Privacy Policy Template for your Blog
Every paragraph that a blogger needs for a Privacy Policy is below.
You’ll find the most-common sections like Who We Are, and What Information We Collect – this gets tricky for bloggers who use a database, email marketing, ad performance company and more. So we start with the blog WordPress Privacy Policy Template.
Included below is sample text that you can copy and paste into your blog/website. If you prefer a fill-in-the-blanks privacy template, we got that too! It’s free to download at the end of this article.
First – the cover-my-butt caveat.
I am a WordPress Expert – not a lawyer. Especially for those in the EU – we recommend getting legal advice.
I am a WordPress girl – no lawyer! This is not legal advice.
This article has a copy/paste sample template, question & answer form and resources index for a blogger to create their own Privacy Policy. (See the bottom of the article for a list of sources that you can use for help).
What’s the difference between Disclosure, Privacy and Cookies?
There are several different legal documents that are required to be on your site. Here’s a brief overview of the differences.
(Skip to the next section to create your privacy policy.)
The laws surrounding disclosure statements for bloggers have been evolving over the years. In the United States, the Federal Trade Commission (FTC) first issued guidelines for endorsements and testimonials in 1980, which required advertisers to disclose any material connections they had with endorsers. In 2009, the FTC updated its guidelines to include bloggers, requiring them to disclose any material connections they had with brands they were endorsing.
The most recent update in 2020 requires bloggers to disclose any connections they have with brands or products they promote, such as compensation or free products.
This statement is required to be plainly visible on any page that endorses a product/service or brand.
The requirement for websites to have a cookies policy and provide a way for users to opt out is governed by data protection and privacy laws, which vary depending on the country and region.
In the European Union, for example, websites have been required to obtain user consent before storing or accessing cookies on their devices since the implementation of the EU Cookie Law in 2011.
The EU General Data Protection Regulation (GDPR), which came into effect in May 2018, strengthened the requirements for websites to obtain user consent for the use of cookies and other forms of online tracking.
In the United States, the regulations for cookies policies are less prescriptive and are governed by a patchwork of federal and state laws. The California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020, requires businesses that collect personal information about California residents to provide them with certain rights, including the right to know what personal information is being collected and the right to opt out of the sale of their personal information.
The requirement for websites to have a cookies policy and provide a way for users to opt out has been evolving over the years and continues to be shaped by new laws and regulations. This policy is usually entered on a separate page on your blog and then referred to in your privacy policy, under the section “What data we collect”.
Finally, let’s talk about privacy policies specifically for blogs. A privacy policy is a document that explains how a website collects, uses, and shares personal information about its users. This is the document we will create in this guide.
A privacy policy is required by law in many countries, including the European Union and the United States. The purpose of a privacy policy is to inform users about what happens to their personal information when they use a website.
If you’d like a free printable policy (pdf), completed for you – skip to the form here. Complete the question-and-answer form and an email will be sent to you with a free PDF version of the Privacy Policy. Yes – it’s completely free.
WordPress 4.9.6 includes a privacy tab and a Privacy Policy template. It also has new tools to export or erase users’ data! We’ll go over that another time. Today we’re covering the creation of that Privacy Policy.
How to write a Privacy Policy for a Blog
The GDPR requires some common sense stuff. We must answer these questions in language that our users can understand:
- what personal information about me do you collect?
- how is my personal information used?
- with whom is my personal information shared?
- how do I request deletion of my personal data?
Passive Consent vs. Informed Consent
Years ago, we recommended the passive consent approach. A passive consent is implied by using the site. The user does not have to click ‘yes’ or ‘no’ to the collection of personal information. But we have a better way! With WordPress 4.9.6, we can export and erase user data with one click!
And – now we can use plugins, hosted services or our own policy (like we’re creating today) to get informed consent, which by definition is far more in line with the intent of the law. The services are no longer cost prohibitive – a lot of services offer free plans for websites with little traffic.
We now recommend starting with the default WordPress privacy policy template and editing it as noted below.
Start with the default WordPress privacy policy template
Since WordPress 4.9.6, there is a privacy tab under “Settings” in your dashboard. Log in and navigate to Settings >> Privacy.
On the Privacy tab, select your privacy page, if it is already created. If not – click on “Create”.
The automatically created page will give you a great template as a starting point. It looks something like this:
Edit the WordPress Privacy Policy Template
At this point, things need to get customized for each blogger’s site. This is where you need to declare what information you collect. We’ve compiled a list of the most common services bloggers use (see index below). Starting with each section, let’s go through an example that you might want to copy and paste into your blog’s Privacy Policy.
Section 1: Who We Are
Before this section, also include the last date updated.
Date updated: __/__/____
All the data on the Privacy Officer, and how to reach him/her – including a mailing address at the bottom of the form – are mandatory. The Privacy Officer can be you.
Our website address is _____. Privacy information is controlled by _____, who can be reached at _____.
Section 2: What Data We Collect and Why
This section is broken down into a bunch of services common to bloggers. You can use the paragraphs/services that you need. Each of these services has a reason to collect personal data. They are responsible for what they do with it, and you are responsible for letting your visitors know about:
- who collects the data
- what data they collect
- why they collect it
- how to opt-out
- how it is kept secure
In Short: We collect personal information that you provide to us. Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our website.
Data from Email Forms
Most of you use an email marketing service provider (EMS). They give you little forms to collect email addresses. The emails are then sent to the EMS and stored there, securely. From that point, your EMS provides for the security and use of the emails and other personal data. An EMS also regularly collects your subscribers’ IP number, location, device, browser, time and other personal details by which to group users and help you analyze the types of people who sign up.
You will need to let your users know that this information is collected: if they choose to submit their personal email address, they are asking you to keep it. And you are sharing this with a third party: your EMS. They have rights to govern their own data at your EMS.
To complete this section, you will need:
- the name of the email marketing service
- the link to their privacy policy (see index below for common ones)
To assist with sending you requested information, we use ______ [EMS] to collect and store your email address. Their Privacy Policy outlines their use of your personal data and anonymized data [link here]. You may opt out of the collection of your data by unsubscribing (we will remove your data) and contacting them using the instructions on their privacy page [link here].
Data from Comments
If comments or ‘allow registrations’ are turned on – under WordPress general Settings tab – then you are saving the email address, and other information in your website. It is your duty to identify what information you keep, why and provide a way for them to opt-out. WordPress saves this and will delete it too when requested – through a setting in your privacy screen under settings.
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser to help prevent spam. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here. After approval of your comment, your profile picture is visible to the public in the context of your comment.
Data collected for Analytics – Google Analytics
Most bloggers use Google Analytics. If you do not, you’ll need to edit this to suit your analytics service and what they collect and what they do with it. Here is a sample paragraph you can use to explain Google Analytics.
We use Google Analytics to record information about the pages a user has seen, for example the URL of the page, time of day, device used, etc. The information that we collect is anonymized and sent to Google Analytics. Google Analytics mainly uses first-party cookies to report on visitor interactions on this website.
Users may disable cookies or delete any individual cookie from their browser settings tab.
In addition, Google Analytics supports an optional browser add-on that – once installed and enabled – disables measurement by Google Analytics for any site a user visits. Note that this add-on only disables Google Analytics measurement.
Google Analytics also collects Internet Protocol (IP) addresses to provide and protect the security of the service, and to give website owners a sense of which country, state, or city in the world their users come from (also known as “IP geolocation”). See this page for Google Analytics security and usage of data: https://support.google.com/analytics/answer/6004245
Data for Tracking Readers
This is the place where you tell them about cookies – and link to your cookies policy. (Use the Cookies Template)
We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice: —
Data sent to Advertisers
If you use advertising, you are embedding content from another site. Most advertising companies require a blurb in your privacy policy to empower users to control their personal data.
Below are a few of the most common advertisers. Click on the tab and copy the corresponding paragraph and link to their privacy policy. There is a generic blurb that you can use if you have a different company.
This Site is affiliated with Google Adsense for the purposes of placing advertising on the Site, and they will collect and use certain data for advertising purposes. To learn more about Google Adsense data usage, click here: https://policies.google.com/privacy?hl=en
This Site is affiliated with CMI Marketing, Inc., d/b/a Raptive (“Raptive”) for the purposes of placing advertising on our site, and Raptive will collect and use certain data for advertising purposes. To learn more about Raptive’s data usage, click here: https://raptive.com/creator-advertising-privacy-statement/
This Site is affiliated with SheMedia LLC and Penske Media Corporation for the purposes of placing advertising on the Site, and they will collect and use certain data for advertising purposes. To learn more about SheMedia LLC and Penske Media Corporation data usage, click here: https://www.shemedia.com/ad-services-privacy-policy
Mediavine Programmatic Advertising (Ver 1.1)
The Website works with Mediavine to manage third-party interest-based advertising appearing on the Website. Mediavine serves content and advertisements when you visit the Website, which may use first and third-party cookies. A cookie is a small text file which is sent to your computer or mobile device (referred to in this policy as a “device”) by the web server so that a website can remember some information about your browsing activity on the Website.
First party cookies are created by the website that you are visiting. A third-party cookie is frequently used in behavioral advertising and analytics and is created by a domain other than the website you are visiting. Third-party cookies, tags, pixels, beacons and other similar technologies (collectively, “Tags”) may be placed on the Website to monitor interaction with advertising content and to target and optimize advertising. Each internet browser has functionality so that you can block both first and third-party cookies and clear your browser’s cache. The “help” feature of the menu bar on most browsers will tell you how to stop accepting new cookies, how to receive notification of new cookies, how to disable existing cookies and how to clear your browser’s cache. For more information about cookies and how to disable them, you can consult the information at https://www.allaboutcookies.org/manage-cookies/
Without cookies you may not be able to take full advantage of the Website content and features. Please note that rejecting cookies does not mean that you will no longer see ads when you visit our Site. In the event you opt-out, you will still see non-personalized advertisements on the Website.
The Website collects the following data using a cookie when serving personalized ads:
- IP Address
- Operating System type
- Operating System version
- Device Type
- Language of the website
- Web browser type
- Email (in hashed form)
Mediavine Partners (companies listed below with whom Mediavine shares data) may also use this data to link to other end user information the partner has independently collected to deliver targeted advertisements. Mediavine Partners may also separately collect data about end users from other sources, such as advertising IDs or pixels, and link that data to data collected from Mediavine publishers in order to provide interest-based advertising across your online experience, including devices, browsers and apps. This data includes usage data, cookie information, device information, information about interactions between users and advertisements and websites, geolocation data, traffic data, and information about a visitor’s referral source to a particular website. Mediavine Partners may also create unique IDs to create audience segments, which are used to provide targeted advertising.
If you would like more information about this practice and to know your choices to opt-in or opt-out of this data collection, please visit https://thenai.org/opt-out/. You may also visit http://optout.aboutads.info/#/ and http://optout.networkadvertising.org/# to learn more information about interest-based advertising. You may download the AppChoices app at https://youradchoices.com/appchoices to opt out in connection with mobile apps, or use the platform controls on your mobile device to opt out.
For specific information about Mediavine Partners, the data each collects and their data collection and privacy policies, please visit https://www.mediavine.com/ad-partners/
This Site is affiliated with Ezoic Inc. for the purposes of placing advertising on the Site, and they will collect and use certain data for advertising purposes. To learn more about Ezoic Inc. data usage, click here: https://www.ezoic.com/privacy-policy/
This Site is affiliated with [company name] for the purposes of placing advertising on the Site, and they will collect and use certain data for advertising purposes. To learn more about [company’s] data usage, click here: [link to privacy policy].
Data from Embedded Content
Embedded content involves a plugin (or copy/paste method) that fetches content from places like YouTube or Instagram and displays it on your site. This is how you will display videos hosted elsewhere (YouTube) on your site.
Embedded content usually has trackers so if a visitor to YOUR site views it, that information is relayed back to the original site for tracking. Since your readers’ information is shared, you need to empower them with that knowledge, as well as how to opt-out. This is easier than you think!
Use this paragraph to send readers to the original site’s privacy policy.
Articles on this site may include embedded content (e.g. YouTube, Pinterest, WordPress.org, Ads etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged into that website. To learn how to control that information and request deletion, visit the Privacy Policy of the original website.
Section 3: Who We Share Your Data With
It is impossible to not share your data. There is no such thing as a standalone WordPress website that does not track data – at least not without some effort. For example, if you have a webhost, your visitors’ data is stored in your hosting account, in two places usually – sometimes in the control panel, sometimes in your database server (part of your hosting).
If you use a plugin, they all track at least some data in order to help when things stop working.
All of this is normal.
Here is a pretty exhaustive list of services that could be on your site. You can use this list as is, or delete the ones that don’t apply to you. If you do not sell anything on your site, several (marked with *) will not apply to you.
The data collected may be shared with service providers and others who help with our business operations and assist in the delivery of our products and services including, but not limited to:
- application development,
- site hosting,
- maintenance,
- data analysis,
- infrastructure provision,
- IT services,
- customer service,
- email delivery services,
- *payment processing,
- marketing,
- analytics, and
- enforcement of our Terms of Service Agreement and other agreements;
- Other users of the site to identify you to anyone to whom you send messages or make comments through the Services;
- Persons or entities with whom you consent to have your Personal Data shared;
- Third parties in order to prevent damage to our property (tangible and intangible), for safety reasons, or to collect amounts owed to us;
- * Merchants and payment processors;
- Third parties as we believe necessary or appropriate, in any manner permitted under applicable law, including laws outside your country of residence.
Next you need to state why you collect allll this information. These are generic terms and apply to nearly everyone: we collect it to provide services, to understand our audience – which helps us provide services, and to run our business. We also need to comply with the legal requirements wherever we live.
Something like this will do nicely:
We do this to:
- comply with legal process;
- respond to requests from public and government authorities, including public and government authorities outside your country of residence;
- enforce our Terms of Service Agreement and other agreements;
- protect our operations;
- protect our rights, privacy, safety or property, and/or that of our affiliates, you, or others;
- allow us to pursue available remedies or limit the damages that we may sustain.
And always include a promise not to be nasty if you can.
We will never sell, rent, or lease your Personal Data to a third party.
Section 4: How Long we Retain Your Data
To the end of this section, you can add the date that you chose when you edited the Google Analytics settings (see this tutorial).
And you’ll want to ask your contact form plugin how long they keep data for on your site. In WooCommerce settings you’ll want to set the length of time you keep that data too.
Use this section in your privacy policy:
If you leave a comment, the comment and its metadata are retained for one year. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
Analytics data is retained indefinitely.
Contact forms are held for one year.
For all other services, we will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or allowed by law.
Section 5: What Rights You Have
“What Rights You Have Over your Data” is a section in the WordPress Privacy template that outlines how the user can control or request deletion of their personal data. In another tutorial, I’ll show you how to comply with any requests sent your way.
For now, as you’re compiling your privacy policy, this is a great paragraph to include to empower users to take control of their data.
Most advertising networks offer you a way to opt out of Interest Based Advertising. If you would like to find out more information, please visit https://www.aboutads.info/choices/ or https://www.youronlinechoices.com.
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
If people want to remove cookies from third parties, they will have to take it up with the third party themselves, or use the browser extension mentioned above.
Section 6: Other Information
I found this in one of the privacy policies I studied and have included it in my own. I think it is a great idea to cover-ya-butt.
Users under 13 years of age
Our Services are not directed to and we do not knowingly collect Personal Data from children under the age of 13. If we become aware that a child under the age of 13 has provided us with Personal Data, we will take steps to remove such data. If you become aware that your child has provided us with Personal Data without your consent, please contact the Privacy Officer. By using the Services, you are representing to us that you are not under the age of 13.
Protection of Personal Data
We want to be able to say that we are doing everything in our power to be responsible with people’s private information. So be sure you’re doing these basic things, then you can use the paragraph below to say the same.
- an active anti-virus program on all devices with administrative access to your website
- anti-spam measures on your website
- a reputable host
- plugins and software kept up to date
- an SSL certificate from your host
I’d say that is reasonable protection. That means you’re doing everything that is reasonably expected of a website owner to protect a user’s data.
With all those pieces in place, I would use a paragraph like this:
We use reasonable and appropriate physical, electronic, and administrative safeguards to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and risks involved in processing that information.
Industry regulatory disclosure requirements
I believe this section is for lawyers, accountants or any professional that answers to a governing authority. The standard disclaimer should go here. This may be a good place to put your affiliate disclosure information.
Done for You Template: Complete the Form
Those are all the sections that need to be on there, as far as I can tell. See the sources below for getting legal advice and creating a legally sound policy.
Complete the form – and we’ll send you a done-for-you Privacy Policy – with similar information as is in this guide.
Index of Third Parties that Collect Personal Information
Each link below points to a privacy policy by the company in question. The privacy policy describes which cookies are used, why, and how to opt out. Use these links to help your users opt-out of these cookies.
Email Marketing
- MailerLite
- ActiveCampaign
- ConvertKit
- Mailchimp
- Constant Contact
- Vertical Response / now Deluxe
- Emma / Marigold
Affiliate Marketing
If you use these programs, you need to check with the individual affiliate program for their privacy policy. Where one exists, I’ve linked to it.
Advertising
Sources for this article:
Cathy Mitchell
Single Mom, Lifelong Learner, Jesus Follower, Founder and CEO at WPBarista.