Privacy Policies Explained – What Should They Contain?

Posted On: 26th January 2022
Read Time: 5 Minutes

We get it – privacy policies can be a little complex. There’s plenty to think about when it comes to privacy – it’s enough to make anyone’s head spin. However with this article, you should have all your burning questions answered so you can set-up the perfect privacy policy and ensure your website is GDPR-compliant. While we’re not legal experts here at Echo, this guide is designed to point you in the right direction based on our industry experience.

What is a privacy policy?

A privacy policy is designed to communicate to your website users exactly what types of personal data you handle and give details of how you track, store, share and use their personal information. Sounds simple, right?

From our home address and mobile phone number to our browsing and purchase history – we hand over a great deal of information to websites and it’s not always obvious how much information companies have, and what they do with it. Now more than ever, the onus is on website owners to handle this information responsibly, but to also be transparent about the way they use it.

In fact, transparency is increasingly considered a trust signal for consumers. Consumers value privacy and over the past few years the laws have evolved to favour people’s right to privacy – the introduction of GDPR in 2018 being a prime example.

What is personal information?

Personal information is data that can in itself, or when combined, identify someone. Below is an example, rather than an exhaustive list.

  • Name
  • Email address
  • Home address
  • Mobile/telephone number
  • Browsing activity
  • Purchase history
  • Location
  • Birthdays
  • Payment details
  • Photos

What areas of your website might collect personal data?

  • Analytics & Tracking – Google Analytics, Microsoft Clarity, or other tracking software & tools
  • Promotions and competitions
  • Email newsletter sign-ups
  • Contact forms
  • Online subscriptions / member account registration
  • Comment sections

If any of these apply to your website, you should include them in your privacy policy. Again, this is not an exhaustive list, so it’s important to check you’ve got everything covered.

Whenever a user makes a decision to hand over personal information, you should also display a clear tick box to get their permission to have their details stored by you.

When a customer makes a purchase with you, it’s important not to automatically sign them up to receive your email newsletter or other marketing materials – otherwise this could land you in trouble. They MUST give consent first. You should also make it clear to customers how they can unsubscribe from all non-essential communications, including email newsletters and text messages.

Is it a legal requirement to have a privacy policy in the UK?

If your website gathers any type of personal information from users, you will require a privacy policy. With the introduction of GDPR (General Data Protection Regulations) in 2018, it became a legal requirement in the UK to install a privacy policy notifying all website users how you collect and use their data. This is known as the ‘right to be informed’.

If your website doesn’t collect any data at all then you won’t need a privacy policy, although these days most websites do have some form of tracking – even the most basic ones.

This is what the Information Commissioner’s Office (ICO) has to say on the matter:

  • You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.
  • You must ensure that you do not do anything with the data in breach of any other laws.
  • You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
  • You must be clear, open and honest with people from the start about how you will use their personal data.

What happens if you breach GDPR?

Every now and again, the national news brandishes a story of a large corporation or organisation breaching privacy laws. Stories such as the ‘Cambridge Analytica’ scandal can make businesses large and small feel a little uneasy and wonder whether their privacy is up to scratch.

Breaches of GDPR have legal implications, including financial penalties and detrimental impacts on reputation – something that businesses should avoid.

The Information Commissioner’s Office (ICO), is the UK’s independent authority set up to uphold information rights in the public interest.

‘The UK GDPR introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.’

How do you get a privacy policy?

Now that you know you definitely need a privacy policy, you may be wondering how you get one. If you’d rather not write your own policy from scratch (we don’t blame you!), you have several options which include using an up-to-date template or getting a lawyer or website data expert to write one up for you.

Can I write my own privacy policy or do I need a lawyer?

Yes, you can write your own privacy policy. You don’t need a lawyer either. However, because the privacy policy is enshrined in privacy law, this isn’t something you’ll want to get wrong.

Can I copy and paste a privacy policy?

No two businesses are the same, and your privacy policy shouldn’t be either. If your privacy policy is exactly the same as another site’s it means you’ve taken a wrong step! Your policy should include how your website tracks, collects, stores and shares personal data – every business is different in this department, so while copying and pasting may seem a tempting, time-saver, it’s not likely to be correct for your website.

That being said. you can copy over the bare bones and structure of a policy if the website in question uses personal information in a similar way to you. Just remember to change the company name and details, and anything that doesn’t apply to your site.

Where to add a privacy policy on your website?

Best practices include adding a dedicated privacy policy page. This should be easily navigable from your footer links or homepage menu.

Privacy Policy Checklist: what should your privacy policy contain?

Whether you want to find a template or recycle another website’s privacy policy and personalise it for your site – here is a basic checklist of what you need to cover in your privacy policy:

  • Company details – including official business name, address and contact details
  • What personal data you collect
  • How you use the data
  • How long data is stored
  • Where the data is stored
  • What rights the customers have over their information
  • What information is sent to third parties
  • Who has access to the data
  • Details of any remarketing tracking

These are the basic sections that should be discussed in your privacy policy. This doesn’t need to be too technical – in fact if it’s riddled with legal jargon you will lose the transparency that you’re supposed to offer your customers. Remember the famous KISS principle!

The purpose of a privacy policy is to inform website users how you track, collect, store and share information about them.

Not sure you’ve got it right?

If you have any doubts about implementing privacy on your website, it can be worth getting a second opinion from a solicitor who specialises in this area of the law. They can review your website to make sure it’s 100% privacy compliant.

How does privacy differ between ecommerce and non-ecommerce websites?

It’s true that privacy policies will be more involved for ecommerce vs non-ecommerce websites. If your website takes payment details from customers then your privacy policy will be more complex than a basic informational or brochure-based website. This is simply because you are likely to be collecting more personal data.

How often should you update your privacy policy?

Now that you have the perfect privacy policy uploaded on your website, what happens now? As with many digital marketing related tasks, your online privacy policy will need to be regularly reviewed and updated. We recommend scheduling in an annual review as a minimum. This gives you the chance to update your third party cookies and ensure that you’re being 100% transparent about how you’re tracking, collecting, storing and sharing your customer’s data.

This should become part of your process. If you start using a new tracking software, this needs to be added to your privacy and cookie policy. This may sound tedious, so you may be relieved to hear that there are time-saving tools that can automate this process, such as CookieBot (you’re welcome!).

Is it enough to simply have a privacy policy?

A privacy policy is important, but if you don’t follow the GDPR rules it will be pointless. You should stick by the law and the points you make in the policy in order to stay credible and compliant. If you’re using cookies to enhance user experience, you will need a cookie policy. You also need to get permission from your website users whenever they’re handing over personal information.

This is an example of how we ask for permission to use cookies on our own website:

cookie policy notification

Privacy policy vs cookie policy – Do I need both?

Your privacy and cookie policy are both interconnected, but separate. You should have both.

You can choose to combine your privacy policy and cookie policy into a single page, or place them on separate pages. However, you should also add a cookie notice presented as a notification which gives your website users the option to change their cookie tracking settings, to either opt-in or out of inessential cookies. This should appear upon entry to your website.

A cookie notice should also give users control over what type of information you track. In other words, they should be able to accept all cookies, select some, or refuse all tracking cookies. This typically links to your cookie policy page.

Final thoughts on privacy policies

Here at Echo, we want to help website owners and ecommerce businesses find their way through the privacy maze to stay on the right side of the law and maintain the trust of their customers. Having a finely-tuned privacy and cookie policy are the first significant steps to staying GDPR compliant. Following the steps outlined in this guide will help you stay on top of your privacy game. Just remember, it’s a complex area of the law that’s constantly evolving – so it can be worth getting support from a legal professional just to err on the side of caution.

Contact Us Give Us A Call
Emma Gibbs at Echo Web Solutions
Emma Gibbs
SEO Content Writer
Writing is something that Emma has always loved, and enjoys using her passion for the written word to help businesses create easy to understand content that drives results.

Recent Posts

Read More

Harvesting Success: Unveiling the Power of Seasonal Marketing

In the annual calendar, you have the obvious dates: Christmas, Easter, Halloween, and Black Friday. For many ecommerce…

read more
Read More

Mastering Ecommerce: 12 New Website Must-Haves

In 2023, internet retail sales in Great Britain reached a value of over £3.1 billion. If you aren’t…

read more
Read More

Local vs National PPC Campaigns – What’s the Difference?

Should you choose a local or national PPC campaign? Hmmm – now that’s a question. In this guide,…

read more