Skip to content ↓ | Skip to navigation ↓

As a business owner, you’re no stranger to the myriad moving parts that keep the day-to-day business going. In all the bustle, it can be easy to overlook important tasks such as creating a privacy policy because you’re unsure where to start or which elements to include.

Earlier this year, the EU’s GDPR—the General Data Protection Regulation—went into effect, delineating how companies handle consumer data for EU citizens. Because the internet is accessible worldwide, most companies have had to update their privacy policies in case they get visits from EU citizens.

Even if you think the GDPR doesn’t affect your business (though Forbes notes it probably does), your privacy policy should be updated to protect your business and to show your customers you’re trustworthy when it comes to handling their private information.

Listed below are five key components to include in your company privacy policy—and tips to take customer privacy beyond the policy. Including these elements will help you create a set of terms that gives your customers peace of mind so they’ll stay on your site longer and feel safe referring family and friends.

Types of Data You Collect

If your business collects personal data, you may be required by state law or federal guidance to itemize the types of personal data you collect. Let your customers know all types of data collected, including the following:

  • Name
  • E-mail address
  • Birthdate
  • Mailing Address
  • Phone Number
  • Credit Card Information

Many businesses collect information from their customers for varying situations. Privacy laws require businesses to collect only personal data that is needed and indicate why they need it. For example, a mailing order would likely require the customer name, address and potentially phone number.

Don’t forget about phone data, either. Customer service and sales are often required to gather private information from clients via telephone, so detail why data could be collected from those calls.

Beyond the Policy: If your company collects data through other devices, be as transparent as possible about it. Disney, for instance, collects user data through its MagicBand wristband, and it has an entire section of its site built to answer user questions about what data that system collects and why.

How the Data Is Used (Including Cookies)

Spell out how you use the data you collect so customers are clear on why they are giving you their information. Everything from website logins to online customer service access requires personal data collection.

Data sharing with third-party partners should also be disclosed. If your company hands any data off to any other companies, be sure you’ve invested in highly secure partnerships and platforms—your customers deserve to know you’ve done due diligence to protect their information if and when you have to pass it on.

If your site uses cookies to track visitors to your website, be clear about that. These temporary text files are placed on visitor’s computers by your site or third-party sites to customize a visitor’s experience. While cookies can make browsing easier, they can also be used to track how customers use the internet. You can learn more about data gathered for advertising (and how to use it responsibly) via the Digital Advertising Alliance (DAA) Self-Regulatory Program.

Beyond the Policy: The EU’s recent privacy regulation update led to a lot of companies being more up front about their cookie policies in the form of homepage popups, but not every company does it well. Follow Channel 4’s example (which you can see at the top of its homepage), and create cookie notifications that are transparent and understandable.

Storage and Security Policies

On top of how data is used, don’t forget to let users know if your company stores their data and, if so, what security measures you’ve taken to keep that information safe.

This point is especially crucial for any type of payment information. The Payment Card Industry Data Security Standard was designed so merchants who accept and process credit card payment information do so in a secure environment. If you accept payments via website for services or products, ensure you are PCI compliant and list the compliance on your site. Best practices range from encryption to employee procedures, so mention your compliance in the footer of your site and advise your customers during their checkout.

Beyond the Policy: If your company regularly deals with or processes sensitive information, consider adding a dedicated page to explain your security protocols. Mailchimp’s Security page is a good model to start from.

Opt-Out Procedures & Company Contact Info

Companies that send out commercial email marketing campaigns are required by the FTC to have opt-out options listed in each email. You should also have an opt-out policy listed in your privacy statement so customers know how to control their information.

Allowing your customer to access your opt-out process quickly will help them have faith that you have their best interest when it comes to marketing to them or collecting their data.

Additionally, detailing your company’s name, website, address and contact email gives your customer all of your contact information up front in case they have any questions about your privacy policy or how you use their personal information.

Beyond the Policy: If you haven’t already, consider setting up a reliable and accessible customer support line and make the line hours and contact information easily accessible online. Go Verizon has a good example of a dedicated customer service page with clearly posted hours and phone number.

Indicate the Effective Date

Always include an effective date for your privacy policy so your customers see how recent your policies are. You’ll more than likely be updating your policy often as technology and collection practices change.

Beyond the Policy: Consider sending email updates to your clients when you change your privacy policy or terms of service. Just make sure the update is human and aligned with your brand—Ticketmaster is a great example of how to do term email updates right.

Whether you’ve already got a privacy policy in place or you’re just starting to develop one, these tips will help you craft a privacy policy that establishes trust with your customers.

If your company uses cloud-based software and contact management systems, be sure to check out our article on Ensuring Security in the Cloud.

About the Author: Elaine is a digital journalist whose work has been featured in various online publications, including VentureBeat, Women’s Health, and Home Business Magazine. She writes about sustainability and tech, with emphasis on business and personal wellness. 

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.