GDPR, web analytics and do I need a privacy policy for my website?
TL;DR: A privacy policy is recommended for all sites if you want to be transparent and open to your visitors. If you’re not collecting or processing any personal data and not using cookies, you may not legally need a privacy policy. For all other use cases, a privacy policy is legally required.
- Why should I create a privacy policy?
- Do I need a privacy policy on my website?
- Do I need a privacy policy because of Plausible Analytics?
- How do I create a privacy policy for my website?
Why should I create a privacy policy?
A privacy policy is a legal document that informs your website visitors and explains what kind of personal data you collect about them, how you do it and what it’s used for.
Having a privacy policy in place when you collect or store personal information is required by many laws around the world, including the US and the EU.
In addition to this, many third-party services commonly used on websites (analytics providers, advertising companies, payment processors and so on) also require a privacy policy to be made available according to their terms of use.
Do I need a privacy policy on my website?
The chances are that you most probably do need a privacy policy for your website. If your website collects any personal data directly or indirectly using third-party services, you legally need a privacy policy.
Most websites do collect some type of personal data. Sometimes you, as a site owner, may not even be aware that a third-party service you make a call to collects personal data or places cookies on the devices of your visitors.
This is why it is recommended to add a privacy policy to your website. Even though you may be very careful about what third-party services you use on your site and that you do not collect any personal data, it is still recommended to include a privacy policy.
If for no other purpose than to explain to your audience the steps you’ve taken to not intrude on their privacy. This tells your visitors that you are open, transparent and take their privacy and personal data seriously.
The information in this post is here to help give you an introduction to privacy policies. It may not cover all the laws you are subject to. We encourage you to discuss specific issues with your lawyer if you have any concerns, want to determine whether this applies to you and what actions you need to take.
Google Analytics requires you to have a privacy policy
Google Analytics itself specifies the requirement for a privacy policy in its terms of service. If you use Google Analytics and don’t have a privacy policy on your site, you’re using Google Analytics illegally and you’ve breached your contract with Google:
“You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies, identifiers for mobile devices or similar technology used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data”
Do I need a privacy policy because of Plausible Analytics?
Plausible Analytics is a privacy-first web analytics tool. It is built to be compliant with the different privacy regulations, such as GDPR and CCPA. Plausible doesn’t use cookies and doesn’t collect any personal data whatsoever.
If you’re not collecting or processing any personal data and if you’re not using cookies, you may not legally need a privacy policy for your use of Plausible Analytics.
Still, we recommend you have a privacy policy on your site and add a note about your use of Plausible Analytics to it. You can explain how you use Plausible and what data Plausible gathers about your visitors on your behalf.
You could link to our data policy page or take any of the information from our data policy.
You could even open up your Plausible dashboard to the public and link to it from your privacy policy page or another location on your site. This way your site visitors will have access to all the same data that you have.
Here’s an independent legal assessment on GDPR-compliant web analytics without consent written by an experienced data protection expert and lawyer.
Privacy policy examples
Here are some examples of Plausible Analytics customers who’ve mentioned their use of Plausible in their privacy policies.
Here’s how Oatly mentions us:
All users visiting our website - including visitors clicking ”No thanks” Anonymous analytical data will be stored to Plausible, in order to track the usage of a website without collecting any personal data or personally identifiable information. Cookies are not set and all data is in aggregate only.
Here’s how System76 discloses their use of Plausible:
Our website uses Plausible Analytics to help us understand visitor trends and the effectiveness of our marketing outreach. We chose Plausible Analytics because it is a privacy-focused company and platform that eschews personally identifiable information in favor of anonymous aggregate data. See the Plausible Analytics Data Policy.
And how the Steve Jobs Archives website does it:
Analytics Partners. We use analytics services such as Plausible Analytics to collect and process certain analytics data. To help us understand how you use our Services and to help us improve them, we automatically receive information about your interactions with our Services, like the pages or other content you view and the dates and times of your visits.
And an example from the privacy policy of The Scottish Government:
Additionally, we use Plausible Analytics on this site to collect some anonymous usage data for statistical purposes. This is to track overall trends in our website traffic, not to track individual visitors.
And The Rails Foundation in their privacy policy:
The Rails Foundation is committed to ensuring the privacy of our website visitors. To achieve this, we use Plausible as our web analytics tool.
Another example from elementary OS:
We use the open source Plausible Analytics routed through our stats subdomain to count website visits, downloads, etc. You can see the same data we can see on the public dashboard. No cookies are used and no personal data—not even an IP address or browser user agent—is stored. For more information, see the Plausible Data Policy
And the Coalition for App Fairness in their cookie policy:
We use Plausible Analytics to track overall trends in the usage of our website. Plausible Analytics collects only aggregated information, which does not allow us to identify any visitor to our website. For more information, please visit the Plausible Analytics Data Policy.
Or Andrew Mason on his personal website:
I am using Plausible Analytics, which is a GDPR, CCPA and cookie law compliant site analytics tool. I don’t care who you are, I just am curious how you are using the site, so that is why I chose a privacy focused tool and for that reason, I have made my analytics dashboard public so that you can see exactly what is being gathered.
Here is an alternative way to disclose your usage of Plausible Analytics. A “How Many People Are on This Site?” page or /stats/
page as seen on the website of Gergely Orosz:
I integrated Plausible analytics on this site. On top of the very small footprint of the analytics script (under 1KB) and no-tracking-and-not-selling-your-data-for-advertising part, a really neat thing is how you can make your dashboard public. Here is the dashboard for The Pragmatic Engineer with public (and live) visitor information, and historic stats.
How do I create a privacy policy for my website?
Here’s a look at some of the things to consider when creating your privacy policy.
What should privacy policy include?
Different laws require different disclosures. Your goal should be to describe what personal data you collect, how you do it and what you use it for. List third-party services that you use, what you use them for and link to their privacy policies for further details.
Here are some of the things you should consider to include in your privacy policy:
- your official business name
- your contact information
- disclosure of personal data that you do collect
- disclosure of cookies that you use
- reasons why you collect personal data
- how you collect personal data and whether you use any services for that
- what you use personal data for and how you use it
- whether you share any personal data with any third-parties
- how you secure the personal data and how long you store it for
- how visitors can opt out of personal data collection
- how visitors can download any personal data already collected about them
- the date that the privacy policy was last updated
Where should I put the privacy policy on my website?
Your privacy policy should not be a document that is hidden away. Make your privacy policy easily discoverable. Put it in your site footer or include a link to it on your about page.
Your privacy policy should be easy to read
Privacy policy written in a straightforward and human-friendly way builds trust. According to the GDPR, you should communicate information about your collection and processing of personal data in a clear and user-friendly way. This information should be:
- concise
- transparent
- intelligible
- easily accessible
- in clear and plain language
- delivered in a timely manner
- free of charge
Privacy policy template
Basecamp has been kind enough to open source its privacy policy, terms of use and other legal documents.
You’re free to use their policies for your purpose under the Creative Commons Attribution license. That could be the privacy policy template you start with and then you would need to edit and adapt it to your needs.