Website privacy policy template

This is a 'boilerplate' privacy policy template that can be easily edited for any UK hosted website. We provide this document for download and use completely free of charge.

It can also be used for web and mobile apps and by businesses that operate offline.

As well as complying with data protection legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), it will help reassure your customers and website visitors that you protect their personal data and take privacy seriously.

Suitable for use in: England & Wales and Scotland
  • Solicitor approved
  • Plain English makes editing easy
  • Guidance notes included
  • Money back guarantee
About
Preview
Why from us
Ask a question
Customer reviews

Why you need a privacy notice

In May 2018, enhanced data protection law came into force. It strengthens the rights of individuals to know what personal information about them is collected, used and managed (or otherwise 'processed').

The DPA applies widely: to small businesses and sole traders as well as large multinationals, and whether you have an online business or work completely offline. The key deciding factors as to whether you need a compliant privacy policy are:

  • whether you process personally identifable information that could be linked to a private individual (known as a 'data subject'); and

  • whether data subjects are citizens or residents of the UK or European Union member states.

The requirements of the DPA are not just that you protect personally identifiable information but that you also inform users about how your business collects and processes personal information and data subject rights.

Technically, a privacy notice is the means by which you communicate your privacy policy. However, because it is common to do so, we use the two terms interchangeably to mean the method of disclosure.

One of the core functions of many websites is to present a professional image of the business. Simply put, one of the main reasons to publish a privacy notice is because the general public expects you to do so. Not having one can put off potential customers from buying from you.

A sound template for your app or website privacy notice

This privacy policy template provides you with the wording you need to create a notice for your website or mobile or desktop app.

Most websites and apps collect personal data about the people who use them.

While it might be clear to visitors or users when this happens, for example, when they provide credit card details to buy from you or otherwise sign up for your services, sometimes it might be less obvious, such as when you track their browsing behaviour or transfer data to third parties.

It meets the requirements for disclosure for app stores including Facebook Apps, Google Play and the Apple App Store, and for advertising platforms including Google Adsense.

Alternative templates for specific industries

If you work in one of the following specific professional service providers, you'll be able to download a version specifically for your business:

Features and contents

Free to download and use

This is a completely free privacy policy template.

We don't ask you to acknowledge our copyright in it, mention us in any way or link to our site in return for using it.

Easy to understand & fast to edit

The template is written in clear and plain language that is visitor friendly, easy to read and easy to edit.

It is structured so that you can disclose all the necessary information legally required for GDPR compliance.

The introduction gives information about your business: the name and address and, if you have appointed a data protection officer, the name and contact details of the DPO.

The first part of the notice explains the legal bases you have chosen for processing different types information collected by you and how these types are used.

The second part deals with specific uses – less designed to comply with the General Data Protection Regulation and data protection law, and more for the purposes of reassuring customers and protecting you under different laws (for example, regarding copyright). In this part, you can describe

The third part sets out requirements under the General Data Protection Regulation and data protection law once again: whether the information is shared with other organisations; how it can be reviewed; and other miscellaneous matters.

In places, we have provided a number of options, where you choose the most appropriate and delete the others. In other places, we have provided ideas and the most common scenarios. The notice may need a little customisation to reflect fully your policy, but because it is written in plain English, editing it is easy.

Contents

The contents of the document cover:

  • Categories of collected personal information and how it is used, organised by the legal basis for use
  • Visitor contributed content
  • Payment information, whether debit and credit card information or other financial data
  • Cookies
  • Other personal identifiers from browsing activity
  • Advertising, including use of remarketing
  • Data transfers and processing outside the EU
  • Access to personal information
  • Removal of personal information
  • Data retention
  • Complaints

Suitable for many types of business

This notice can be used by a wide range of types of business. Examples of those currently using it include:

  • solicitors, accountants and other business consultants
  • e-commerce sites
  • service providers such as career development coaches and fitness trainers
  • blogs and information sites
  • web hosting providers
  • hotels
  • community projects
  • not for profit organisations and charities

Why do I need a privacy policy?

If you collect personal data or use or store personal information for non-personal use, then UK law requires that you tell that person what data you 'process' and how.

Personal information is any data that identifies an individual. It commonly includes first and last names, contact information such as an email address or delivery address and payment information such as credit card information or credit card details. Personal data may also include data that you may not have considered such as an IP addresses logged by your web server or video footage taken by a security camera on your premises.

The usual way to disclose the required information is to publish a privacy policy on your website, particularly if you collect personal data through use of your website.

In addition to legal compliance, there are other good reasons to publish a privacy policy:

Most of the third party services used by businesses to improve their user experience or deliver targeted advertising, require them to publish their website privacy policy. So if you want to use such third party services, you may be required to publish your website privacy policy as part of your contract with them. Some of the most popular third party services including: Google AdSense, Google Analytics, and Google.

A well-written privacy policy will help you build trust with customers who may not know your business and who may be wary to buy from you. By disclosing your privacy practices, you'll reassure your customers that their personal information is in safe hands. A website that clearly links to its legal policies (for example, in the website footer) is likely to present a professional image.

If you don't have a website

Because it is easy to post a privacy policy online, we associate a privacy statement with a website.

However, the law requires you to disclose how you collect,use and store personal information even if you don't have a website or if you collect personal data by other means (for example, a mobile app).

Whether you need a privacy policy is not determined by what technology you use, whether you are in business in a particular industry.

If you publish a mobile app, you can (and should) use the same privacy policy on your website and on your app. Apple, Google and Facebook will all reject your mobile app at review if you don't have a privacy statement, or if it is not clearly labeled. So if you are app developer, whether you develop for iOS, Android or Facebook (or even desktop), you can and should publish a privacy policy.

If you process information offline, the law also still applies. A good example is if you're a landlord letting a house to tenants. In dealing with the tenants you collect personal information. The tenants will have privacy rights if you're 'in business' as a landlord. Whether you're 'in business' and therefore whether you need a privacy policy or not depends on the circumstances. However, it's often safest to provide information than not.

Writing your privacy policy

Your privacy statement should reflect the way your organisation collects and uses personal information. This will change between organisations enough to make each notice unique, but there are common elements that can be covered with standardised statements.

By giving you the wording for different common situations, we hope that we have done as much of the work for you as we can. We also include our guidance notes, which explain how to edit the privacy policy for your website.

However, you will need to spend time editing this privacy policy template. There are advantages to this.

Your obligation under UK law is not just to publish a statement about personal information you collect,  but also to put in place  security measures, policies and procedures that your website visitors and users never see. While considering how personal information is collected, used, and managed, the task of editing should prompt you to think about your privacy practices overall and how other parts of your organisation might need to change.

For example, you might need to put in place more secure personal data transfer processes between two teams or you may be able to reduce the personal data you collect.

Additionally, a well-written privacy notice is likely to demonstrate your willingness to comply with the law, even if your organisation falls short in some areas.

One aspect of the GDPR that has caught the headlines is the ability of a supervisory body (the Information Commissioner’s Office or ICO in the UK) to hand out large fines for non-compliance.

Based on how the ICO has acted in the past, our opinion is that it is unlikely to use its full powers against SMEs from day one. More likely, it will issue a warning before a fine, especially if the business can show that it has attempted to comply with the law – unless, of course, a very serious data breach has occurred.

Your privacy statement is likely to be the first thing that the ICO will consider when judging whether you have made an attempt to comply with the GDPR and other regulations. A well-written notice is therefore likely to reduce the likelihood of immediate punitive action.

The steps you should follow

Download the sample privacy policy template. It is in Microsoft Word DocX format, which can be edited in most word processing software.

Read the guidance notes at the end of the sample privacy policy template. You'll need to refer back to them as you edit, but having read them first, you'll have a better idea as to how to edit.

Make a list of the types of people about whom you are collecting personal information: site visitors, users, customers, employees, contractors and suppliers, business partners, other third parties.

For each of the types of people, make a list of the users personal information you collect, use or store. It may be information they provide to you themselves, or it may be  a third party provider (such as a credit reference agency) provides, or it may be personal data that you collect from your interaction with them.

Be aware that some user data needs to be treated more carefully than other information. 'Special Category Data' is defined by the law as information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions and trade union membership. It also includes health, genetic and biometric data. If you do process Special Category Data, you need to make sure that you disclose that you do.

Decide on the granularity of your disclosure. It may seem right to disclose every item of data. But that may give users more information than perhaps is useful to them. We suggest you group information into types, such as 'contact information' and 'payment information' and give examples of the types of data in each group. For example, 'Contact Information' is information that we use for the purposes of communicating with you and may include your postal address, your telephone numbers and your email address."

Decide on the basis or bases on which you process personal information. As described further down this page, there are six bases and you are required by law to tell users which ones you use. Most organisations will use at least three of the six ('Consent', 'Legitimate Interests' and 'Legal Obligation'), and possibly four or five. Again, you can give detailed information about which basis is used for each item of data, but it may be more practical to give examples of which groups are processed under each basis.

Work your way through the remaining paragraphs in the privacy policy template. You'll need to make sure that each is relevant for your organisation. Most just require light editing.

When the privacy policy reflects your business practices you should publish the text to your website (clearly linking to it at prominent place such as website footer), through your content management system or directly after converting it to HTML.

The bases for processing data covered in this template

GDPR requires you to choose and communicate (such as in a privacy notice) under what legitimate basis you collect data. There are six possible bases to collect personal data. Of these, most businesses and organisations are likely to choose one of four, so this privacy policy template gives you the options to use those.

Some personal information could be processed under one basis, and other personal information under another. Additionally, a basis might change over time.

Consent

For marketing purposes, Consent is likely to be the basis used.

For example, a website visitor could enter his or her email address on your website in order to receive monthly newsletters, or a member of a club could tick a box on a paper membership form. If Consent is the basis you use, then you should provide some means, clearly displayed, for the subject to withdraw it, such as an unsubscribe link in the newsletter.

The advantage of Consent is that you can clearly demonstrate in any disagreement that consent has been given – it requires the data subject to take specific action to allow you to use personal information you collect about him or her.

Contract

Contract as a basis can be used where processing the personal information is necessary to carry out a contract that the data subject has requested, or where a subject has asked you to do something before entering into a contract (for example, providing a quote) that requires you to process personal information. A contract has the same definition as under contract law.

Importantly, the processing must be a reasonable way to deliver your side of the agreement and the basis no longer can apply once the contract is complete. That means, for example, that marketing messages to previous customers cannot be sent under this basis.

Legal Obligation

Legal Obligation can be used as a basis where there is statutory law that requires you to store or use personal information. For example, HMRC requires all businesses to store records of transactions. Whether other obligations for you to process data exist largely depend on the industry in which you operate or the type of organisation.

Legitimate Interests

Legitimate Interests ('LI') is the most flexible basis, in that it is most subjective. However, it is not always most appropriate.

For it to be used there needs to be a good reason to process the data (beneficial to either the organisation or the individual or both) where processing under this basis is necessary to achieve it. The rights of the data subject not to have the data processed must also have been considered. If the individual might not expect the processing to take place, or if processing might cause harm to an interest, then LI cannot be used as a basis.

Examples of where LI might be used include:

  • to obtain insurance for the business to protect against a fraudulent claim

  • to notify members of an organisation of a change of which if they were not aware, might cause harm

Do I need a separate cookie policy?

Cookies are often used to provide website functionality across multiple pages. A cookie is a file that is placed on the user's device that records information collected or generated from a previous page.

Whether you do so within your website's privacy policy or whether you have a separate cookie policy is a question of presentation.

The law doesn't regulate use of cookies specifically, but technology that places information on users' devices is.

In addition, cookies may contain personal data, and even if they don't, their purpose may be linked to processing personal data.

This privacy policy template allows you to comply with your legal obligations to disclose whether you use cookies.

You may wish to read more about disclosure requirements for cookies before deciding how much information about them to disclose.

To summarise that article:

The law only requires you to disclose information and obtain consent to the use of cookies that are non-essential for the operation of your website or app.

You should tell your website users sufficient information for them to understand the implications of consenting to use cookies. However, what is sufficient is subjective and it can be impractical to provide and maintain detailed information.

Do I need to comply with privacy laws outside the UK?

Other legal jurisdictions have similar privacy laws to the Data Protection Act.

You may have been told that if you are collecting personal information, you need to comply with the privacy laws of those jurisdiction such as the Privacy Act; the Personal Information Protection and Electronic Documents Act ('PIPEDA') or the California Online Privacy Protection Act ('CalOPPA').

While every enforcement authority would like the reach of their legislation to be global, enforcing privacy laws outside their jurisdiction is very difficult unless your business or organisation has some assets in that jurisdiction.

So while it may be a good idea to comply with Californian law if many of your website visitors are from California (for non-legal reasons), your obligations to comply with UK law do not require you to make your privacy policy compliant with the law of any other country. In fact, CalOPPA only applies to California residents.

In any case, because the DPA sets such a high standard for disclosure, if you comply with UK law, particularly in respect of 'openness', you're likely to meet most of the requirements of other countries around the world by default.

How do I make my privacy policy enforceable?

Your privacy policy is not technically 'enforceable' in the same way that contracts are. Your users don't need to agree to the terms as they would your website terms of use or conditions for sale.

A privacy policy is a disclosure statement or a notice, not a 'privacy policy agreement'.

However, you do need to make sure that users have an opportunity to read it. So it is a good idea to follow common practice and link to it from an expected location such as your website's footer.

You can also provide links to it whenever a user gives personal information. This should remind the user that you take data privacy seriously and that he or she can trust you. As examples, you might do so on email newsletter sign-up forms, 'contact us' forms, account creation forms and e-commerce checkout pages.

On mobile apps, you might link to your privacy policy page within your menu (perhaps within a 'Legal' or 'About' menu item.

Do I also need a data protection statement, GDPR policy or data processing agreement?

Privacy policies are also known as privacy statements or privacy notices. The statement discloses the policy of the organisation in so far as it is a 'controller' of personal information.

You may also hear about 'data protection statements' or 'GDPR policies'. These are usually documents with a different purpose and audience - to tell employees or third party contractors of the internal business processes that protect the customer's privacy and rights. They are usually appended as a schedule to a contract for services or form part of the staff handbook.

In addition, your business may use a 'data processing agreement' to make sure that if a third party processes data, it complies with the law. Doing so is a requirement of the GDPR. Certain clauses are mandatory, others expand on them for specific personal data or circumstances.

For your website or app, you just need a (website) privacy policy. If you enter into other types of arrangements, as part of your obligation to protect privacy, you may need one of these other documents as well.

Draftsman

This document was written by a solicitor for Net Lawman. It complies with current English law.

 
What Our Clients Say
  • "I was really pleased with my recent experience of using Net Lawman. I was able to obtain important legal documents, needed to support my small business. Net Lawman understood my needs and provided fast and efficient service without incurring the significant costs of a traditional law firm. I would both recommend and use Net lawman again"

    Shireen Arthur
  • "Fits requirements. Easy to find. Good value."

    Tellurion OSS Pvt. Ltd.
  • "Brilliant. I am most grateful to Net Lawman. Your service standard is unparallel. I would strongly recommend any individual or organisation to Net Lawman."

    Dr. Smarajit Roy