advantage of receiving data protection statements from Google Analytics or other analysis tools. These are delivered in filled-out forms and include links for users who object to their data being delivered to third parties.
In addition to the many templates that are available, some websites also offer free privacy policy generators, which assemble sample texts to produce a final statement. The result is usually provided as HTML code.
Templates and generators make it easy to draft an adequate privacy policy for your website. However, it is important to take care and ensure that the results are relevant. Samples can provide a great basis for your statement, although there are often details that need changing or elaborating on. If you are unsure whether your privacy policy is correct, it is advisable to seek advice from a legal expert.
GDPR: A summary of the most important points
The General Data Protection Regulation makes data protection in EU countries more transparent, understandable and secure. The need for a complete, comprehensive privacy statement is at the heart of this – especially for website operators who have to deal with vast amounts of personal data. If you have already drafted a privacy statement in the past, you will have noticed the disclosure of legal bases and the reference to users’ rights as major innovations in the above points.
Of course, these two aspects are by no means the only things distinguishing the revised or newly created data protection statements following the GDPR standard from older versions. Now, more than ever, you have the responsibility of explaining the purpose of data processing in a detailed, comprehensive way that leaves no open questions for your users. If your users do have questions, however, you or your DPO must be available to answer them. The GDPR emphasizes that users must be informed as early as possible – always before data is collected.
You are welcome to use our new GDPR-compliant privacy policy as a source of inspiration for your own privacy policy.
If your website deals with EU visitors, it is important to make sure your privacy policy covers the GDPR regulations. However, be sure not to neglect local state and federal laws. As always, consult a legal professional so you know that your privacy policies are legally watertight for the regions you interact with, and so that you don’t accidentally break the law and incur considerable legal penalties.