- Notice: Tell your readers all of the personal information you’re collecting about them throughout the site.
- Choice: Explain whether the visitor can opt-out of their information being collected and used, and how to do so.
- Access: Provide any links where readers can see the data you’ve collected and correct it if they want to.
- Security: Detail the security measures you have in place to protect any user data you’ve collected.
You don’t need to include an entire section for each of these topics in your policy, but you should try to make sure all of the information is included in some format.
The opening of the policy should also tell the reader what they will learn from it. Insert the name of your service or website wherever you see “(website)” in the text.
- Forms (contact info)
- Login or signup information (names and passwords)
- Ad scripts running on any pages of your site (demographics)
- Cookies (web browsing history)
- Commenting scripts (IP address and location)
- Social media integration (friends and family)
Most blogs, forums, and even larger websites use ad networks, commenting plugins, and other scripts that either directly or indirectly collect information about users.
For example, if your site uses Disqus, commenters typically provide an email address (or sign in with an account). What many users are not aware of (unless you let them know) is that the service also logs the IP address of the computer they’re using to leave a comment on your site.
It’s best to create a separate section for each form of data collection that exists on the site. Describe how that tool collects information and what information it collects.
Tailor the text of each example below to match the information that your own site is collecting.
Most websites today give visitors a link to send an email or a contact form they can fill out to send you a message.
This is a form of personal information that you’re collecting, so disclose this to your visitors with privacy notice text like the following example:
“Some of the services on this website allow you to send us an email. We will use the information you provide, such as email address or phone number, only to respond to your inquiry. Keep in mind that email transmissions are not encrypted by default, so we suggest you do not send sensitive information such as Social Security numbers, credit card numbers, or bank account information via such contact forms.
If such information is required, it will be collected through a web page that clearly states that the page and its transmission of information are secure and encrypted. All electronic messages received from visitors are deleted when no longer needed.”
As you can see, the statement describes exactly what information you’re collecting, and how it will be used.
Third-Party Websites and Applications
Any plugin or service you use to add features to your website may give you access to your visitors’ personal information.
Some examples are commenting services (like Disqus) or social media plug-ins that integrate with a visitor’s social account.
Even if you don’t directly receive that information, if that service lets you log into an account that lets you see or collect that information, you need to disclose that to your visitors.
“(website) uses commenting and social media plug-ins and third-party websites. We use those third-party services to interact with visitors and to build our community on social media. We also use these third-party services to measure the number of visitors to our website, to interact with visitors on the site, and to make our website more useful to visitors.
In such cases, the third-party application may request an email address, username, password, internet protocol (IP) address, and geographic location for account registration or sign-in purposes. (website) does not use those third-party websites or services to collect personal information from individuals. Any personal information collected by the third-party website will not be stored or transmitted by (website). (website) has no control over or access to specific login information or any other sensitive personal information provided to third-party websites.”
Disclosing this also makes your position clear if a third-party service later gets into legal trouble for misusing information, as Facebook did in the Cambridge Analytica scandal: your policy already states that you never stored or transmitted the data that service collected. (It does not make you immune; if you did pull that data into your own systems, you are responsible for it.)
This can also build trust with your readers: even if other websites aren’t good at protecting user privacy, you can still be trusted.
Information for Tracking and Customization (Cookies)
Almost every website online uses some form of analytics or advertising script to measure visitors’ session information.
These scripts collect a good deal of information about the visitor. They rarely identify a visitor by name, but much of what they collect (an IP address, for instance) still counts as personal data under privacy laws such as the GDPR.
“(website) collects and temporarily stores certain information about your visit to help us to better align our content and the website design with your needs. The information these cookies collect includes:
1. The domain you access our website from
2. Your computer’s IP address
3. The date and time you accessed the site
4. The operating system of your computer
5. The browser you’re using to access our site
6. The Uniform Resource Locators (URLs) of the pages you visit on our website
7. Your username, if you’ve logged into the site
8. The URL of site you came from, if you clicked a link there that brought you to our website
We may share this information internally with (website) employees or third-party contractors as needed. This information is used only to improve the website and enhance our visitors’ experience. Raw data logs are retained only temporarily, for site management purposes.”
It’s important (and, in many jurisdictions, legally required) to be transparent about that information and how you use it. To learn more about the “Do Not Track” feature, check out our guide.
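The “Do Not Track” signal and the opt-out you promise in the policy only mean something if your pages actually check for them before loading analytics or ad scripts. The following is an added example, not code from the original article: a small browser-side gate that refuses to inject the analytics tag when the visitor has set the site’s opt-out cookie, the Global Privacy Control signal, or the Do Not Track header. The cookie name `analytics_opt_out` and the script URL `https://analytics.example/tag.js` are assumptions; substitute your own. Note that most sites never honoured Do Not Track and some browsers have dropped the setting, so treat it as one signal among several rather than the whole solution.

```javascript
// Added example (not from the original page): gate tracking scripts behind
// the visitor's stated preferences. OPT_OUT_COOKIE and ANALYTICS_SRC are
// placeholder assumptions.
const OPT_OUT_COOKIE = 'analytics_opt_out';
const ANALYTICS_SRC = 'https://analytics.example/tag.js';

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decide whether tracking scripts may load. `nav` is a navigator-like object
// and `cookieString` is document.cookie. Returns the reason so it can be logged.
function trackingDecision(nav, cookieString) {
  const cookies = parseCookies(cookieString);
  // 1. The site's own opt-out cookie, set by the "opt-out" link in the policy.
  if (cookies[OPT_OUT_COOKIE] === '1') {
    return { allowed: false, reason: 'site opt-out cookie set' };
  }
  // 2. Global Privacy Control (navigator.globalPrivacyControl), the newer
  //    browser signal; treat it as an opt-out.
  if (nav && nav.globalPrivacyControl === true) {
    return { allowed: false, reason: 'Global Privacy Control signal' };
  }
  // 3. Do Not Track: navigator.doNotTrack === '1' means the user asked not to
  //    be tracked ('0' or 'unspecified' otherwise).
  if (nav && nav.doNotTrack === '1') {
    return { allowed: false, reason: 'Do Not Track header set' };
  }
  return { allowed: true, reason: 'no opt-out signal' };
}

// The Set-Cookie value the opt-out link should produce. Secure + SameSite=Lax
// so it is only sent over HTTPS and not on cross-site requests.
function optOutCookie(days) {
  const maxAge = days * 24 * 60 * 60;
  return `${OPT_OUT_COOKIE}=1; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Inject the analytics <script> only when allowed. Browser-only: in any
// environment without a DOM it does nothing and returns false.
function loadAnalyticsIfAllowed() {
  if (typeof document === 'undefined' || typeof navigator === 'undefined') return false;
  const decision = trackingDecision(navigator, document.cookie);
  if (!decision.allowed) return false;
  const s = document.createElement('script');
  s.src = ANALYTICS_SRC;
  s.async = true;
  document.head.appendChild(s);
  return true;
}
```

Call `loadAnalyticsIfAllowed()` from your page instead of hard-coding the analytics `<script>` tag, and have the opt-out link set `document.cookie = optOutCookie(365)`. Because the check runs before the tag is injected, an opted-out visitor never makes the request to the analytics host at all, which is what the policy promises.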
Now that you’ve detailed the information you collect through your website, it’s time to add another section that should put your visitors’ minds at ease.
This is where you detail the security steps you’ve taken to protect your visitors’ information.
Here’s a sample of what that section might look like. Again, replace “(website)” with the name of your own site, and tailor this template text to fit your situation:
“(website) takes the security of your personal information very seriously. We take many precautions to ensure that the information we collect is secure and inaccessible to anyone outside of our organization. These precautions include access controls that limit access to that information to only the internal personnel who require it. We also use a number of security technologies to protect all data stored on our servers and related systems. Our security measures are regularly upgraded and tested to ensure they are effective.
We take the following specific steps to protect your information:
(1) Use internal access controls so only limited personnel have access to your information.
(2) Anyone with access to user information is trained on all relevant security and compliance policies.
(3) Servers that store visitor information are regularly backed up to protect against loss.
(4) All information is secured through modern security technologies such as encrypted connections (TLS, the ‘https’ in your address bar), encryption of stored data, firewalls, and strong password policies.
All access safeguards described above are in place to prevent unauthorized access by outsiders to information stored on or transmitted by our systems.”
The important thing when explaining security to your visitors is that you don’t go into too much detail. Remember, not all of your visitors are tech-savvy. They only need to know the general security measures you’re taking to protect their information. Just as important, only list measures you actually have in place: a privacy policy is a public promise, and describing safeguards you don’t run creates legal exposure if you are ever breached.
The final section covers what options the visitor has to access the information and to opt out of you collecting their information. It also covers filing a complaint if they ever discover you’ve violated your own privacy policy.
All three of these are usually covered by offering visitors an option to contact you via email. You might craft this statement as follows:
“You can do the following at any time by contacting us via the email address or phone number given on our website:
(1) Ask for a list of personal information we have about you, if any.
(2) Request a change, correction, or deletion of your personal information.
(3) Request that we avoid collecting anything in the future (opt-out).
If you do not wish to have cookies stored on your machine, you have the option to turn cookies off in your browser. However, keep in mind that turning off cookies may impact how this website functions, and it will affect how other websites you visit store cookies as well.
Whenever we collect any sensitive information (such as Social Security numbers or credit card information), the information is encrypted and securely transmitted. You can confirm that the connection between your browser and our server is encrypted by looking for the ‘lock’ icon in the browser address bar and checking that the URL starts with ‘https’.”
As you can see, this entire section handles how to access personal information, how to opt out, and how to seek redress if there are any problems.
However, if you prefer to end on a more personal note, you could always add another paragraph welcoming feedback or comments. Also consider providing your physical mailing address.