For many, the small print on websites is often ignored. But for a privacy pro or anyone interested in how their data is being used, the small print matters most.

As Siteimprove’s general counsel, the first place I go when I’m vetting a data-processing vendor is their privacy policy. And thanks to highly publicized game-changers like the GDPR, website owners will probably see more and more visitors reading their website privacy policies.

In the past few months, many companies have gone from outdated and misinformed privacy policies to ones that present an actual understanding of data privacy and the GDPR. (You’ve probably seen the flood of privacy policy updates hitting your own inbox.) No matter your organization or where it’s based, it’s never too early to get a revised privacy policy up on your website.

So, what is it that I’m looking for when I go through these policies? And how can you get your privacy policy as up-to-date and transparent as possible?

When writing your own, keep the classic journalistic approach in mind: who, what, where, why, and how.

But first, there are a few major takeaways I’d like to point out:

  • Look how similar companies structure their privacy policies, but never copy/paste—it’s a fact-intensive document and won’t necessarily apply 100% to you (think third-party processors).
  • Keep it updated! If you haven’t updated your policy since 2017, privacy-savvy companies and visitors won’t want to work with you. Plan to update your privacy policies once a year at the bare minimum, and always update as soon as possible with a substantive change.
  • Cookie notices are hugely important, and will only become more important when the EU’s ePrivacy Regulation finally enters full force. In fact, they deserve their own attention on your website, so this blog post does not go into the how-to’s of a cookie notice. Check out Siteimprove’s cookie notice for quick inspiration.

Download Privacy Policy Template

What to Include in Your Website Privacy Policy

Here are six things I look for in a good website privacy policy:

  1. First, I want to see a date that is 2017 or 2018. Anything older tells me that the organization isn’t on top of data privacy obligations. I won’t completely shut down the possibility of working with them, but I will question their integrity if they say things like “data privacy is really important to us,” but their privacy policy was last updated more than 18 months ago.

  2. Next, a contact email. The GDPR gives data subjects the right to know who has their data and what they’re doing with it. If I need to scour a website to find an email address just to ask a question, then I wonder whether the people behind the website understand their obligations.

  3. A main reason your website visitors will visit your privacy policy is to know why and how you’re collecting and processing their personal data. If that information isn’t there, then I know an organization has missed the mark. I recommend breaking it down by the types of data subjects you’re targeting. For reference, in Siteimprove’s website privacy policy we break it down by:
    • Website visitors
    • Prospective customers
    • Job applicants
    • Vendors

  4. Like us at Siteimprove - or any B2B or B2C organization - you probably rely on third-party processors for things like marketing efforts, talent acquisition, payment processing, etc. After you break down your data subject types above, list all third-party processors in those categories and explain their exact purpose. (Don’t overthink the purpose. A simple description like “marketing contact management system” will do.)

  5. I also want to see something about how the organization treats personal data. If I see “Safe Harbor”, I run fast. Safe Harbor was a US-privacy framework that was invalidated in 2015, so anyone who still lists it is much too outdated. If I see Privacy Shield, that’s a plus. If they also outline their commitment to the GDPR and link to their Data-Processing Agreement, that’s a major plus.

  6. I also want to see that there is some acknowledgement of a data subject’s rights and the process they should follow to exercise those. For example, one of the best-known rights beneath the GDPR is the right to erasure/right to be forgotten. The process should be clear when someone asks you to delete them from your email database and the steps that come after that. A contact email address is simplest, but if you’re anticipating a lot of data subject requests, then consider setting up a form that asks for all the information you need up front.

Making sure your privacy policy clearly covers these bases is a major step in letting the world know that your website and company understand data privacy principles.

Remember that website privacy policies are not one-size-fits-all. However, a customizable privacy policy is a great place to start—and a time-saver for you and your team. Download this free website privacy policy template and get started on yours. 

Download Privacy Policy Template 

Angelo G. Spenillo earned his law degree from Georgetown University Law Center and started his legal career with the United States Justice Department. A lifelong desire to be a rock star prompted him to take a year off from law to record a CD, tour, and spend his days as a manager in a national guitar chain. The need to pay bills prompted his return to the law where he practiced as a litigator in an employment firm, then he spent many years at Thomson Reuters in roles ranging from Account Management to Marketing to Product Development. As a Product Developer, he was part of the team that created Thomson Reuters’ first legal news mobile apps. With his strong interest in technology, Angelo began working as a Solutions Engineer at one of the biggest custom software development companies in Minneapolis. Despite thinking he had left law behind, the combination of technology and his prior legal experiences made him realize that an in-house career was his calling. He convinced the owners to allow him to establish a legal department which he headed for several years. Then in 2015, Angelo was brought on by Siteimprove to provide global support and create a legal department.