Privacy policy template – a definitive guide for SMEs

Posted on November 3, 2020
Posted by Frankie Mundy

When your business collects personal information about people using its website or app, data protection laws apply. Your data protection obligations include telling your users what information you are collecting about them, and what you will do with it. A good privacy policy template will help you to do this. If you don’t properly comply with your data protection obligations, you can face serious fines and damage to your business’ reputation. To create your own privacy policy that’s customised to your data processing, use our privacy policy template.


What is a privacy policy template?

When you do anything with an individual’s personal data you must tell them about your business’s use of that data. It is common to set this information out in a privacy policy which is easily accessed through your website. You can use our privacy policy template to get started.


Do I need a privacy policy on my website or app?

Yes, you are required to provide important notifications to users of your website or app about what you will be doing with their personal data, using a privacy policy (you can tailor our privacy policy template to your own specific requirements). This policy sets out the various legal requirements that you must comply with when you process personal data. These obligations extend to any form of processing, including collecting, recording, storing, using and sharing personal data and will cover almost anything you may be doing with it.

Your data protection obligations do not end with putting a privacy policy on your website. See our guidance on data protection obligations and collecting personal data when selling from a website or app for information on your other key responsibilities.


What should my privacy policy template say?

When you collect personal data, you are legally required to provide certain key privacy information to individuals about how you will use their data. This includes:

  1. what personal data you will collect (and where from if you are not getting it from the individual directly), what you plan to do with the person’s data and your justification for using it;
  2. details about any plans to share the data;
  3. if you plan to keep the data, details about how long you plan to keep it; and
  4. information about individuals’ rights, eg the right to request access to information held about them and to ask for it to be amended or deleted.

See our Q&A on When to use personal data for a full list of the privacy information you need to provide. You must be transparent about the way in which you handle individuals’ personal data and it is common to set out all of the above information in a single privacy policy.

Your privacy policy itself must be clear, concise, easily accessible and written in plain language. You should not use complex and technical language and you should not bury the information among other terms and conditions. Particular care must be taken to ensure that any information addressed to children or vulnerable people is provided in a clear and easily understood way.


What happens if I don’t have a proper privacy policy?

Failure to comply with data protection law can have significant financial and reputational consequences for your business, including, in the worst cases, fines of up to €20 million or 4% of your global annual turnover, whichever is higher. It is therefore important to take your obligations seriously.


Do I need to provide any other information to website users?

Yes, to comply with the law there is other information that you will need to provide to users of your website or app. This includes a cookie policy if you will be using cookies on your site! See our guide on cookie policies for guidance and a customisable template.

To make sure your website has everything it needs, see our Checklist of information to include to ensure your website is legally compliant. You can also use our starting an online business toolkit for access to all of the documents you need to make sure your sales website is legally compliant.


Where to publish your privacy policy template


How do I make my website or app users aware of my privacy policy?

You cannot discharge your legal obligations simply by putting your privacy policy on your website for people to find – you must draw their attention to the relevant parts of it at the time that they give you their personal data.

The ICO recommends you present the information in a variety of ways to make it easier to understand than a big block of text. For example, if you are collecting information through an online order form, the form could explain what each piece of information will be used for as the customer goes through it and provide a link to your full privacy policy (or the relevant part of it) for more detail. Alternatively, you could provide an accessible short summary of the key points in your privacy policy with links to expand on each part to give full information.

The Government recommends that in order to help improve customers’ understanding of privacy information, businesses could consider the following approaches:

  1. using a FAQ format to present key terms, eg ‘What will you use my email address for?’;
  2. illustrating key terms with icons;
  3. providing terms in a text box that the customer can scroll through;
  4. providing certain privacy information when it is most relevant (eg when a customer provides their email address, explain what it will be used for);
  5. using illustrations and comics to explain certain processes;
  6. letting customers know how long it will take to read your privacy and cookie policies; and
  7. telling them when it is their last chance to read it.

Bear in mind that if your website is likely to be accessed by children, you may need to comply with the ICO’s age appropriate design code when providing your privacy information (see below).


If I change how I use the data I collect through my website, do I have to change my privacy policy template?

Yes. If you wish to use personal data for any new purpose that is not currently covered by your privacy information, you will need to update your privacy policy template before doing so and ensure that you proactively bring the change(s) to your users’ attention. Note also that if your new use of the data is not compatible with the original reason you collected it, you will need to get the consent of the people whose data it is to your new use of it, before you can start to use it that way.


How do I know if users are aware of my privacy policy?

The ICO recommends that you carry out user testing across a sample of your customers to find out how they accessed your privacy information, whether it was easily understandable by them, or whether they noticed any errors. The results of the feedback you receive can help you to ensure that your privacy information is achieving its purpose. The ICO also recommends keeping your privacy information under regular review to ensure that it continues to accurately reflect your use of personal data and to analyse complaints from the public about both your use of their personal data and how you explain that use.


Do I need my own privacy policy if I only sell through online marketplaces?

No. If you sell your goods or services through an online marketplace (eg Amazon or eBay), then you will have signed up to that website’s privacy policy and you do not need your own; see Online marketplace versus own website for further information about selling in this way.


Will Brexit affect my privacy policy?

Following the UK’s exit from the EU on 31 January 2020, we are in a transition period until 31 December 2020 during which the EU and the UK are negotiating their future relationship. During this period, there are no immediate changes to data protection law in the UK and you should comply with the current GDPR requirements regarding privacy and cookie policies.

During the transition period, you should review your privacy policy template to identify any references to the EU or EU law so that your business is prepared to make any changes required when the transition period ends. You should also review any provisions about sharing personal data outside the UK (either to the EEA or countries outside the EEA); see Sharing personal data inside and outside the EEA for further guidance. For further guidance about how Brexit will affect your data protection obligations, see Data protection obligations.


Privacy policy templates and children


What are the rules about privacy policies and children?

If your website is used by children, you may need to consider the Age Appropriate Design Code (or Children’s Code). This is a statutory code of practice that is relevant to ‘information society services which are likely to be accessed by children’. This means that it can apply to you even if your service was not specifically designed to be used by children and covers most online services, including websites selling goods or services, games, apps, online marketplaces, streaming or other content services etc.

It came into force on 2 September 2020, giving businesses 12 months to comply. Although the Code is not technically law, the Information Commissioner must take compliance with the code into account when considering whether a business has breached its data protection obligations.


What do I need to do if my website is likely to be used by children?

If your website or app provides online products or services which are likely to be used by children (ie under-18s) in the UK and it processes their personal data, you should comply with the Age Appropriate Design Code, or the ‘Children’s Code’.

The Code contains 15 flexible standards which set out what measures websites and apps need to put in place to ensure that children’s personal data is safeguarded. These include:

  1. putting the best interests of the child first when designing and developing your website;
  2. doing a data protection impact assessment;
  3. making sure children have high privacy settings by default;
  4. ensuring that privacy information is age appropriate;
  5. providing children with age appropriate tools to help them to exercise their data protection rights; and
  6. putting appropriate policies and procedures in place.

See our guide on privacy and children for more information about how to comply with these standards.


How should I provide privacy information to children who use my website or app?

In addition to your general obligations (see above), if you process children’s personal data on your website or app, you must provide them with privacy information in a way in which they can understand it. This requirement is reinforced in the Age Appropriate Design Code, which you will need to comply with if your website or app provides online products or services which are likely to be used by children. If your business falls within the scope of the Code, the ICO has recommended a number of steps that you should take when providing privacy information to children. These include:

  1. providing privacy information in a clear and prominent place and presenting it in a child friendly way (eg using pictures, symbols or interactive content);
  2. providing ‘bite-size’ explanations at the point at which children give you their personal data or at other appropriate times. You might also suggest that they check with an adult before proceeding, depending on their age range;
  3. making sure you use child-friendly explanations alongside any legal language; and
  4. considering how you can tailor the information to the age of your users (ie will one set of privacy information work for everyone or do you need to consider different developmental needs?). For example, if your service is likely to be accessed by very young children, you are more likely to need to rely on parental support and to encourage children to check with a trusted adult before proceeding.

Equally, if you provide parental controls on your website or app, you must give children age appropriate information about this (eg by providing them with an obvious sign that they are being monitored). The ICO also recommends that you provide the parents with information about their child’s right to privacy.


What else do I need to comply with data protection law?

When your business is processing personal data, your legal obligations extend beyond having a privacy policy on your website or app. To find out more and to get access to template GDPR policies you can customise for your business, check out our GDPR policy guide.


The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.