
Website Privacy Policy Requirements: Build a GDPR-Compliant Website Policy

April 06, 2022

Please note: this article does not constitute legal advice. It is meant only to educate.

Learning about website privacy policy requirements isn't top-of-mind when website owners launch an online business. However, if you're handling users from countries with strict data protection laws, a website policy statement is an important part of the legal process.

What Is a Website Policy?

A website policy (more often referred to as a privacy policy) is a statement that discloses your website’s practices regarding the collection, use, and handling of your site visitors’ personal data. It is mandatory if you're collecting personally identifiable information or using data to identify specific persons.

Examples of these types of information include:

  • First and last names
  • Contact information such as shipping or billing addresses
  • Email addresses
  • Birthdates
  • Social Security numbers
  • Financial information (i.e., credit card numbers)

A privacy policy also applies to “anonymous data.” This data isn’t personally identifying on its own but can identify a user when combined with other data. IP addresses are a prime example; the data collected by Google Analytics is another.

You should inform users if you’re sharing their data with third-party services.

In addition to making sure your website is PCI compliant to protect financial information, you need to follow website privacy policy requirements to keep your website visitors’ data secure.

Why You Need A Website Policy

Personal data is a big business. Companies like Google and Facebook made a fortune selling their users’ data.

Having a website policy is a legal requirement, especially in countries with strict privacy laws. In the U.S., government agencies including the Federal Trade Commission (FTC) and the statutes of individual states mandate the website privacy policy requirements. Most states base their privacy laws on the California Consumer Privacy Act (CCPA) and the European Union’s (EU) General Data Protection Regulation (GDPR).

You are legally obligated to follow these laws if your website visitors live in the countries they apply to. For instance, if your ecommerce store is in Asia, but you serve customers in California, you must comply with the CCPA’s website privacy policy requirements.

Having a website policy also keeps things transparent for consumers, who are now taking a more active role in understanding how businesses use and store their information.

Website Privacy Policy Requirements

Writing a privacy policy does not have to be a complicated affair; there are several privacy policy generators online that can help you out. A basic privacy policy details the following information:

  • Type of information collected
  • Methods for collecting information
  • Uses for the information
  • Measures to ensure information is secured
  • Disclosures on which third-parties the information is shared with
  • Controls users have over their information

However, GDPR compliance necessitates stricter website privacy policy requirements than other national or local policies.

GDPR Compliant Privacy Policy

For a privacy policy to be GDPR compliant, it needs to be written in a straightforward and easily understood way — don’t fill it with legalese or jargon that would confuse a layperson. Be clear about how you use and protect your users’ data and think in terms of information accessibility. Here are some sections to include when writing a GDPR-compliant privacy policy:

  • Introduction
  • Definition of terms
  • Principles for processing data
  • User’s rights under the GDPR
  • Your legal basis for processing data

1. Introduction

Every data privacy policy starts with basic information. Your introductory section should include:

  • Legal name and business address of your company
  • What the privacy policy is about
  • The date the policy takes effect
  • Name and contact number of your data controller
  • Name and contact number of your data protection officer (DPO)

Data controllers and DPOs are responsible for ensuring that data handling complies with the applicable data protection laws. The difference between them is that data controllers do not necessarily have to be from the organization they’re monitoring.

“Data controller” is a general term that refers to the person responsible for data security. For instance, if you collect personal information for your or another company’s use, you can be considered a data controller.


2. Definition of Terms

According to Article 12 of the GDPR, an accessible privacy policy is clear and easy to understand. Thus, it is vital to include a definition of terms.


3. Principles for Processing Data

Article 5 of the GDPR includes six principles by which personal data must be processed:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

This section isn't mandatory, and how you present it in your privacy policy is up to you. Some companies simply share the list and declare their compliance, while others take a more personal approach.

Coca Cola shares their principles for data collection and processing in a fun graphic.


4. Users’ Rights Under the GDPR

Users should be made aware of their eight rights under the GDPR:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision making and profiling

AEG shares users’ rights on their privacy policy:


5. Your Legal Basis for Processing Data

Article 6 of the GDPR only allows you to process data on these six legal bases:

  • Consent: The data subject has given permission for their data to be processed.
  • Contract: Data processing is necessary to fulfill a contract.
  • Legal obligation: Processing of the data is required by law.
  • Vital interest: Processing is necessary to protect someone’s life.
  • Public task: Processing is necessary to carry out a task in the public interest.
  • Legitimate interest: The data is processed for legitimate interests that do not override the subject’s fundamental rights or freedoms.

Shopify’s privacy policy includes a section on their legal basis for processing data:


Where to Put Your Privacy Policy Disclaimer?

Once you have drafted a complete website privacy policy, place it in the most conspicuous areas of your website, such as:

  • Website footer: This is usually where all your navigation links are located.
  • About section: This is where many visitors check for a privacy policy.
  • Web forms: Web forms are used to collect personal information, making them the perfect place to ask for consent to process customers’ data.

Consider using a GDPR plugin to initiate a cookie consent popup so that users can opt to disable cookies and protect their private data as these privacy laws intended.

Final Thoughts: Website Privacy Policy Requirements

Websites that process data from persons living in countries with strict data protection laws must publish a website policy that complies with those laws. You can write your policy from scratch or use a free privacy policy generator, but make sure you are legally protected.

If you’re a busy entrepreneur, take the worry of data security off your list of concerns. Get your website in a compliant hosting environment with Nexcess today.

Check out our hosting plans to get started today.

Maddy Osman

Maddy Osman is a WordPress expert and WordCamp US speaker. She is a WordCamp Denver organizer and also operates The Blogsmith, an SEO content agency for B2B tech companies that works with clients like HubSpot, Automattic, and Sprout Social. Learn more about The Blogsmith's process and get in touch to talk content strategy: www.TheBlogsmith.com