How to Write an Effective Website Privacy Statement

The Campus Online Activity Policy states:

"Technology service providers who collect data via website interfaces must adhere to the provisions of the Privacy Statement for UC Berkeley Websites and must post a privacy statement to notify users regarding the types and uses of data that is gathered. Online service providers may further refine the standard campus privacy statement to include additional privacy provisions, but may not reduce the level of their activities' compliance."

Your privacy statement must accurately reflect your site's data collection and use.

  • Your privacy statement should be clear, direct, and easy to understand.
  • Keep technical jargon and legal terminology to a minimum.
  • If you decide to modify how you use personal information, you must inform your users.
  • A company’s privacy policy is only as strong as the staff that implements it.

How to write a privacy statement to reflect your site's data collection and use

1) Determine what types of information you collect from visitors to your website.  Is the information personally identifiable? For example, does your site collect:

  • names
  • addresses
  • phone numbers
  • e-mail addresses
  • IP addresses
  • access dates and times

2) Why is this information collected? Is the data collection appropriate to the activity or transaction? If not, why do you collect it?

3) By what means is this information collected?

  • cookies
  • weblogs
  • surveys
  • web forms
  • registration for an event or course
  • newsletter sign-up
  • to place an order
    • credit card # ((Note: Billing and Payment Services approval is required to handle credit card transactions.)
    • SSN (As of July 1, 2010, Campus policy requires approval for all electronic processes that collect, use, or store SSNs.)

4) What will this information be used for and who will have access to it? (Campus policy prohibits sharing, redistributing, or selling personal information collected on webservers.)

  • Do you have the user's consent to collect and use the information?
  • Does the user have the option to prohibit such collection and use?
  • Is the site hosted by an outside vendor? What will they do with the information?
  • Does the site use any kind of analytics? If so, have you informed the user and provided directions to disable analytic tracking?
  • How long will the collected information be stored?

5) How will users be informed if your privacy policies change (including changes to how the information will be used)?

  • Via email?
  • Will you post a privacy statement modification date?

The Fair Information Practice Principles of transparency and consent require that consent is obtained prior to collection. Additionally, users must be informed if their information is used for any purpose other than for which consent was given.

6) How can visitors with questions about your site's privacy statement contact someone?

  • Have you provided a webmaster contact address?
  • Have you provided a departmental contact telephone number?

7) How is user information protected?

  • Computer safeguards?
  • Secured files and physical access controls?
  • If the site is not intended to handle confidential information,  have you informed users?
  • Are there alternate ways for users to provide confidential information, such as via staff phone numbers?
  • Is SSL activated?

Customizable Privacy Statement Templates

If your website does not collect analytics or other personal information, this sample Privacy Statement can be customized (with revision dates, and contact information) for use on your UC Berkeley website.

If your website collects analytics or other personal information, this sample Privacy Statement can be customized for use on your UC Berkeley website.

Some Campus Examples