Need a data compliant Privacy Policy?

Our free website audit shows you the cookies your website is using — your Privacy Policy needs that information.

    Trying to understand your data privacy responsibilities? Need to balance cookie usage on your website with privacy compliance? We can help.

    One of the main requirements of data privacy laws is notifying users about the data you collect, by what means and for what purposes. Your Privacy Policy page is a common location to display that information. It also needs to be kept up to date as your website, the cookies and other tracking technologies you use, and the legal landscape change.

    The Cookiebot CMP can help. It detects, reports, and manages cookies with three powerful and automatic core functions. It helps enable you to accurately report your cookie usage and keep that information up to date.

    • Monitoring: stay up to date on the cookies and tracking technologies your website uses, enabling user notification and consent
    • Control: When required, prevent cookies from being used unless user consent has been obtained
    • Consent: Obtain and store informed, granular consent from users

    Privacy Policy FAQ

    Does my website have to have a Privacy Policy?

    We cannot provide legal advice, and recommend consulting qualified legal counsel regarding your specific business and data processing situation.

    However, if your website collects the personal data of customers or visitors that reside in a country or region protected by data privacy regulations, especially if that data is shared or sold, then you most likely do need one. Small blogs can need a Privacy Policy page as much as a huge company’s website or ecommerce operation does.

    If your website is hosted by a third-party company, or if you use plugins, social media or analytics tools, etc., then you are setting cookies and collecting user data that is potentially personal data.

    Personal data is information from or about people that can identify them. On websites it could include anything from name, email address, or credit card number, which a user could provide, to information that cookies collect, like IP address and browsing activities.

    Depending on what regulation(s) you need to comply with, the Privacy Policy will contain some variances in information. It should be in clear language that is understandable to the average person. Most commonly required in a privacy notice or policy are the specific details about what data you collect, by what means, and for what purposes. It is also common to provide information about users’/consumers’ rights and how they can exercise them (and contact you to do so).

    Having a clear and comprehensive Privacy Policy is also an excellent way to build trust with users and show respect for their rights and consent choices.

    What information does my Privacy Policy need to include?

    We cannot provide legal advice, and recommend consulting qualified legal counsel regarding your specific business and data processing situation. You should also review the Privacy Policy requirements of whichever privacy regulations are relevant to you. (E.g. for the GDPR.) However, there are a number of types of information that are commonly required in a Privacy Policy.

    A Privacy Policy should be:

    • presented in a format that is transparent, concise, understandable, and easily accessible
    • written in clear, plain language (especially if children’s data is processed and privacy information must include them)
    • delivered in a timely manner (note that under some regulations, users must be informed before providing or declining consent, and both of these things must happen before data is collected)
    • provided free of charge

    As noted, your Privacy Policy’s contents will be specific to your organization’s regulatory responsibilities and data processing. However, the requirements laid out by the GDPR are comprehensive and a good guideline.

    • identity and contact details of the organization, its representative, and its Data Protection Officer (if the organization has such an Officer)
    • purpose for the organization to process an individual’s personal data and its legal basis
    • legitimate interests of the organization (or third party, where applicable)
    • any recipient or categories of recipients of an individual’s data
    • details regarding any transfer of personal data to a third country and the safeguards taken
    • retention period or criteria used to determine the retention period of the data
    • existence of data subjects’ rights
    • information about the right to withdraw consent at any time (where relevant)
    • information about the right to lodge a complaint with a supervisory authority
    • whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
    • existence of any automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences

    How do I know what cookies my website uses?

    As a Privacy Policy typically needs to communicate information about the categories of personal data the website collects, for what purposes, and with whom it’s shared, it is necessary to know and be able to communicate all of the technologies, like cookies, that are collecting personal data on your website.

    Companies should keep track of this information, but if it changes often, or if the website uses third-party hosting or tools or services, it may not have full visibility into what those tools do or when they change. Changes or additions to this information also need to be updated in the Privacy Policy in a timely manner.

    Cookiebot CMP deep scans your website, finding and reporting on all the cookies and other tracking technologies in use. This enables you to notify users about them accurately. Regular scanning enables you to maintain the accuracy of this information. The Cookiebot CMP also enables you to block the use of cookies and trackers until you receive user consent for them, thus enabling privacy compliance with some regulations.

    Try it and scan your website for free.

    Learn how easy it is to get your website privacy-compliant

    If you want to get your website compliant with the GDPR or other regulations, Cookiebot CMP is easy to set up, user-friendly to customize and uses powerful scanning technology to help you achieve and maintain privacy compliance for cookie use, and populate and maintain your Privacy Policy. Best of all, you can get started for free. Here’s how.

    Automated cookie scanning and declaration

    1. Scan your website

    Just enter your website address for a free scan that will detect the cookies and other tracking technologies that you are using and let you know if they are being deployed in a compliant way.

    2. Start your free trial

    Sign up for your 14-day free trial. It’s fast and easy — only 3 simple steps that don’t need IT or Legal resources. Get the peace of mind of state of the art consent management with automated monitoring and blocking of cookies.

    3. Customize your CMP

    Customize the appearance and messaging of the CMP for relevant regulations and your company’s branding with user-friendly tools. Provide clear messaging and consent options to build trust and improve consent rates.

    The most used solution for compliant use of cookies and online tracking

    • Used on 1.4 million websites
    • Manages 5.2 billion monthly user consents
    • Supports 47+ different languages

    Frequently asked questions

    Do all data privacy regulations require websites to have a Privacy Policy?

    The requirement to notify users about data collection and processing is a standard one, and this is what a Privacy Policy does. Data privacy regulations provide consumers with certain rights, and even if these rights differ among regulations, the requirement to notify users about their rights and how to exercise them is also standard.

    Even if a website does not directly or substantially make money from data processing, if personal data is collected, there is a good chance privacy compliance is required, and notifying users through a Privacy Policy is part of that. The transparency a privacy notice provides and its demonstration of respect for users’ rights and consent choices also build trust and encourage higher engagement and long-term relationships.

    Are there templates or tools to help create my Privacy Policy?

    Yes, there are. We cannot provide specific recommendations, but an online search will provide a good selection of results. Some are free and some are paid. Review them carefully, as not all templates or Privacy Policy generators will enable compliance with the GDPR or other specific laws that may apply to you. Do not just directly copy another company’s Privacy Policy, even if it seems to be a similar business with similar privacy regulation responsibilities to yours. It can serve as an example, but should not be used more directly than that.

    We strongly recommend you consult with qualified legal counsel regarding your specific business and data processing situation, and we cannot provide legal advice, but you can use a template to add your specific data privacy and data processing-related information and contact details to your Privacy Policy.

    A consent management solution, like Cookiebot CMP, will also detect all the cookies and trackers your website is using, which enables you to include an accurate list of them in your Privacy Policy and keep it updated.

    What are legal bases?

    Under the GDPR, legal bases or the “lawfulness of processing” are legally acceptable reasons for companies or other organizations to collect and process personal data.

    User consent is one legal basis, though the GDPR lists six in total. A “data subject” is a person whose personal data is processed, e.g. ecommerce customers, website visitors, app users, etc.

    • the data subject (e.g. user) has given consent
    • to fulfill a contract with the data subject
    • to comply with a legal obligation to which the data controller (e.g. company) is subject
    • to protect the vital interests of the data subject or of another natural person
    • in the public interest, or where the data controller is exercising official authority
    • legitimate interests pursued by the data controller or a third party, e.g. for individual, commercial or societal benefit

    Legitimate interest is often used to justify data processing, but can be difficult to prove adequately. The safest legal basis for many types and purposes of data processing is obtaining and securely managing user consent, as with a consent management solution.

    What is considered “personal data”?

    Generally, personal data can refer to any information that relates to an individual that would enable that person to be directly or indirectly identified. It could mean obvious data like names, ID numbers, or email addresses, or less obvious data that may not be identifiable except combined with other data, like IP addresses or browser cookie information.

    There is also an additional category of “sensitive” personal data, which is information that is identifying, but could also cause harm if misused. This can include data like gender, religious beliefs, political affiliation, or medical information. Some technical information like biometric or geolocation data can also qualify if the intent is to use it to identify a person.

    Do I have to obtain consent for all data collection?

    We cannot provide legal advice, and recommend consulting qualified legal counsel regarding your specific business and data processing situation.

    Overall, it is important to know what regulations you need to comply with. Your responsibilities may differ under the UK GDPR compared to the EU’s GDPR or the privacy laws in the United States, for example.

    However, in addition to legal requirements, being transparent with users about data collection and use, as well as requesting and respecting their consent choices creates great user experiences, which build trust with your company and help develop higher engagement and longer-term relationships.

    What if I have to comply with multiple privacy regulations?

    For companies doing business in multiple regions or countries, it is entirely possible that you may need to comply with multiple regulations. Your Privacy Policy would need to reflect that. It can be possible to use geolocation functions on your website to show regional and regulation-specific information to users depending on where they are from.

    Achieving compliance with the GDPR would be quite different from privacy compliance with the state-level laws in the United States, for example, due to their specific requirements and different models for consent. We cannot provide legal advice and recommend consulting qualified legal counsel regarding your specific business and data processing situation.

    A consent management solution like the Cookiebot CMP can scan, detect and present all of the cookies and tracking technologies your website is using, and from there you can use that information to craft and maintain your Privacy Policy so that it complies with relevant privacy regulations.

    How do I make sure I don’t get fined?

    We cannot provide legal advice or guarantee privacy compliance with any regulation, and recommend consulting qualified legal counsel regarding your specific business and data processing situation. However, it is important to know which regulations you need to comply with and what their requirements are regarding consumer rights, notification, consent, and data use. Knowing what cookies and other tracking technologies are in use on your website is also important to ensure correct consent can be obtained. Then all of this information can be accurately and comprehensively presented on your website and maintained in your Privacy Policy.

    Ensuring that users are clearly informed about your organization and how to contact you, the processing of their data, their rights, and their consent choices is important, as is presenting all choices equally. Dark patterns and other elements to nudge or trick users into consenting should not be used.

    Additionally, ensure that only as much data as is necessary is collected and processed only for the purposes communicated. Ensure data is kept accurate and only stored for as long as it is needed to fulfill the processing purpose. Maintain the required standards of security and privacy, and ensure processes are in place to uphold accountability.

    A consent management platform (CMP) can help you not only obtain and store consent correctly, but can also help you ensure that you provide and maintain accurate and up to date information about data processing services in use (e.g. cookies).

    Will I lose a lot of data if I use a CMP?

    That doesn’t have to happen, though we cannot make guarantees on the performance of individual CMP implementations. There are many ways to optimize your consent management platform (CMP) to increase consent rates and data flow. Having a great user interface that matches your corporate branding, has clear messaging and user-friendly functionality is important. Making it easy for users to understand your data processing and make consent choices is also very valuable.

    The Cookiebot CMP also has tools like analytics to help you analyze the CMP’s performance and optimize it to maximize data capture. It should also be noted that many premium advertisers are increasingly insisting on proof of consent before doing business with companies, so not obtaining correct consent can affect ad revenues.

    What features are not included in the free plan?

    The Free plan does not include the following Premium plan standard features:

    • customize banner
    • customize declaration
    • multiple languages
    • data export
    • geolocation
    • Cross-domain Consent Sharing
    • consent statistics
    • internal domain alias for development, test and staging

    Check out our Plans & Pricing page to get more information or do a full comparison.

    Do I have to sign a contract?

    We don’t have any contracts for Cookiebot CMP and there are no hidden fees or long-term commitments. You can cancel your subscription at any time.

    How much do your plans cost after the free trial?

    It depends on your business needs and the number of domains and subpages you have.

    Check out our Plans & Pricing page to get more information for your company’s specific needs.

    Can I cancel my free trial?

    Yes, at any time you can cancel your free trial or your plan if you previously signed up. You can do this via your “My account” page. Downgrade or cancel actions take effect at the end of your current billing period.
