What Should I Include in a Boilerplate Privacy

Policy?
A basic privacy policy template includes the what, when, who, why, and how of your
data collection practices. While every website and business should have a policy
tailored to its own operations, even the most simple privacy policy will include the
following information:

What Information You Collect

At the heart of your website’s privacy policy is a disclosure of what data you collect
from users. Some common types of data that you’ll find in website privacy policy
templates are:

 Personal data (like names and email addresses)

 Derivative data (like IP addresses and browser types)
 Financial data (like credit card details)
 Social network data (like Facebook login information)
 Mobile data (like mobile device IDs and manufacturers)
 Third-party data (like social network friends lists)

Both the GDPR and CCPA state that privacy policies should disclose what types of
information a website collects. The above are only some basic examples of what
types of information may mean for your site.

When assessing your data collection practices, carefully inspect each of your web pages for
potential collection sites. Signup pages, login modals, and checkout screens are some of the
most common points of data collection.
Why You Collect Information

Another legal necessity under various privacy laws, your data collection needs an
explicit purpose — and that purpose needs to be written out in your privacy policy.

Here are just a few examples of ways you may use the user data you collect:

 To send marketing materials or newsletters

 To process orders
 To complete transactions
 To enter users in sweepstakes, contests, or surveys
 To create and maintain user accounts
 To prevent fraudulent activities
If you engage in any of the above activities — or others that require the collection of
data — you need to list them in your privacy policy.

Whether You Disclose Data to Third Parties

It’s not uncommon for a website to be integrated with other sites and services. For
example, nearly 30 million live websites use Google Analytics. Given this online
ecosystem, it’s only to be expected that your website might need to transfer data to
third parties to operate smoothly.

To stay compliant with the law and maintain a transparent privacy policy, you must
disclose the categories of third parties with whom your site may share information.
Some common categories of third parties include:

 Service providers
 Ad vendors & networks (like Google Adsense)
 Social networks
 Business partners
 Affiliates
 Other site users

Along with which categories of third parties you may share information with, you
should note the purposes behind the data exchange. Here’s an example of how we
accomplish this in the downloadable privacy policy template below:

Third-Party Service Providers

We may share your information with third parties that perform services for us or
on our behalf, including payment processing, data analysis, email delivery,
hosting services, customer service, and marketing assistance.

Marketing Communications

With your consent, or with an opportunity for you to withdraw consent, we may
share your information with third parties for marketing purposes, as permitted by
law.

Interactions with Other Users

If you interact with other users of the Site [and our mobile application], those
users may see your name, profile photo, and descriptions of your activity,
 including sending invitations to other users, chatting with other users, liking
posts, following blogs.
.
The green text highlights the type of third party that user information could be
shared with, while the blue section gives a brief explanation of how and why that
information may be shared.

User Rights Over Their Data

Your privacy policy should have a section outlining what rights users have over their
data, and how they can act on those rights.

For example, users from the EEA or California have the right to request access to
data that has been collected about them. Specify this right in your privacy policy,
including instructions on making such requests.

Check out how it’s done in Airbnb’s privacy policy:

This section of Airbnb’s policy goes on to specify four more data rights, and includes
links to pages with more information on acting on those rights.

Links to Other Policies

Many sites label their network of legal policies collectively as their “Terms.” Your
site’s terms will most likely include a privacy policy, terms of use, and disclaimer.
Not sure about the difference between these three critical documents? Check out our guide to
the differences between a privacy policy, disclaimer, and terms and conditions.
Also gaining increasing popularity and legal necessity are cookie policies. All of these
documents should link to one another, so users can always find answers to their
questions about your site’s operations.