Sample Privacy Policy Template and Examples

Privacy is a fundamental right and has become a hot topic with the rise of the digital age, with people knowingly, and sometimes unknowingly, sharing a large quantity of personal information online.

Regulating privacy is a challenge, with new websites popping up every day and customers located all over the globe, where privacy laws may vary from country to country.

As a website owner that collects personal information, you need to do your part by having a detailed and easily accessible privacy policy. This article will guide you through this seemingly complex topic.

You’ll learn the best practices for creating trust and transparency with your customers and find examples of how other businesses get compliant with the laws. We also put together a free privacy policy template you may download and use as a starting point when writing your own.

PRO TIP: Don’t waste your time and take the guesswork out of the legal jargon with this personalized privacy policy generator trusted by over 150,000 businesses.

What is a Privacy Policy?

A privacy policy is a document contained on a website that explains how a website or organization will collect, store, protect, and utilize personal information provided by its users.

The exact definition of personal information will vary depending on the piece of legislation but, generally, the following are included:

  • Names
  • Dates of birth
  • Addresses (postal and email)
  • Payment details (credit card numbers)
  • Location (IP address, geolocalization)
  • Social Insurance Numbers

In addition to outlining how the company will use the information, it also includes how it will meet its legal obligations, and how those sharing their data can seek recourse should the company fail to meet those responsibilities.

Is Privacy Policy Required by Law?

Yes, a privacy policy is required for your website by law in most countries. The specifics and clauses that should be in the policy will be different depending on many factors such as your location, your target audience, etc.

Some of the most notable privacy laws include the following:

European Union

The European Union is known for having some of the strictest privacy laws in the world. The cornerstone of privacy legislation, the General Data Protection Regulation (GDPR) provides detailed information in articles 12, 13, and 14 in regard to privacy policies and the importance of facilitating the exercise of the rights that your users have over their data.

Wherever your company is located, if you operate in Europe or process the personal information of users located in Europe, you will need to comply with the GDPR and thus have a privacy policy that is easy to understand and access. You must also ensure that you have your users’ unambiguous and affirmative consent before you start collecting any personal information.

To be found GDPR-compliant, a privacy policy must contain some very specific elements. Unlike some other privacy laws, the GDPR is actively being enforced and the stakes are high for businesses that choose not to comply, with hefty fines in the millions of dollars.

California, USA

While there is, to date, no privacy legislation at the federal level in the United States, the state of California has enacted its own in order to protect its constituents’ privacy.

The California Online Privacy Protection Act (CalOPPA) provides that any commercial website that collects or uses personal information from Californian residents must have a conspicuously placed privacy policy that details how it is collected, used, and shared.

In addition, the California Consumer Privacy Act (CCPA) came into force in 2020 to supplement the CalOPPA. While its scope of application is more limited – as it is notably targeted to businesses that either have annual gross revenue of more than $25 million, make at least half of their revenue selling personal data of its users, or that sell, buy, share or receive personal information from at least 50,000 households, consumers or devices annually – it should still be taken into consideration.

This piece of legislation encourages transparency and notably requires that businesses serve users with a notice at collection, at or before the time they start collecting personal information. That notice at collection should link to a privacy policy that is updated at least every year and should offer the option to opt out.

Australia

Australia regulates how businesses should handle personal information through its Privacy Act of 1988.

Organizations that need to comply with the Australian Privacy Principles (generally, businesses with an annual turnover of more than $3 million, although some smaller organizations must also comply, such as those that buy or sell personal information or provide health services; consult a lawyer to be sure) must have an up-to-date and clearly expressed privacy policy that is available free of charge, in an appropriate format, and that contains all the information required under this Act.

Other Countries

These examples are solely used to show you what some countries across the globe require when it comes to collecting personal information from their residents but many other privacy laws and regulations exist and they each have their own particularities.

It is imperative that you make sure you are complying with the sets of laws and regulations applicable to your website before you start collecting and processing any kind of personal information.

Why Does Your Website Need a Privacy Policy?

Besides being required by law, there are some other reasons to have a privacy policy on your website. Some of these reasons include the following:

It’s Required by Third-Party Services

You may not be aware of this, but most of the third-party services commonly used on websites require that you have a valid privacy policy in place in order to comply with their terms of service.

If you are using Google AdSense or Google Analytics, for example, you must have a privacy policy that includes all the information that they require (including a clause regarding your use of cookies). Failure to do so means violating their terms, which could lead to you not being able to use their services.

It Helps You be Transparent

Having a privacy policy is also essential from a business perspective in order to be transparent with your website visitors and build a relationship of trust, especially since people increasingly value their privacy.

A website that does not inform its users that it collects data or that hides its policy may look untrustworthy – don’t let this be the reason why you lose business to your competitor.

What are the Penalties for Non-compliance?

As mentioned, businesses and online pages are required by law to provide and display a privacy policy on their web pages. Otherwise, they might face legal consequences for not doing so. Depending on where you live, there are different types of ramifications that come with not following the rules set for privacy laws.

To help you understand how important complying with such laws is, here are some of the penalties that come with non-compliance that you should be aware of:

CalOPPA (USA)

The California Online Privacy Protection Act seeks to oversee the collection of data and private information in the United States. Violations will incur a penalty of $2,500 each.

General Data Protection Regulation (EU)

Failure to comply with this will result in two tiers of fines. The first tier will have you surrender 2% of your company’s annual turnover or 10 Million Euros, whichever is higher.

For a tier 2 violation, you’ll have to surrender 4% of your company’s annual turnover or 20 Million Euros, whichever is higher. In both cases, you’ll definitely lose out financially if you fail to comply with this law.

EU Cookies Directive

The penalty for violating this law includes monetary fines that can reach up to £500,000. Lesser penalties include notices and enforcement actions being sent to your company to alert you of your violation.

PIPEDA, Canada

The Personal Information Protection and Electronic Documents Act is pretty straightforward, but the fines that come with this are not cheap. Companies that knowingly breach PIPEDA requirements can be fined up to $100,000 for each violation.

As a responsible business, you should comply with data privacy acts religiously to avoid hefty fines from governments. Read up more on your local data privacy laws now to make sure that your privacy policy is in line with the standards of your local laws.

What to Include in Your Privacy Policy?

What you should include in your privacy policy will depend on the nature of your business, where you operate and where your customers are located, the laws applicable to you, and the third-party services that you use.

However, some terms are fairly standard and can be found in most privacy policies.

Personal Information

Logically, your privacy policy should start by telling your users exactly what types of personal data you wish to collect, whether directly, indirectly, or automatically. From names to locations and from phone numbers to email addresses, list it all out.

If you are collecting data that you consider essential for your users to be able to use your website, mention it so that they can make an informed decision in regards to what information, if any, they wish to share with you.

Collection Process

You should be transparent and explain how you intend to collect personal data from your users. If you are collecting usage data, tracking geographical location, or using any third-party services, for advertising and retargeting purposes, for example, you should mention it, as your users may not realize that you are collecting data in the background.

Usage

At this point, your users know that you will be collecting their personal information but what will you be doing with it?

This is probably the most important section of your privacy policy, as using this data to offer a better and more customized experience on your website is different from selling that data to third parties. If you have European users, this is also where you would specify the legal basis for the collection.

If you are operating an eCommerce website, for example, you should specify that personal information will be used to process payments and ship products to customers. In that case, there is a good chance that their personal information may be processed by a third party: an online payment processing service provider or your shipping partner, for example. This should all be disclosed to your customers.

Security

You should let your users know how you intend to protect their personal information from unauthorized access, which you could do by explaining your processes and where the information is stored.

You may wish to include a statement that confirms that, while you use your best efforts to safeguard your users’ data, you cannot guarantee that your website will not be subject to malware or unauthorized access and that there is always a risk when storing and sharing personal information.

Storage & Sharing

Your users should know where you will be storing their data, for how long it will be retained, and if it will be transferred internationally (this could be the case if your servers are located abroad, for example).

Along the same lines, you should be transparent about whom you share the user data that you have collected with and for what purpose. If you use analytics or advertising services, for example, you should make this clear and link to these third-party companies’ respective privacy policies.

There are many other types of third parties – affiliate companies, social media networks, and service providers – make sure that you consider all of them before writing your privacy policy.

Cookies

If you are using cookies, you should disclose it in your privacy policy and include a link to the page on your website where your cookie policy is hosted. Your users should be given the option to opt out. You may wish to explain how their user experience may be affected if they do.

Opting Out & Data Subject Rights

You should explain that sharing personal information is not mandatory and that users can limit what they share, opt out, or revoke their consent at any time. If this would affect their experience with your product or website, then you may wish to explain how.

This section should detail all the rights that users hold over their data, which can be country- or region-specific. Under the GDPR, for example, users have the right to request a copy of all the data that has been collected about them.

Contact Information

You should encourage your website visitors to contact you should they have any questions or concerns in regard to your privacy policy. Include your email address, street address, and phone number, along with the contact details of your data protection officer if your website is subject to the GDPR.

And more

Depending on the nature of your business, you may need to add some additional terms to your privacy policy. You will want to study applicable laws as well as the terms and conditions of all the third-party services that you use, as some require that you have specific clauses in your policy.

You should regularly examine and update your privacy policy to comply with ever-evolving privacy laws and take into account any changes on your website. Let your users know by sending notices and requesting fresh consent when any significant changes are made to your policy.

Where to Display Your Privacy Policy?

Your privacy policy should not be hidden in the legal section of your website. Your website visitors must know that it exists and thus it should be conspicuous and hard to miss. For example, this is how it’s done by Google:

Screenshot of the Google homepage with a red box around the "Privacy Policy" link in the Google.com footer.

In addition to including a link to it in your website footer, it is good practice to remind your users that it exists at various steps in their journey.

You could, for example, mention it and request their acceptance when they first create an account on your website and again during the checkout process, if you operate a transactional website.

Register sign-up form with "privacy policy" highlighted in red below the form.

Having a checkbox that needs to be ticked to confirm that they have read and agree to your terms and conditions as well as your privacy policy is good practice, as this will ensure that you have their consent and can retain evidence of such.

You should also be mentioning and linking to your privacy policy in your terms and conditions and cookie policy so that your users are given as many chances as possible to review and accept your privacy practices.

Privacy Policy Examples You Can Learn From

Here are some privacy policy examples from different industries and website types to give you a better idea of what kind of clauses your own privacy policy has to include.

Robinhood

Commission-free trading platform Robinhood needs to have a strong privacy policy in place, as it collects a lot of personal information from its users: from names to banking details, and addresses to social security numbers, the stakes are high.

The company refers to its privacy policy in its website footer:

Robinhood's website footer on black background.

In addition to the typical information that a financial institution needs to collect from its customers in order to allow them to trade securities, Robinhood warns its users that some personal information is automatically collected, including through the use of cookies.

That information includes location data, notably for fraud prevention purposes, and usage and device data in order to provide a better user experience and to aid in the targeted advertising of its services on other platforms.

"Personal Information Collected Automatically" clause in Robinhood's Privacy Policy on white background.

Robinhood also warns its customers that it obtains personal information from other sources and third parties, which it combines with the data that it has already collected from its users. In other words, this gives the company a pretty good portrait of its customers:

"Personal Information from Other Sources and Third Parties" clause in Robinhood's Privacy Policy on white background.

The company goes on to explain how it uses that information using easy-to-read bullet points and specifies under which circumstances it would share personal data with third parties, all while specifying that it does not sell or rent personal information.

Typical of a standard privacy policy, it lets users know that it allows third-party online advertisers, social media companies, and other service providers to collect information so that they may deliver targeted advertising and reporting, attribution, analytics, and market research services. It links to the companies’ respective privacy policies (Google Analytics).

Keeping in mind that this company only operates in the United States, this is a good example of a privacy policy that has been tailored for a business that operates in a very regulated and specific industry, namely financial services.

Airbnb

Holiday rental platform Airbnb operates all over the globe and has customers located in various jurisdictions.

Its privacy policy can be found in the Help Center and can be accessed through a hyperlink in its website footer:

Airbnb's website footer links in gray highlight and white background.

Potential website users are also warned during the sign-up process that creating an account involves agreeing with Airbnb’s privacy policy and terms of service:

Airbnb's sign up form on white background with red "Agree and continue" button.

Its privacy policy itself is fairly straight-to-the-point. Unsurprisingly, Airbnb collects a large quantity of information from its users in order to be able to provide its services. This includes names, phone numbers, postal addresses, email addresses, dates of birth, profile photos, photos of government-issued IDs, and payment information – and this is only the basic information required in order to be able to use the platform.

How Airbnb shares personal data is very specific to the nature of its business. Indeed, the policy states that information may be shared between members of the platform in order to facilitate booking and interactions.

"Sharing Between Members" clause in Airbnb's Privacy Policy on white background.

This makes sense, as it is essential for hosts and guests to be able to coordinate their bookings – but it is also a good example of why you cannot simply copy and paste another website’s privacy policy, as it may well not be applicable to yours.

Airbnb is transparent about how users can exercise their data subject rights and facilitates the process of submitting a request by having a dedicated page on its website, which is linked in the privacy policy.

If you are a US-based company with affiliates and customers across the globe, have a look at how Airbnb has structured its privacy policy – especially for its international users – as it manages to take into account various complex global privacy laws requirements and make it readable and understandable.

Wayfair

Online furniture retailer Wayfair operates one of the biggest eCommerce websites on the Internet, shipping furniture to customers across the United States and internationally.

Reference to its privacy policy appears in its website footer, with a link to a separate, dedicated page:

Wayfair's website footer on white background.

Customers are also reminded of its existence during the checkout process as they are warned that by placing an order, they are agreeing to both the Wayfair privacy policy and terms of use:

"Cart Summary" item checkout details on white background.

The privacy policy itself is fairly standard and includes the following main sections:

  • Scope of application
  • Information collected and how it is used
  • Information automatically collected by using the website or application
  • Information collected from third parties (linked social media accounts, for example)
  • Sharing of information
  • Cookie policy
  • Direct marketing and behavioral advertising practices
  • Security measures
  • Data storage
  • Children’s privacy
  • Information specific to California residents and visitors from outside of the United States
  • Changes to the privacy policy
  • Contact information

"Information We Collect and How We Use Your Information" clause in Wayfair Privacy Policy on white background.

The company includes a statement in its privacy policy in which it addresses the security measures used to protect its customers’ personal information, all the while encouraging them to take reasonable measures to protect their passwords and prevent unauthorized access to their accounts.

"Our Security Measures" clause in Wayfair Privacy Policy on white background.

It also warns customers that changes to the policy may be made periodically and as needed, with customers given notice of significant changes that could affect their information through the website, app, or by email.

"Changes to this Privacy Policy" clause in Wayfair Privacy Policy on white background.

Wayfair hosts its privacy policy and its terms of use on the same page, which makes it easy for the customer to read them together or one after the other – after all, acceptance of both is implied when placing an order on their website.

Sample Website Privacy Policy Template

Creating your own privacy policy may be intimidating for most people, especially when it’s so easy to make mistakes. To simplify this task for you, we put together this website privacy policy template you may use as a starting point.

Feel free to download it in your preferred format and personalize it to suit your needs. Don’t forget to add any clauses that may be required depending on where you’re located, your audience, and other factors discussed in this article.

Sample website privacy policy template

How to Easily Create a Privacy Policy for Your Website?

If you’re getting stressed just by trying to read legal documents let alone writing one, consider using our professional generator to create a compliant privacy policy for your website without breaking a sweat.

It’ll automatically put together all the required elements based on your needs and requirements and keep it up to date with the ever-changing laws so you won’t have to worry about it yourself.

Create a Privacy Policy using WebsitePolicies

Take the guesswork out of the legal jargon with our smart generators & create a privacy policy personalized to your needs in minutes. Here’s how:

Step 1: Navigate to the privacy policy generator.

Step 2: Answer some questions about your business and how you operate.

Smart legal policy generator preview

Step 3: Create an account and publish or copy your personalized privacy policy.

Drafted & backed by attorneys. Trusted by 150K+ businesses.
Article by Olivia Adams

Olivia is an experienced data privacy compliance consultant with years of experience. Throughout her career, she helped hundreds of small to mid-size businesses with comprehensive advice on compliance with privacy laws.