Addressing Third Parties and Service Providers in a Privacy Policy

Many jurisdictions require businesses to maintain Privacy Policies that inform users how they handle their personal information. Your Privacy Policy should let users know what third parties and service providers you use and how you share users' personal information, among other information.

This article explains what a Privacy Policy is, common types of third-party service providers, and why it's important to address third parties and service providers in your Privacy Policy. It will also explain how to address third parties and service providers in your Privacy Policy, and how to display and get agreement to your Privacy Policy.

What is a Privacy Policy?

A Privacy Policy is a legal document that describes how you collect and process (use) users' personal information.

Many privacy and data protection laws require businesses that meet their criteria to maintain a Privacy Policy on their websites and apps.

A Privacy Policy typically includes the following clauses:

What types of personal information the business collects or processes
The business's reasons for collecting or processing personal information
A list of third parties the business shares personal information with
The categories of personal information shared with third parties
How the business keeps users' personal information secure
How users can exercise their privacy rights
The business's contact information

The table of contents for ClickUp's Privacy Policy lists the clauses the document contains, including the types of information it collects and why it needs users' personal data:

ClickUp Privacy Policy table of contents

What is Personal Information?

Personal information is any information that can be used to identify an individual.

Personal information can include:

Names
Birthdays
Email addresses
Mailing addresses
Credit or debit card information
Social Security or driver's license numbers

What are Third-Parties and Service Providers?

A third party is anyone other than the primary parties involved in a transaction. In the case of an individual visiting your website, anyone other than your business and the user is considered a third party.

A service provider is a company that offers a service to another party. For instance, companies that provide cloud storage, hosting services, or software as a service (SaaS) are considered service providers.

Third-party service providers are entities that assist businesses with specific tasks. Many companies outsource certain services-such as payment processing or cloud storage-through third-party service providers.

What are Common Third-Party Service Providers?

Common third-party service providers include:

Payment processors
Live chat support
Email marketing companies
Digital marketing agencies
Online advertising platforms
Web-hosting platforms
Analytics software providers
Contractors
Consultants

For example, Mailchimp is a third-party service provider that offers automated email marketing services based on users' online behavior.

Why Do You Need to Address Third Parties and Service Providers in Your Privacy Policy?

State, federal, and global privacy laws require certain businesses to maintain Privacy Policies that explain how they treat users' personal information.

Many privacy and data protection laws require applicable businesses to inform users about the third parties and service providers they interact with.

Depending on the privacy laws businesses are subject to, they must share information about:

The types of third parties they disclose users' personal information to
The categories of personal information they share with third parties
Whether they sell or share users' personal information or use it for targeted advertising purposes
Third-party links on their websites

Laws that require businesses to have a Privacy Policy include:

The European Union's (EU) General Data Protection Regulation (GDPR)
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
The California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA)
The Virginia Consumer Data Protection Act (VCDPA)

How to Address Third Parties and Service Providers in Your Privacy Policy

You should include specific clauses within your Privacy Policy that describe your relationships with third parties and service providers and the types of personal information they collect or process.

Let's go over some essential clauses your Privacy Policy should include.

The Types of Personal Information You Collect or Process

Your Privacy Policy should let users know the types of personal information you collect or process, including information third parties process on your behalf.

Slack's Privacy Policy details the kinds of personal information it collects, including email addresses, phone numbers, passwords, domains, bank information, billing addresses, online behavior, IP addresses, and browser and device information.

Note that it explicitly mentions payment processors and third-party services here:

Slack Privacy Policy: Information collected clause excerpt

Bumble's Privacy Policy lists the types of personal information it collects, including names, email addresses, and financial information:

Bumble Privacy Policy: Information collected clause

Your Reasons for Collecting or Processing Personal Information

You should explain why you collect or process users' personal information. Common reasons for collecting users' personal information include communication, marketing, and order fulfillment purposes. It's also important to let users know if you sell or share their personal data or use it for targeted advertising purposes.

ClickUp's Privacy Policy explains that it shares personal data with third parties for analytics, error tracking, and advertising purposes:

ClickUp Privacy Policy: Data transferred clause

Bumble's Privacy Policy lists the purposes for which it uses data, the types of data it uses, where it gets the data it uses, and its legal basis for using the data, including using data about users' online activities to serve ads on third-party networks.

Bumble Privacy Policy: How data is used clause excerpt

The Types of Third Parties You Share Users' Personal Information With

This clause should list what kinds of third parties you share users' personal data with, such as advertising companies, hosting services, payment processors, and SaaS providers.

Slack's Privacy Policy explains that it may share users' personal information with third-party service providers that offer computing services, storage, and verification services, and includes a link to a list of its subprocessors:

Slack Privacy Policy: Third party clause

When users click on the link, they are taken to a separate page that displays Slack's subprocessors. This page lists each subprocessor's name, reason for processing personal information, location, and other pertinent details:

Slack Subprocessor information

Asana lists the types of third parties it shares personal information with, including third-party service providers that offer marketing, content, AI, analytics, and security services, and includes a link to a page describing the subprocessors it uses:

Asana Privacy Statement: Third parties clause

The Categories of Personal Information You Share With Third Parties

You should also inform users about the types of personal information you share with third parties, such as users' email addresses, financial data, or online activities.

Bumble's Privacy Policy lists the circumstances in which it shares data with third parties-including with service providers, moderators, and payment processing companies-and the types of data it discloses, such as names, user registration information, and financial data:

Bumble Privacy Policy: Disclosure of information clause

NortonLifeLock's Global Privacy Statement lists the types of personal data it discloses to third parties, including user and security data, diagnostic information, and third-party data. It includes links to the Privacy Policies of its third-party service providers:

NortonLifeLock Privacy Policy: Third party service provider clause

Third-Party Links

This clause lets users know that your website may contain third-party links. It can be used to explain that you are not responsible for how linked parties treat users' personal data.

ClickUp's Privacy Policy explains that it is not responsible for how other websites or services treat users' personal information:

ClickUp Privacy Policy: Other websites and services clause

JetBrains' Privacy Policy explains that its websites may contain third-party links and recommends that users read the Privacy Policies for those websites to understand how their personal data may be handled:

JetBrains Privacy Policy: Third party links clause

How You Keep Users' Personal Information Safe

You can use this clause to inform users about the steps you take to keep their personal information safe.

Security measures can include implementing technological, physical, and administrative security measures and responding to settings or signals used to control cookies (small files that are used to collect data about users and stored on their browsers).

Other ways to keep users' personal information safe include training all staff who handle users' personal information, installing security cameras and locks, and using encryption to protect sensitive information during online transactions.

Asana explains that it uses technical and organizational security measures to protect users' personal information, and includes links to its Trust page where users can find out more about its security strategies:

Asana Privacy Statement: Security clause

When users click on the link, they are taken to Asana's Trust page, which lets users know some of the ways it keeps their personal data safe, including through encryption, access restrictions, and two-factor authentication:

Asana Trust page excerpt

How Users Can Exercise Their Rights

This clause lets users know how they can exercise their privacy rights.

Users' rights vary depending on their location, but many privacy laws require businesses to give users a way to:

Access their personal information
Modify their personal information
Request to have their personal information deleted
Opt out of the sale or sharing of their personal information
Opt out of the use of their personal information for targeted advertising purposes

Bumble's Privacy Policy lists some of the rights different users may have-including the right to be informed about what personal information it processes and how users can opt out of certain data processing activities:

Bumble Privacy Policy: User Rights clause

NortonLifeLock's Global Privacy Statement lists the privacy rights users may have, including the right to opt-out of targeted advertising:

NortonLifeLock Privacy Policy: User rights clause

You can let users know if your business uses the Interactive Advertising Bureau's (IAB) Global Privacy Platform (GPP) to record and convey users' consent choices regarding the sale or sharing of their personal data, or if your website responds to Global Privacy Control (GPC) signals requesting that you not sell a users' personal data.

GitHub's General Privacy Statement explains how it responds to different tools that users can utilize to control cookies, including Do Not Track (DNT) and GPC signals:

GitHub Privacy Policy: Control Tools clause

Information About Cookies

You should let users know if you track their online behavior through the use of cookies or similar devices and provide options for how they can opt out of online behavior tracking.

37signal's Privacy Policy lets users know that it may use both first-party cookies and third-party cookies (cookies used by third parties for advertising purposes) and explains that users can adjust their cookie preferences via their browser settings:

37signals Privacy Policy: Cookies clause

NortonLifeLock explains that it shares personal data for targeted advertising purposes and includes a link to its Cookie Statement:

NortonLifeLock Privacy Policy: Advertising Partners clause

When users click on the link, they are taken to NortonLifeLock's Cookies and Third-Party Analytics page, which explains what cookies are and how it uses them, including third-party cookies:

NortonLifeLock Cookies page: Third party clause

How Users Can Contact You

You should give users a way to get in touch with you with any questions or concerns they may have about how you use their personal information. The more contact methods you can give the better, and some privacy laws require you to provide at least one electronic means of communication.

NortonLifeLock includes a link to its data subject rights request form and contains its mailing address, email address, and phone number:

NortonLifeLock Privacy Policy: Contact clause

AVG's Privacy Policy includes a link to its online privacy request form and its email address and mailing addresses:

AVG Privacy Policy: Contact clause

How to Display and Get Agreement to Your Privacy Policy

You should put a link to your Privacy Policy wherever you collect personal information from users, and anywhere users' personal data can go to a third party.

Common places to put a link to your Privacy Policy include:

Website footer
Checkout page
Account creation page
Newsletter subscription area

ClickUp's website footer includes a link to its Privacy Policy alongside links to its Security information and Terms agreement:

ClickUp website footer with Privacy link highlighted

Adobe users must enter their email to create an account before making a purchase. Adobe includes a link to its Privacy Policy below the email submission box:

Adobe email sign up form with Privacy Policy link highlighted

To get agreement to your Privacy Policy, you can have users check an "I Agree" checkbox, which is a checkbox next to a statement that says users have read and consented to your Privacy Policy.

Before users can create an account with Nintendo, they must check a box indicating that they have read and agree to its User Agreement and Privacy Policy.

Nintendo form with Privacy Policy link highlighted

Summary

A Privacy Policy is a legal document that describes how you collect and process users' personal information and explains how users can exercise their rights.

Common third-party service providers include payment processing services, email marketing and advertising companies, website-hosting platforms, contractors, consultants, and analytics software providers.

It's important to address third parties and service providers in your Privacy Policy as many privacy laws require applicable businesses to inform users if they sell their personal information to or share their personal information with any third parties.

An effective way to address third parties and service providers is to include clauses within your Privacy Policy describing the types of third parties and service providers you interact with and how users' personal information is shared with or used by third parties and service providers.

Once your Privacy Policy is written, it's important to display it somewhere users can easily find it. You should put a link to your Privacy Policy wherever you collect users' personal information, such as in your website footer or on your checkout page.

Users will also need to agree to your Privacy Policy. You can get agreement to your Privacy Policy by using a checkbox next to a statement that users have read and agree to it. Users must tick the checkbox before taking further action on your website.