No one reads a Privacy Policy or Terms & Conditions, so why should I bother? When it comes to Privacy Policies, the short answer is because it’s THE LAW.


Psh! Rules are meant to be broken, aren’t they? Well, yeah…except when they could bring some hefty fines.

To be clear, the U.S. federal government has not laid down specific laws requiring you to have a privacy policy on your website, although it has set down laws governing privacy policies for specific situations, like the Children’s Online Privacy Protection Act (COPPA). COPPA basically says if you collect personal data on kids, you have to have a privacy policy.

BUT…states have the freedom to create their own laws. California, for example, has a pretty strict privacy policy law that reaches way beyond CA state lines. It’s called CalOPPA (California Online Privacy Protection Act). CalOPPA’s main requirement is that any website collecting personal data from California residents must post a privacy policy.

Yeah, well, I don’t live in Cali. Doesn’t matter: if you live in New York but someone from California clicks on your website and you collect their “personally identifiable information,” CalOPPA applies to you. And by the way, CalOPPA says “personally identifiable information” includes:

  • First and last names
  • Physical addresses
  • Email addresses
  • Phone numbers
  • Social Security numbers
  • Any other contact information shared with a business (online or physically)
  • Birthdates
  • Details of physical appearance (height, hair color, weight)
  • Any other information stored online that may identify an individual

If you use cookies on your site, you definitely want a privacy policy AND you want to ask permission from each site visitor.

Google’s stand on Privacy Policies and Terms & Conditions Pages

Google has been really pushing for all websites to have Privacy Policies and Terms and Conditions. In the good news department, there are no laws requiring you to have a Terms and Conditions page on your site. So technically, you could get away without one (legally, that is). But you may want to think twice about that, because Terms and Conditions are how you make the rules. With a Terms and Conditions page publicly accessible on your site, you call the shots.

What Is a Terms & Conditions Page?

A Terms & Conditions page tells your website visitors how they are and aren’t allowed to use your website. Whether or not they actually read it is out of your control, but if you ever get dragged to court over something (and believe me, this is not as far-fetched as it might seem), you can point right back to your Terms and Conditions to help keep you from being liable. This document can also help protect the content you put on your website from being used in ways you disapprove of. Plus, Facebook now refuses to let you display your events or feeds on your business page if you don’t have a valid link to both a Privacy Policy and a Terms & Conditions page.

GDPR – important even if you’re not in the EU

If you live in the European Union, you must address GDPR as well. But GDPR can be interpreted to cover companies that aren’t in the EU. According to a PwC survey, “92 percent of U.S. companies consider GDPR a top data protection priority.”

What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).

According to CSO Online, GDPR (General Data Protection Regulation) “is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.”

Unfortunately, GDPR isn’t crystal-clear on what it requires. For example, it says that companies must give a “reasonable” amount of protection to personal data, but it never tells us exactly what “reasonable” is (or isn’t).

However, it does say that the following is considered personal data that must be protected by companies:

  • Basic ID info, like names and addresses
  • Race and ethnicity
  • Political opinions
  • Web data, such as the data cookies gather, IP address, and RFID tags
  • Health and genetic data
  • Biometric data
  • Sexual orientation

It also calls out companies who absolutely must comply with GDPR:

  • Companies with a presence in an EU country
  • Companies who process personal data of European residents, even if they don’t have a presence in the EU
  • Companies with over 250 employees
  • Companies with fewer than 250 employees, but whose “data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.”

(That last point basically means nearly every company.)

So even if you’re a two-person agency in the American Midwest, addressing GDPR in your privacy policy and terms and conditions is something you should seriously consider.

How To (And How NOT TO) Write Privacy and Terms Pages

What? Like it's hard to create a Privacy Policy?

Fortunately, it’s OK to leave the “legal speak” behind and keep it in plain English. Make it easy for people to understand what you’re saying. Check out how Apple did this in their Terms and Conditions:

“Our Services may allow you to submit materials such as comments, pictures, videos, and podcasts (including associated metadata and artwork). Your use of such features must comply with the Submissions Guidelines below, which may be updated from time to time. If you see materials that do not comply with the Submissions Guidelines, please use the Report a Concern feature. You hereby grant Apple a worldwide, royalty-free, perpetual, nonexclusive license to use the materials you submit within the Services and related marketing, and Apple internal purposes. Apple may monitor and decide to remove or edit any submitted material.

Submissions Guidelines: You may not use the Services to:

    • post any materials that you do not have permission, right or license to use;
    • post objectionable, offensive, unlawful, deceptive or harmful content;
    • post personal, private or confidential information belonging to others;
    • request personal information from a minor;
    • impersonate or misrepresent your affiliation with another person, or entity;
    • post or transmit spam, including but not limited to unsolicited or unauthorized advertising, promotional materials, or informational announcements;
    • plan or engage in any illegal, fraudulent, or manipulative activity.”

TIP: Use a table of contents at the beginning of your privacy policy and terms and conditions so they’re easy to navigate. And make good use of bullet points and white space so it’s even easier to read.

This is what a section of Spotify’s privacy policy looks like (notice how the language is easy to understand):

“3. Your rights and your preferences: Giving you choice and control
You may be aware that a new European Union law, called the General Data Protection Regulation or “GDPR” gives certain rights to individuals in relation to their personal data. Accordingly, we have implemented additional transparency and access controls in our Privacy Center and Privacy Settings to help users take advantage of those rights. As available and except as limited under applicable law, the rights afforded to individuals are:

    • Right of Access – the right to be informed of and request access to the personal data we process about you;
    • Right to Rectification – the right to request that we amend or update your personal data where it is inaccurate or incomplete;
    • Right to Erasure – the right to request that we delete your personal data;
    • Right to Restrict – the right to request that we temporarily or permanently stop processing all or some of your personal data;
    • Right to Object –
      • the right, at any time, to object to us processing your personal data on grounds relating to your particular situation;
      • the right to object to your personal data being processed for direct marketing purposes;
    • Right to Data Portability – the right to request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service; and
    • Right not to be subject to Automated Decision-making – the right to not be subject to a decision based solely on automated decision making, including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.

In order to enable you to exercise these rights with ease and to record your preferences in relation to how Spotify uses your personal data, we provide you with access to the following settings via your Account Settings page:

    • Privacy Settings – allows you to control some of the categories of personal data we process about you, enables you to access your personal data via a ‘Download my Data’ button, and includes a link to the Privacy Center on spotify.com where you can find out more information about how Spotify uses your personal data and what your rights are; and,
    • Notification Settings – allows you to choose which communications you receive from Spotify, manage your publicly available personal data, and set your sharing preferences.”

Online Privacy Policy and Terms & Conditions Generators

Who wants to build a Terms & Conditions or Privacy Policy from scratch? There’s no need to reinvent the wheel. Get one delivered to your inbox instead with these dead simple resources.

  1. TermsAndConditionsTemplate.com will help you generate a template-based Privacy Policy or Terms & Conditions page for free. Just follow the prompts and punch in your business’s details.
  2. PrivacyPolicies.com helps you create your own privacy policy without getting lost in a bunch of legal jargon. They have simple step-by-step questions and options they walk you through, so they know what to include in your customized template. While most of it is free, they do charge one-time fees to include certain things if you want an international privacy policy.
  3. GetTerms.io will generate a basic Terms of Service and Privacy Policy for free. A custom document is $5 and a comprehensive one that’s “GDPR ready” is $15. After a few simple questions to determine what you need and want, they tell you how much yours will cost.
  4. Termageddon.com is different from the first three. With the others, you pay a one-time fee for a Privacy Policy or Terms and Conditions. If you need to make changes to it after that, you have to do it manually. With Termageddon, you purchase a monthly subscription that automatically updates your privacy policy or terms and conditions as the laws change. As a super cool bonus, if you are an agency who helps clients with things like Privacy Policies, you can apply to get a free Termageddon install on your site. The process is painless (and the welcome email has a flaming gif!).

Fun Fact: Our FocusWP Privacy Policy is generated and automagically updated by Termageddon. It took about 15 minutes max to generate and publish on our site, and that was with the learning curve of never having used their service before.

Your Next Steps

You now know that you need to put a Privacy Policy and Terms & Conditions page on your website if you want to help keep your business out of legal trouble, get the most out of your Facebook account, and keep The Mighty Google satisfied.

Here’s Your Privacy and Terms To-Do List

  • Use an online service to generate and customize your Terms and Policy. (Be sure it’s easy to read and understand!)
  • Run it by a legal professional to make sure you worded it correctly and included everything necessary.
  • Put it up on your website in an easy-to-spot-and-access place.