The ultimate guide to website privacy policies - everything you need to know (including a lawyer-drafted template)
What is a website privacy policy?
A website privacy policy (also known as a privacy notice) is a document that sets out how you collect, use, disclose and manage a customer's or visitor's data when they browse and interact with your website. It tells individuals how and why you collect personal data about them, your legal basis for doing so, who you share their data with and how long you will keep it for.
Why does my business need a website privacy policy?
Legal requirement
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR and a legal requirement under data protection laws.
Under Article 13 of the UK GDPR, organisations are required to provide certain information to individuals when they collect personal data from them. This information should be provided at the time that the personal data is collected, so it is usually provided via a website privacy policy / privacy notice. Failure to comply with this legal requirement could lead to an ICO investigation, monetary fine or claims from data subjects, as well as reputational damage to your business.
Transparency
A website privacy policy demonstrates your commitment to transparency and openness with your website visitors and customers. It informs them about how you collect, use, and protect their personal information, so they know exactly how their personal data will be used.
Using personal data without people's knowledge can introduce potential risks to your business. If individuals do not know how their personal data is being used, they could be subject to discrimination or disadvantage. It also hinders their ability to exercise their rights under data protection laws effectively. Embracing transparency through a clear and comprehensive website privacy policy can protect against these potential risks.
User trust
Being transparent with website visitors and customers through a website privacy policy can help build their trust. A well-drafted website privacy policy can enhance your business's reputation by demonstrating your commitment to protecting your website users' privacy. User trust can be essential for online businesses, and a privacy policy is one way to help build and maintain it.
What should I include in a website privacy policy?
Article 13 of the UK GDPR includes a prescribed list of the information that must be given to individuals. This includes:
Controller details - the identity and the contact details of the controller (which will usually be the website owner for a website privacy policy);
Data protection officer (DPO) - if the company has a DPO, the contact details of the DPO must be included in the website privacy policy;
Purpose and lawful basis - the website privacy policy must set out the intended purposes of the processing of personal data as well as the lawful basis for the processing (and where legitimate interests are relied upon as the lawful basis, details of the specific legitimate interests);
Data sharing - details of the recipients or categories of recipients of the personal data, if any, should be clearly set out;
International transfers - where applicable, the website privacy policy should include the fact that the controller intends to transfer personal data to a third country or international organisation, including reference to the appropriate or suitable safeguards being used for the transfer;
Retention period - the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period must be included;
Data subject rights - a website privacy policy must tell data subjects what their rights are under data protection laws. This includes the right to request access to and rectification or erasure of personal data, the right to request the restriction of processing concerning the data subject or to object to processing, the right to data portability, the right to withdraw consent at any time and the right to lodge a complaint with the ICO; and
Automated decision-making - if automated decision-making, including profiling, is being used by your company, you must tell data subjects about it in your website privacy policy.
Find out more about the key information to include in your website privacy policy by using this checklist.
How do I give my website privacy policy to website visitors?
The website privacy policy must be easily accessible and brought to the user's attention at the point their personal data is being collected - it cannot be hidden away or hard for website visitors to locate. If you provide individuals with a link, you should ensure that it directs them straight to the relevant privacy information and that they do not have to seek it out amongst other information (e.g. if it is hidden within website terms of use).
It is also important that the website privacy policy is drafted in line with the following ICO-recommended principles:
Conciseness – keep your sentences and paragraphs short. Omit any irrelevant or unnecessary information.
Transparency – don’t hide information from people; make sure that you clearly bring to people’s attention any uses of data that may be unexpected, or could have significant effects on them.
Intelligibility – your privacy policy needs to be understood by the people whose personal data you collect and obtain.
Ease of access – individuals should not have to look for your privacy policy; it must be easy for them to access.
Clear and plain language – ensure that the words and phrases you use are straightforward and familiar to your intended audience.
Find out more about how to draft your website privacy policy by reading this guide.
What else do I need to do on my website for data protection compliance?
A website privacy policy is just one of the documents that you should have on your website. Other relevant documents for your website include:
Cookies notice: almost every website uses some form of cookies (which are tracking technologies). As cookies collect personal data, you are required to tell website visitors about the types of cookies that you use and also get their consent to cookies being used. For more information, read this comprehensive guide to cookies.
Website terms of use: your website should also contain terms that cover how a website visitor can use the website, and any restrictions you want to impose on their use. You should have separate website terms of use in place to deal with that.
Find out more about website compliance by reading these FAQs.
Do I need to give a privacy policy to other types of individuals too?
Any type of individual whose personal data you collect should be provided with a privacy notice telling them how you will use their personal data. This could include:
Employees - to cover personal data that you collect and process about your employees during their employment e.g. address, salary data, sickness and disability data.
Job candidates - to cover personal data that you collect and process about job candidates during the recruitment process e.g. contact details, CV data, disability data.
Shareholders / investors - to cover personal data that you collect and process about shareholders in your company e.g. contact details and financial information.
How can Docue help? Use our template!
You can easily and quickly generate a privacy policy for your website using Docue’s website privacy policy template. All you need to do is answer a series of simple questions and you’ll have a fully customised website privacy policy in no time.
The website privacy policy template includes model clauses designed by data protection lawyers to help you draft the notice yourself and tailor it to your needs. And don’t worry if you get stuck along the way - Docue’s lawyer-drafted guidance notes are there to help you, with detailed guidance on each section and question.
Sign up now to use Docue's template.