A privacy policy must disclose all types of personal information collected from an individual. Even if the website is a simple blog and does not ask for an e-mail address or to register an account but has Google Analytics, the website collects personal information.

The most common types of personal information collected are:

• IP Address – Location data where the user is accessing the website.
• Browsing History – Knowing which pages on a website a user has accessed, links clicked, and for how long they have stayed on each page.
• Browser and Device Information – The device, such as a mobile phone or computer, of the user and the specific browser they are using.
• Sourcing Data – Gives the origination of where the user came from to access the website.   For example, if the user came from a Google search, Facebook, Youtube, etc.
• Demographic Data – The race, age, gender, and interests of the user. This can either be self-entered into the website or based on previous searches or browsing history.

The most common and general methods to collect personal information are:

• User Intake Form – This is through the creation of an account and requesting a user’s e-mail, first and last name, address, billing details, and any other information.
• Cookies and Log Files – This is generally through the use of Google Analytics or other related tracking installed on the website to collect data of its users.
• E-Commerce – If products or services are sold on the website, all data that is required to make a purchase and the order history of the user is collected on the website.
• Social Media Login – If the website has signup or login with a social media account, this may give access to a user’s posts, comments, and other personal data.
• Surveys, Polls, and Contests – If any type of voting system that collects the opinion of a user is collected.

If any of the above methods are used to collect personal data, it must be disclosed and shared with users.

This is to give users an understanding of why their personal data is being collected and required under CCPA, GDPR, and PIPEDA. Some of the common reasons listed should be for:

• To provide better services and products based on users’ activity and interactions.
• To communicate with users on how they can provide a better user experience and offer better offerings in the future.
• To comply with legal and regulatory requirements, for example, and under European law (GDPR), the lawful reason for collection must be obtained through one of the five collection methods.

Any type of data that is collected is shared with 3rd parties. Either it is shared due to using a service that collects the data on behalf of the website or when selling personal data.

• Sharing Data – Most common when collecting data through the use of Google Analytics, a CRM (like SalesForce), or by advertising with Google Ads. This type of sharing is common and does not allow the 3rd party holding the personal data to use and promote their own products and services.
• Selling Data – Selling personal data is legal under CCPA, GDPR, and PIPEDA if the website gives the proper access for users to opt-out either through the “Do Not Sell My Data” or “Right to Erasure” methods.

A user, at any time after their data is collected, has the right to have their personal information deleted or erased without it further being shared with 3rd parties. This also includes being used internally by the website.

This right to erasure or deletion is required under CCPA and GDPR.

The most common way to create a privacy policy is from a template using a text editor such as Microsoft Word or Google Docs. After downloading, fill in the areas where the brackets ([SAMPLE]) are located, and complete them with the website’s details and information.

---

WordPress Privacy Policy Template

Download: PDF, MS Word, OpenDocument

 

 

 

---

Find the Privacy Page

Go to the WordPress Dashboard and hover over Settings and click the Privacy link.

Click the “Create” Button

Click the Publish Button