This is the blogger’s one-stop resource to compile a Privacy Policy for your blog. We’ve gone through the main sections that are required in most of the world (except the EU). There’s an example that you can copy and paste into your website for each section. We’ve also created a template that you can use instead.
Let’s get started! First – the cover-my-butt caveat.
I am a WordPress girl – not a lawyer. Especially for those in the EU – we recommend getting legal advice.
I am a WordPress girl – no lawyer! This is not legal advice. This article is your starting point if you are writing the Privacy Policy on your own. (See the bottom of the article for a list of sources that you can use to help).
Disclosure, Privacy & Cookies – Oh My!
There are several different legal documents that are required to be on your site. Here’s a brief overview of the differences. Skip to the next section to start your privacy policy.
The laws surrounding disclosure statements for bloggers have been evolving over the years. In the United States, the Federal Trade Commission (FTC) first issued guidelines for endorsements and testimonials in 1980, which required advertisers to disclose any material connections they had with endorsers. In 2009, the FTC updated its guidelines to include bloggers, requiring them to disclose any material connections they had with brands they were endorsing.
Since then, there have been several updates and revisions to the guidelines, with the most recent update coming in 2020. The guidelines require bloggers to disclose any material connections they have with brands or products they promote, such as compensation or free products.
This statement is required to be plainly visible on any page that endorses a product/service or brand.
The requirement for websites to have a cookies policy and provide a way for users to opt out is governed by data protection and privacy laws, which vary depending on the country and region.
In the European Union, for example, websites have been required to obtain user consent before storing or accessing cookies on their devices since the implementation of the EU Cookie Law in 2011.
The EU General Data Protection Regulation (GDPR), which came into effect in May 2018, strengthened the requirements for websites to obtain user consent for the use of cookies and other forms of online tracking.
In the United States, the regulations for cookies policies are less prescriptive and are governed by a patchwork of federal and state laws. The California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020, requires businesses that collect personal information about California residents to provide them with certain rights, including the right to know what personal information is being collected and the right to opt out of the sale of their personal information.
The requirement for websites to have a cookies policy and provide a way for users to opt out has been evolving over the years and continues to be shaped by new laws and regulations. This policy is usually entered on a separate page on your blog and then referred to in your privacy policy, under the section “What data we collect”.
Finally, let’s talk about privacy policies. A privacy policy is a document that explains how a website collects, uses, and shares personal information about its users. This is the document we will create in this guide.
A privacy policy is required by law in many countries, including the European Union and the United States. The purpose of a privacy policy is to inform users about what happens to their personal information when they use a website.
If you’d like a printable policy, completed for you – skip to the form here. Complete the blanks and a text email will be sent to you along with a PDF version. Yes – it’s completely free.
WordPress 4.9.6 includes a privacy tab and a Privacy Policy template. It also has new tools to export or erase users’ data! We’ll go over that another time. Today we’re covering the creation of that Privacy Policy.
How to write a Privacy Policy for a Blog
As I understand it, GDPR requires some common sense stuff. We must answer these questions in language that the average user can understand:
- what personal information about me do you collect?
- how is my personal information used?
- with whom is my personal information shared?
- how do I request deletion of my personal data?
Earlier this week, I recommended the passive/implied consent approach. A passive consent is implied by using the site. The user does not have to click ‘yes’ or ‘no’ to the collection of personal information. But we have a better way! With WordPress 4.9.6, we can export and erase user data with one click!
And – now we can use plugins, services or our own policy (like we’re creating today) to get informed consent, which, by definition, is far more in line with the intent of the law. The services are no longer cost-prohibitive – a lot of services offer free plans for websites with little traffic.
We now recommend starting with the default WordPress privacy policy template and editing it as noted below.
Start with the default WordPress privacy policy template
New with WordPress 4.9.6 is a privacy tab under “Settings” in your dashboard. Log in and navigate to Settings >> Privacy.
On the Privacy tab, select your privacy page, if it is already created. If not – and this is the course of action I recommend – click on “Create New Page”.
The automatically created page will give you a great template as a starting point. It looks something like this:
Edit the WordPress Privacy Policy Template
At this point, things need to get customized for each blogger’s site. This is where you need to declare what information you collect. We’ve compiled a list of the most common services bloggers use – and listed, in plain English, what personal data they collect, why, and how to manage the users’ personal data.
Section 1: Who We Are
Before this section, also include the last date updated.
Date updated: __/__/____
All the data on the Privacy Officer, and how to reach him/her – including a mailing address at the bottom of the form – are mandatory. The Privacy Officer can be you.
Our website address is ______. Privacy information is controlled by ______ who can be reached at ______.
Section 2: What Data We Collect and Why
This section is broken down into a bunch of services common to bloggers. You can use the paragraphs/services that you need. Each of these services has a reason to collect personal data. They are responsible for what they do with it, and you are responsible for letting your visitors know about:
- who collects the data
- what data they collect
- why they collect it
- how to opt-out
- how it is kept secure
In Short: We collect personal information that you provide to us. Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our website.
Email Forms
Most of you use an email marketing service provider (EMS). They give you little forms to collect email addresses. The emails are then sent to the EMS and stored there, securely. From that point, your EMS determines the safety and use of the emails and other personal data. EMSs also regularly collect IP address, location, device, browser, time and other personal details by which to group users and help you analyze the types of people who sign up.
You will need to let your users know that when they submit their personal email address, they are asking for you to keep it. And you are sharing this with a third party: your EMS. They have rights to govern their own data at your EMS.
To complete this section, you will need:
- the name of the email marketing service
- the link to their privacy policy
To assist with sending you requested information, we use ______ to collect and store your email address. ______ outlines their use of your personal data and anonymized data here [link here]. You may opt out of the collection of your data by unsubscribing (we will remove your data) and contacting them using the instructions on their privacy page [link here].
Comments
If comments or registration are turned on (under the WordPress general Settings tab), then you are saving the email address and other information in your website. It is your duty to identify what information you keep and why, and to provide a way for users to opt out.
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser to help prevent spam. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here. After approval of your comment, your profile picture is visible to the public in the context of your comment.
Analytics – Google Analytics
Most bloggers use Google Analytics. Here is a sample paragraph you can use to explain Google Analytics Cookies. If you use another analytics provider let us know in the comments and we’ll do our best to find the cookies and policies for it.
We use Google Analytics to record information about the pages a user has seen, for example the URL of the page, time of day, device used, etc. The information that we collect is anonymized and sent to Google Analytics for analysis. Google Analytics mainly uses first-party cookies to report on visitor interactions on this website.
Users may disable cookies or delete any individual cookie.
In addition, Google Analytics supports an optional browser add-on that – once installed and enabled – disables measurement by Google Analytics for any site a user visits. Note that this add-on only disables Google Analytics measurement.
Google Analytics also collects Internet Protocol (IP) addresses to provide and protect the security of the service, and to give website owners a sense of which country, state, or city in the world their users come from (also known as “IP geolocation”). See this page for Google Analytics security and usage of data: https://support.google.com/analytics/answer/6004245
Tracking Technologies
This is the place where you tell them about cookies – and link to your cookies policy. (Use the Cookies Template)
We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice: ______
Advertising
If you use advertising, you are embedding content from another site. Most advertising companies require a blurb in your privacy policy to empower users to control their personal data.
Below are a few of the most common advertisers, and a generic blurb that you can use if you have a different company.
This Site is affiliated with Google Adsense for the purposes of placing advertising on the Site, and they will collect and use certain data for advertising purposes. To learn more about Google Adsense data usage, click here: https://policies.google.com/privacy?hl=en
This Site is affiliated with CMI Marketing, Inc., d/b/a CafeMedia (“CafeMedia”) for the purposes of placing advertising on the Site, and CafeMedia will collect and use certain data for advertising purposes. To learn more about CafeMedia’s data usage, click here: https://www.cafemedia.com/publisher-advertising-privacy-policy
This Site is affiliated with SheMedia LLC and Penske Media Corporation for the purposes of placing advertising on the Site, and they will collect and use certain data for advertising purposes. To learn more about SheMedia LLC and Penske Media Corporation data usage, click here: https://www.shemedia.com/ad-services-privacy-policy
Mediavine Programmatic Advertising (Ver 1.1)
The Website works with Mediavine to manage third-party interest-based advertising appearing on the Website. Mediavine serves content and advertisements when you visit the Website, which may use first and third-party cookies. A cookie is a small text file which is sent to your computer or mobile device (referred to in this policy as a “device”) by the web server so that a website can remember some information about your browsing activity on the Website.
First party cookies are created by the website that you are visiting. A third-party cookie is frequently used in behavioral advertising and analytics and is created by a domain other than the website you are visiting. Third-party cookies, tags, pixels, beacons and other similar technologies (collectively, “Tags”) may be placed on the Website to monitor interaction with advertising content and to target and optimize advertising. Each internet browser has functionality so that you can block both first and third-party cookies and clear your browser’s cache. The “help” feature of the menu bar on most browsers will tell you how to stop accepting new cookies, how to receive notification of new cookies, how to disable existing cookies and how to clear your browser’s cache. For more information about cookies and how to disable them, you can consult the information at https://www.allaboutcookies.org/manage-cookies/
Without cookies you may not be able to take full advantage of the Website content and features. Please note that rejecting cookies does not mean that you will no longer see ads when you visit our Site. In the event you opt-out, you will still see non-personalized advertisements on the Website.
The Website collects the following data using a cookie when serving personalized ads:
- IP Address
- Operating System type
- Operating System version
- Device Type
- Language of the website
- Web browser type
- Email (in hashed form)
Mediavine Partners (companies listed below with whom Mediavine shares data) may also use this data to link to other end user information the partner has independently collected to deliver targeted advertisements. Mediavine Partners may also separately collect data about end users from other sources, such as advertising IDs or pixels, and link that data to data collected from Mediavine publishers in order to provide interest-based advertising across your online experience, including devices, browsers and apps. This data includes usage data, cookie information, device information, information about interactions between users and advertisements and websites, geolocation data, traffic data, and information about a visitor’s referral source to a particular website. Mediavine Partners may also create unique IDs to create audience segments, which are used to provide targeted advertising.
If you would like more information about this practice and to know your choices to opt-in or opt-out of this data collection, please visit https://thenai.org/opt-out/. You may also visit http://optout.aboutads.info/#/ and http://optout.networkadvertising.org/# to learn more information about interest-based advertising. You may download the AppChoices app at https://youradchoices.com/appchoices to opt out in connection with mobile apps, or use the platform controls on your mobile device to opt out.
For specific information about Mediavine Partners, the data each collects and their data collection and privacy policies, please visit https://www.mediavine.com/ad-partners/
This Site is affiliated with Ezoic Inc. for the purposes of placing advertising on the Site, and they will collect and use certain data for advertising purposes. To learn more about Ezoic Inc. data usage, click here: https://www.ezoic.com/privacy-policy
This Site is affiliated with ______ for the purposes of placing advertising on the Site, and they will collect and use certain data for advertising purposes. To learn more about ______ data usage, click here: ______
Embedded Content
Since embedded content passes your visitors’ information to the source website/service, you need to tell your users what information those services collect, as well as how to opt out. This can be done easily with a link to their data protection and privacy policy.
Articles on this site may include embedded content (e.g. YouTube, Pinterest, WordPress.org, Ads etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged into that website.
Section 3: Who We Share Your Data With
It is impossible to not share your data. If you don’t know this already, your visitors’ data is stored in your hosting account, some data is retained in WordPress, analytics and tracking is put on your site by nearly every plugin – in order to help when things stop working. All of this is normal.
Here are some of the ways that you share data. You can use or remove any of these scenarios, as needed. If you don’t offer a product or service, some of it will not apply to you!
The data collected may be shared with service providers and others who help with our business operations and assist in the delivery of our products and services including, but not limited to:
- application development,
- site hosting,
- maintenance,
- data analysis,
- infrastructure provision,
- IT services,
- customer service,
- email delivery services,
- payment processing,
- marketing,
- analytics, and
- enforcement of our Terms of Service Agreement and other agreements;
Other users of the site to identify you to anyone to whom you send messages or make comments through the Services;
Persons or entities with whom you consent to have your Personal Data shared;
Third parties in order to prevent damage to our property (tangible and intangible), for safety reasons, or to collect amounts owed to us;
Merchants and payment processors; and
Third parties as we believe necessary or appropriate, in any manner permitted under applicable law, including laws outside your country of residence.
Who we share your data with
Next you need to state why you collect all this information. These are generic terms and apply to nearly everyone: we collect it to provide services, to understand our audience – which helps us provide services, and to run our business. We also need to comply with the legal requirements wherever we live. Something like this will do nicely:
We do this to: comply with legal process; respond to requests from public and government authorities, including public and government authorities outside your country of residence; enforce our Terms of Service Agreement and other agreements; protect our operations; protect our rights, privacy, safety or property, and/or that of our affiliates, you, or others; and allow us to pursue available remedies or limit the damages that we may sustain.
- We will never sell, rent, or lease your Personal Data to a third party.
Section 4: How Long we Retain Your Data
To the end of this section, you can add the date that you chose when you edited the Google Analytics settings last week (see this tutorial). You’ll also want to ask your contact form plugin how long they keep data on your site. Something like this will do nicely:
Google Analytics data is retained for ______. Contact forms and comments cookies are held for one year. We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or allowed by law.
Section 5: What Rights You Have
“What Rights You Have Over your Data” is a section in the WordPress Privacy template that outlines how the user can control or request deletion of their personal data. In another tutorial, I’ll show you how to comply with any requests sent your way.
For now, as you’re compiling your privacy policy, this is a great paragraph to include to empower users to take control of their data.
Most advertising networks offer you a way to opt out of Interest Based Advertising. If you would like to find out more information, please visit http://www.aboutads.info/choices/ or http://www.youronlinechoices.com.
If people want to remove cookies from third parties, they will have to take it up with the third party themselves, or use the browser extension mentioned above.
Section 6: Where We Send Your Data
The comment/spam thing is a good idea – as noted in the template, but I’d also add this if you use tracking software, comment forms, or advertising:
Third parties have access to your data as noted within this agreement.
Section 7: Other Information
As I’ve already stated, I’m not here to give legal advice. I’m only offering suggestions that you might want to use as a starting point. I found this in one of the privacy policies I studied and have included it in my own.
Users under 13 years of age
Our Services are not directed to and we do not knowingly collect Personal Data from children under the age of 13. If we become aware that a child under the age of 13 has provided us with Personal Data, we will take steps to remove such data. If you become aware that your child has provided us with Personal Data without your consent, please contact us at ________________. By using the Services, you are representing to us that you are not under the age of 13.
Protection of Personal Data
Assuming you have an anti-virus program on all computers with administrative access to your website, you have anti-spam and security measures on your website, you use a reputable host, and keep your plugins and software up to date, I’d say that is reasonable protection. That means you’re doing everything that is reasonably expected of a website owner to protect their data. I’d say this includes using an SSL certificate! If that isn’t done yet – get on it!
With all those pieces in place, I would use a paragraph like this:
We use reasonable and appropriate physical, electronic, and administrative safeguards to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and risks involved in processing that information.
Industry regulatory disclosure requirements
I believe this section is for lawyers, accountants or any professional that answers to a governing authority. The standard disclaimer should go here. This may be a good place to put your affiliate disclosure information.
Done for You Template: Complete the Form
Those are all the sections that need to be on there, as far as I can tell. See the sources below for getting legal advice and creating a legally sound policy.
Complete the form – and we’ll send you a done-for-you Privacy Policy – with similar information as is in this guide.
Index of Third Parties that Collect Personal Information
Each link below points to a privacy policy by the company in question. The privacy policy describes which cookies are used, why, and how to opt out. Use these links to help your users opt-out of these cookies.
Email Marketing
- ConvertKit
- Mailchimp
- Constant Contact
- Vertical Response
- Emma (Email Marketing)
Advertising Firms
- Google ads
- Gourmet Ads
- BlogHer
- Sovrn
- Amazon.com
Sources for this article:
- CookiePedia
- CookieLaw
- Developers.Google.com
- PrivacyPolicies
Cathy Mitchell
Single Mom, Lifelong Learner, Jesus Follower, Founder and CEO at WPBarista.