Website privacy policy template

This is a 'boilerplate' privacy policy template that can be easily edited for any UK hosted website.

It can also be used for apps and offline.

As well as complying with data protection legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), it will help reassure your customers and website visitors that you protect their personal data and take privacy seriously.

We provide this document for download and use completely free of charge.

Suitable for use in: England & Wales and Scotland
  • Solicitor approved
  • Plain English makes editing easy
  • Guidance notes included
  • Money back guarantee

About this privacy policy template

This template provides you with the wording you need to create a policy for your website or app.

Most modern websites collect data about the people who visit them. Often it might be clear to visitors when this happens, for example, when they buy from you or sign up for your services, but sometimes it might be less obvious, such as when you track their browsing behaviour.

In May 2018, data protection law came into force that strengthens the rights of individuals to know what personal data about them is collected, used and managed. This privacy policy template helps you comply with every aspect of the law.

Alternative privacy policy templates for specific industries

This document has been written to be suitable for use on any website.

If you provide one of the following specific professional services, you'll be able to download a version written specifically for your business:

Free to download and use

This is a completely free privacy policy template.

We don't ask you to acknowledge our copyright in it, mention us in any way or link to our site in return for using it.

Features and contents

The template is written in plain language that is visitor friendly and is structured so that it is both easy to read and easy to edit.

The first part of the notice explains the legal bases you have chosen for processing different types of information and how these types are used.

The second part deals with specific uses – less designed to comply with the GDPR and more for the purposes of reassuring customers and protecting you under different laws (for example, regarding copyright).

The third part sets out requirements under the GDPR and DPA once again: whether data is shared with other organisations; how it can be reviewed; and other miscellaneous matters.

In places, we have provided a number of options, where you choose the most appropriate and delete the others. In other places, we have provided ideas and the most common scenarios. The notice may need a little customisation to reflect fully your policy, but because it is written in plain English, editing it is easy.

This notice can be used by a wide range of types of business. Examples of those currently using it include:

  • solicitors, accountants and other business consultants
  • e-commerce sites
  • service providers such as career development coaches and fitness trainers
  • blogs and information sites
  • web hosting providers
  • hotels
  • community projects
  • not for profit organisations and charities

The contents of the document cover:

  • Categories of information collected and used, organised by the legal basis for use
  • Visitor contributed content
  • Payment information, whether debit or credit card information or other financial information
  • Cookies
  • Other personal identifiers from browsing activity
  • Advertising, including use of remarketing
  • Data transfers and processing outside the EU
  • Access to personal information
  • Removal of personal information
  • Data retention
  • Complaints

Why do I need a privacy policy?

If you collect, use or store personal data for anything other than purely personal use, then UK and EU law requires that you tell the person concerned what data about them you 'process' and how.

Personal data is any data that identifies an individual. It commonly includes first and last names, contact information such as an email address or delivery address, and payment information such as credit card details. It may also include data that you may not have considered, such as an IP address logged by your web server or video footage taken by a security camera on your premises.

The usual way to disclose the required information is to publish a privacy policy on your website, particularly if you collect personal data through use of your website.

In addition to legal compliance, there are other good reasons to publish a privacy policy:

  • Other third party businesses whose services you use may require you to do so as part of your contract with them. For example, if you use Google AdSense or Google Analytics, Google requires you to tell your website visitors that you do.

  • A well-written privacy policy will help you build trust with customers who may not know your business and who may be wary to buy from you. By disclosing your privacy practices, you'll reassure your customers that their personal data is in safe hands. A website that clearly links to its legal policies (for example, in the website footer) is likely to present a professional image.

If you don't have a website

Because it is easy to post a privacy policy online, we tend to associate a privacy statement with a website.

However, the law requires you to disclose how you collect, use and store personal data even if you don't have a website, or if you process information by other means.

Whether you need a privacy policy is not determined by what technology you use, nor by whether you are in business in a particular industry.

If you publish a mobile app, you can (and should) use the same privacy policy on your website and in your app. Apple, Google and Facebook will all reject your app at review if you don't have a privacy statement, or if it is not clearly labelled. So if you are an app developer, whether you develop for iOS, Android or Facebook (or even desktop), you can and should publish a privacy policy.

If you process information offline, the law still applies. A good example is if you're a landlord letting a house to tenants. In dealing with the tenants you collect personal data. The tenants will have privacy rights if you're 'in business' as a landlord. Whether you're 'in business', and therefore whether you need a privacy policy or not, depends on the circumstances. However, it's often safer to provide the information than not.

Writing your privacy policy

Your privacy statement should reflect the way your organisation collects and uses personal data. This will change between organisations enough to make each notice unique, but there are common elements that can be covered with standardised statements.

By giving you the wording for different common situations, we hope that we have done as much of the work for you as we can. We also include our guidance notes, which explain how to edit the privacy policy for your website.

However, you will need to spend time editing this privacy policy template. There are advantages to this.

Your obligation under UK law is not just to publish a statement about the personal information you collect, but also to put in place policies and procedures that your website visitors and users never see. While considering how data is collected, used and managed, the task of editing should prompt you to think about your privacy practices overall and how other parts of your organisation might need to change.

For example, you might need to put in place more secure data transfer processes between two teams or you may be able to reduce the data you collect.

Additionally, a well-written privacy notice is likely to demonstrate your willingness to comply with the law, even if your organisation falls short in some areas.

One aspect of the GDPR that has caught the headlines is the ability of a supervisory body (the Information Commissioner’s Office or ICO in the UK) to hand out large fines for non-compliance.

Based on how the ICO has acted in the past, our opinion is that it is unlikely to use its full powers against SMEs from day one. More likely, it will issue a warning before a fine, especially if the business can show that it has attempted to comply with the law – unless, of course, a very serious data breach has occurred.

Your privacy statement is likely to be the first thing that the ICO will consider when judging whether you have made an attempt to comply with the GDPR and other regulations. A well-written notice is therefore likely to reduce the likelihood of immediate punitive action.

The steps you should follow

Download the sample privacy policy template. It is in Microsoft Word DocX format, which can be edited in most word processing software.

Read the guidance notes at the end of the document. You'll need to refer back to them as you edit, but having read them first, you'll have a better idea of how to edit.

Make a list of the types of people who you collect personal information about: website visitors, users, customers, employees, contractors and suppliers, business partners, other third parties.

For each of the types of people, make a list of the personal information you collect, use or store. It may be information they provide to you themselves, or it may be information a third party provider (such as a credit reference agency) provides, or it may be data that you collect from your interaction with them.

Be aware that some user data needs to be treated more carefully than other information. 'Special Category Data' is defined by the law as information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions and trade union membership. It also includes health, genetic and biometric data. If you do process Special Category Data, you need to make sure that you disclose that you do.

Decide on the granularity of your disclosure. It may seem right to disclose every item of data. But that may give users more information than perhaps is useful to them. We suggest you group information into types, such as 'contact information' and 'payment information' and give examples of the types of data in each group. For example, "'Contact Information' is information that we use for the purposes of communicating with you and may include your postal address, your telephone numbers and your email address."

Decide on the basis or bases on which you process personal information. As described further down this page, there are six bases and you are required by law to tell users which ones you use. Most organisations will use at least three of the six ('Consent', 'Legitimate Interests' and 'Legal Obligation'), and possibly four or five. Again, you can give detailed information about which basis is used for each item of data, but it may be more practical to give examples of which groups are processed under each basis.

Work your way through the remaining paragraphs in the privacy policy template. You'll need to make sure that each is relevant for your organisation. Most just require light editing.

When the privacy policy reflects your business practices, publish the text on your website, either through your content management system or directly after converting it to HTML.

The bases for processing data covered in this template

The GDPR requires you to choose and communicate (for example, in a privacy notice) the lawful basis on which you process personal data. There are six possible bases. Of these, most businesses and organisations are likely to choose from four, so this privacy policy template gives you the options to use those.

Some data could be processed under one basis, and other data under another. Additionally, a basis might change over time.

Consent

For marketing purposes, Consent is likely to be the basis used.

For example, a website visitor could enter his or her email address on your website in order to receive monthly newsletters, or a member of a club could tick a box on a paper membership form. If Consent is the basis you use, then you should provide some means, clearly displayed, for the subject to withdraw it, such as an unsubscribe link in the newsletter.

The advantage of Consent is that you can clearly demonstrate in any disagreement that consent has been given – it requires the data subject to take specific action to allow you to use data you collect about him or her.

Contract

Contract as a basis can be used where processing the data is necessary to carry out a contract that the data subject has requested, or where a subject has asked you to do something before entering into a contract (for example, providing a quote) that requires you to process data. A contract has the same definition as under contract law.

Importantly, the processing must be a reasonable way to deliver your side of the agreement, and the basis can no longer apply once the contract is complete. That means, for example, that marketing messages to previous customers cannot be sent under this basis.

Legal Obligation

Legal Obligation can be used as a basis where there is statutory law that requires you to store or use data. For example, HMRC requires all businesses to store records of transactions. Whether other obligations to process data apply to you depends largely on the industry in which you operate or the type of organisation you are.

Legitimate Interests

Legitimate Interests is the most flexible basis, in that it is the most subjective. However, it is not always the most appropriate.

For it to be used, there needs to be a good reason to process the data (beneficial to the organisation, the individual or both), and the processing must be necessary to achieve that purpose. The right of the data subject not to have the data processed must also have been considered. If the individual might not expect the processing to take place, or if the processing might harm their interests, then Legitimate Interests cannot be used as a basis.

Examples of where Legitimate Interests might be used include:

  • to obtain insurance for the business to protect against a fraudulent claim

  • to notify members of an organisation of a change which, if they were not aware of it, might cause them harm

Do I need a separate cookie policy?

Cookies are often used to provide website functionality across multiple pages. A cookie is a file that is placed on the user's device that records information collected or generated from a previous page.

Whether you disclose your use of cookies within your privacy policy or in a separate cookie policy is a question of presentation.

The law doesn't regulate the use of cookies specifically, but technology that places information on users' devices is regulated.

In addition, cookies may contain personal data, and even if they don't, their purpose may be linked to processing personal data.

This privacy policy template allows you to comply with your legal obligations to disclose whether you use cookies.

You may wish to read more about disclosure requirements for cookies before deciding how much information about them to disclose.

To summarise that article:

The law only requires you to disclose information and obtain consent to use cookies that are non-essential for the operation of your website or app.

You should tell your website users sufficient information for them to understand the implications of consenting to use cookies. However, what is sufficient is subjective and it can be impractical to provide and maintain detailed information.

Do I need to comply with privacy laws outside the UK?

Other legal jurisdictions have similar privacy laws to the Data Protection Act.

You may have been told that you need to comply with the Privacy Act, the Personal Information Protection and Electronic Documents Act (PIPEDA) or the California Online Privacy Protection Act (CalOPPA).

While every enforcement authority would like the reach of their legislation to be global, enforcing privacy laws outside their jurisdiction is very difficult unless your business or organisation has some assets in that jurisdiction.

So while it may be a good idea to comply with Californian law if many of your website visitors are from California (for non-legal reasons), your obligations to comply with UK law do not require you to make your privacy policy compliant with the law of any other country.

In any case, because the DPA sets such a high standard for disclosure, if you comply with UK law, particularly in respect of 'openness', you're likely to meet most of the requirements of other countries around the world by default.

How do I make my privacy policy enforceable?

Your privacy policy is not technically 'enforceable' in the same way that contracts are. Your users don't need to agree to the terms as they would your website terms of use or conditions for sale.

A privacy policy is a disclosure statement or a notice, not a 'privacy policy agreement'.

However, you do need to make sure that users have an opportunity to read it. So it is a good idea to follow common practice and link to it from an expected location such as your website's footer.

You can also provide links to it whenever a user gives personal data. This should remind the user that you take data privacy seriously and that he or she can trust you. As examples, you might do so on email newsletter sign-up forms, 'contact us' forms, account creation forms and e-commerce checkout pages.

On mobile apps, you might link to your privacy policy page from within your menu (perhaps under a 'Legal' or 'About' menu item).

Do I also need a data protection statement, GDPR policy or data processing agreement?

Privacy policies are also known as privacy statements or privacy notices. The statement discloses the policy of the organisation in so far as it is a 'controller' of personal information.

You may also hear about 'data protection statements' or 'GDPR policies'. These are usually documents with a different purpose and audience: to tell employees or third party contractors about the internal business processes that protect the customer's privacy and rights. They are usually appended as a schedule to a contract for services, or form part of the staff handbook.

In addition, your business may use a 'data processing agreement' to make sure that if a third party processes personal information, it complies with the law. Doing so is a requirement of the GDPR. Certain clauses are mandatory, others expand on them for specific data or circumstances.

For your website or app, you just need a (website) privacy policy. If you enter into other types of arrangements, as part of your obligation to protect privacy, you may need one of these other documents as well.

Draftsman

This document was written by a solicitor for Net Lawman. It complies with current English law.

What Our Clients Say
  • "I was really pleased with my recent experience of using Net Lawman. I was able to obtain important legal documents needed to support my small business. Net Lawman understood my needs and provided fast and efficient service without incurring the significant costs of a traditional law firm. I would both recommend and use Net Lawman again."

    Shireen Arthur
  • "Quoted £1000 by my company's law firm - paid £10 with Net Lawman."

    Spicer and Moore Ltd.
  • "Makes me wonder why I have spent so much for so long with lawyers who charge £200+ per hour and take ages to make something complex!"

    Kevin Jones