Privacy policy

Why do I need a privacy policy?

The law probably requires that you publish a privacy policy (or similar document) on your website.  

Ask yourself this: do I collect or use personal data for non-personal / non-household activities in relation to my website? 

If you do, EU and UK data protection law require that you provide information to individuals about how you use their data. The usual way of providing that information is via a privacy policy.

The key pieces of legislation include the GDPR and, in the UK, the Data Protection Act 2018. But these legislative requirements are not the only considerations in play. There are at least three other reasons to publish a privacy policy on your website.

• First, your contracts with services providers may require that you publish an appropriate privacy policy.  For example, the Google Analytics terms and conditions require that you "have and abide by an appropriate Privacy Policy ... You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data."
• Second, a clear and open privacy policy will help you to build trust with some of your users. Users may refuse to register with a website if they aren't confident that their personal data will be protected. Just as bad, they may provide unreliable information when doing so.
• Third, one of the key functions of many websites is the projection of a serious and professional image.  A website without the necessary legal documentation may have a negative effect on the image of the business behind it.

This website privacy policy template has been drafted with all of these goals in mind, although the legal compliance requirements are overriding.

Should I use a template or ask a lawyer to prepare a policy for me?

Data protection law is not straightforward. Indeed, since the coming into force of the GDPR, it is difficult for many organisations to be confident that they comply.

Ideally, all privacy policies would be prepared by, or under the supervision of, experts in data protection law. But data protection expertise can be expensive: you might pay anything from £500 to £5,000 or more for a UK data protection lawyer to prepare a privacy policy.

As with many business investments in legal services, you will need to balance the risks of a DIY approach against the costs of using a professional. In general, you should always use a professional if there are significant amounts of money at stake or material risks of liability. 

Is this the right template privacy policy for me?

A legal template is both never and always potentially suitable for a particular job.  Never suitable because adaptation is always needed; always potentially suitable because, with enough adaptation, one document can be transformed into any other document.

That said, some jobs will require more adaptation than others, and sometimes the adaptations will require specialist legal knowledge.

You should only use this template in relation to the following purposes if you are confident that you can make the necessary adaptations:

• the personal data of minors;
• sensitive personal data / special categories of personal data;
• large-scale processing of personal data;
• any complex or unusual personal data processing; and
• any personal data processing that is likely to have a significant impact on individuals' rights and freedoms.

What information should I provide in my privacy policy?

The core disclosures required by the GDPR are set out in Articles 13 and 14.

Article 13 sets out the information that must be provided where personal data are collected from the individual.  Article 14 sets out the information that must be provided where personal data are collected from some other source.

The main categories of information are:

• identity and contact information of the controller;
• where personal data is not collected from the individual, the source and nature of that data;
• the purposes of the processing;
• the legal bases for the processing, including details of applicable legitimate interests;
• the recipients or categories of recipients of the personal data;
• details of international transfers of personal data that require legal protections, and details of those protections;
• the periods for which the personal data will be stored, or at least the criteria used to determine those periods;
• individuals' legal rights with respect to their personal data;
• whether the provision of personal data is a legal requirement;
• the existence of automated decision-making, including profiling.

Our privacy policy template has been designed to help you to disclose the necessary information.

Should information about cookies be included in the privacy policy or elsewhere?

There's a degree of overlap between the laws relating to cookies and those relating to the processing of personal data: cookies may themselves contain personal data; and even where cookies don't themselves contain personal data, the reading of cookies will often result in the linking of cookie data to other personal data held by the operator.

Because of this overlap, it is common to include cookie disclosures in a privacy policy, and this template does include relevant disclosures – although not in so much detail as in our premium privacy and cookie policy templates.

The key legal instruments currently applicable to cookies are:

• across the EU, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); and
• in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended).

The latter is the UK's implementing legislation for the former. The consolidated version of the UK regulations is not available on the legislation.gov.uk website and the text of the relevant Regulation (No 6) has been updated since 2003 – so use with care.

New legislation on cookies is currently going through the EU legislative process, but this is not expected to become law until 2020 at the earliest.

In addition to the information disclosure requirements, you may need to get user consent to cookies. This privacy policy template includes an optional statement to the effect that users consent to the use of cookies. However, this will not alone satisfy the cookies consent requirement under the cookie laws.

How do I edit the privacy policy?

After you have downloaded the policy, you will need to open it in your word processing software for editing.

The first thing you should decide is how to categorise the personal data that you process. Your categorisation should reflect how data is handled in practice. For example, you might differentiate between analytics data, enquiry data, customer relationship data and transaction data. The template privacy policy includes a suggested categorisation.

With respect to each of your categories of personal data, you will need to determine the purposes for which the data is processed and - this is often the hard bit - the legal basis for processing. Possible legal bases are individual consent, the performance of a contract, and your legitimate interests.

You will also need to identify recipients or categories of recipients, as well as relevant data retention periods.

Guidance notes are included in the template to help with the editing process.

After editing, you should add the privacy policy text to your website, either via your content management system or directly after converting it to HTML.

Why is your privacy policy is longer / more complicated than some other policy templates?

This policy is intended to be easy to use, but data protection law in general and the GDPR in particular are difficult to use.

Data protection law is necessarily built of abstractions, but some of the abstractions at the heart of the GDPR do not map easily onto the real world. The European Data Protection Board (EDPB) has produced voluminous guidance on the application of the GDPR, but the very existence of this guidance highlights the problem. If the law was clear, the guidance wouldn't be needed.  In many cases, the guidance either overreaches or dodges the difficult issues.

Another reason for the length of our templates is that … they are templates.  They are intended to be edited before use, and it is much easier to delete unwanted provisions from a template than to add novel provisions. After you have finished editing our template, it should be materially shorter than when you started.

If you do plan to use a simpler template from another website, you should take care to ensure that it covers all the necessary ground. If you can create a privacy policy from a template in a few minutes, there may well be something wrong with the template.

What other privacy and cookies documents are available?

We supply a range of privacy and cookie documents on our ecommerce websites, Website Contracts and Docular.

Title	Description	Get the document on...
Cookies policy	A simple policy covering cookies disclosures.
Privacy policy	A short-form privacy policy for data protection disclosures, identical to this policy except that it omits the SEQ Legal credit.
Privacy and cookies policy	A document combining the provisions of our privacy policy and cookies policy.

Do I also need a data protection or GDPR policy?

"Privacy policy" is not a term of art.

Documents with the same function will sometimes be called "privacy notices", "data protection statements", "personal data processing policies", "GDPR policies" - or something different entirely.

Worse, there is a different type of document that shares the same pool of possible names. 

Whilst our free privacy policy is concerned with the disclosure of information about personal data handling, this other type of document is concerned with specifying the policies and procedures that regulate how employees and non-employed personnel conduct themselves in relation to personal data handled by the organisation. This other type of document will typically form part of a staff handbook and/or the set of policies provided to freelances and other subcontractors engaged by the organisation to provide services.

I usually refer to this other type of document as a "data protection policy" – but don't assume that other professionals will do so.

In most cases, you will want to keep these documents separate.

Do I need a data processing agreement?

A privacy policy is concerned with an organisation's role as a controller of personal data; whereas a data processing agreement is concerned with an organisation's role as a processor of personal data.

This distinction can be confusing and tricky to apply.

Both controllers and processors process personal data. Just because you are processing personal data, that doesn’t make you a processor. You might be a processor, but equally, you might be a controller. Confused yet?

The distinction is tricky to apply because the definitions are highly abstract. A controller is defined as a person who determines the purposes and means of processing personal data. A processor is a person who processes personal data on behalf of a controller. In practice, the determination of purposes is more significant than the determination of means.

An example might help.  A business providing website hosting services would usually be a processor with respect to personal data contained in the website databases of its customers. It would, however, usually be a controller with respect to personal data contained in its customer relationship management system. For some classes of data – for example, data collected when providing support services to customers – the correct classification may not be clear.

In any case, if you are a processor, then the GDPR requires that you enter into a specific set of contractual clauses with your controller. A data processing agreement is a document that contains those clauses, sometimes elaborating and/or supplementing them.  Processors should not produce privacy policies with respect to that data because the production of a privacy policy is the responsibility of the controller.