- Your name (or business name), location, and contact information
- What personal data you are collecting from users (i.e. names, email addresses, IP addresses, and any other information)
- How you collect it
- Why you collect it
- Whether you share it or not
- How you protect it
- Whether it’s optional for them to share their information
- How they can opt-out, and the consequences of doing so
- Any third-party services you’re using to collect, process, or store that information, such as:
  - a contact form
  - an e-mail newsletter signup form
  - Google Analytics
  - eCommerce purchases
  - blog post submissions
  - an advertising network like Google AdSense or PPC
  - social media sharing
  - any other plugin that obtains info for signup/registration
Examples of General Privacy Policies for WordPress
Who We Are
This Privacy Notice applies to information we collect when you use [www.yourdomain.com] and any other websites, mobile applications (“app(s)”), or services that post a link to this Privacy Notice (collectively, the “Service”). This Privacy Notice describes how [Company Name], [Address] (“[Company Name],” “Company,” “we,” or “us”) collects, uses, and shares Service-related information about you.
What personal data we collect and why we collect it
- We collect contact information to be able to communicate with you. For example, if you sign up for a mailing list, create an account, apply for a job, or enter a promotion, you may be asked to provide your name, address, email, cell phone number, and/or date of birth. We retain this information for [X amount of time] and do not use this information for any marketing purposes.
- We collect personal data to process and ship your orders, inform you about the status of your orders, correct addresses and conduct identity verification and other fraud detection activities. This involves the use of certain Personal Data and payment information.
- We collect personal data when you interact with our third party social networking features, such as “Like” or “Share” functions, to serve you with advertisements and engage with you on third party social networks. You can learn more about how these features work, the profile data that we obtain about you, and find out how to opt out by reviewing the privacy notices of the relevant third party social networks.
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Who we share your data with
In this section you should name and list all third party providers with whom you share site data, including partners, cloud-based services, payment processors, and third party service providers, and note what data you share with them and why. Link to their own privacy policies if possible.
We do not sell our users’ private personal information.
We share information about you in the limited circumstances spelled out below and with appropriate safeguards on your privacy:
- Third Party Vendors: We may share information about you with third party vendors who need to know information about you in order to provide their services to us, or to provide their services to you or your site. This group includes vendors that help us provide our Services to you (like payment providers that process your credit and debit card information, payment providers you use for your ecommerce operations, fraud prevention services that allow us to analyze fraudulent payment transactions, postal and email delivery services that help us stay in touch with you, customer chat and email support services that help us communicate with you, registrars, registries, and data escrow services that allow us to provide domain registration services, and your hosting provider if your site is not hosted by Automattic), those that assist us with our marketing efforts (e.g. by providing tools for identifying a specific marketing target group or improving our marketing campaigns), those that help us understand and enhance our Services (like analytics providers), and companies that make products available on our websites (such as the extensions on WooCommerce.com), who may need information about you in order to, for example, provide technical or other support services to you.
Below are some privacy policies you can review or link to if you are using them:
How long we retain your data
In this section you should explain how long you retain personal data collected or processed by the web site. While it is your responsibility to come up with the schedule of how long you keep each dataset for and why you keep it, that information does need to be listed here. For example, you may want to say that you keep contact form entries for six months, analytics records for a year, and customer purchase records for ten years.
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
How to opt out of data collection
If you have a [Business Name] account, you can opt out of receiving our marketing communications by modifying your preferences in the “view or change my profile” section of our Sites. You can also opt out by modifying your email or SMS subscriptions by clicking on the unsubscribe link or following the opt-out instructions included in the message. Alternatively, you can contact us using our contact form to ask us to delete your information.
Additional Privacy Policies for Commercial Sites or more Complex Processing of Data
How we protect your data
In this section you should explain what measures you have taken to protect your users’ data. This could include technical measures such as encryption; security measures such as two factor authentication; and measures such as staff training in data protection. If you have carried out a Privacy Impact Assessment, you can mention it here too.
While no online service is 100% secure, we work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take reasonable measures to do so, such as hosting our website with a secure web host that monitors the servers for potential vulnerabilities and attacks, keeping our plugins, themes, and WordPress up to date, and installing an SSL (Secure Sockets Layer) certificate so that traffic between your browser and our site is encrypted.
What data breach procedures we have in place
In this section you should explain what procedures you have in place to deal with data breaches, either potential or real, such as internal reporting systems, contact mechanisms, or bug bounties.
What third parties we receive data from
What automated decision making and/or profiling we do with user data
If your web site provides a service which includes automated decision making – for example, allowing customers to apply for credit, or aggregating their data into an advertising profile – you must note that this is taking place, and include information about how that information is used, what decisions are made with that aggregated data, and what rights users have over decisions made without human intervention.
Industry regulatory disclosure requirements
If you are a member of a regulated industry, or if you are subject to additional privacy laws, you may be required to disclose that information here.
Additional Privacy Policies for certain services
- WooCommerce & WooCommerce Subscriptions
- Other WooCommerce Services like Taxjar, USPS/Fedex/UPS Shipping Rates, Shipping Labels
- Stripe & PayPal
- Device information: We collect information about the device and applications you use to access emails sent through our Services, such as your IP address, your operating system, your browser ID, and other information about your system and connection.
- Product usage data: We collect usage data about you whenever you interact with emails sent through the Services, which may include dates and times you access emails and your browsing activities (such as what pages are viewed). We also collect information regarding the performance of the Services, including metrics related to the deliverability of emails and other electronic communications our Members send through the Services. This information allows us to improve the content and operation of the Services, and facilitate research and analysis of the Services.
If you have opted in to our marketing emails, you can opt out of receiving marketing emails from us at any time by clicking the “unsubscribe” link at the bottom of our marketing messages.
Google Remarketing/Retargeting, Google Display Network Impression Reporting, Google Analytics Demographics and Interest Reporting
You must include:
- The Google Analytics Advertising tools that you use, and how and why you use these features.
- A notice that cookies are used by third-parties to display relevant advertising to the user.
- Instructions on how users can opt-out of the Google Analytics Advertising features through Google’s Ad Settings.
You must include the following in an informed consent pop-up or banner that alerts users and allows them to block this if they wish:
- Information on Google’s DoubleClick cookies.
- Instructions on how users can opt-out of the use of DoubleClick cookies through Google’s Ad Settings.
California Online Privacy Protection Act (CalOPPA)
If your website collects any personal information from residents of the state of California, whether or not your business resides there, you must comply with the California Online Privacy Protection Act (CalOPPA), which means you must provide a Do Not Track policy like the one below:
“Do Not Track”
California law requires us to let you know how we respond to web browser Do Not Track (DNT) signals. Because there currently isn’t an industry or legal standard for recognizing or honoring DNT signals, we don’t respond to them at this time. We await the result of work by the privacy community and industry to determine when such a response is appropriate and what form it should take. To learn more about DNT and how to turn your DNT setting on or off in your browser settings, visit this webpage.
The EU’s General Data Protection Regulation (GDPR)
GDPR also requires that you alert users whenever cookies are being used on a website/app. It requires that users give their informed consent before any cookies may be placed on that user’s device. Active consent, also called informed consent, involves requiring the user to confirm consent with a checkbox or an “I agree” button via a popup at the bottom of the webpage. This includes listing the different types of cookies that are used, details of any cookies from third parties that may be used, why cookies are used, and how they are placed on devices.
There are other privacy laws in Canada, Australia, and the UK, but their requirements seem pretty similar to what is described above.
Disclaimer: I am not a lawyer and do not intend to provide legal advice through this post. I am only making suggestions as a guideline for my clients to become educated on what is needed for their websites.