Many companies and website owners have questions about privacy policies. When building a business or operating a website, this is not the most exciting part to be working on, but it is important to check this box. To make your life easier, we compiled a list of things you should take into account.
- A note on terminology
- What is the purpose of a privacy policy?
- Do I need a privacy policy for Google Analytics?
- How do you write a privacy policy?
- An example of a layered privacy policy
- Google Analytics privacy policy template
- When should my privacy policy be displayed?
- What information should my privacy policy contain?
- Update: new guidance on cookie banners
- Final Thoughts
Let's dive in!
A note on terminology
In everyday language, a privacy policy or privacy notice is a document that includes a bunch of legalese about the use of personal data. The two terms are often used interchangeably, but they are not exactly the same in legalese: a privacy policy is an internal document, while a privacy notice is written for users/customers/visitors etc.
When people talk about a company's privacy policy, they are more often than not referring to a privacy notice. Even companies sometimes refer to their notices as policies: for instance, the privacy section of Google's terms is referred to as a privacy policy.
In this blog we will say "privacy policy" because we are not fans of strict legalese- but it is still good to know that policies and notices are not exactly the same.
What is the purpose of a privacy policy?
The primary purpose of a privacy policy is to inform the reader of what you do with their data, how, and why. In the case of the website, a privacy policy will notify the visitor of the processing of their data and the purposes of the processing (website optimization, market analytics, etc.).
You should tell the reader what data you are processing, on what legal basis, for what purpose, and so on. You should also inform the reader about their rights under the GDPR (such as requesting the erasure of the data and filing a complaint). And you must facilitate the exercise of these rights by providing a point of contact for any requests or questions they might have.
Keep in mind that a privacy policy directly addresses the user of your service, or the visitor of your website. The information should be as clear and accessible as possible, so use plain language and leave the jargon to the lawyers!
Do I need a privacy policy for Google Analytics?
Yes, you do. Google Analytics collects cookies and IP addresses which are personal data under the GDPR. You also need consent to process cookies because they fall under the ePrivacy Directive. This is the case for both first-party and third-party cookies (the latter are associated with a domain different from the one the user is visiting and tend to be more privacy-invasive).
How do you write a privacy policy?
It's not rocket science, but it is not simple, either. Your privacy policy needs to include many specific pieces of information to comply with Art. 13 GDPR. At the same time, it must be concise, accessible, and clear to comply with Art. 12(1) GDPR.
It can be hard to include all the information required while keeping your policy simple and accessible, but a layered approach can help you strike a balance. A layered privacy policy provides the most crucial information upfront. It refers the reader to other resources for more detailed information (for example, by linking to different pages or maybe to the relevant headers of a single, more extended notice).
An example of a layered privacy policy
First, a necessary disclaimer: this is not legal advice and should not be taken as such. Every notice needs to be tailored to a specific website. Please don't copy-paste your notice from us or from anywhere else on the Internet! If you have some knowledge of privacy law, write one yourself. Otherwise, have an expert draft one for you.
That being said, here's an example template for a layered privacy policy:
We at awesomewebsite.com use Google Analytics to collect data. We need this data to understand how you use our website so we can improve its design and functionality. We also need the data to get the most out of our marketing campaigns.
With your consent, Google Analytics will process and collect your personal data (cookies and IP address) to give us valuable information. Google Analytics will transfer your data to the United States and store it for 6 months. To learn more about Google's data transfer policies, click here.
You have certain rights over your data: for example, you can require us to delete them or to provide you with a copy. We take responsibility for the processing of your data. We are available to answer any question and handle any request from you. Click here to read more about your rights and to find how you can get in touch with us.
Please express your cookie preference:
- I consent to the processing of non-essential cookies
- I refuse the processing of non-essential cookies We will not read or write cookies without your consent.
Google Analytics privacy policy template
We at awesomewebsite.com use Google Analytics to collect data. We need this data to understand how you use our website so we can improve its design and functionality. We also need the data to get the most out of our marketing campaigns.
You must include all the purposes for which you process the data and clearly distinguish between them. This is just an example: if you collect personal data for other purposes as well, you should mention that.
With your consent, Google Analytics will process and collect your personal data (cookies and IP address) to give us valuable information. Google Analytics will transfer your data to the United States and store it for x months. To learn more about Google's data transfer policies, click here.
The link is where you can explain that Google Ireland Ltd. transfers data to Google LLC and that they are using standard contractual clauses to safeguard the data. You should clarify what that means in plain language. For example:
Standard contractual clauses are legal clauses written by the European Commission. They are part of a contract between Google Ireland Ltd. and Google LLC, and Google LLC must follow them. Standard contractual clauses tell Google LLC what it can and cannot do with your data.
There is no need to reproduce the content of the clauses, but you could provide a link to Google's own documentation.
Please note that providing this information does not make the data transfer lawful. Google Analytics is practically banned in four EU countries (Austria, France, Italy and Denmark) because the data transfers between Google Ireland and Google LLC were found to violate Chapter V of the GDPR, and more countries may follow. There is nothing you can realistically do about this: if you use Google Analytics, you are accepting a compliance risk. We wrote more about the topic here.
As a result of this, a debate has sparked on whether all version of Google Analytics are found to be unlawful or only the current version (universal analytics).The short answer is that the violations apply to both versions of Google Analytics. We've written about this more extensively in this blog.
(Update: the situation is a little more unclear now due to a new EU-US data transfer framework implemented in 2023. The long legal saga of data transfers is not quite over yet, as the new framework has already been challenged before the EU Court of Justice. In all likelihood, the framework will not survice the Court's scrutiny, and we will all be back to square one- with data transfers being a major problem for EU companies)
You have certain rights over your data: for example, you can require us to delete them or to provide you with a copy. We take responsibility for the processing of your data. We are available to answer any question and handle any request from you. Click here to read more about your rights and to find out how you can get in touch with us.
This is where you can include information on the right of access, the right to withdraw consent, the right to erasure, the right to lodge a complaint in the Member State where the reader lives or works, and possibly the right to object. If you are processing personal data without consent, be careful to specify which categories of data the user can request you to erase. And clarify that you are responsible for handling requests, not Google.
You always need to provide contact information for your organization, and if you have a DPO and an EU representative, you must also provide a contact for them. Contact information is really important in practice. Don't just fill in an email and forget about it: make sure requests are forwarded to someone who will actually handle them! Companies are often fined for failing to respond to requests promptly.
If you have a DPO, direct the user to them for any requests- handling them is part of the DPO's job. If you don't have a DPO, then it is good practice to make someone in your organization responsible for responding to requests. Provide a direct contact for them in your privacy policy so that requests don't get overlooked among the organization's mail.
Please express your cookie preference:
- I consent to the processing of non-essential cookies
- I refuse the processing of non-essential cookies We will not read or write cookies without your consent.
This choice must be presented in clear, non-deceiving terms: yes or no. If the user says "no," respect their decision and don't show them the cookie banner again.
A user might want to agree to cookies for specific purposes; for example, they may accept first-party cookies for website optimization and refuse third-party marketing cookies. Including a "customize" option is acceptable if the option to refuse all cookies is visible, easily accessible, and clearly worded. Don't force users to run through five different cookie settings to say "no," and don't force confusing choices like "accept" versus "customize."
Many companies don't design the cookie banners themselves and rely on a consent-management platform instead. The same suggestions apply: in a nutshell, make sure your cookie banners are clear and allow users to refuse consent easily.
Finally, if you collect some personal data without consent, you should also include that information. For example, you could add a last bit such as:
We will still collect some data if you do not consent. Click here to learn more.
In the link, you can specify what data you collect and on what legal basis.
When should my privacy policy be displayed?
If you are using Google Analytics, your privacy policy should be displayed as soon as the user lands on your website. You should also include it on your website so that returning users can access the information easily.
From a practical standpoint, it makes sense to merge your policy with your cookie banner, as we did in our template. You need a cookie banner anyway, and one annoying pop-up is better than two.
On a side note, under the GDPR, withdrawing consent should be as easy as it is to give it. So your website should allow users to withdraw consent easily in some way. It doesn't really matter how, as long as the option is hassle-free and easily accessible. So it might be convenient to include an opt-out button or a similar option in the policy displayed on your website. But please remember that this opt-out mechanism cannot itself collect consent: you still need to do that in your cookie banner!
What information should my privacy policy contain?
Your privacy policy should contain all the information required by Art. 13 GDPR. In Google Analytics' case, that would be:
- the purpose and legal basis for the processing
- contact details for the controller, the DPO, and the EU representative (if applicable)
- the reader's data rights (including the right to file a complaint with a privacy authority)
- whether the data will be disclosed to third parties
- whether the data will be transferred outside the US, and with what safeguards
- how long the data will be stored
You can think of Art. 13 as a checklist you can go through to ensure your policy is compliant. In fact, we wrote our template with this article in mind. But covering all of the information is not enough: as we said, this information needs to be provided in a clear and accessible form.
Update: new guidance on cookie banners
In 2023 the European Data Protection Board (that is, the body that brings European privacy watchdogs together) issued some recommendations on cookie banners. If you want to use Google Analytics on your website, these recommendations (and our blog about them) are a worthwhile read.
Bottom line: the Board (more exactly, its task force) did not reach complete consensus, but the majority agreed that cookie banners need an easily visible and clearly worded "reject button" in the first layer. In other words, you need to give users a fair and transparent choice rather than nudging them to accept everything through convoluted and deceiving interface design.
This aligns nicely with what we wrote beforehand about not forcing confusing choices on your users. We don't have a crystal ball: all of this is really common sense. And it's nice to see that the EDPB is finally taking a stance against consent Jujutsu practices that have been commonplace for years.
Final Thoughts
Our template provides the information as part of a cookie banner because it's convenient. But to be clear, a privacy policy is not just about cookies: if you are collecting any other personal data, you must also inform the user about that.
One last word: when it comes to privacy, there is a big gap between theory and practice. Many websites provide less comprehensive information than required, and very few websites allow consent to be withdrawn easily. So you might get away with it, but you would still not be GDPR compliant.
Bottom line: Omit the required information at your own peril (and feel bad about yourself).
... what if (most of) this isn't necessary in the first place?
...what if there is an analytics tool that provides web analytics without the need for an extensive privacy policy?
...what if you can gather insights into your website traffic without needing a cookiebanner?
Yep, that's possible... we created Simple Analytics with this in mind. We wanted to create a web analytics tool that provided insights into website traffic without needing cookies to collect personal data. We believe in creating an independent web that is friendly to website visitors. If this resonates with you, feel free to give us a try.