The Complete Template for a Blogger’s Privacy Policy

This is your one-stop resource to compile a Privacy Policy for your blog, with a little cut and paste. I am a WordPress girl – no lawyer! This is not legal advice. I hope to help you by offering a starting point for your privacy policy. If you get sued, it’s not my fault!

If you’d like a printable policy, completed for you – skip to the form here. Complete the blanks and a text email will be sent to you along with a PDF version. Yes – its completely free.

WordPress 4.9.6 includes a privacy tab and a Privacy Policy template.  It also has new tools to export or erase users data! We’ll go over that another time. Today we’re covering the creation of that Privacy Policy and making sure that it complies with the Cookie Law. First – an easy way to group cookies together for easy handling.

What kinds of cookies do I have?

The most common classification system for cookies, was proposed and developed by The UK International Chamber of Commerce (ICC). The ICC proposes these four classes of cookies:

  1. Strictly Necessary Cookies
  2. Performance Cookies
  3. Functionality Cookies
  4. Targeting/Advertising Cookies

Strictly necessary cookies

“These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for, like shopping baskets or e-billing, cannot be provided.

Performance Cookies

“These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works. [emphasis mine]

Functionality Cookies

“These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance…  these cookies can be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.

Targeting/Advertising Cookies

“These cookies are used to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.

Having such a classification makes it easier for us, as bloggers, as well as visitors to our sites. We can now explain how we handle cookies in groupings, instead of each individual cookie – which gets technical and long-winded. To help with the explanation of the cookies in groupings, I’ve written some examples that you can include in your blog’s privacy policy.

How to write a Privacy Policy for a Blog

As I understand it, GDPR requires some common sense stuff. We must answer these questions in language that the average user can understand:

  • what personal information about me do you collect?
  • how is my personal information used?
  • to whom is my personal information shared?
  • how do I opt out of cookies?

Earlier this week, I recommended the passive/implied consent approach. But with WordPress 4.9.6, it is far easier to export and erase user data on request. And it’s not cost prohibitive to get active and informed consent.

Our recommendations have changed this week to the following:

Start with the default WordPress privacy policy template

New with WordPress 4.9.6 is a privacy tab under “Settings” in your dashboard. Login, navigate to Settings >> Privacy.

On the Privacy tab, select your privacy page, if it is already created. If not – and this is the course of action I recommend – click on “Create New Page”.

The automatically created page will give you a great template as a starting point. It looks something like this:

Edit the WordPress Privacy Policy Template

At this point, things need to get customized for each bloggers’ site. This is where you need to declare your cookies (or groups of cookies), why you need them, what they do, and how one can opt out. First there’s a blank section for Contact Forms.

Contact Forms

The first section is left blank so you can complete it with your particular contact form usage and policies. This requires a paragraph like the one below, and a link to that plugin’s privacy policy (check the bottom of this post for a list of common contact form carriers).

To assist with sending you requested information, we use ______ to collect and store your email address. _______ outlines their use of your personal data and anonymized data [link here]here. You may opt out of the collection of your data by unsubscribing (we will remove your data) and contacting them using the instructions on their privacy page[link here].

Find out what cookies you use

Now we can add the cookie information. First you need to know which are in use on your site! The easiest way to do this is to get the free report from CookieBot.com. It will scan a limited number of pages. Be aware that if you add code from advertisers, youtube, or anywhere else to single pages or posts, those cookies will only show up on those pages. I’ll show you what to do with that a little later.

It can take a couple hours for your report to arrive. Be patient. When it comes, it will look something like this:

Once you have a list of cookies used on your site, you can group them and use paragraphs like this in your privacy policy:

Strictly Necessary Cookies

Consent to use strictly necessary cookies is not needed. (source) A Strictly Necessary Cookie is anything required to carry out the transaction that the user requested. If they went to your site to shop, it doesn’t make sense to ask them if they want the shopping cart to work (it won’t work without cookies).

Functionality & Performance Cookies

Most of these cookies will be found in the “marketing section” of the CookieBot report. These are cookies set to help your site serve your visitors better – language, mobile, liking, caching, anti-spam, logins. These remember the user’s language, whether they’ve liked/shared a post, etc.

It would be appropriate to include a paragraph like this:

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. Without these cookies, certain functionality may become unavailable.

Cookies in use: _ga, _gat, _gid, _pinterest_cm, _ck_form, collect, onesignal-pageview-count, visitor_info1_live, gps

Advertising/Tracking Cookies

If you have cookies that are “unclassified” you can view where they’re coming from for clues. Oftentimes it is quite obvious. A couple of mine say, “Convertkit”, and “Youtube”… In the description it says what they’re used for. For example, the YouTube cookie is used to discover the bandwidth of the device to serve a better user experience. It is separate from the YouTube cookie that tracks their history of viewed videos for marketing purposes.

Analytics Section of the Privacy Policy

Back to the Privacy Policy template. This section is blank and to be completed with the help of your particular analytics provider. Most bloggers use Google Analytics. Here is a sample paragraph you can use to explain Google Analytics Cookies. If you use another analytics provider let us know in the comments and we’ll do our best to find the cookies and policies for it.

See this page for Google Analytics security and usage of data.

Who We Share Your Data With

This is a good time to say you don’t! I got this section from the ConvertKit website and edited it for my use. You’ll have to edit some of it for your situation – if you don’t offer a service, some of it will not apply to you!

Who we share your data with

  • Service Providers, application development, site hosting, maintenance, data analysis, infrastructure provision, IT services, customer service, email delivery services, payment processing, marketing, analytics, and enforcement of our Terms of Service Agreement and other agreements;
  • We will never sell, rent, or lease your Personal Data to a third party.

How Long we Retain Your Data

To the end of this section, you can add the date that you chose when you edited the Google Analytics settings last week. (see this tutorial) And you’ll want to ask your contact form plugin how long they keep data for on your site. Something like this will do nicely:

Google Analytics data is retained for  ______. Contact forms and comments cookies are held for one year. We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or allowed by law.

What Rights You Have Section

“What Rights You Have Over your Data” is a section in the template that outlines how the user can control or request deletion of their data. In another tutorial, I’ll show you how to comply with any requests sent your way.

For now, as you’re compiling your privacy policy, this is a great paragraph to include to empower users to take control of their data.

Most advertising networks offer you a way to opt out of Interest Based Advertising. If you would like to find out more information, please visit http://www.aboutads.info/choices/ or http://www.youronlinechoices.com.

If people want to remove cookies from third parties, they will have to take it up with the third party themselves, or use the browser extension mentioned above.

Where We Send Your Data

The comment/spam thing is a good idea – as noted in the template, but I’d also add this if you use tracking software, comment forms, or advertising:

 Third parties have access to your data as noted within this agreement.

Other Information

As I’ve already stated, I’m not here to give legal advice. I’m only offering suggestions that you might want to use as a starting point. I found this in one of the privacy policies I studied and have included it in my own.

Users under 13 years of age

Our Services are not directed to and we do not knowingly collect Personal Data from children under the age of 13. If we become aware that a child under the age of 13 has provided us with Personal Data, we will take steps to remove such data. If you become aware that your child has provided us with Personal Data without your consent, please contact us at ________________. By using the Services, you are representing to us that you are not under the age of 13.

Protection of Personal Data

Assuming you have an anti-virus program on all computers with administrative access to your website, you have anti-spam and security measures on your website, you use a reputable host, and keep your plugins and software up to date, I’d say that is reasonable protection. That means you’re doing everything that is reasonably expected of a website owner to protect their data. I’d say this includes using an SSL certificate! If that isn’t done yet -get on it!

With all those pieces in place, I would use a paragraph like this:

We use reasonable and appropriate physical, electronic, and administrative safeguards to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and risks involved in processing that information.

Another section under “additional” that I found is this gem:

  • Changes to this Privacy Policy

Industry regulatory disclosure requirements

I believe this section is for lawyers, accountants or any professional that answers to a governing authority. The standard disclaimer should go here. This may be a good place to put your affiliate disclosure information.

Index of Plugin Cookies & Policies

Each link below points to a privacy policy by the company in question. The privacy policy describes which cookies are used, why, and how to opt out. Use these links to help your users opt-out of these cookies.

Similar Posts