How to craft a winning privacy policy for a WordPress website
Does online privacy exist or matter anymore? In an era where your data and information are collected more than ever before, it can often seem that the answer to that question is “no”. In fact, the answer is a resounding yes. For most people, ensuring that their privacy is offered some form of protection is more important than ever before.
People tend to think of online privacy as most important when it comes to how they browse and interact with websites. With more than 1.5 billion websites available, it’s staggering to think that some 455 million of those are powered by WordPress.
Image sourced from searchlogistics.com
With around one third of all websites running on WordPress, a good privacy policy for a WordPress website should be an important part of any website owner’s plans.
Just what is a privacy policy? How do you start to build a privacy policy for your WordPress website, and what should it contain? If you plan to start a new website, and you’re choosing to use WordPress, then having a robust privacy policy acts as a foundation you can build trust and relationships on.
What is a privacy policy?
When you’re making a WordPress website checklist, you can think of your privacy policy as a statement of intent that tells potential customers and website users various data-related information.
Primarily, you’re informing people about the following factors:
- How you intend to collect data from their interactions with your website and organization.
- What data you will collect.
- How you will store and protect their information.
- Any relevant laws and regulations you need to comply with.
- Any circumstances under which you may disclose or share that information.
The types of data that a business may collect can vary between organizations, but some of the most common types of personal information include:
- Name
- Date of birth
- Contact details including physical address, email address, phone number(s), and other identified ways of contacting them.
- Previous history—including transactions—with your business.
Other data may be retained depending on options offered to the customer and the type of business. This can include the following:
- Banking information that can include credit or debit card details.
- Medical history.
- Financial details and credit status.
The big problem with privacy policies is that many people simply don’t read them and just tick the box to accept what it is. If you think about it, how many times have you just ticked a box for terms and conditions on an application or similar?
When you’re planning your WordPress website, then you need to include a privacy policy, and you want people to read all the details you have included.
Another thing to note is that privacy policies will often reflect the particular laws and regulations that may apply not only where your business is based, but also where it operates. So, for example, if you operate a business that trades within the EU, then you need to ensure that you comply with the GDPR.
Why do you need a privacy policy for your WordPress website?
Image sourced from truelist.co
Whether you’re a commercial or non-commercial website, if your website collects any type of personal information from visitors to your site, then you need a privacy policy. You may think you’re not collecting data but every website collects data in some form or another. Ergo, you definitely need some type of privacy policy.
With people now aware of how intrusive data collection can be (even if it is not always so), some people simply don’t want that data collected, stored, or used. By providing a clear and understandable privacy policy, you enable visitors to your site to make an informed decision when it comes to data collection.
Although there are standard clauses you’ll want to include in any privacy policy, there may also be aspects of it that are governed by particular factors.
These can include things such as the sector you operate in, the main location of your business, and the jurisdictions of where you operate. So, for example, if your website was offering a cloud phone system to customers, then you may have to look at telecommunications regulations as well as the other usual factors.
The other thing to consider—if you’re operating an ecommerce website—is what requirements any third-party apps may demand of you.
If you want to use an extremely useful third-party app such as Google Analytics to track metrics, then its terms require that you have a clearly defined privacy policy. You therefore need to consider all requirements from every angle that may affect your final privacy policy.
How might you collect data?
One important thing to communicate to customers involves the various ways in which your organization might collect their data and personal information.
Making them aware of these different ways allows them to make a more informed choice about how they interact with you and what information they want to disclose. Those methods can include:
- Signing up to an email or newsletter list and giving their name and email address.
- Leaving their name and email address on comments (for example, on your blogs).
- Registering as a customer (information in this section may vary from business to business).
- Information you may collect via linked social media platforms. This can even include liking one of your Facebook posts.
- Any tracking and analytics that may be utilized by various WordPress plugins.
- Tracking by GA (Google Analytics).
- Contact forms when the customer has a query.
- Your use of advertising programs such as Google Ads which will track certain information about the customer.
As you can see, there are multiple ways in which you might collect customer information, so ensuring they’re fully aware of these methods can be crucial to offering good privacy and protection to all your customers.
Things to think about when planning your WordPress website privacy policy
Image sourced from gitnux.com
When you’re at the planning stage of your WordPress website, you’ll have many different things to think about. One of the advantages you have is that WordPress is relatively easy to use. As well as the actual content, there are two other things you should be thinking about: length and readability.
While there may be no prescribed length, you should make any privacy policy as succinct as possible. If it is too long, then people may fall into the “not reading” category.
Similarly, think about the readability of your policy. Explain technical terms that people may not be aware of. For example, if you are discussing SOX controls, give some sort of explanation as to what they do and how they might impact your customers.
What should you include in your WordPress website privacy policy?
As with anything related to your business, a good privacy policy should be well thought out and planned. You should make a comprehensive list of what has to be included in your policy. One thing you should remember: this privacy policy is both a legal requirement and legally binding. If your policy does not comply with relevant laws and regulations, then you could face punitive action.
Of course, a privacy policy may look very different for one business than it does for another. For example, if you choose to operate a website with a UK domain name, then it will have to comply with the UK’s 2018 Data Protection Act, as well as any other relevant legislation.
It may sound straightforward but covering all your bases is an essential part of your planning and your final privacy policy.
1. Who you are
You need to let people know exactly who the privacy policy represents. This can mean including the name of your company (plus any “trading as” information), the relevant website’s name and URL, and also the physical address of your company (this might be a head office address if you operate multiple locations).
It doesn’t matter whether you’re a company offering virtual PBX or a website for gaming, a good privacy policy is required.
2. Data details
Again, this information may vary from organization to organization, but it’s essential that people know what data you plan on collecting.
This may be as simple as name and address (or an email address for marketing), but it can also include more involved data such as IP address, banking information, and more.
3. Collection of data
As was covered earlier, there are numerous ways in which you might collect customer information. It’s important that your customers know not only what data you collect from them, but also where you collect it from.
Letting them know every touchpoint that also acts as a data collector is crucial to any privacy policy for WordPress websites.
4. Storage and protection
This is perhaps the most important aspect of your privacy policy. In most cases, customers accept that you will both collect and store data. However, they want to know that any data is stored securely and that you have robust security measures in place.
This can include details such as cloud or offsite storage. They will also want to know if there are any circumstances under which you will share or disclose data and who any third parties might be.
5. Relevant laws and regulations
Customers can be reassured when they know that it’s not only you protecting their data, but also that any protection is covered by appropriate laws and regulations.
These can include the aforementioned GDPR and Data Protection Act as well as US-centric laws such as the California Consumer Privacy Act of 2018. There are also specialized laws and regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Financial Modernization Act of 1999.
6. The whys
People also want to know why you’re collecting their data. The reasons for you collecting information can again vary.
In some cases, it might be so that you can improve your site’s performance to make the customer journey better. In other cases, it may be purely for marketing purposes. Whatever the reason, giving your customers clarity can allow them to make informed decisions when it comes to sharing information with you.
7. Opt outs
Not everyone will consent to sharing information, or at least sharing information they may view as sensitive. That means that your privacy policy has to offer a clear path to opting out of some or all of your collection methods or the storing of their data.
Offering an opt out option at any relevant points in the customer journey makes your entire organization more transparent and trustworthy.
What about privacy policies for under-18s?
One thing you have to consider is whether your website will attract a significant number of under-18s or even under-13s. If you think it will, for whatever reason, then you need to construct a privacy policy that includes those two groups. This can be quite a complicated area to address properly.
Image sourced from digitalinformationworld.com
Now you may be thinking that children won’t use your service. However, if you provide anything like music streaming services or gaming apps, then there’s a good chance that under-18s will use those services. And, even when there is no direct remuneration for any service, there is a very good chance that you will fund those services through some form of advertising.
So, if under-18s are using your site in any way, then you’ll be collecting data from that user group and you need to consider a standalone policy for those children. You also need to look at what the relevant laws and regulations say about data collection and consent in order to craft a well-written policy.
For example, the GDPR states that only children aged 13 or over can confirm consent when it comes to collection and use of their data. If they’re under 13, then that consent must be provided by an adult who has parental responsibility for that child. You also need to make an effort to confirm that the person giving that consent does actually have parental responsibility.
Once you’ve checked what your particular responsibilities are in relation to these age groups, then you can begin to construct a privacy policy for your WordPress website that addresses them sufficiently.
As you can probably guess, the need for clarity and understandable language is even more important here. There are several things you should consider when writing this age-specific privacy policy:
- Write in plain and age-appropriate language. Now, this may be slightly ambiguous as there is no clearly defined age guide. However, if you’re aiming for 13- to 18-year-olds, then you should ensure that your privacy policy is readable for an average 14-year-old.
- Present information in a “child-friendly” way. There’s little point in presenting under-18s with a long, text-based privacy policy. Use age-appropriate cartoons, diagrams, icons, and symbols to more efficiently impart the information.
- Use videos. Videos can be a great way to explain to children why you’re collecting data and what you plan on doing with it. Children may be more likely to listen to an explanation on video rather than reading an entire policy, regardless of how age-appropriate the language is.
- Two policy plans. Where you’re seeking parental consent for the child to use your website, you should have two separate privacy policies: one aimed at the holder of parental responsibility and one aimed at the child themselves.
- Explain everything. Although you’re offering a more simplified privacy policy, you should still explain everything involved in the data process, from how you will collect data to how you will use it and, perhaps most importantly, how you will store and protect that data.
- Rights. One thing you have to include in your privacy policy is a clear explanation of what the user’s rights are. This can include what relevant laws or regulations apply to use of your site.
- Opt out. As with a privacy policy aimed at adults, one for children should include very clear directions as to how they can opt out of your data processes now or in the future.
How much will creating a privacy policy cost you?
Of course, when it comes to adding anything to your website, from a third-party app to a tracking tool, you will want to know what it will cost you. The good news is that it can be free if you have an in-house legal team or if you utilize free online templates to build a robust privacy policy.
However, if you have to outsource the writing of your privacy policy to a specialist contracts lawyer, then costs can vary according to where you’re located as well as the length of the contract and how complex it is. If you do hire a contracts lawyer, ensure they have knowledge and experience in this area as mistakes in your privacy policy could prove costly.
Be sure that they’re up to date when it comes to any laws and regulations that govern digital processes. Digital privacy laws can be at state or country level, regional (as in the case of the EU’s GDPR), or global.
Ask any prospective contract lawyer how knowledgeable they are in this area. Always remember that if you trade internationally or globally, then the laws of any areas you do trade in will be important to know.
When you have a properly written privacy policy, then you have your bases covered when it comes to any dispute from a customer.
If there are mistakes in it, then you could face a costly lawsuit that may also damage your brand’s reputation. While there is no definitive figure when it comes to the cost of using an external lawyer for your privacy policy, the average cost is around $980.
Do you need legal input for your WordPress privacy policy?
This isn’t a simple yes or no question. It’s going to depend on a variety of factors as to whether you will want to consult lawyers.
Bigger organizations may want more complex privacy policies that fully protect them from any possible disputes. However, larger businesses are also more likely to have in-house legal counsel or to retain the services of an external law firm.
You can also think of there being three distinct parts of the privacy policy process that may require some legal input:
1. Drafting your WordPress website privacy policy
The thing to note here is that your privacy policy is an essential document that, when drafted correctly, provides protection to you and your customers. It can also help your organization avoid potentially costly lawsuits in the future.
That said, smaller businesses may want to avoid the cost and use the various guides (such as this one) and free templates available online.
2. Reviewing your privacy policy
While using guides and free templates may provide you with a basic privacy policy, you need to be sure that it ticks all the boxes required.
It may be advisable to have your policy reviewed by a specialist lawyer to ensure that it does in fact meet all the legal requirements it has to.
If you’re looking for tools to manage multiple WordPress sites efficiently while keeping them in line with your privacy policy, there are third-party plugins and services that offer features such as automatic updates, a centralized dashboard, and security monitoring.
These tools can help you streamline management, apply your privacy policy consistently across sites, and keep your data practices aligned with your stated guidelines. Many also provide data management, consent tracking, and cookie management features, which support compliance with privacy regulations and make your data handling more transparent to users.
3. Privacy policy disputes
This is hopefully a scenario you’ll never encounter, but if your policy does, for whatever reason, fall short of meeting every legal requirement, then there is the possibility of a dispute arising at some point.
As these can be costly, both in terms of punitive damages to the user and fines from the relevant regulatory bodies, then you should be looking for expert legal advice to fight your corner.
Cover all your bases when creating a privacy policy for WordPress websites
While your initial focus when launching a WordPress website may be on the content and how the site looks, you need to understand that a robust privacy policy is integral to how your site—and business—is viewed.
A good privacy policy not only engenders trust from your users, it’s a legal requirement and failure to include one could be a costly mistake.
More data is collected and used in more ways than ever before. That means you have both a legal and moral responsibility to ensure that your users are fully informed of how you collect, use, store, and protect their data.
Obtaining consent is crucial as it allows you to collect and use appropriate data in various ways.