Privacy policy

What is a privacy policy?

A privacy policy is a legal document or statement that details how a company or other entity collects, stores, and uses user data. Most reputable websites, apps, and online platforms have privacy policies to let users know how their data may be collected and managed. Privacy policies are crucial for transparency, credibility, and compliance with data laws, like the General Data Protection Regulation (GDPR).

What information does a privacy policy contain?

Privacy policies vary but will typically include the following sections and key pieces of information:

  • Types of personal data collected: The specific personal data the site or entity collects.
  • Use of data: Why the company collects data and how it uses it.
  • Cookies and tracking: The company’s cookie and tracking practices.
  • Third-party sharing: Whether the company shares user data with other entities.
  • Data retention and deletion policies: How user data is stored and when it’s deleted.
  • Contact details and user rights: How to contact the company and what rights users have regarding their data.

Why is a privacy policy important?

Privacy policies matter for both companies and their users. The companies need them to comply with regulations like the GDPR and the California Consumer Privacy Act (CCPA) and to build trust among their users.

Users, meanwhile, benefit from privacy policies in the following ways:

  • Transparency: Privacy policies help users understand how their data is collected and used, giving them the information they need to make informed decisions about which sites to use and trust with their personal details.
  • Control: Privacy policies help users understand and exercise their rights over their data. They can read the policy, and if they disagree with any elements or have any other concerns, they’re free to back out and avoid submitting any of their data.
  • Legal protection: While privacy policies are not legally binding contracts everywhere, they are often required by law and can be enforceable under data protection and consumer protection regulations.

How to read a privacy policy

Privacy policies can be quite lengthy documents, and users may not want to read every line of every policy they encounter. Instead, they may prefer to scan the document and focus on the most important areas for them, such as which pieces of data are collected, how data is stored, and who has access to that data.

Scanning a privacy policy can also help (prospective) users spot red flags, which can indicate whether the policy was rushed, copied and pasted from elsewhere, lacks the necessary depth and clarity, or involves questionable data practices. These warning signs include:

  • The policy is excessively long or short, without clear headers or structure.
  • No contact information is provided.
  • The phrasing is vague.
  • Sections contradict one another.
  • The policy is out of date.

FAQ

What makes a good privacy policy?

A good privacy policy should be clear and comprehensive and include all key pieces of information users need to know, such as which pieces of data are collected, how the data is stored and used, and whether or not the site uses cookies, plus contact details and information about users’ rights.

Are privacy policies legally binding?

The legal status of privacy policies varies worldwide. They’re not universally considered legally binding documents but are legally required and enforceable in many countries and regions.

Can a company change its privacy policy without notice?

It depends on the laws of the country in which the company operates, as well as the details of the policy itself. Some policies specifically include clauses that say they are subject to change at any time, but organizations are generally encouraged to be transparent and fair in their privacy policies and provide some notice, especially for major policy changes.

Does a VPN provider need a privacy policy?

Yes, virtual private network (VPN) providers should have privacy policies and comply with relevant data laws in the regions in which they operate. They should provide policies that explain what user data, if any, they collect, how it’s used, and what rights users have in relation to their data.