When you hear someone mention privacy and data protection, you might think it affects you only when your own privacy is at stake. However, as soon as your business has an online presence, and even more so once you actively do business online (as well as offline), you take on obligations to protect other individuals' privacy.

Many people are not aware that the EU has stricter privacy and data protection rules compared to the USA for example – that is to say that here, in good old Europe, we take privacy very seriously.


Here are several reasons why you need to implement a Privacy Policy on your website:

  • You are required by law to inform users about certain aspects of processing personal data;
  • You are required by some of your providers to have a Privacy Policy (e.g. when you use Google Analytics, PayPal, etc.);
  • You need a way to obtain users’ consent about the personal data processing you do;
  • It makes you (look) more transparent and honest to customers/business partners, i.e. it creates trust.


  • Keep it simple

Do not use overly sophisticated legal language. All that legal mumbo-jumbo sounds great to lawyers, but everyone else finds it hard to read and understand. And a well-kept secret is that even lawyers are often bored and confused by excessive legal terminology.

  • Be specific and include details (not to the extreme)

At the same time you need to include specific details about the way you process personal data, the types of data you process, etc. Including a privacy policy that is way too vague and fails to provide your website users with specific information about the way their data is handled would be pointless.

  • Do not just copy it from another website

Make sure to include information about the types of personal data you actually process, the purposes, and the protection measures you really take. Other websites' privacy policies reflect data protection measures taken by someone else, and chances are you do not do privacy the way they do. Plus, the Privacy Policy is part of your Terms, which are the agreement between you and your users, so you do not want misleading or untruthful clauses in the agreement that governs your online business.

  • Consult with other people/departments within your organization about what you really do with personal data

In some companies, the Privacy Policy is written by a lawyer or an employee who is not necessarily involved in the day-to-day handling of personal data. For example, lawyers are usually not aware of the types of cookies your website uses, and yet such details need to be included in the Privacy Policy. So do not simply write some legal text; check with the people who are involved in every privacy-related step.

  • Update it every time something privacy related changes

Needless to say, everything changes with time, even data protection measures taken by a company. Maybe you started collecting more personal details (e.g. bank accounts) due to an expanding line of business. Or you are now using further Google Analytics functionalities. Either way, your Privacy Policy must reflect the real data protection situation, so policy updates should be made regularly.


There is no strict recipe regarding what to put in a Privacy Policy, as it depends on national data protection laws, your type of business and your specific data protection measures, yet the following list makes a good starting point:

  • What kind of personal information you collect – e.g. name, birthdate, e-mail, bank details, etc.
  • How you collect it – through website registration, Facebook log-in, Google Analytics, etc.
  • For what purposes you collect it and how you process it – e.g. to provide your service, to organize events, to administer users' requests, etc.
  • How you protect it – encryption, operational procedures, etc.
  • Whether you provide it to third parties and, if so, why, what protection measures are taken, etc.
  • How users can access and correct their personal data – in the EU you must provide users with such access.
  • How the policy will be changed and how users will be notified of the changes.


If you use Google Analytics (and you most probably do), you are obliged by Google Analytics’ terms to have a Privacy Policy.

As a bare minimum, you should include:

  • What kind of data you collect through Google Analytics – e.g. Cookie and Usage Data.
  • What features/services of Google Analytics are used – e.g. Display Advertising, Google Analytics Demographics and Interest Reporting, etc.
  • Provide users with an opt-out link from certain Google Analytics services (such as Display Advertising) or cookies (such as the DoubleClick cookie) – more info here: https://www.google.com/intl/en/analytics/learn/privacy.html


The ePrivacy directive requires you to ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site sets or reads them.

For users’ consent to be valid, it must be:

  • informed,
  • specific,
  • freely given and
  • a real indication of the individual's wishes.

This means that users must willingly agree to such use of cookies, which is not the case with browse-wrap Terms buried at the bottom of the page that users never open. They should specifically agree to your use of specific cookies.

Luckily, some cookies are exempt from this requirement:

  • Cookies used for the sole purpose of carrying out the transmission of a communication, and
  • Cookies that are strictly necessary in order for the provider of an online service explicitly requested by the user to provide that service.

Examples of clearly exempt cookies include user-input cookies (session ID), authentication cookies, user-centric security cookies, multimedia content player cookies, load-balancing cookies, user-interface customization cookies, etc.
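The practical consequence of the two rules above (ask before setting non-exempt cookies; strictly necessary cookies and the Google Analytics/DoubleClick opt-out) is a consent gate that runs before any analytics or advertising script. The following is an added example, not code from the original post and not Google's own snippet. The cookie names, categories, purposes and the measurement ID are assumptions for illustration; the `ga-disable-<MEASUREMENT_ID>` window property is the opt-out switch Google documents for its analytics tags. Unknown cookies are treated as consent-required, so anything not declared in the registry is removed rather than silently kept.

```javascript
// Added example: a minimal ePrivacy cookie-consent gate (not from the original post).
// Registry entries, names and the measurement ID below are assumptions for illustration.

const GA_MEASUREMENT_ID = 'G-XXXXXXX'; // assumed placeholder, not a real property

// Everything the site wants to set, tagged with why it exists. The two
// "exempt" categories mirror the ePrivacy exemptions quoted above; every
// other category needs prior, specific consent.
const COOKIE_REGISTRY = [
  { name: 'sessionid',      category: 'strictly_necessary', purpose: 'server session / authentication (user input)' },
  { name: 'csrftoken',      category: 'strictly_necessary', purpose: 'user-centric security' },
  { name: 'lb_backend',     category: 'strictly_necessary', purpose: 'load balancing' },
  { name: 'lang',           category: 'strictly_necessary', purpose: 'UI customisation chosen by the user' },
  { name: 'cookie_consent', category: 'strictly_necessary', purpose: 'remembers the consent choice itself' },
  { name: '_ga',            category: 'analytics',          purpose: 'Google Analytics visitor id' },
  { name: '_gid',           category: 'analytics',          purpose: 'Google Analytics session id' },
  { name: 'IDE',            category: 'advertising',        purpose: 'DoubleClick (Display Advertising)' },
];

const EXEMPT_CATEGORIES = new Set(['strictly_necessary', 'communication']);

// Subset of the registry that may be set under a consent record such as
// { analytics: true, advertising: false }. Only an explicit boolean true
// counts: a missing category or a truthy string is "not consented", so
// there are no pre-ticked defaults.
function allowedCookies(consent, registry = COOKIE_REGISTRY) {
  return registry.filter(c => EXEMPT_CATEGORIES.has(c.category) || consent[c.category] === true);
}

// Parse a document.cookie string ("a=1; b=2") into cookie names.
function cookieNames(cookieHeader) {
  return cookieHeader.split(';').map(s => s.trim()).filter(Boolean).map(s => s.split('=')[0]);
}

// Cookies present in the browser that are not allowed under the current
// consent: consent withdrawn, a script set them before the gate ran, or a
// cookie nobody declared in the registry (deny by default).
function cookiesToDelete(presentNames, consent, registry = COOKIE_REGISTRY) {
  const allowed = new Set(allowedCookies(consent, registry).map(c => c.name));
  return presentNames.filter(n => !allowed.has(n));
}

// Pure planning step: which cookies to expire and which third-party tags may
// load. Kept free of DOM access so it can be unit-tested outside a browser.
function planConsent(consent, currentCookieHeader, registry = COOKIE_REGISTRY) {
  return {
    expire: cookiesToDelete(cookieNames(currentCookieHeader), consent, registry),
    loadAnalytics: consent.analytics === true,
    loadAdvertising: consent.advertising === true,
  };
}

// Browser side: call from the consent banner's accept/reject handler and on
// every page load before any analytics snippet. Never call it at module load
// time in a non-browser context.
function applyConsent(consent) {
  const plan = planConsent(consent, document.cookie);
  for (const name of plan.expire) {
    // Expires the cookie on the current host and path; a cookie set on a
    // parent domain must be expired with the same Domain= attribute.
    document.cookie = `${name}=; Max-Age=0; path=/`;
  }
  // Google's documented opt-out property: the analytics tag checks it before sending hits.
  window['ga-disable-' + GA_MEASUREMENT_ID] = !plan.loadAnalytics;
  if (plan.loadAnalytics && !document.getElementById('ga-loader')) {
    const s = document.createElement('script');
    s.id = 'ga-loader';
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_MEASUREMENT_ID;
    document.head.appendChild(s);
  }
  return plan;
}
```

The point of separating `planConsent` from `applyConsent` is that the consent logic (what is exempt, what needs a tick, what happens on withdrawal) is testable and auditable independently of the page, which is also what you need when the Privacy Policy has to describe exactly which cookies fall into which category.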


