Personally Identifiable Information
A website collects personally identifiable information (PII) in a variety of ways. For example, a user may send PII directly to a company through a contact form, or a website may collect PII automatically in the background, such as by recording the IP address of a user.
- Introduction – Provide a friendly introduction to your policy, such as “protecting your personal information is important to us.” Identify the parties that the policy applies to.
- Collection of PII – Identify the personal data that the website collects from users, such as first and last name, address, email, etc. List any data that the website automatically collects, such as in website logs and traffic analyzers. Include explanations of any methods that automatically collect data (using cookies, etc.).
- Use of PII – Describe how you use the personal information that you collect. Explain where you keep the data and how long you keep it.
- Sharing with Third Parties – Explain if you share personal data with any third parties. Also, explain when you are legally required to share data, such as responding to an information request from law enforcement or a judicial authority.
Consenting and Communicating
- Contact information – Provide contact information with an email link, such as firstname.lastname@example.org, so that users can communicate with someone about their concerns.
- Updates to the policy – Explain how users are notified when the policy is updated.
- E-mail communications – Explain your policies for contacting users via email, such as when they submit a contact form or subscribe to a newsletter.
- Opt-out of sale or disclosure of PII to third parties – Explain how users can opt out of having their PII shared with others.
- Opt-out or unsubscribe from third-party communications – Explain how users can opt out of subscription emails and third-party subscriptions made through the company.
- Do Not Track requests – Explain how your website responds to a Do Not Track (DNT) request when a user has configured their browser to send one while browsing the web.
- Right to deletion (“right to be forgotten”) – Provide a procedure that allows users to delete their data once the company no longer needs it. You should also explain when (and why) data is retained.
- Security of your PII – Explain how the company secures data. Provide an accurate overview of any security features.
- Disconnecting an account from third-party websites – If you allow logins through a third-party platform, explain how the user can disconnect from the service.
- External data storage sites – Explain how the company stores data, such as using web servers located in another country.