- What data you collect
The first thing you’ll need to disclose in your policy is what personal data you collect about visitors to your blog. ‘Personal data’ includes information such as names, email addresses, location, and more – so have a think about all the different types of data you’re collecting. Does your blog collect people’s personal information through subscription forms and comment sections?
What about any sensitive personal data, such as through online polls and surveys of your readers?
- Collection of log data. This is data that is automatically generated by your website’s server provider, which captures information such as a visitor’s IP address and geolocation. This must be disclosed in your policy.
- Collection of device data. This is data generated by a person’s browsing device which could be used to personally identify them. Given that your blog’s web analytics may be tracking device data in the background, you’ll need to disclose whether or not this is being collected.
- User-generated content. You should include a disclosure about how content generated by users (such as through written comments, photos, and other content they share on the blog or with you) is used and protected, given that they have copyright over any original content they create.
- How you collect and use people’s information. You must disclose the different methods and technologies used to collect people’s data, such as cookies or tracking pixels.
- How long you keep personal information. You must disclose whether and for how long you retain copies of personal data.
- How you protect children’s privacy online. While your blog may not be intentionally targeted to children, you still have a responsibility to protect their privacy online. For instance, you may need to demonstrate compliance with privacy laws such as the Children’s Online Privacy Protection Rule.
- Whether you disclose personal information to any third parties. While visitors to your blog may be happy to share information with you, this doesn’t mean they consent to it being shared with third parties. If your blog uses or processes personal data through third parties such as Google Analytics or Mailchimp, you will need to disclose these in your policy.
- Data rights. A common principle of major privacy laws such as the GDPR and California Consumer Privacy Act (CCPA) is that users are entitled to certain rights around their personal data, which must be respected and upheld by websites and organisations that they interact with. As the owner of a website that collects a range of data from visitors, you must inform users upfront about their rights and how they can take action to protect their privacy.
- Any additional legal disclosures. for other privacy laws, such as legitimate reasons you have for processing people’s personal information and do not track
- A note about changes to your policy. As your blog grows, you may choose to monetise it with targeted ads. Or, maybe a new privacy law is introduced a few years down the track. As your privacy practices are bound to change in the future, you should include a note in your policy about how users can expect to be notified of any changes.
- How users can contact you with any concerns. Last but not least, you should include a point of contact for users to get in touch about any questions or complaints they may have about their data.
While this already looks like an extensive list of things to include in your policy, it doesn’t end there!
Depending on where you’re based and where your website is accessible, there may be more necessary disclosures and privacy practices you’ll need to take on board to maintain compliance.