Your website and mobile app require a Privacy Policy throughout most of the world.

If you do business in the U.S., you cannot avoid coming across the California Online Privacy Protection Act or the Child Online Privacy Protection Act.

Laws in the U.K., Canada, and Australia also require Privacy Policies.

As a business, you're subject to these laws, and your business must have a Privacy Policy agreement if you collect and use personal information from users, such as:

  • Names
  • Email addresses
  • Birth dates
  • Job titles
  • Or any other type of identifying information

Here are the essential clauses you need for your Privacy Policy agreement.

Clause 1: Types of information collected

Describing the information you collect from users is a good way to start your Privacy Policy agreement.

This kind of clause makes it clear to users what personal information you need for your website or mobile app to function properly and allows users to determine whether they are comfortable giving that information to you.

A "Types of information collected" clause protects your business from liability too because if you are forthright about the information required in your Privacy Policy, no one can claim you used that information without authorization.

Sometimes, a Privacy Policy describes what personal information is collected in simple definitions.

An example of this approach is offered by Trello in its Privacy Policy agreement:

Trello Privacy Policy: Types of information definitions

Other Privacy Policies contain more detail. SurveyMonkey gives a complete list in its agreement:

SurveyMonkey Privacy Policy: Types of information collected definitions

The more sensitive the information you collect, the more detail you'll want to provide in your Privacy Policy.

A detailed but incomplete list of the types of information collected can work against your business more than a broad description of the information types would.

Clause 2: How information is collected

All Privacy Policy agreements should include provisions on how personal information is collected by your company (through the website and/or through the mobile app).

Even if you only collect and use information users provide directly to you, your Privacy Policy should have provisions describing that.

Under its section "How We Collect Information", Trello explains that it collects information in two ways:

  1. Through the use of its services
  2. From information provided directly by users

Like the type of information collected, these are also detailed sections.

Clauses regarding information collected just by using the Trello app mention Google Analytics and IP addresses. The clause also clarifies that this usually collects non-identifying personal information:

Trello Privacy Policy: How we collect information through service use

Information provided directly by users could seem self-explanatory. After all, many businesses request names, email addresses, user names, and payment information.

Trello explains that it requires this information and that failing to provide it could mean limited access to the app. Trello's Privacy Policy also indicates that data may be used to verify accounts; however, permission from the user is secured first:

Trello Privacy Policy: Information is provided directly

Clause 3: What you do with collected information

Explaining why you collect data and what you do with it also provides additional liability relief. Depending on your business, you may have several purposes for collecting information from users.

The "What we're doing with the collected information" section is best written in detail since you do not want to be accused of using personal data inappropriately.

SurveyMonkey explains the 9 uses for the data it collects. These are listed in detail in SurveyMonkey's Privacy Policy:

SurveyMonkey Privacy Policy: How does SurveyMonkey use information collected

Clause 4: Cookies policy

When a website or a mobile app uses cookies frequently, it's a good idea to have a separate Cookies Policy.

In many cases, it's appropriate to include these provisions related to your Cookies Policy in the Privacy Policy agreement too.

Trello does not have a separate "Cookies Policy", but in its section on collecting information, it mentions cookies. It explains that cookies help with analytical data and that users have the option to refuse them (though refusing them may keep Trello from working properly).

Trello Privacy Policy: Cookies references

Kissmetrics dedicates an entire section to cookies in its Privacy Policy. It starts by explaining how cookies work and how the Kissmetrics app benefits from using cookies.

Kissmetrics Privacy Policy: Use of Cookies

The Privacy Policy of Kissmetrics also informs users about the option to refuse cookies before accessing the app. However, much like with Trello, this has the effect of limiting the scope of the app for users who make that decision:

Kissmetrics Privacy Policy: Refuse cookies

It's important that you cover cookies in your Privacy Policy or in a separate policy. The EU Cookies Directive, for example, requires disclosures on cookies for any EU-based company or any foreign company interacting with EU citizens.

Clause 5: Third party access to information

Advertisers, analytics apps, and social networking apps (Facebook, Twitter) are third parties who may access the collected data or collect data through your website or mobile app.

When you integrate these third parties on your website or app, you need to cover access to data by these third parties in your Privacy Policy.

Generally, the Privacy Policies of these parties control how they handle your users' information. But you still need to mention them in your Privacy Policy so users are informed that you allow this access.

You need to address third party use in your Privacy Policy even if the third parties have their own privacy practices and their own agreements.

AOL addresses this for advertisers and also for third parties that help the AOL website function:

AOL Privacy Policy: Third party access

Clause 6: Dispute resolution

Unlike Terms & Conditions, Privacy Policies do not normally contain provisions on governing law.

That said, privacy is often a contentious issue and disputes can arise. For that reason, "Governing Law" provisions are replaced with clauses regarding dispute resolution.

Dropbox includes provisions for dispute resolution in its Privacy Policy:

Dropbox Privacy Policy: Dispute resolution section

Clause 7: Business transfer clause

If your company merges with another or is acquired by a larger entity, your users will likely feel concerned about the continued handling of their information.

You can protect yourself from liability and offer reassurance by adding a "Business Transfer" clause to your Privacy Policy.

A "Business Transfer" clause merely states that users' data will be protected as it was before under the previous Privacy Policy. Even if you don't anticipate a sale or transfer, markets can change quickly and you never know when selling your business may become a possibility.

Even Twitter covers this ground in its Privacy Policy.

Twitter Privacy Policy: Business Transfer section

Clause 8: Changes to Privacy Policy

If your Privacy Policy changes, you must announce those changes to your users.

You can describe in the agreement the method you choose for notifying your users about changes.

Twitter addresses this at the end of its Privacy Policy. Twitter indicates that change announcements are done through email and its own feed:

Twitter Privacy Policy: Changes and announcements

When you choose a method to inform users about Privacy Policy changes, choose one that works for you. It's important to only mention methods you plan to use.

Clause 9: Email marketing

Due to anti-spam laws in several nations, such as CAN-SPAM in the US, you need to be careful about sending users unwanted email.

Microsoft includes a section to comply with CAN-SPAM in its "Privacy Statement":

Microsoft Privacy Statement: Email marketing opt-out

When you include a section like this in your Privacy Policy, you can also provide a link to the opt-out page. You also need to provide this opt-out link in your emails so users have the option to opt out of every email you send.

Clause 10: COPPA compliance

The Child Online Privacy Protection Act (COPPA) is a U.S. law that places additional requirements on web service providers who cater to children. COPPA applies to children under 13 who live in the U.S.

Websites or apps that are only available to adults or those over 13 generally state that they have no intention of collecting information from those under 13.

Instagram offers a good example of this in its Privacy Policy:

Instagram Privacy Policy: Children Privacy under COPPA

If your website or app is for children under 13, you need to take a completely different approach to your privacy practices and Privacy Policy.

The Public Broadcasting Service (PBS) runs a "PBS Kids" page designed for children. A detailed COPPA page explains that data is only collected with the consent of parents or guardians and that extra protections are put in place:

PBS Kids: COPPA Privacy page

You can mention that you don't collect data from the 13-and-under users or adapt your Privacy Policy to be COPPA compliant.

Clause 11: Data retention

Users can delete their accounts with you or you may act on your Terms & Conditions and deny access to a user who violated your rules.

This issue of deleting or suspending user accounts must also be addressed in the Privacy Policy. This content is found in a "Data Retention" clause like this one from Match.com in its "Privacy Statement":

Match.com: Privacy Statement and Data Retention

The normal course of action is to retain personal information only as long as necessary and to destroy it at the end of that period, but compliance requirements may compel you to keep it longer.

Clause 12: Contact information

Every Privacy Policy also needs a section letting users know how to get answers to questions about matters related to their data privacy.

Large companies can generally afford separate departments for these inquiries, especially if the company takes a Privacy by Design approach.

Facebook guides users to an easy-to-read Privacy Basics page and also includes email and mailing addresses for questions. There's a separate contact information section based on where users live:

Facebook Privacy Policy: Contact Facebook
