Ultimate Guide to Understanding a Privacy Policy - Your Online Choices matter

Tim Carter

Editor-in-chief

It’s probably the most ignored text on the internet. Admit it: you’ve absent-mindedly clicked the ‘Accept cookies’ button dozens of times without reading the accompanying text. But what is it you’ve agreed to by accepting these cookies? How much of your personal information is being gathered and for what purpose? Can you browse the internet without unreasonable impingement on your privacy? How much useful information can you collect if you’re the owner of a website? How can you protect your company as well as assure your customers that your data collection is benevolent?

Lurking behind that ignored text is a lot of potential scary stuff. To make it less frightening, let’s look at what happens to data when someone is browsing online. Your online choices matter more than you think!

what is privacy policy


What is behavioural advertising? - Becoming a Target

Behavioural advertising is the process of targeting users based on their actions while browsing online. Simply by being on the internet, your data is being collected. Most data collection serves behavioural advertising.  And the most financial gain on the internet comes from sharing that data with advertisers.   For example, a person doing a Google search for car prices would receive ads related to auto shopping. This customised ad serving is accomplished via the collection of browsing data, which is mined and analysed for any potential buying behaviour.

The data related to that particular search can then be matched to other users looking for the same things. Say, for example, that several other users searching for new cars also happen to search for picnic baskets. Any correlations with other searches or purchases can then create targeted advertising that one user might not have considered searching for yet. This means you might get targeted ads for picnic baskets under the assumption that your behaviour will be similar to that of those other car shoppers. 


Is a behavioural advertising a good thing?

The most significant advantage behavioural advertising is that it's targeting (theoretically) only individuals with a mission to purchase a specific product. It also provides the ability to have a subset of other possible products for that audience to buy, that you know they may already be interested in purchasing.


Remarketing and retargeting

Once that data is collected, there’s tremendous value in saving it for remarketing or retargeting. These two terms get intermingled often, which makes sense as they’re both concerned with repeat advertising to users. Specifically, remarketing is targeting an ad to the same person multiple times, no matter what media. Think of a billboard that you pass every day on your drive to work. Retargeting is a subset of this, specifically the use of the web for that targeting. If you were shopping for cars last week, you'd continue to get ads for cars in the hope that you'll continue this search until making a final purchase. All of that collected data has tremendous value and needs to be stored.

So how is that data collected? Through cookies.


What are Cookies?


“Cookie" is probably one of the most recognisable terms from web technology, and yet your average user perhaps couldn't define it. A cookie is a bit of data sent by any visited site that is then stored locally by your browser.

what are cookies

Originally cookies served to hold temporary information to make browsing more convenient. For example, it is keeping track of the saved items in your shopping cart while browsing through pages on an eCommerce site. This is called a session cookie, and these session cookies are deleted once the session is complete (i.e., you close your browser). But what happens when you choose to, say, save your username on a specific login screen? This type of collected data uses a so-called permanent or persistent cookie: one that keeps its data until a specified time determined within the code of the cookie itself.

Cookies can collect much more sophisticated types of data and serve as a means of communicating that data back and forth between your machine and the server, and consequently, the owner of the website you are visiting. A third-party or tracking cookie is one that collects data from your online movements. These are the cornerstone of behavioural marketing. They also present some apparent opportunities for exploitation. What can be done to monitor this? 


What is GDPR Compliance? - Taking Protective Measures

The General Data Protection Regulation (GDPR) is a set of rules for citizens in the EU to have more control over the use of their personal data online.

Also, it provides for the cleaning of collected data to protect privacy (i.e., disconnecting search histories from identifiable individuals), the assurance of data breach notifications, and requiring large companies to appoint a data protection officer to maintain compliance. GDPR is probably the most well known and widest-reaching internet legislation currently in existence. Even if you don't participate in any immediate connection to websites or customers in the EU, the GDPR guidelines are good 'best practices' to follow.

GDPR Rights

Specifically, the rights granted under GDPR are:


  1. The Right to Be Informed
  2. The Right of Access
  3. The Right to Rectification
  4. The Right to Erasure
  5. The Right to Restrict Processing
  6. The Right to Data Portability
  7. The Right to Object
  8. The Right to Avoid Automated Decision-Making

These are elaborated on in the GDPR guidelines, well worth a look to see what the expectations are.


So, What can I do to Protect my Website as Well as It’s Visitors?

Now that you know the mechanics of what happens to a person's web browsing data, what do you need to do to protect your best interests? The odds are good you fall into one of two categories: website owner or website customer (and maybe you fall into both). Both have complementary - but not necessarily competing - interests. The most important way to protect both parties is - you guessed it - a clear and accurate privacy policy.


What Should a Privacy Policy for Websites Contain?


Fundamentally, a privacy policy should state how the owners of a site will collect, store, protect, and use any personal data they collect from their users. This policy is necessary for any website that collects any personal data, even if it’s seemingly innocuous.


What a privacy policy will specify will depend to some extent on the site, but there are a few general guidelines.

  • A list of all the information that is collected from users. Beyond obvious demographic information (i.e., email addresses or phone numbers), this includes any location tracking, web navigation, etc. Even if something seems obvious (like the fact that entering a name on a form means your name is saved), this needs to be itemised. One, there's no telling what another person might find unclear and two, this needs to be treated like a legal document. List everything.
  • A list of all 'under the hood' information collected for troubleshooting and bug reports. This information could include IP addresses, web browser used, operating systems, etc. Although this would be information, the user doesn't touch or wilfully submit, in the interest of total transparency it should be included (along with the reasons for doing so).
  • Show where the data is collected on the site itself, at a URL level. It can be difficult to connect a request for what seems like a random piece of personal data with the workings of a site. For example, a user might not realise that their current location aids in accurately listing out stores near them.
  • An indication if and what cookies are used on the site. The user should be informed of how to opt-out of the cookies and what this would mean for their user experience. In the interest of being a helpful citizen, it might be useful to educate your users on the use of cookies in general.
  • What is being done with any collected information, particularly if it is shared with any third parties? Again, if the means are there for a user to opt-out of this external use, they would need to be informed as to what it would mean for their user experience. It should also explain how this data is being protected.
  • What specific laws, if any, you are adhering to that shape your policy. These would include what rights users have regarding their data, i.e., the ability to have an audit of data, asking for all data to be destroyed upon their request.

These guidelines protect the customer. How would a robust privacy policy protect the website owner? You may notice that a thorough privacy policy resembles a legal document, and that's no accident. It's a way of getting everything in writing in case of future problems. You may think your site won't be the target of a lawsuit, but isn't that something you'd want to avoid, if at all possible?


But don’t hide behind legalese with your privacy policy. Yes, you need to clearly specify what your site will and will not do, but the keyword here is "clearly". Present the user with a document that informs and comforts them.


For as fast and loose as users can be with their personal information, there's an expectation of criminal intent when sending data on the internet. Users regularly expect to be hacked, and their data compromised. The transparency of a good privacy policy, while certainly not erasing that threat, does foster goodwill between you and your customers. Users want to know what a company is doing and what their plans are for customer data, as well as the fact that they take customer privacy seriously.

Technical guidelines of a privacy policy

There are a couple of technical guidelines you can follow as well, depending on the tools you use:

  • WordPress is one of the most popular content management systems used for the web. It is estimated that a third of all websites use WordPress in some capacity. There’s a whole market of GDPR-compliant plugins specifically for WordPress sites available for safely and legally tracking users’ information. We won’t recommend specific ones here, but a Google search will provide plenty of 'best plugin lists’ for you. There are also good practices to follow regarding incorporating your policy on the site itself.
  • Google Analytics is one of the most used tools for tracking user data. Combined with Google AdSense and you have a powerful tool for behaviour advertising with your users. Google requires an explicit privacy policy for the information that these tools gather. Given the amount of attention Google and Facebook have faced in the news regarding privacy, this is no surprise. Look to Google's guidelines for a more in-depth explanation.

What Can I Do as a Customer?


Everything specified here seems very beneficial to business and not the consumer. Why would an average person browsing the web want targeted marketing? Why would I give up my privacy? Isn’t that creepy and intrusive?


Well, it can be, but it doesn't have to be.  Think of it this way: advertising is not going away from the web. There's nothing a user can do to remove every single ad experience.  So wouldn’t it be better to receive ads that might actually align with what you want? This means websites need to know a bit about you. This requires balancing your privacy with what you’re willing to divulge.


What is "Your AdChoices" and how does it help you?

what is your adchoices

Your Adchoices is a self-regulated online advertising program that enables users to control their behavioural advertising experience.


A good first step in managing your web browsing privacy is to control your cookie settings. The means for doing so are different for each browser (and remember that you’d need to adjust them separately if you’re using multiple browsers. See point four here for a good overall guide.), but fundamentally that control comes down to 1) how often you’ll purge existing cookies and 2) if there are any sites for which you’d want to keep cookies longer (so as to keep your information available on Amazon, for example). A good collected source of information on managing this can be found here.


Most importantly (and also taking the most effort), take the time to read those policies. You don’t have to sit down with a lawyer every time you go to a website, but it’s worth scanning through while armed with your newly acquired knowledge to see if a site is operating within bounds that you’re comfortable with. And if not, maybe don't visit that site. This will send the message that overreaching or opaque data collection can send potential customers elsewhere.