How to Write a Privacy Policy

Any company aiming to comply with privacy laws and regulations has to start in one place: the privacy policy. That's where a privacy regulator will look to see if there's a concern about your data practices or if you experience a data breach. 

While these policies have a reputation as verbose, multi-page documents full of legalese that the average person has neither the legal degree nor patience to digest, they're changing. That's why it's important to know how to write a privacy policy that's both accessible and compliant.

In 2018, the EU enacted the General Data Protection Regulation (GDPR), which is seen as the gold standard in privacy law globally. 

Since the GDPR’s implementation, countries like Brazil (with its LGPD), China (PIPL), India (Digital Personal Data Protection Act), and Canada (Bill C-27) have passed or are in the process of updating similar privacy laws. 

Many U.S. states, including California (California Consumer Privacy Act, now amended by the California Privacy Rights Act), Texas, Colorado, Virginia, and Utah, have also passed their own data protection laws.

These legislative changes, combined with heightened consumer awareness of data privacy risks due to high-profile breaches, have pressured companies to implement strong personal data security programs. A key element of any robust data protection program is a well-documented and transparent policy for privacy of user data.

What Is a Privacy Policy?

In essence, a privacy policy is just that—a means of formalizing your privacy practices and serving to inform others what those privacy practices are.  A well-crafted privacy statement or privacy notice ensures transparency in your data handling practices.

While the GDPR requires companies collecting data to publish online privacy policies, in the U.S., they're mandated by state, local, and industry-specific regulations, especially as several states have enacted comprehensive privacy laws.

The country still doesn't have a federal privacy law, though discussions about one are ongoing, including considerations for acts like the California Online Privacy Protection Act (CalOPPA) and the need for a cookies policy. To ensure compliance, businesses often use a privacy policy template or privacy policy generator to craft a compliant privacy policy tailored to their needs.

It comes down to this: Do what you say, and say what you do.

Why Do I Need a Privacy Policy?

There are a few benefits to developing a privacy policy.

Obviously, there’s the benefit of meeting regulatory requirements. Without an accurate privacy policy, you’ll be liable to be penalized under the data privacy laws we’ve already mentioned.

For instance, under laws like the California Online Privacy Protection Act, your website privacy policy must clearly state how your website collects and uses personal information from users. Non-compliance can lead to significant financial penalties and damage to your organization’s reputation.

However, there are additional benefits to developing one.

For one, it helps you define a framework for your privacy program. Having to sit down and explicitly state how you handle personal data at your organization forces you to think about what you actually do with that data and what you actually should be doing.

This process also supports the principles of privacy by design, ensuring that data protection is integrated into every aspect of your operations. A comprehensive policy should also address how data collected from mobile apps is handled, ensuring that users are informed across all platforms.

In a world where consumers are increasingly aware of data privacy concerns, a clear and informative privacy policy signals that your organization cares about consumer rights. This transparency builds trust, which is crucial for maintaining strong customer relationships and brand loyalty, especially when you clearly outline the information you collect.

Privacy Policies: Dos and Don’ts

Creating a privacy policy for your website or mobile app is a critical step in ensuring compliance with privacy regulations and protecting user privacy. However, it’s essential to avoid common mistakes that can undermine the effectiveness of your policy. 

Below, we’ll explore the dos and don’ts of writing an effective privacy policy that aligns with relevant data privacy laws.

Don’t Copy and Paste Another Company’s Policy

First, don't copy and paste another company's privacy policy and then switch out their name for yours. It might seem like an obvious tip, but it's a rather persistent practice.

That's according to Dennis Dayman, chief privacy officer at Maropost, a cloud-based marketing platform. He has been helping companies with their data privacy for 25 years, has written his fair share of privacy policies, and read far more of them.

"That's probably the biggest thing I run into these days is people trying to try and copy and paste policies as their own," Dayman said. "They just say, 'I'm gonna grab this as a beginning template,’ but it doesn't necessarily have the same data collection practices as the company they copied it from."

If you're a small company, for example, and you don't yet collect massive pools of data, your privacy policy for a small business should be tailored to reflect the specific information that your website collects and processes. It's important to write an effective privacy policy that accurately represents your data practices, especially if your business handles sensitive user data.

Understand Your Data Collection Practices

Your privacy policy must include a detailed explanation of how your website or app collects, uses, and shares personal information. Whether your website collects data from users directly or through third-party services, the language in your privacy policy must be clear and specific.

Catherine Dawson, a privacy attorney, emphasizes the importance of creating a privacy policy tailored to your business.

"Lawyers borrow language from other legal documents all the time, and often it makes sense,” she said. "It's not necessarily a bad thing to look at someone else's privacy policy example and reuse language that you like, but it's an easy temptation to cut and paste wholesale from another privacy policy. And that can be a dangerous practice because if it's not tailored to your business, you may have inadvertently described a privacy practice that is not yours."

Communicate Data Practices Clearly

One of the biggest challenges business owners face is explaining how user data is treated in a way that makes sense to the average user while still protecting the company against potential litigation.

Dayman recommends applying the “grandmother test” when writing the policy. "Would you do this to your grandmother? Would you collect this data and use it the way you want to on your grandmother? Privacy has to be as hyper-transparent for your grandmother to use as well. You've got to be very careful in drafting that."

To ensure your privacy policy is accessible, ask individuals from your organization to review the draft. Does it make sense to them? Is the language in your privacy policy filled with legal and technical jargon that only a lawyer could understand? Writing a good privacy policy involves simplifying complex terms without sacrificing accuracy.

Avoid Legal Jargon and Keep It Simple

Writing in legalese has been one of the hallmarks of bad privacy policies. "A lot of these social media companies have had these privacy policies that were just pages and pages long. A lot of people feel like they've been tricked into giving their data," Dayman said.

Dayman recommends keeping it simple. If you're using words like "jurisdiction" or "precedence," you might be taking the wrong approach. Simplifying the language in your privacy policy will help users understand their rights and your data practices more clearly.

Dawson agreed but noted that there’s a reason some companies resort to legal jargon, especially if they rely heavily on third-party data and vendors to collect personal data.

"It can be hard for people to articulate clearly how their data is shared with third parties," Dawson said. "It's not that folks are trying to hide the ball, but more that the online advertising ecosystem is complex. It can be challenging to describe accurately and clearly how the data you collect flows through that ecosystem and how it is combined with other data."

Get Buy-In from Key Stakeholders

When writing an effective privacy policy, it is important to involve key stakeholders across your organization. Dayman suggests a top-down approach, aiming to get buy-in from your CEO and the board.

"Getting buy-in from executives and those who make decisions about the company is highly important," he said.

But it's also important to involve various business groups that might not seem obvious. The IT, engineering, and sales teams all touch and use customer data at some point, so it makes sense that they should provide input on the policy or at least review a draft to ensure that what's being conveyed about company practices matches how their department actually uses data.

"You don't always know what the engineering team is doing with the data. Sometimes they have to use data to test systems, and you have to figure out whether you have to make a statement about that in your policy," Dayman said.

Ensure Ongoing Compliance and Updates

The bottom line, said Dawson, is to roll up your sleeves and fully understand all of your company’s data practices. If you get the fundamentals wrong, your policy will fall short. Be as straightforward as you can in your descriptions of those practices, and then ensure the rest of the organization doesn’t deviate from those descriptions.

Your privacy policy should also include a clause that addresses child privacy, especially in compliance with the Children’s Online Privacy Protection Act (COPPA). This is essential for businesses that handle data from children under the age of 13.

Privacy enforcement agencies globally have said, "'Your privacy policy should convey what practices you have with respect to people's data,'" Dawson said. "You need to say what you do and then do what you say."

Finally, regularly update your privacy policy to reflect any changes in your data practices or privacy regulations. Providing a link to your privacy policy on your website and ensuring that users are informed about any changes to your privacy policy is critical for maintaining transparency and compliance.

How To Write a Privacy Policy: Information to Include

When you write your privacy policy, it’s essential to ensure it is comprehensive and tailored to the specific needs of your business. Here’s what to include in your privacy policy to ensure compliance with relevant data privacy regulations. For more detailed guidance on each of these steps, read our Ultimate Privacy Policy Checklist. 

1. Your business and contact information.
2. The categories of data you collect.
3. The sources of the data or how you collect data.
4. The purpose of data collection and how it applies to your business.
5. The legal basis of data collection.
6. The consumer’s rights within their privacy policy.
7. Who you share personal information with (including third parties).
8. Whether the data will be transferred across borders and how.
9. Whether data collection is voluntary or mandatory.
10. Your data retention policies.
11. Your privacy and security measures to protect your business.
12. Your financial incentive programs (if applicable).
13. How you will communicate changes to your policy.
14. Effective date.
15. Accessibility of the privacy policy (ensuring it is easily accessible on your website or app).
16. Child privacy protections (if applicable, in compliance with the Children’s Online Privacy Protection Act).
17. Regular updates to ensure compliance with evolving privacy regulations around the world.