What Goes in a Privacy Policy?


Your privacy policy is the larger document into which your TrueVault privacy notices should be placed. It may be governed by laws that are outside the scope of our product, such as COPPA (if your business processes children’s data), CalOPPA, and California’s Shine the Light Law.

Here is a quick overview of the types of information a typical privacy policy should include, along with links to privacy policies from other businesses to see what this looks like in real life.


  1. Information About Your Business
  2. Effective Date of the Privacy Policy and Notification Process
  3. Categories of Personal Information & Data Recipients
  4. Do Not Track Notice
  5. Shine the Light Disclosure
  6. Cookie Disclosure
  7. Vendor-Required Disclosures

1. Information About Your Business

A privacy policy should identify the business, provide contact information, and define the scope of the policy (e.g., it covers information collected when consumers visit your site and/or purchase your products).

Examples:

panasonic.com

2. The Effective Date of the Privacy Policy and Notification Process for Policy Changes

Post the date when the privacy policy was last updated. Also, let visitors know how they can stay aware of policy changes. Most businesses take a minimal approach to this second requirement, simply letting visitors know that they may make changes, after which they will update the effective date and perhaps post a notice on their website.

Examples:

Constantcontact.com

3. Categories of Personal Information Collected and Categories of Third Parties

Give users a clear understanding of what’s being collected and how it is subsequently used. This information should be available in your data map.

Examples:

Gm.com

4. Do Not Track Notice

Do Not Track (DNT) was a proposed web standard first introduced in 2009, which would allow users to indicate that they do not wish their browsing activity to be tracked. DNT never gained much support and has essentially been abandoned. However, California’s privacy policy law, CalOPPA, requires businesses to disclose how they respond to DNT signals, leading to boilerplate language in many privacy policies explaining that the business does not respond to these signals.

Examples:

Shakeshack.com

5. Shine the Light Disclosure

California’s Shine the Light law requires businesses to make certain disclosures upon request if they have disclosed consumers’ personal information to third parties who used the data for their own marketing purposes. Specifically, businesses must tell requestors the categories of personal information they disclosed for those purposes, and the names and addresses of the third parties. In their privacy policy, businesses must provide some way of making the request, such as a mailing address, email address, or online form.

Examples:

Target.com

6. Cookie Disclosure

Under CalOPPA, businesses must disclose whether they collect personally identifiable information “over time and across different Web sites.” This is typically accomplished via cookies, tracking pixels, and other similar technologies. Many businesses choose to provide more detailed information on the functioning of cookies and how users may exercise privacy choices, such as through browser settings and using third-party opt-out sites.

Examples:

Nike.com

7. Vendor-Required Disclosures

Some vendors (Google Analytics, for example) require businesses to include certain disclosures in their privacy policies.

Examples:

Microcenter.com