Definition

privacy policy

Gavin Wright

By

Gavin Wright

What is a privacy policy?

A privacy policy is a legal document that explains how an organization handles any customer, client or employee information gathered in its operations. It will include how data is collected, stored, used, shared and protected and the user's rights in connection to the data. It is required by law in the European Union, the State of California and other jurisdictions.

A privacy policy might be required for privacy compliance.

A privacy policy should specify any personally identifiable information (PII) that is gathered, such as name, address and credit card number, as well as other information like order history, browsing habits, uploads and downloads. The policy should also explain if data can be left on a user's computer, such as cookies. The policy should disclose if data can be shared with or sold to third parties and if so, what the purpose is.

For simple privacy policies, the first statement found in an online privacy policy is one to the effect that, by visiting the webpage (which you are doing if you're reading the policy), you agree to the details of the site's privacy policy. Some jurisdictions now require that the consumer give active consent, meaning that this type of clause is no longer binding.

Many sites now use a clickwrap (click through) agreement to prove user agreement to a privacy policy. These are much more defensible in court than policies that rely on passive agreement, such as by simply using a site. Clickwrap agreements often pop up at the bottom of a site with an accept or reject prompt. Adding a checkbox affirming that the consumer read and understood the terms of the privacy policy can further protect the organization. The date, time and identifying information of the acceptance should be tracked.

Sources of customer personal data diagram — A privacy policy includes how personal data is collected, stored, used, shared and protected.

Privacy policy and cookie policy

A privacy policy covers all aspects of how a service collects and uses consumer data. A cookie policy only applies to website cookies, which can be used for consumer identification. It is now common for a service's privacy policy to also contain a cookie policy. These can be separate documents in some cases though.

What should a privacy policy include?

Privacy policies need to be written in simple-to-understand language. They should not use complicated legal terms and jargon. Most privacy policies are written and enforced in English, even if it is not the official language of the country. It is good practice though to provide high-quality translations of a privacy policy in every language in which a service is used.

A privacy policy should include the following information:

Types of data collected -- name, date of birth, location, etc.
How data is collected -- user entry, cookies, etc.
How the data will be used -- marketing, usability, service functionality, etc.
If the data will be shared or sold -- third-parties, partners, etc.
How the data will be stored and protected -- service locality, encryption, etc.
How to opt out and request deletion, including how to file requests and privacy questions.
Date the policy comes into effect.
Contact information for privacy-related requests.
Other information that might be required according to the consumer's jurisdiction.

Privacy policy jurisdictions and enforcement

The United States currently has no federal laws that directly require or enforce privacy policies. The FTC (Federal Trade Commission) is promoting industry self-regulation and enforcement of current laws. Current U.S. laws mainly protect medical personal health information with HIPAA and children's privacy with COPPA (Children's Online Privacy Protection Act).

Several U.S. states have enacted laws protecting consumers' digital privacy. California has passed several such laws, such as the California Consumer Privacy Act (CCPA).

The European Union has passed many consumer data privacy laws. The most notable being the General Data Protection Regulation (GDPR). This protects all EU citizens, even if the business is not located in the EU. It strictly defines how companies collect and store data and includes fines for non-compliance.

Other countries including Australia, Canada and India have laws that might require a privacy policy.

Even though they are not required for every country, it is now best practice for every service to have a public privacy policy to cover consumers in jurisdictions that require them. Privacy policies might include language to cover specific requirements of some of these laws and have sections dedicated to each of them.

Check out the top 10 customer data privacy best practices and how data anonymization best practices protect sensitive data. See how to use a data privacy framework to keep your information secure and overcome GDPR compliance challenges. Explore privacy controls to meet CCPA compliance requirements and how to comply with the CCPA.

This was last updated in November 2023

Continue Reading About privacy policy

Business benefits of data protection and GDPR compliance

Enterprise database security best practices

How to secure data at rest, in use and in motion

How to create a data security policy, with template

The intersection of privacy by design and privacy engineering

Search Networking

What is network traffic?
Network traffic is the amount of data that moves across a network during any given time.
What is network availability?
Network availability is how long a network system is in uptime over a specific time interval.
What is NFV MANO (network functions virtualization management and orchestration)?
NFV MANO (network functions virtualization management and orchestration), or just MANO, is an architectural framework used to ...

Search Security

What is risk exposure in business?
Risk exposure is the quantified potential loss from currently underway or planned business activities.
What is ransomware? Definition and complete guide
Ransomware is malware that locks and encrypts a victim's data, files, devices or systems, rendering them inaccessible and ...
What is crypto ransomware? How cryptocurrency aids attackers
Crypto ransomware is a form of ransomware that uses cryptography to encrypt computer files so that the victim cannot access them....

Search CIO

What is a quantum engineer?
Quantum engineering is a technological field that focuses on the principles of quantum physics.
What is business transformation?
Business transformation refers to fundamental changes in an organization’s operations, strategy or structure to improve ...
What is quantum machine learning? How it works
Quantum machine learning (QML), also called quantum-enhanced machine learning, blends the computing power of quantum systems with...

Search HRSoftware

What is talent management? Definition, basics and strategy
Talent management is a strategic approach organizations use to attract, develop, retain, and optimize employees.
What is employee experience?
Employee experience is a worker's perception of the organization they work for during their tenure.
What are performance appraisals? A how-to guide for managers
A performance appraisal is the structured practice of regularly reviewing an employee's job performance.

Search Customer Experience

What are customer service and support?
Customer service is the support organizations offer to customers before, during and after purchasing a product or service.
What is quality of experience (QoE or QoX)?
Quality of experience (QoE or QoX) is a measure of the overall level of a customer's satisfaction and experience with a product ...
What is voice of the customer? A guide to VOC Strategy
Voice of the customer (VOC) is the component of customer experience (CX) that focuses on customer needs, wants, expectations and ...

Close