Written by Jim Babb

At the very beginning of 2021, I checked off a resolution I should have dealt with months ago: I finalized a privacy policy for Part and Sum’s website. You can read it right here (there are pet photos involved).

I’ll be the first to admit that a privacy policy was not front of mind when we relaunched our website last summer. There were so many other details to juggle, from menu layouts to fonts to client case studies—all while keeping business running smoothly. It was only later, when Wes wrote this guide to CCPA compliance, that I realized we needed to prioritize our own privacy documentation.

We learned a lot in the process, so I thought I’d share it with you.

Do I really need a privacy policy?

Short answer: Yes. Longer answer: Yes, and here’s why. Even if you’re not subject to GDPR or California privacy laws right now, that could change as regulations (and your business) evolve. Furthermore, a good privacy policy—even if it’s not technically required—establishes trust by letting customers know that you value transparency and data security.

What should a website privacy policy include?

The specifics will depend on your data collection and usage practices, but at minimum, you’ll need to disclose:

Creating a privacy policy requires input from people throughout your organization, including marketing, sales, business development, and IT. The first draft of our policy included several question marks—I don’t know every detail of our website’s back-end analytics tools. Looping others in early helped fill in those blanks and gave me a better sense of how the document should be structured.

This technical information may be complex, but the language you use to describe it shouldn’t be. (GDPR Article 12 specifies that customer-facing communication about data and privacy should be “concise, transparent, intelligible and easily accessible... using clear and plain language.”) In fact, a privacy policy is an excellent opportunity to show off your brand voice: Think of it as a one-on-one conversation with customers about something that really matters. Part and Sum’s voice is honest and straightforward, and we prefer speaking like humans, instead of getting bogged down in jargon. So, that’s the approach we took with our privacy policy, too.

Can I use an online privacy policy template?

Search “privacy policy generator” or “free privacy policy” and you’ll see plenty of results. These generic services—many of which are free—can be a good place to start, but you’ll still need to make sure the final language accurately describes your data practices. If you have a static brochure-style website, this might not be very complicated. If you run an ecommerce business, there’s more to consider, from how you track purchasing behavior to how you retain and protect customers’ checkout information.