How to create a privacy policy for your Facebook page
Privacy Policy for Facebook Pages
So, you need a privacy policy. Maybe it’s for your website, maybe it’s for your app, either way, it probably sounds near impossible to create one on your own! Well, what if we told you, it’s actually quite straightforward? We’ll walk you through the different ways you can create one, including the steps on how to write one yourself.
Disclaimer:
Nothing in this guide is legal advice. We're simply providing you with the tools you need to create a compliant policy; it's up to you to do the research required to ensure legal compliance.
It's likely that all of you reading this are at different stages of acquiring a privacy policy. Decide which of the following statements describes your situation to head straight to the information you're searching for.
Good luck!
Is it okay to write your own privacy policy, or should you hire a lawyer to do it? Great question! Let us start by saying that hiring a lawyer isn't the only alternative. Actually, you have four options: hiring a lawyer, using a policy generator, following a template, and writing your own. The best solution depends on what's most important to you. Do you want to spend as little time on it as possible? Do you want to spend as little money as possible? How important is the quality of the policy itself?
Option 1: Hiring a lawyer (Time: 3/5, Cost: 1/5, Quality: 5/5)
Hiring a lawyer is always going to be the most reliable way to create a privacy policy: a lawyer can review your actual data practices against the laws that apply to you, and your policy will be tailor-made to your business. On the flip side, it's also the most expensive option and, in most cases, complete overkill. If you're running a small business, there are better options for you right now.
That said, even for small businesses, we would suggest that you consult a lawyer to write your privacy policy if any of the following applies to your business’s operation.
If none of the above apply to you, the next three options might be a better fit.
Option 2: Using a privacy policy generator (Time: 5/5, Cost: 4/5, Quality: 4/5)
Privacy policy generators are specifically designed to make writing a privacy policy a 5-minute task. A trustworthy privacy policy generator like GetTerms gets you ready for compliance with global privacy laws in the time it takes to make a cup of coffee.
By asking carefully constructed questions about your business, document generators tailor your policy to your operations. They also keep your policy up to date with changing privacy laws, which means you won't need to pay for extra legal advice each time the laws change.
When it comes to cost, they’re also extremely affordable, with both free and paid options available online. Some paid options also come with a range of documents like terms and conditions, return policies, and EULAs. Ours even includes a cookie banner and cookie consent management platform!
When it comes to free options, just know that not all of them are truly compliant with privacy laws like the GDPR and CCPA, and many lack features such as support for affiliate links and Google Analytics. Make sure you check this, or just play it safe and try GetTerms! (We also have a free tier for personal use.)
Try our Privacy Policy Generator
Option 3: Following a template (Time: 4/5, Cost: 5/5, Quality: 1/5)
Privacy policy templates are great for personal use. The main downside is that they still require a lot of work.
With a template, you'll need to replace some placeholder text with information about your business. The hard part is understanding which clauses apply to your business and knowing when to remove the ones that don't.
A template will always be a one-size-fits-all approach, which is usually fine for personal use, but we don't recommend templates for businesses. Businesses put themselves at far greater risk of fines if their policy isn't compliant.
Try our privacy policy template
Option 4: Writing your own (Time: 1/5, Cost: 5/5, Quality: 3/5)
If none of the above work for you, all that’s left is writing your own. As with templates, we only recommend this for personal use.
The upside of writing your own policy is that once you’re done, you’ll have a policy tailored to your business and it won’t have cost you a dime.
The downsides are 1) the amount of time involved and 2) the risk that you miss something critical and open yourself up to legal issues. Remember, you don’t just need to create the document, you’ll also need to spend time understanding which laws apply to you, making sure your policy meets their requirements.
If you're up for it, we're here to make your life easier by showing you the ropes. Just remember who helped you out if you ever decide you're ready to try a more professional option ;).
If you’ve decided to write your own privacy policy, then time is of the essence, let’s get started. Make sure you follow each step carefully!
The purpose of a privacy policy is to provide a window through which your website’s users can look to see how your business handles their personal information. Some data privacy laws have some extra requirements, but we’ll get to that part later. For now, just remember that the goal is to be open about how you handle personal data, covering all aspects relevant to your operations and data collection practices.
When it comes to writing an important legal document such as a privacy policy, you might think you need to be extremely dry and technical. This is absolutely not the case, just take a look at the BBC’s privacy policy.
Here at GetTerms, we’ve written over 500,000 privacy policies. In our opinion, the most important thing is that your policy is in plain language that people can understand. We recommend avoiding legal jargon or complex terms – just use clear, simple language that explains how your business handles personal information. Your aim is just as much to build trust as it is to meet all legal requirements.
Before you start writing, you’ll need to gather some information.
There are several privacy laws around the world, and each has its own requirements, which we'll tell you about later. For now, take a look at your analytics and identify which regions your users live in. You'll generally need to comply with the laws of the places your users live, not only the laws of your own country.
If you don't have analytics, you might need to make an educated guess here, or simply plan for the major global privacy laws.
More than 20 countries require you to have a privacy policy, and many of them also have additional requirements you'll need to consider. We've included the biggest privacy laws around the world below. Do some research to identify which laws apply to you, and take a look at our guide to global privacy laws!
Next, you’ll need to make a list of all the types of personal data your website is collecting. Personal data is any information that can be used to identify a person. This includes things like name, phone number, location, or email address.
If you have a marketing agency, ask them whether they use any of the following services. At a minimum, they’re probably using Google Analytics.
If you manage your website on your own, just know that your site is collecting personal data if you have a contact form, collect emails for a newsletter or use third-party services like Google Analytics, Google Ads, Meta Ads etc.
With all of the above covered, please open your document editor of choice and grab a coffee. We’re going to show you how to write the essential clauses your privacy policy will need to include.
What is a clause?
A clause is a specific section within a legal document that explains the rights, responsibilities, and rules that parties must follow. In the context of a privacy policy these are the specific sections or statements that explain one particular aspect of how an organization handles personal information.
Your opening section prefaces the rest of your policy. It's where you introduce your business and provide some information that helps readers understand the rest of the document.
Here you’re defining the different ways you collect data. This falls under two categories: “voluntarily provided” information and “automatically collected” information.
“Voluntarily provided” information refers to any information your users knowingly and actively provide to you, be it through a contact form or when using or participating in any of your services and promotions. If your website collects data that is provided voluntarily, you’ll need to state that your website may collect data when it is “Voluntarily provided” in your policy.
“Automatically collected” information refers to any information automatically sent to you by your users’ devices in the course of accessing your products and services. If your site uses cookies, or tracking services, this applies to you. If your website collects data automatically, you’ll need to state that data is “Automatically collected” in your policy.
You can use our privacy policy’s ‘information we collect‘ section as a guide, just make sure to tailor it to your business.
This section forms the most important part of your whole privacy policy. This is where you list the types of personal data your website collects, a requirement of most privacy laws and regulations around the world.
The data you collect can be grouped into device data, personal information and sensitive information. You'll need to use these categories in your policy and list the types of data you collect within each of them. Take a look at our privacy policy to see how we handle it.
Does your website collect any device data? If so, list it in your privacy policy.
This might include:
Note: If you use Google Analytics 4, by default you’re collecting the following device data:
Does your website collect any personal data via forms or account signups? If so, list it in your policy.
This might include:
Does your website collect any sensitive information? It is imperative that you add this to your privacy policy as sensitive information often requires additional data protection measures.
This might include:
Here you’ll need to inform your users about situations when you might collect their personal information. Try to think hard about this. To get you started, here are some of the common collection events.
You might collect personal information from your users when they:
Here you’ll need to inform your users when and how you might use the personal data you collect. If you’re sure that you’ve listed everything, it’s worth stating that you don’t use personal data to do anything outside of the purposes you’ve stated.
Typically, most businesses use the personal data they collect to:
This section explains how your business protects customer data and clearly states your security responsibilities, as well as your users' own responsibilities for securing their personal data. Describe only the measures you actually operate (for example encryption in transit, access controls or backups): a regulator or a plaintiff can hold you to what the policy promises. Take a look at our privacy policy's section on 'storing and protecting your personal information' as an example.
“We protect your personal information within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification. However, while we use the best available security tools, no storage system is 100% secure, so we cannot guarantee absolute security of your data. You also play a role in keeping your account safe by choosing strong passwords and keeping them private.”
This section tells your users how long you keep their information and why.
"We only keep your information while we need it for our services. After that, we delete it or make it anonymous by removing your name and any details that could be used to identify you. The only time we may retain your personal information for longer is if we are required to do so for compliance with our legal, accounting, or reporting obligations."
If your business specifically and intentionally collects personal data from children under the age of 13, then you skipped over our recommendations on when to speak with a lawyer, and it's time to hit the pause button. Laws like the Children's Online Privacy Protection Act (COPPA) have very specific requirements around the handling of children's personal data. We cannot provide guidance on this.
However, if your business does not specifically and intentionally collect personal data from children under the age of 13, you’ll still need to disclose this.
State that you do not aim any of your products or services directly at children under the age of 13 and that you do not knowingly collect personal information about children under 13.
If you share any personal information with third parties, you’ll need to disclose who in this section.
Here are some examples of typical third parties you might be sharing information with.
Laws like the GDPR, CCPA, PIPEDA and The Privacy Act require you to clearly state the individual rights of your users and provide instructions for your users to follow if they wish to exercise their rights.
The below rights should cover most jurisdictions, adapt each of them to suit your needs and include them in your policy.
We can’t promise the above list covers your needs. To be safe, make sure you know the rights of your users, defined by their given country’s privacy law.
Cookies and cookie consent are now heavily regulated in many countries. Most privacy laws and regulations require you to include the following cookie related information in your privacy policy:
If you’re not sure what cookies are active on your website, our compliance pro package comes with an automatic website cookie scanner that does this for you (and everything else for that matter).
This section is where you disclose the extent of your privacy policy. This limits your exposure to potential legal issues. You’ll mainly want to explain that your privacy policy only applies to your business and that you have no say over any other business’s data processing practices, even if you mention or link to them on your website.
For example, we know that not everyone cares about privacy as much as we do, but, on occasion we need to link to external sites. Some of these sites might not take good care of our users’ data. To protect ourselves, and inform our readers, we state in our privacy statement that “Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices”.
Here, you’ll need to clearly state that you will notify your users if you update your privacy policy, and how you will do so. This is a requirement of the GDPR, CCPA, CalOPPA, and PIPEDA.
Your chosen notification method can be as simple as a clause in your privacy policy, stating the date your policy was last updated. You might also use an email announcement, or a pop-up notice on your website. Whatever your choice, just let your users know in your privacy policy.
In this section, you'll need to provide contact details for the person you've made responsible for responding to inquiries regarding personal data. Under the GDPR this may be a formal Data Protection Officer (DPO), which is mandatory only for certain organisations (such as public authorities and those whose core activities involve large-scale monitoring or large-scale processing of special categories of data); everyone else still needs a named privacy contact. You'll also need to provide instructions on how your users can contact you if they have any queries regarding the use of their personal data.
Depending on which privacy laws apply to you, you’ll need to add a few disclosures to your privacy policy for compliance with the relevant data privacy laws.
For businesses operating in, or collecting personal data from, residents of California, Colorado, Delaware, Florida, Virginia, and Utah, you'll need to add a few clauses to your privacy policy.
Some browsers have a “Do Not Track” feature that lets you tell websites that you do not want to have your online activities tracked.
Browser support is patchy and your analytics and ad tags will not honour it on their own, but you'll still need to state whether or not your website stops tracking when it sees a "Do Not Track" signal. If it doesn't, you can say something along the lines of "At this time, we do not respond to browser "Do Not Track" signals." Whatever you state here must match what your site actually does.
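If you decide to state that you do honour "Do Not Track", the site has to actually gate its tracking tags on the signal. The snippet below is an added example, not code from the GetTerms page or product, showing one way to do that in the browser and on the server. It reads the three historical spellings of the browser flag (`navigator.doNotTrack`, `window.doNotTrack`, `navigator.msDoNotTrack`) and the `DNT` request header; the `loadTag` callback and the `loadAnalyticsIfPermitted` helper name are assumptions for illustration, and the navigator objects used in the demo at the bottom are constructed, not captured from a real browser.

```javascript
// Added example (not from the GetTerms page): gate analytics/ad tags on the
// browser's Do Not Track signal so the policy statement matches behaviour.
// The navigator/window objects are passed in as parameters so the decision
// logic can be exercised outside a real browser.

// Browsers have exposed the flag under three names over the years.
// Values seen in the wild: "1"/"yes" (do not track), "0" (tracking allowed),
// "unspecified" or null/undefined (no preference expressed).
function dntEnabled(nav, win) {
  const raw =
    (nav && nav.doNotTrack) ||
    (win && win.doNotTrack) ||
    (nav && nav.msDoNotTrack);
  if (raw === undefined || raw === null) return false; // no preference sent
  const v = String(raw).toLowerCase();
  return v === '1' || v === 'yes';
}

// Server-side equivalent: the same preference arrives as a "DNT: 1" header.
// `headers` is a plain object with lower-cased header names (as Node's
// http module provides).
function dntHeaderEnabled(headers) {
  if (!headers) return false;
  const v = headers['dnt'];
  return v !== undefined && String(v).trim() === '1';
}

// Only invoke the tag loader (e.g. a function that injects the GA4 script)
// when no DNT signal is present. Returns a small record so callers and
// tests can see which decision was taken and why.
function loadAnalyticsIfPermitted(nav, win, loadTag) {
  if (dntEnabled(nav, win)) {
    return { loaded: false, reason: 'dnt' };
  }
  loadTag();
  return { loaded: true, reason: 'no-dnt-signal' };
}

// Demo with constructed navigator objects (not real browser data).
function demo() {
  const results = [];
  const cases = [
    { nav: { doNotTrack: '1' }, win: {} },            // Firefox/Chrome style
    { nav: { msDoNotTrack: '1' }, win: {} },          // old IE style
    { nav: {}, win: { doNotTrack: 'yes' } },          // old Safari style
    { nav: { doNotTrack: 'unspecified' }, win: {} },  // no preference
    { nav: {}, win: {} },                             // flag absent
  ];
  for (const c of cases) {
    results.push(loadAnalyticsIfPermitted(c.nav, c.win, () => {}).loaded);
  }
  return results; // [false, false, false, true, true]
}

if (typeof module !== 'undefined') {
  module.exports = { dntEnabled, dntHeaderEnabled, loadAnalyticsIfPermitted, demo };
}
```

In a real page you would call `loadAnalyticsIfPermitted(navigator, window, injectGaScript)` before any analytics or ad script tag is added to the DOM; tags that are already in the static HTML fire before this check can run, so they must be moved behind it. Note that the flag is client-controlled and trivially spoofed in either direction, so it is a user preference signal to respect, not a security control.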
California residents have specific privacy rights under CCPA/CPRA, including the right to know about data sharing for marketing and the possibility of financial incentives in exchange for personal information. You’ll need to include a few points addressing this.
You’ll need to include a list of the different categories of personal information you’ve collected in the past 12 months as per the CCPA/CPRA requirements.
You’ll need to disclose all California residents’ rights to request information about how their data is collected, used, and shared, as well as their right to request deletion of personal information as per the CCPA/CPRA’s transparency requirements.
This section addresses California Civil Code requirements for businesses to disclose how they share personal information with third parties for direct marketing purposes.
For businesses operating in the European Union or collecting personal data from people located there, you'll need to include a few disclosures in your privacy policy.
The GDPR distinguishes between organizations that process personal information for their own purposes (known as “data controllers”) and organizations that process personal information on behalf of other organizations (known as “data processors”).
You’ll need to provide a definition for a data controller and data processor and state which of these your organization falls under.
You'll need to explain which of the GDPR's "lawful bases" you rely on for collecting personal information. For a typical website these are consent, performance of a contract, legitimate interests, and legal obligation (vital interests and public task are the remaining two, but rarely apply to a commercial site).
You'll need to outline how you protect any personal data when it is moved outside the European Economic Area.
Here you’ll need to detail what rights and control your users have over their personal information, under the GDPR this includes the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.
For businesses operating in the United Kingdom or collecting data from people located there, you'll need to include the following disclosures to comply with the UK GDPR.
As with the EU GDPR, you'll need to state whether your business is a data controller or a data processor.
Explain how your business collects information about its users from other sources, like partner businesses or public social media profiles
Outline how your business uses personal information for marketing research and improving your website’s experience
Describe what happens to your user’s data when it’s no longer needed – whether it is deleted or anonymized. You’ll also need to provide exceptions to the rule, for example when you’re legally required to keep it.
As with the EU GDPR, here you'll need to outline which lawful bases you rely on for collecting personal information: typically consent, performance of a contract, legitimate interests, and legal obligation.
List the rights of your users over their personal information. As per the UK GDPR, users have the right to
For businesses operating in Australia or collecting personal data from Australian residents, you'll need to include the following disclosure.
Warn users that when their data is shared with organizations outside Australia, these organizations might not follow Australian privacy laws, limiting users’ legal protections.
For businesses operating in Canada or collecting data from Canadian residents, you'll need to include the following disclosures.
You'll need to explain that personal information includes more than just identifying details: it covers a user's financial data, opinions, appearance, and any communications with you.
Here you'll need to describe how and when you can use your users' personal information, emphasizing that your users must understand what they're agreeing to and can withdraw permission at any time.
Here you'll need to state that while you prefer keeping data in Canada, you might sometimes use services in other countries, noting that privacy laws may differ in the countries where these services are located.
In this section you’ll need to outline the basic rights of your users, under PIPEDA, these rights are
Next, you’ll need to state your commitment to following Canada’s privacy law framework, PIPEDA and its 10 principles of privacy.
The PIPEDA’s ten principles of Privacy are:
Finally, you'll need to state your commitment to responsible email marketing, promising no spam, no selling of email addresses, and proper handling of your users' personal data.
Hopefully, the above helps you write a privacy policy you’re confident with. It’s not an easy feat, so give yourself a pat on the back once you’re done! If you’re left feeling less confident that you’re ready to write your own, try our privacy policy generator, we even have a free tier to give you an idea of how it works.