
The Complete Template for a Blogger’s Privacy Policy

This is your one-stop resource to compile a Privacy Policy for your blog, with a little cut and paste. I am a WordPress girl – no lawyer! This is not legal advice. I hope to help you by offering a starting point for your privacy policy. If you get sued, it’s not my fault!

If you’d like a printable policy, completed for you – skip to the form here. Complete the blanks and a text email will be sent to you along with a PDF version. Yes – it’s completely free.

WordPress 4.9.6 includes a privacy tab and a Privacy Policy template. It also has new tools to export or erase users’ data! We’ll go over that another time. Today we’re covering the creation of that Privacy Policy and making sure that it complies with the Cookie Law. First – an easy way to group cookies together for easy handling.

What kinds of cookies do I have?

The most common classification system for cookies was proposed and developed by the UK International Chamber of Commerce (ICC). The ICC proposes these four classes of cookies:

  1. Strictly Necessary Cookies
  2. Performance Cookies
  3. Functionality Cookies
  4. Targeting/Advertising Cookies

Strictly necessary cookies

“These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for, like shopping baskets or e-billing, cannot be provided.”

Performance Cookies

“These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.” [emphasis mine]

Functionality Cookies

“These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance… these cookies can be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.”

Targeting/Advertising Cookies

“These cookies are used to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.”

Having such a classification makes things easier for us as bloggers, and for the visitors to our sites. We can now explain how we handle cookies in groupings, instead of cookie by cookie – which gets technical and long-winded. To help with explaining the cookies in groupings, I’ve written some examples that you can include in your blog’s privacy policy.

How to write a Privacy Policy for a Blog

As I understand it, GDPR requires some common sense stuff. We must answer these questions in language that the average user can understand:

  • what personal information about me do you collect?
  • how is my personal information used?
  • to whom is my personal information shared?
  • how do I opt out of cookies?

Earlier this week, I recommended the passive/implied consent approach. But with WordPress 4.9.6, it is far easier to export and erase user data on request. And it’s not cost prohibitive to get active and informed consent.

Our recommendations have changed this week to the following:

Start with the default WordPress privacy policy template

New with WordPress 4.9.6 is a privacy tab under “Settings” in your dashboard. Log in, then navigate to Settings >> Privacy.

On the Privacy tab, select your privacy page, if it is already created. If not – and this is the course of action I recommend – click on “Create New Page”.

The automatically created page will give you a great template as a starting point. It looks something like this:

Edit the WordPress Privacy Policy Template

At this point, things need to get customized for each blogger’s site. This is where you need to declare your cookies (or groups of cookies), why you need them, what they do, and how one can opt out. First there’s a blank section for Contact Forms.

Contact Forms

The first section is left blank so you can complete it with your particular contact form usage and policies. This requires a paragraph like the one below, and a link to that plugin’s privacy policy (check the bottom of this post for a list of common contact form providers).

To assist with sending you requested information, we use ______ to collect and store your email address. _______ outlines their use of your personal data and anonymized data [link here]. You may opt out of the collection of your data by unsubscribing (we will remove your data) and contacting them using the instructions on their privacy page [link here].

Find out what cookies you use

Now we can add the cookie information. First you need to know which cookies are in use on your site! The easiest way to do this is to get the free report from CookieBot.com. It will scan a limited number of pages. Be aware that if you add code from advertisers, YouTube, or anywhere else to single pages or posts, those cookies will only show up on those pages. I’ll show you what to do with that a little later.

It can take a couple of hours for your report to arrive. Be patient. When it comes, it will look something like this:

Once you have a list of cookies used on your site, you can group them and use paragraphs like this in your privacy policy:

Strictly Necessary Cookies

Consent to use strictly necessary cookies is not needed. (source) A Strictly Necessary Cookie is anything required to carry out the transaction that the user requested. If they went to your site to shop, it doesn’t make sense to ask them if they want the shopping cart to work (it won’t work without cookies).

Functionality & Performance Cookies

Most of these cookies will be found in the “marketing section” of the CookieBot report. These are cookies set to help your site serve your visitors better – language, mobile, liking, caching, anti-spam, logins. These remember the user’s language, whether they’ve liked/shared a post, etc.

It would be appropriate to include a paragraph like this:

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. Without these cookies, certain functionality may become unavailable.

Cookies in use: _ga, _gat, _gid, _pinterest_cm, _ck_form, collect, onesignal-pageview-count, visitor_info1_live, gps

Advertising/Tracking Cookies

If you have cookies that are “unclassified”, you can look at where they’re coming from for clues. Oftentimes it is quite obvious. A couple of mine say “ConvertKit” and “YouTube”… The description says what they’re used for. For example, the YouTube cookie is used to discover the bandwidth of the device to serve a better user experience. It is separate from the YouTube cookie that tracks the visitor’s history of viewed videos for marketing purposes.
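The “Find out what cookies you use” step, the grouping into the ICC classes, and the note about unclassified cookies above can be worked through with a small inventory script. What follows is an added example written for this post, not code from the original article or from CookieBot or WordPress. It parses `Set-Cookie` headers the way a site owner might capture them from their own pages (the sample headers, the `ad_campaign_id` and `mystery_prefs` names, the `.adnetwork.example` / `.widget.example` domains, and the WordPress-cookie and `ad_` prefix classifications are all constructed assumptions for this example; the `_ga`/`_gat`/`_gid`, `_pinterest_cm` and `onesignal-pageview-count` groupings follow the post’s own “Cookies in use” line). It then renders a “Cookies in use:” line per class and flags persistent cookies that are missing the `Secure` or `SameSite` attributes, which is worth fixing before claiming “reasonable safeguards” in the policy.

```python
"""Cookie inventory helper: added example for this post, not the post's own code."""
import datetime as dt
import email.utils
from dataclasses import dataclass
from typing import Dict, List, Optional

ICC_CLASSES = ("Strictly Necessary", "Performance", "Functionality", "Targeting/Advertising")

# Name prefix -> ICC class. _ga/_gat/_gid, _pinterest_cm and onesignal-pageview-count
# follow the post's grouping; the WordPress login/settings prefixes and the "ad_"
# prefix are ASSUMPTIONS made for this example, not a published standard.
PREFIX_CLASSES = [
    ("wordpress_logged_in_", "Strictly Necessary"),
    ("wordpress_sec_", "Strictly Necessary"),
    ("wp-settings-", "Functionality"),
    ("_ga", "Performance"),  # also matches _gat
    ("_gid", "Performance"),
    ("_pinterest_cm", "Functionality"),
    ("onesignal-pageview-count", "Functionality"),
    ("ad_", "Targeting/Advertising"),
]

# Fixed "now" so lifetimes computed from Expires are reproducible.
REFERENCE_NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)

# CONSTRUCTED sample headers, as a blog's pages and embeds might emit them.
SAMPLE_SET_COOKIE_HEADERS = [
    "wordpress_logged_in_a1b2=editor%7C1704067200; Path=/; Secure; HttpOnly; SameSite=Lax",
    "wp-settings-1=editor%3Doff; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
    "_ga=GA1.2.111111111.1704067200; Expires=Sat, 01 Jan 2028 00:00:00 GMT; Path=/; Domain=.example.blog",
    "_gid=GA1.2.222222222.1704067200; Max-Age=86400; Path=/; Domain=.example.blog",
    "_gat=1; Max-Age=60; Path=/; Domain=.example.blog",
    "_pinterest_cm=TWc9PQ%3D%3D; Max-Age=31536000; Path=/; Domain=.pinterest.com; Secure; SameSite=None",
    "ad_campaign_id=cmp-42; Max-Age=15552000; Path=/; Domain=.adnetwork.example; Secure; SameSite=None",
    "mystery_prefs=1; Path=/; Domain=.widget.example",
]


@dataclass
class CookieRecord:
    name: str
    domain: Optional[str]
    persistent: bool            # True when Max-Age or Expires is present
    lifetime_days: Optional[float]
    secure: bool
    http_only: bool
    same_site: Optional[str]
    icc_class: str


def classify(name: str) -> str:
    """Map a cookie name to an ICC class by prefix; unknown names stay 'Unclassified'."""
    for prefix, icc_class in PREFIX_CLASSES:
        if name.startswith(prefix):
            return icc_class
    return "Unclassified"


def parse_set_cookie(header: str, now: dt.datetime = REFERENCE_NOW) -> CookieRecord:
    """Parse one Set-Cookie header value: 'name=value; Attr; Attr=val; ...'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    lifetime: Optional[float] = None
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        lifetime = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:                    # RFC 5322-style date, e.g. "Sat, 01 Jan 2028 00:00:00 GMT"
        expires = email.utils.parsedate_to_datetime(attrs["expires"])
        lifetime = (expires - now).total_seconds() / 86400
    name = name.strip()
    return CookieRecord(name=name, domain=attrs.get("domain"), persistent=lifetime is not None,
                        lifetime_days=lifetime, secure="secure" in attrs,
                        http_only="httponly" in attrs, same_site=attrs.get("samesite"),
                        icc_class=classify(name))


def inventory(headers: List[str], now: dt.datetime = REFERENCE_NOW) -> Dict[str, List[CookieRecord]]:
    """Group parsed cookies by ICC class, keeping an 'Unclassified' bucket to review by hand."""
    groups: Dict[str, List[CookieRecord]] = {c: [] for c in (*ICC_CLASSES, "Unclassified")}
    for header in headers:
        record = parse_set_cookie(header, now)
        groups[record.icc_class].append(record)
    return groups


def policy_lines(groups: Dict[str, List[CookieRecord]]) -> Dict[str, str]:
    """Render the 'Cookies in use: ...' line the post suggests, one per non-empty class."""
    return {c: "Cookies in use: " + ", ".join(r.name for r in recs)
            for c, recs in groups.items() if recs}


def hygiene_findings(groups: Dict[str, List[CookieRecord]]) -> List[str]:
    """Flag cookies whose attributes undercut the 'reasonable safeguards' claim."""
    findings = []
    for recs in groups.values():
        for r in recs:
            if r.persistent and not r.secure:
                findings.append(f"{r.name}: persistent cookie set without the Secure attribute")
            if r.same_site is None:
                findings.append(f"{r.name}: no SameSite attribute")
    return findings


if __name__ == "__main__":
    groups = inventory(SAMPLE_SET_COOKIE_HEADERS)
    for icc_class, line in policy_lines(groups).items():
        print(f"{icc_class}: {line}")
    for finding in hygiene_findings(groups):
        print("check:", finding)
```

The `Unclassified` bucket is the script’s equivalent of the “unclassified” rows in the scan report: the `domain` field on each record is the clue the post describes, so a cookie scoped to a video or ad network’s domain can be moved into the right class by adding its prefix to `PREFIX_CLASSES`.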

Analytics Section of the Privacy Policy

Back to the Privacy Policy template. This section is blank and to be completed with the help of your particular analytics provider. Most bloggers use Google Analytics. Here is a sample paragraph you can use to explain Google Analytics Cookies. If you use another analytics provider let us know in the comments and we’ll do our best to find the cookies and policies for it.

See this page for Google Analytics security and usage of data.

Who We Share Your Data With

This is a good time to say you don’t! I got this section from the ConvertKit website and edited it for my use. You’ll have to edit some of it for your situation – if you don’t offer a service, some of it will not apply to you!

Who we share your data with

  • Service Providers, application development, site hosting, maintenance, data analysis, infrastructure provision, IT services, customer service, email delivery services, payment processing, marketing, analytics, and enforcement of our Terms of Service Agreement and other agreements;
  • We will never sell, rent, or lease your Personal Data to a third party.

How Long we Retain Your Data

To the end of this section, you can add the date that you chose when you edited the Google Analytics settings last week (see this tutorial). You’ll also want to check with your contact form plugin’s provider how long they keep data on your site. Something like this will do nicely:

Google Analytics data is retained for ______. Contact forms and comments cookies are held for one year. We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or allowed by law.

What Rights You Have Section

“What Rights You Have Over your Data” is a section in the template that outlines how the user can control or request deletion of their data. In another tutorial, I’ll show you how to comply with any requests sent your way.

For now, as you’re compiling your privacy policy, this is a great paragraph to include to empower users to take control of their data.

Most advertising networks offer you a way to opt out of Interest Based Advertising. If you would like to find out more information, please visit http://www.aboutads.info/choices/ or http://www.youronlinechoices.com.

If people want to remove cookies from third parties, they will have to take it up with the third party themselves, or use the browser extension mentioned above.

Where We Send Your Data

The comment/spam statement already in the template is a good idea, but I’d also add this if you use tracking software, comment forms, or advertising:

Third parties have access to your data as noted within this agreement.

Other Information

As I’ve already stated, I’m not here to give legal advice. I’m only offering suggestions that you might want to use as a starting point. I found this in one of the privacy policies I studied and have included it in my own.

Users under 13 years of age

Our Services are not directed to and we do not knowingly collect Personal Data from children under the age of 13. If we become aware that a child under the age of 13 has provided us with Personal Data, we will take steps to remove such data. If you become aware that your child has provided us with Personal Data without your consent, please contact us at ________________. By using the Services, you are representing to us that you are not under the age of 13.

Protection of Personal Data

Assuming you have an anti-virus program on all computers with administrative access to your website, you have anti-spam and security measures on your website, you use a reputable host, and you keep your plugins and software up to date, I’d say that is reasonable protection. That means you’re doing everything that is reasonably expected of a website owner to protect their data. I’d say this includes using an SSL certificate! If that isn’t done yet – get on it!

With all those pieces in place, I would use a paragraph like this:

We use reasonable and appropriate physical, electronic, and administrative safeguards to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and risks involved in processing that information.

Another section under “additional” that I found is this gem:

  • Changes to this Privacy Policy

Industry regulatory disclosure requirements

I believe this section is for lawyers, accountants or any professional that answers to a governing authority. The standard disclaimer should go here. This may be a good place to put your affiliate disclosure information.

Index of Plugin Cookies & Policies

Each link below points to a privacy policy by the company in question. The privacy policy describes which cookies are used, why, and how to opt out. Use these links to help your users opt-out of these cookies.

Privacy Policy Template

Complete these fields and we’ll send you a template that you can use on your blog. As always please remember that this is not legal advice.


Privacy Policy

Last Updated:

Our website address is . Privacy information is controlled by who can be reached at .

COMMENTS

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser to help prevent spam.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here. After approval of your comment, your profile picture is visible to the public in the context of your comment.

CONTACT FORMS

To assist with sending you requested information, we use to collect and store your email address. You may opt out of the collection of your data by:

  1. unsubscribing (we will remove your data) and

  2. contacting them using the instructions on their privacy policy:

EMBEDDED CONTENT FROM OTHER WEBSITES

Articles on this site may include embedded content (e.g. YouTube, Pinterest, wordpress.org, etc.).

Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged into that website.

ANALYTICS

We use Google Analytics to record information about the pages a user has seen, for example the URL of the page, time of day, device used, etc. The information that we collect is anonymized and sent to Google Analytics for analysis. Google Analytics mainly uses first-party cookies to report on visitor interactions on this website. Users may disable cookies or delete any individual cookie. In addition, Google Analytics supports an optional browser add-on that – once installed and enabled – disables measurement by Google Analytics for any site a user visits. Note that this add-on only disables Google Analytics measurement. Google Analytics also collects Internet Protocol (IP) addresses to provide and protect the security of the service, and to give website owners a sense of which country, state, or city in the world their users come from (also known as “IP geolocation”). See this page for Google Analytics security and usage of data: https://support.google.com/analytics/answer/6004245

The data collected may be shared with:

  • service providers and others who help with our business operations and assist in the delivery of our products and services including, but not limited to, application development, site hosting, maintenance, data analysis, infrastructure provision, IT services, customer service, email delivery services, payment processing, marketing, analytics, and enforcement of our Terms of Service Agreement and other agreements;

  • Other users of the site to identify you to anyone to whom you send messages or make comments through the Services;

  • Persons or entities with whom you consent to have your Personal Data shared;

  • Third parties in order to prevent damage to our property (tangible and intangible), for safety reasons, or to collect amounts owed to us;

  • Merchants and payment processors;

  • and third parties as we believe necessary or appropriate, in any manner permitted under applicable law, including laws outside your country of residence

We do this to:

  • comply with legal process;

  • respond to requests from public and government authorities, including public and government authorities outside your country of residence;

  • enforce our Terms of Service Agreement and other agreements;

  • protect our operations;

  • protect our rights, privacy, safety or property, and/or that of our affiliates, you, or others;

  • and allow us to pursue available remedies or limit the damages that we may sustain.

We will never sell, rent, or lease your Personal Data to a third party.

If you leave a comment, the comment and its metadata are retained for one year. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Analytics data is retained indefinitely.

Contact forms are held for one year.

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you.

This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Visitor comments may be checked through an automated spam detection service. Third parties have access to your data as noted within this agreement.

We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or allowed by law.

Our Services are not directed to and we do not knowingly collect Personal Data from children under the age of 13. If we become aware that a child under the age of 13 has provided us with Personal Data, we will take steps to remove such data. If you become aware that your child has provided us with Personal Data without your consent, please contact us at .

By using the Services, you are representing to us that you are not under the age of 13.

We use reasonable and appropriate physical, electronic, and administrative safeguards to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and risks involved in processing that information.

i. The types of Personal Data we collect and why we collect it, are described in Section 2 of this Privacy Policy.

ii. See section 5 to remove your data from this site.

We may change this Privacy Policy at any time. The most recent version of the Privacy Policy is indicated by the “Last Updated” date at the top of the Privacy Policy. All changes are effective immediately upon posting. Please review this Privacy Policy frequently to stay updated on changes that may affect you. Your continued use of this website signifies your continuing consent to be bound by this Privacy Policy.

25 Comments

  1. Hey Cathy, thanks for this very helpful post!

    I am in the midst of prepping a privacy policy for my WP site so this should be a great help.

    BTW, what has your experience been in complying with CASL regs in Canada? Somewhat similar to upcoming GDPR?

  2. This has been invaluable! Thank you so much for such an easy to read detailed description! Awesome!

  3. I’m in the process of getting a blog up and running. Thank you so much for this helpful post – a privacy policy was something I was aware I needed but had no idea what I needed in it. Thank you!

  4. Hi Cathy,
    Thanks for this post, it’s really a gem!
    Although I’m still quite lost with writing an appropriate privacy policy for users from my country and other countries.
    For example, from my research, most English Privacy Policies have a section talking about ‘information transfer’.
    I’m very confused as I do not find this in the Privacy Policy I found from my country, which is Taiwan. But I thought to still include it as my website may have visitors from overseas. May I ask for your help to clarify it?
    My concern is that ‘where exactly is the location where information will be transferred and be held’? Is it where my service (website) host is located? Or is it where my computer or business is located?
    Many of my friends say there are many details in a privacy policy that are not so important to an individual website owner, is it so? Because I would like to do things right at once, so I don’t have to worry about it any time later..
    I’m not sure if it is ok to ask things like this here, my apologies in advance if it is inappropriate.
    P.S. My web site is not released to public yet.

    1. To be honest, this policy is mostly useful for the North American audience. I know the UK demands are different but I’m not sure what they are – I’m sorry I can’t be more help!

  5. Thank you so much for this – really useful! Honestly wouldn’t have known where to start without this guide. The only one I’m not completely sure is okay on my website is the Google AdSense part as I couldn’t find any examples online, however I think I have covered what I need to.

  6. This was such a blessing. Very straightforward. I was overwhelmed as I read other articles on it until your article. I was able to compose the privacy policy for my blog from start to finish using your information. Thank you so so much.

  7. Thanks for sharing this form and your knowledge! Privacy policy and cookies are so confusing to beginners! This was a major help to format one.
