A Privacy Policy if No Personal Data is Collected

Written by Francesca Edwards (FreePrivacyPolicy Legal writer) and last updated on 03 July 2023.

A Privacy Policy if No Personal Data is Collected

One of the primary functions of a Privacy Policy is to state which types of personal data are collected from website and app users, and how the company uses this information. But what if your company doesn't collect any personal data? Is your company still legally required to have a Privacy Policy?

Legally, no. However, there are plenty of reasons to have one.

This article aims to cover why your website or app needs a Privacy Policy, even if it doesn't collect any personal information from its users.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:
  3. FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  4. Answer a few questions about your business:
  5. FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  6. Enter the country and click on the "Next Step" button:
  7. FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  8. Continue with building your Privacy Policy while answering on questions from our wizard:
  9. FreePrivacyPolicy: Privacy Policy Generator -  Answer on questions from our wizard - Step 3

  10. Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

    That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.



What is Personal Data?

In general, personal data is anything that could be used to identify an individual.

This includes (but is not limited to): first and last name, home address, telephone number, date of birth, email addresses, bank account details, financial history and any other information that relates to an individual and could be used to identify them.

Even a person's IP address could be considered personal information.

It's essential to carefully consider whether your company collects any information that could be considered personal data from website or app users.

Since there is no standard definition, it's important that your Privacy Policy includes a definition to show exactly how your business defines personal data.

To avoid any confusion, Startpage provides a clear explanation of what it regards as personal data. The company explains that it uses a broad definition to maximize the user's privacy. Not only does this help to avoid misunderstandings, it also gives the impression of a more trustworthy and open company:

Startpage Privacy Policy: Definition of Personal Data section

Now that you've considered the definition your company uses to describe personal data, let's assume that your website or app collects no personal data and look at the big question:

Why Does A Company That Doesn't Collect Data Need A Privacy Policy?

Why Does A Company That Doesn't Collect Data Need A Privacy Policy?

The main reasons are that people expect websites and apps to have a Privacy Policy and may distrust a company who doesn't have one. If a business does not have a Privacy Policy, it may be constantly asked to prove that it doesn't collect data.

A business that doesn't require a Privacy Policy may require one in the future and it is far easier to update an existing policy than to draft a whole new one.

Finally, a company may use intermediaries that collect data on their behalf.

Let's break these down further:

People Expect to See a Privacy Policy

When's the last time you visited a reputable website and didn't see a Privacy Policy? It's become common practice to include a Privacy Policy in a website's footer and users will often scroll down expecting to see a link. A user is likely to be taken aback if they can't find this link and they may feel a sense of mistrust towards the business in question.

Rudd Studio shows the link to its Privacy Policy in its website footer even though it doesn't collect any personal data:

Rudd Studio website footer with Privacy Policy link highlighted

Data collection can be a controversial topic and privacy is very important to website and app users. A business with a Privacy Policy that is easy to locate and clearly states it doesn't collect data will appeal to users.

In addition, many people may not understand that it's not a legal requirement for a business to have a Privacy Policy if they don't collect data. The last thing any business owner wants is for potential customers to view their company as a shady operation or hold the misconception that the company is less reputable than others. These fears can be easily alleviated by placing a Privacy Policy on your website or app.

Legal authorities will also expect to see a Privacy Policy if they check your website or app, in spite of the fact that it isn't a legal requirement if you don't collect personal data. It is far better to provide a policy that clearly states no personal data is collected than to arouse the suspicions of legal authorities.

For example, Startpage's Privacy Policy makes it immediately clear that it doesn't collect or share any personal data of its users by putting this at the very top of its Policy:

Startpage Privacy Policy intro section

Just a short, simple statement like this makes a world of difference when it comes to how your users and the authorities view your privacy practices.

Avoid Accusations of Data Collection

You may face queries and accusations if your company doesn't have a Privacy Policy. People may think you have something to hide, which could lead you to having to prove that your business doesn't collect personal data.

It's better to have a Privacy Policy saying your website or app doesn't collect data, than to have to respond to the same questions over and over again.

It's quite rare to find a company that doesn't collect any data and privacy conscious users will appreciate this. Use this to your advantage and provide an explanation of why your business doesn't collect any data alongside a definition of what personal data is.

Following on from Startpage's 'In Short' Privacy Policy is the 'longer version' which explains why the company doesn't collect any personal data. Startpage uses this as an opportunity to build trust with users by stating that the company believes privacy is a 'fundamental human right' and adds the slogan: 'It's your data. Not big data!'

startpage-privacy-policy-longer-version-intro-section

Rudd Studio notes that it doesn't collect or store any information, and only uses essential cookies:

Rudd Studio Privacy Policy excerpt

Address Third Party Data Collection

A further reason to have a Privacy Policy is if someone else collects data as a result of their connection with your company. If a third party or intermediary stores user's data on behalf of your business, this should be clearly stated in your Privacy Policy.

For example, an ecommerce site may not collect data from their customers. However, if the site hires a third party to process their customers payment information, it is likely that the intermediary will collect billing and payment information.

You can see this addressed in the last screenshot above from Rudd Studio, where it's noted that a third party the site works with does use cookies, and links to the other company's Cookies Policy.

It's important to find out if any intermediary stores user information and to inform users about this if they do.

Paypal is an example of a third party payment processor that collects and stores personal data. Therefore, if your site allows people to pay via Paypal, you should inform customers that they may collect their data and ideally provide a link to Paypal's Privacy Policy to enable users to look at this for themselves.

Disconnect has a Privacy Policy which states that it uses two intermediaries in order to process payments and makes it clear that users are subject to the Privacy Policies. The company also provides a link to both of the third party's websites:

Disconnect Privacy Policy: Third-party payment processing section

Even if you don't collect personal information yourself, don't overlook the fact that the third parties you work with may. You can use your Privacy Policy simply to link to the third-party Privacy Policies and state that users should refer to them to find out more.

Save Time in the Future as Your Business Grows

Your business is bound to grow and evolve over time. Having a Privacy Policy gives you a template that you can mold if you start collecting any type of personal data in the future or if you start working with an intermediary who collects data. It would be far simpler to update an existing policy instead of starting from scratch.

Exceptions

Think carefully about any information you do collect that could be considered personal data. Also, consider if there are any circumstances where you may collect personal data even if it isn't done routinely.

For example, do you store a user's email address if they send you an email? If so, how long do you store their email address for? This is an exception that needs to be clearly addressed in your Privacy Policy.

Green Alliance's Privacy Policy states that the company does not collect personal data:

Green Alliance Privacy Policy and Cookies: Section stating that no personal data is collected

However, the Policy goes on to identify a few exceptions, such as that the company does store personal data that is provided voluntarily, information shared by third parties, data that is publicly available and website user's IP addresses:

Green Alliance Privacy Policy and Cookies: Excerpt of Information Collected clause

Global Dro also makes an exception for data that is volunteered to the company:

Global Dro Privacy Policy: Intro statement about no data collected

Disconnect's Privacy Policy is a great example of a 'no data collection' policy with a couple of small exceptions that have been clearly communicated to the user.

The policy makes it clear that the website does not collect personal data - including user's IP addresses and geolocations. However, the website will collect user's email addresses, provided the address has been volunteered by the user. The policy makes it clear that there is no requirement to provide an email address:

Disconnect Privacy Policy: Disconnect never collects personal info except to communicate with you clause excerpt

Disconnect goes on to state that even though the company collects email addresses that have been volunteered, this information is only retained for a short amount of time, namely 30 days:

Disconnect Privacy Policy: Clause stating Disconnect retains volunteered personal info for one month

Summary

Your business should have a Privacy Policy even if it doesn't collect any data from users.

Having a Privacy Policy that is easy to locate will make your website or app look more professional and trustworthy.

Your policy doesn't need to be as long and complicated as a business that collects personal information. It just needs to state that your company does not collect any personal data and include a definition of personal data so that users are clear about what you don't collect.

Your Privacy Policy should also state if any third parties are collecting the user's data and if there are any exceptions to your policy, such as IP addresses being collected and nothing else.