The Ultimate Privacy Policy Guide

Before diving into the details about privacy policy specifics, let's first have a look at why this topic is relevant to businesses today.

You should know by now that there is no such thing as FREE services or products. You either pay your money or you pay with your data.

Not so long ago, the Cambridge Analytica scandal was revealed regarding their misuse of personal data. It's only a question of when someone else will take your data and misuse it or sell it again.

That's the main reason why we are having new regulations now, the most famous being the GDPR. Since misuse of personal data can significantly impact people's lives, regulators are introducing new measures to protect people's personal data rights. Among those measures, one key document that businesses must have is a privacy policy!

The main idea of this article is to explain how a business can protect itself from being fined while at the same time benefiting its users. It also gives a brief overview of how you can get a privacy policy and why you can't copy it from your competitors or use the FREE versions.

What Is a Privacy Policy?

When using personal data, you must tell your users what you are using their data for, how you use their data, and what your users' rights are.

You should provide this information in a clear, open, and honest way. It’s best to have this written down in a document called a privacy policy.

Having a privacy policy is required by the GDPR if you use any personal data. If you do not have a privacy policy, you may be fined by data protection authorities and suffer reputational damage.

Also, many service providers now require their customers to publish a privacy policy. It is a requirement of the App Store, Google Play, Google Analytics, Facebook, and many more.

Privacy Policy vs Privacy Notice - What Is the Difference?

Neither "privacy policy" nor "privacy notice" is mentioned as a specific term in the GDPR. In practice, both terms can be used interchangeably.

The main purpose of both documents is to notify individuals how their personal data is used. However, most websites and apps currently call this document a privacy policy.

What Is Personal Data?

Personal data is information that can identify an individual (natural person). It can be a name, a number, an IP address, a cookie identifier or a person’s business email.

Business data that does not relate to any specific individual (such as a company email address that is not tied to a particular person) is not personal data.

More examples of what counts as personal data can be found on the European Commission website.

What is the GDPR and Why Is It Relevant?

The GDPR (General Data Protection Regulation) is a law of the European Union, which was put into effect on May 25, 2018. It is safe to say that it is the toughest data protection and security regulation in the world, and it applies to businesses of all sizes.

In short, the GDPR regulates how organisations collect, store, share and otherwise use personal data. Having a privacy policy is part of the GDPR requirements.

For your reference, here is the full GDPR text.

Does the GDPR Apply to Non-European Companies?

First, the GDPR can apply to you if you use personal data and have an establishment in the EEA. An establishment in the EEA can be your company, branch, subsidiary, employee or agent in the EEA. If you use personal data in the context of the activities of such an establishment, the GDPR applies to you.

Second, the GDPR also applies if you are not located in the EEA and use the personal data of individuals in the EEA in relation to:

  • offering products or services (including digital products and services) to them; or
  • monitoring their behaviour as their behaviour takes place within the EEA.

That means that the GDPR may apply to you even if you are not a European company unless you happen to be a very rare business that does not use the personal data of EEA citizens or residents in the above-described ways.

Offering Products and Services to Individuals in the EEA

If you do not have any establishment in the EEA but you have a website or application available to individuals in the EEA, it does not automatically mean that the GDPR applies to you.

However, if you intend to offer products or services to individuals located in the EEA, then the GDPR will apply. This is the case, for example, if you have launched marketing campaigns directed at an EEA country audience or if you have special contact details for clients from an EEA country.

In such cases, the GDPR will apply irrespective of whether your products or services are free or paid.

Monitoring the Behaviour of Individuals in the EEA

Monitoring may take place, for example, by tracking individuals on the internet with cookies or through wearable or other smart devices. Here again, an important criterion is whether you specifically intend to monitor individuals in the EEA. If yes, the GDPR will apply.

What Are The GDPR Fines?

If you don't comply with the GDPR, you may face a fine of up to €20 million or 4% of global revenue (whichever is higher), plus any compensation for damages that your users may claim.

The relevant authority will look at various factors to determine the amount of the fine, including how serious the violation was and how long it lasted, whether it was intentional or accidental, and many other factors.

One of the largest fines was imposed on WhatsApp, which was fined €225 million on August 20, 2021, in part because its privacy policy was not clear enough.

Do I Need a Privacy Policy if I Have ZERO Revenue?

The requirement of having a privacy policy is not related to revenue. If you use personal data, then you must have a privacy policy.

For example, if you own a blog that uses analytical tools or collects readers' emails, you must have a privacy policy, even if you haven't registered a company and generate no income from the blog.

The good thing for a small business or a blog is that most likely you don't use a lot of data. It should be easy and cheap to generate a custom privacy policy and comply with the applicable laws.

Where Can I Get a Privacy Policy?

There are many ways to create a privacy policy for your website or app. Here are some options:

  • Hire a lawyer: the best option, but usually costs the most
  • Use an online privacy policy generator: an affordable and quick way, but be careful! Many generators (especially the free ones) are not GDPR-compliant and generate “generic” policies
  • Hire a freelancer: a great option if you can get a data protection specialist for cheap
  • Use ready-made templates: usually provide a “generic” version of a privacy policy that will not suit your business needs, since every business needs a different privacy policy
  • Write the policy yourself: unless you are a lawyer and understand the GDPR, you should avoid doing this

For a small business, a great option is to use a privacy policy generator and then check if the result matches the ways you use personal data.

We suggest not using the FREE options! We have checked almost all of them and they are not GDPR-compliant and many are outdated.

Privacy policies are dynamic documents that need to be updated regularly. It is important that you use a generator that follows the latest changes in privacy laws and practices, and allows you to update your policies regularly, such as Ligalio.

Also, check whether you use special category data; if so, you will have stricter obligations (see the section on special category data at the end of this article).

What Should Be Included in a Privacy Policy?

The full list can be quite extensive. Below are the items that are most common.

  • Your identity (such as your business name)
  • Your contact details, so that your users can reach you in case of any personal data-related questions
  • Which particular website, app or activities the policy applies to
  • What personal data you collect about your users
  • How you use the personal data
  • Why you use the personal data
  • The legal basis for using the personal data
  • Your users' rights with respect to their personal data
  • Where you collect users' personal data from, in case you do not collect it directly from the users
  • How long you store the personal data
  • To whom you may disclose your users' personal data, and whether you transfer the personal data outside the EEA
  • How users can complain in case of concerns about misuse of their personal data

What Are the Benefits of Having a Privacy Policy?

  • Your business complies with the law (GDPR) - the main reason why we all must have privacy policies.
  • Build trust with your customers - a business that treats users' data with care will generate much more revenue in the long run than a landing page that just cares about a one-off sale and uses customers' data without care. By having a proper policy you also minimise your reputational risk.
  • Avoid unexpected fines and legal issues - unless businesses start paying more attention to the protection of their users' data, the fines are likely to grow. As of March 2022, the total amount of GDPR-related fines has reached €1.61bn.
  • Comply with 3rd party conditions - for example, payment providers or app stores may require you to submit a privacy policy so that you can use their services.

How Often Do I Need to Update My Privacy Policy?

The privacy policy is a dynamic document. As soon as you change something about your personal data collection practices or uses, you must update your policy.

In an ideal world, you should update your policy after every change you make regarding personal data practices. However, we suggest reviewing your policy at least every quarter. Definitely make sure to update it in case you make any major changes, such as adding new functionalities to your products or services.

Businesses That Should Take Privacy Policies and the GDPR Very Seriously!

There are types of data that qualify as special category data and need more protection due to their sensitive nature. If you use any special category data, your business will have to comply with additional GDPR obligations.

Examples of special category personal data:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where used for identification purposes)
  • Health data
  • Data concerning a person’s sex life
  • Data concerning a person’s sexual orientation

Additional care should also be taken when using personal data regarding criminal convictions and offences.

If you use or wish to use any of the data listed above, we strongly advise you to consult a lawyer regarding GDPR compliance and the creation of your privacy policy.

Where to Place Your Privacy Policy on Your Website or App?

The GDPR does not state where exactly you need to put your privacy policy on your website or app. However, the privacy policy must always be easily visible and accessible to your users.

For websites, the most popular place to put a privacy policy is in the footer. Other places may be checkout pages, sign-up forms and separate banners on a landing page.

For apps, the best places are app store listings (which usually link back to the privacy policy on your website), menus within the app, the bottom of the app's settings section, or the website that promotes your app.

If you need a privacy policy, check out our privacy policy generator! 🚀