What it is
To explain how you collect, use, and share personal information.
A Privacy Policy says what personal information you collect about a person and why you need it, how and when you collect that information, who you will share it with, how you will use it, and where you store the information. Not only are Privacy Policies a good way to build confidence with your customers and website visitors, they’re also legally required in many areas of the world.
See what's included in a Privacy Policy
Your Privacy Policy covers a lot of good privacy things:
- what types of personal information you collect and how you collect it
- any categories of sensitive information you collect
- how you use personal information
- when you use personal information, for example using information with consent, to complete a contract you have with the person, and to meet legal obligations, but also to improve your website, services, app, and business
- what will be considered aggregated or anonymized data and how you might use that data, like to create new products and services
- how you share information, like when you share it with your subcontractors and service providers or use it for advertising your business
- data and privacy rights that people have and how you respond to those rights
- specific notices and disclosures that are required by the laws of some countries, provinces, and states, if they are applicable to you
- where you store personal information
- your data security practices
- any automated decision making (e.g., AI) technology you use when collecting, processing, and using personal information
- disclaimers and notices about children and privacy
- how to contact you about privacy questions
We’ll cover all these topics when you make your Privacy Policy.
Not just for websites.
Privacy Policies are a common part of websites, but that’s not the only place you use them. Your Privacy Policy is an important part of all your contracts in your business. It applies to any mobile or web apps you provide. If you run an e-commerce store, your sales terms and conditions should say that your Privacy Policy applies to all sales you make. Your Privacy Policy should also be referred to in any services contract where personal information is collected or used by someone on your behalf, like an independent contractor, sales representative, or consultant.
Who needs it
When you need one
You collect personal information.
If you collect personal information, then you need a Privacy Policy. What is “collecting personal information”? It’s really quite broad. Under privacy laws – from Canada, to the US, to Europe’s GDPR – personal data is any information about a human being that can identify the person. So if you track how website visitors use your website, your app asks for personal details of a person, or you ask for any personal information when providing your services, then you’re collecting personal information and should have a Privacy Policy.
Whenever you get personal information from someone else or share it with another business or person.
Many businesses use personal information given to them from others. For example, a shipping company gets a customer’s address from a business so it can deliver products. Software-as-a-Service (SaaS) companies may link their platform to third-party services and share personal information so that their integrations work. If you’re a freelancer, you might get personal information about your client’s customers to make a marketing plan, build out a dashboard, or provide data analytics. Whenever you’re swapping personal information with someone else, whether you’re getting the personal information or sharing it, you need a Privacy Policy.
You store personal information.
If you’re storing personal information on your own systems or cloud-based services you subscribe to, like AWS or Google Cloud Platform, then you should have a Privacy Policy. It will say that you store personal information, include some details on where you host or store data (e.g., in which countries, provinces, or states personal information is stored by you), and give some important disclaimers and notices about personal information protections and rights.
FAQs
What is personal information?
“Personal information”, often called personal data as well, is very broadly defined in privacy laws as information about an identifiable individual. Being able to identify the individual is the key part. So, anonymous information or de-identified or aggregated information that can’t be linked back to a person is not personal information.
What is a Cookie Policy?
A Cookie Policy tells website visitors, customers, and others how you track their use of your website through cookies and other tracking technologies.
What is anonymized or aggregated data?
Anonymized personal data is information about a person that’s been anonymized so that it can’t be linked back to that person on its own or by combining it with other data.
Aggregated data is personal information combined with other data, usually in a way that makes it difficult or even impossible to identify a person. Aggregate data can be very useful because it gives businesses key insights about products, market demand, and other analytics that can help the business grow. Sometimes, aggregate data can be sold to others as benchmark reports, insights, or market analytics.
Your Privacy Policy explains that you may anonymize and aggregate personal information to use it for other things, like improving your products, services, or app.
Do you cover General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) requirements? What about other provinces and states with specific privacy law requirements?
Yes, when you make your Privacy Policy through Made It Legal we’ll cover GDPR and California privacy topics. We also cover some other provinces and states that have specific privacy law requirements, including Quebec. But please do keep in mind that this doesn’t replace the need to get legal advice.
Are personal information and personal data the same thing?
Without getting into a law school style lecture on the topic, yes, you can think of them as the same thing. Some laws call data about an identifiable person “personal information” and other laws call it “personal data”. There are some differences in laws about what exactly is considered personal information or personal data, but you can think of these two terms as meaning the same thing.
Do companies have privacy rights?
Privacy laws apply just to individuals. That is, real human beings. Corporations, businesses, and organizations may have confidentiality rights under a contract with you (for example, a Confidentiality Agreement or Non-Disclosure Agreement) and their information may be protected by intellectual property rights, but privacy laws don’t protect their information.