Privacy policies inform people about how an organization collects, processes, and uses personal data.
It’s essential for businesses to know what a privacy policy is and how to make one because these policies are legally required.
In this guide, I explain what a privacy policy is and what goes into one, discuss the different laws that affect it, and explain the possible consequences of not having one.
- What Is a Privacy Policy?
- Why Are Privacy Policies Important?
- Do I Need a Privacy Policy?
- Which Laws Require a Privacy Policy?
- Which Platforms Require a Privacy Policy?
- What Are the Benefits of a Privacy Policy?
- What Do Privacy Policies Include and Cover?
- What Are the Penalties for Not Having a Privacy Policy?
- Where Do You Need To Display Your Privacy Policy?
- How Can You Enforce Your Privacy Policy?
- Options for Creating a Privacy Policy
- How To Maintain Your Privacy Policy
- Additional Legal Policies You May Need
- Summary
What Is a Privacy Policy?
Simply put, a privacy policy informs your website or app users how you collect and process their personal data.
It also tells them their rights over how their data gets processed and gives instructions for following through on those rights.
While the specific details included in your privacy policy depend on applicable data protection laws, it usually explains:
- What personal information you collect
- How you collect that information
- Why you collect it, also known as your ‘legal basis’
- Who you share the data with or sell it to
You’re most likely legally required to publish a compliant privacy policy depending on:
- Where your business is located
- Where your customers come from
- How much data you collect
- Your gross annual revenue
It’s important to note that privacy policies are not the same as your terms and conditions, which protect your business by outlining your rules of use, dispute resolutions, and payment terms.
Furthermore, privacy policies are not like disclaimers, which usually go inside your terms and conditions and are used to remove liabilities from your plate.
If your company operates online in any capacity, you should have all of these necessary website policies posted to your platform. But this guide focuses on privacy policies, so let’s not get too off-topic here.
Legal Definition of a Privacy Policy
The legal definition of a privacy policy and what specifically must go into it depends on what laws apply to your business because they often require different things.
To help you out, the table below compares the legally necessary information you must include in your privacy policy based on 12 of the most significant data protection laws.
| Data Privacy Law | Privacy Policy Obligations |
| 🇪🇺 General Data Protection Regulation (GDPR) |
|
| 🇬🇧 The Data Protection Act (UK GDPR) |
|
| 🇺🇸 Amended California Consumer Privacy Rights Act (CCPA & CPRA) |
|
| 🇺🇸 California Online Privacy Protection Act (CalOPPA) |
|
| 🇺🇸 Virginia Consumer Data Privacy Act (VCDPA) |
|
| 🇺🇸 Connecticut Data Protection Act (CTDPA) |
|
| 🇺🇸 Colorado Privacy Act (CPA) |
|
| 🇺🇸 Children’s Online Privacy Protection Act (COPPA) |
|
| 🇨🇦 Personal Information Protection and Electronic Documents Act (PIPEDA) |
|
| 🇦🇺 Australia’s Privacy Act of 1988 |
|
| 🇳🇿 New Zealand’s Privacy Act of 2020 |
|
| 🇿🇦 South Africa’s Protection of Personal Information Act (PoPIA) |
|
Other Names for a Privacy Policy
You can use several names for your privacy policy, like privacy notice or privacy disclosure.
But for legal compliance reasons, try not to use a misleading or abstract title so it’s obvious to users what the document is.
Here are the most common names for a privacy policy (other than, of course, privacy policy):
- Privacy Notice
- Privacy Agreement
- Privacy Disclosure
- Privacy Statement
Why Are Privacy Policies Important?
Privacy policies are important because they help ensure you follow relevant data protection laws, keeping your business out of trouble and helping you avoid potentially massive fines.
Furthermore, a good privacy policy helps build and maintain trust with your users because it tells them what you’re doing with their personal information when they use your website or app.
Various consumer and data privacy statistics suggest that people will abandon their shopping carts or ditch your service if they think you’re dishonest about how you handle their information:
- 60% of users say they would spend more money with a brand they trust to handle their personal data responsibly. (Global Consumer State of Mind Report 2021)
- 84% of users are more loyal to companies with strong security controls. (Salesforce)
- 48% of users have stopped buying from a company over privacy concerns. (Tableau)
So, put a privacy policy on your website or app to retain more customers, attract new shoppers, and prevent yourself from getting hit with legal penalties.
Do I Need a Privacy Policy?
Yes, if your business operates online in any capacity, you need a privacy policy. Posting one is a matter of legal compliance and a business best practice.
But you also may be required to have one if you:
- Own a website: Websites often collect personal data from visitors, and therefore they need privacy policies, whether for an online clothing store, a basic photography website, or some other ecommerce businesses.
- Develop apps: Android, iOS, and Facebook app developers must have a privacy policy for the app to pass the final review process.
- Run a small business: Size doesn’t matter much regarding privacy compliance, so even small businesses need privacy policies. Most fall under laws with broad thresholds, like the GDPR and CalOPPA.
- Use third-party software or services: Many third-party services, including Google Analytics and Shopify, require you to post a privacy policy and follow any applicable data privacy laws as part of their terms of use agreements.
- Collect information about your employees: Sometimes called an ‘Employee Monitoring Policy,’ you may need to provide your employees with details about the data you collect about them, both for in-person and work-from-home roles.
- Own a basic blog: Even simple blogs should have a privacy policy because internet users expect to find one and may assume you’re dishonest or sneaky if they don’t see one on your site.
- Own a marketing agency: Yes, even marketing agencies need privacy policies, as these groups typically work with large amounts of personal data and are subject to following all applicable data protection laws.
- Have a dropshipping store: Dropshipping stores also need privacy policies, especially if they fall under any data privacy laws or take part in international data transfers, which are subject to specific legal guidelines.
Which Laws Require a Privacy Policy?
Several data protection laws from around the globe require a privacy policy either directly or indirectly, including the following:
- General Data Protection Regulation (GDPR)
- Data Protection Act (UK GDPR)
- Amended California Consumer Privacy Act (CCPA/CPRA)
- California Online Privacy Protection Act (CalOPPA)
- Virginia Consumer Data Privacy Act (VCDPA)
- Connecticut Data Protection Act (CTDPA)
- Colorado Privacy Act (CPA)
- Children’s Online Privacy Protection Act (COPPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia’s Privacy Act of 1988
- New Zealand’s Privacy Act of 2020
- South Africa’s Protection of Personal Information Act (PoPIA)
Some of these laws, like the CTDPA and the VCDPA, clearly say you must give users a privacy notice. (This is just another name for a privacy policy, as I discussed above.)
Others provide guidelines you can quickly meet using a privacy policy, like the ten fair principles outlined by PIPEDA.
Which Platforms Require a Privacy Policy?
Besides legal compliance, several third-party platforms stipulate that you must publish a privacy policy to use their services. They usually specify this in their terms of service agreement.
In this next section, I’ll walk you through some obligations outlined by major third-party services relevant to websites and apps.
Websites
If you own a website, you may be required to post a privacy policy by the terms of use outlined by whatever content management system or service you use.
For example, you should plan to make a privacy policy if you:
- Own a WordPress Website: Your WordPress site needs a privacy policy. Section 7 of the WordPress Terms of Service stipulates that you’ll post a privacy policy on your website following any applicable data privacy laws.
- Run a Squarespace Website: According to section 7 of the Squarespace Terms of Service, you must put a compliant privacy policy on your Squarespace website following any relevant data privacy laws.
- Use Blogger (Blogspot) to host your website: Google owns Blogger, so your use of this service is subject to the Google Privacy Policy, and you must follow applicable data privacy laws and post a Blogger privacy policy whenever necessary. According to the Blogger Content Policy, your account may be terminated or reported to law enforcement if you fail to do so.
- Use Wix for your website: In their Terms of Use, Wix requires you to follow all applicable data privacy laws and holds you accountable if you fail to do so, which includes posting a compliant privacy policy on your Wix website.
- Run a Shopify store: According to Shopify’s Privacy Policy and their Data Processing Addendum, you should post a Shopify privacy policy and ensure you follow all relevant data privacy laws correctly. Otherwise, they may terminate your use of their service.
- Use third-party software or services: To use third-party services like Google Analytics, their User Terms require you to post a privacy policy on any website using Google Analytics.
Apps
Meta, Google, and Apple require developers to post a compliant privacy policy as part of the final app review process before they can get published on their various app stores.
For example, you should prepare a privacy policy if you:
- Develop Android apps for the Google Play Store: Android apps need a privacy policy. Your policy must meet the Google Play Store privacy notice requirements. The Google Developer Distribution Agreement requires all apps to have a privacy policy before the app gets published on the Play Store. You can read more about it in their Play Console Help Center.
- Develop mobile apps for the Apple App Store: Other mobile apps also need privacy policies. For example, Apple’s App Store Review Guidelines require all apps published on the App Store to have one before publication.
- Develop Facebook apps: Meta, the owners of Facebook, require anyone who develops apps that process data to publish a Facebook privacy policy that meets the requirements outlined in their Meta Platform Terms — this is also the case if you use their Instagram API.
What Are the Benefits of a Privacy Policy?
Privacy policies benefit both your business and consumers, making them a win-win for everyone involved. In particular, they help:
- Protect your business from violating data privacy laws: I’ve mentioned this a few times, but privacy policies are necessary if you need to comply with any data privacy laws, and posting one can help prevent you from getting fined.
- Build trust with your users: People want to know who has access to their personal data and what’s happening to it, so posting a privacy policy shows new and returning consumers that you’re honest and transparent about your data processing activities.
- Create awareness and help educate your staff: Cybercrime is increasing rapidly, and personal data is often the subject of these attacks. By raising your privacy awareness and posting a comprehensive privacy policy on your website, it’ll be easier to educate your team about privacy issues and prevent your business (and consumers) from falling victim to a data breach or leak.
- Fosters a safer, more user-friendly internet: We all use the internet, business owners and consumers alike. Don’t you want to know what happens to your data when browsing shops or apps online? Posting a thoughtful privacy policy shows that you take data privacy seriously, which leads to a more user-friendly and safer internet for all of us.
What Do Privacy Policies Include and Cover?
Privacy policies include almost every detail about your data processing activities that you can imagine, and they also cover the rights your users have and explain how they can act on them.
In this next section, read about nearly every applicable clause that a privacy policy should have, and remember that not all of these may apply to your business.
Introductory Clause
Your privacy policy should have a clear, easy-to-read introductory clause that provides your company name, explains to whom the policy applies, and defines relevant terms to be used throughout the policy.
This section is also a good place to link to other relevant documents you want your users to have access to, like your terms and conditions or cookie policy.
I recommend you also put a ‘last updated’ date in this first section of your policy.
Below, see a great sample of an introductory clause from the language learning tool Duolingo’s privacy policy.
What Personal Data You Collect
All privacy policies must disclose what personal data you collect from your users.
Keep it simple and clean by listing all categories of personal information you process, including sensitive personal data.
Below, see a good example of how to format this clause easily from the video streaming service Netflix’s privacy policy.
How You Use the Data
You must explain why you collect user data, also known as your legal basis, somewhere in your privacy policy.
Regulations like the GDPR, the VCDPA, and others require this, and your reasoning is subject to specific legal grounds.
See below how the social media video-sharing platform TikTok handles this clause in their privacy policy.
How You Collect Personal Data
For legal compliance reasons, you must disclose how you collect personal data from your users in a clause in our privacy policy.
Common methods for data collection include:
- Voluntarily provided by the individual
- Through payment screens or checkout pages
- Filling out an online form
- Placing cookies on users’ browsers
- In-person or in-store recordings
Below, see how succinctly TikTok writes this in their privacy policy (they then expand upon this information further in their policy).
If You Share the Data With Third Parties
If you plan to share the personal data you collect with any third parties, you must say so in your privacy policy.
List what categories of third parties you share or sell personal information to, explain why you share or sell the data, and say how it gets shared with the other entities.
See a great example of how to write this clause in the screenshot below, which is from the video meeting platform Zoom’s privacy policy.
An Explanation of Your Users’ Legal Rights
You must explain what rights your users have over their personal information somewhere in your privacy policy.
The rights provided by each law vary slightly, but most of them grant the right to:
- Access their personal data
- Request to amend or correct their data
- Request to delete their data
- Limit the use of their data
- Obtain a portable copy of their data
- Opt into or opt out of certain data processing activities
Below, see how TikTok writes this clause in their privacy policy.
A Method for Following Through on Data Privacy Rights
Most data privacy laws also require you to explain how your users can follow through on their applicable data privacy rights in your privacy policy.
You might achieve this by:
- Putting a link to a functioning Data Subject Access Request (DSAR or SAR) form
- Saying if you honor “Do Not Track” requests and Global Privacy Controls (GPC)
- Providing proper, working contact information
- Having a “Do Not Sell or Share my Personal Information” link (under the CCPA/CPRA)
- Using a “Limit the Use of my Sensitive Personal Information” link (under the CCPA/CPRA)
The screenshot below shows a sample of this clause from Zoom’s privacy policy.
Details About International Data Transfers
You must explain if you plan to transfer personal data internationally in a clause in your privacy policy and list what countries the data may get transferred to.
For example, under the GDPR, you must disclose if an adequacy decision exists regarding the data transfer or if you use another transfer mechanism.
Below, see how Duolingo handles this clause in their privacy policy.
Data Retention Policy
Regulations like the GDPR require you to explain your data retention timeline and protocols within a clause in your privacy policy.
You must state how long you plan to store the data for or give the process you’ll use for determining when you’ve achieved your lawful goals for using the data.
To avoid legal issues, don’t keep data for longer than necessary.
Below, see how Zoom writes this clause in their privacy policy.
Safety and Security Measures
Laws like the GDPR and the CCPA hold businesses accountable for implementing safety and security measures to protect personal data from breaches, leaks, or other cybercrimes.
Taking the following precautions is recommended:
- Pseudonymize the data
- Encrypt the data
- Ensure ongoing confidentiality, integrity, resilience, and availability of your processing system
- Implement a way to restore the availability or access to personal data should a breach occur
- Have a process for routinely testing, assessing, and evaluating the effectiveness of your security protocols
See a sample of this clause from TikTok’s privacy policy below.
Updates to Your Privacy Policy
You should include a clause in your privacy policy explaining when you’ll make updates and how you’ll inform your consumers about those changes.
Under the CCPA, you must update it at least once every 12 months. Plus, some laws, like the GDPR, expect you to re-obtain user consent if you change what data you’re processing or your purposes and use of the information.
Below, see an example of this clause from Duolingo’s privacy policy.
The Right to Lodge a Complaint
Under laws like the GDPR and PoPIA, you must explain in your privacy policy that consumers can submit a complaint about you if they think you’re violating their privacy rights.
If possible, provide the correct contact information by region for the appropriate person or entity to submit those complaints.
See a sample of this clause in the privacy policy from Netflix below.
Children’s Data
If your website or app targets children, you must include specific information to comply with relevant laws like COPPA, which are meant to protect minors and young people.
For example, you must inform parents or legal guardians of their right to opt their children into data processing.
See how Duolingo writes this clause in their privacy policy below.
Company Contact Information
Many data protection laws require you to include your proper company contact information directly in your privacy policy. This ensures that users know who to contact if they have questions about the details of your policy.
Below, see an example of how Duolingo writes this clause in their privacy policy.
What Are the Penalties for Not Having a Privacy Policy?
The penalties for not having a privacy policy change depend on what law you’ve violated.
The table below compares the non-compliance punishments for the 12 data protection laws covered throughout this guide.
| Data Privacy Law | Penalties for Violating the Law |
| General Data Protection Regulation (GDPR) |
|
| The Data Protection Act (UK GDPR) |
|
| Amended California Consumer Privacy Act (CCPA/CPRA) |
|
| California Online Privacy Protection Act (CalOPPA) |
|
| Virginia Consumer Data Privacy Act (VCDPA) |
|
| Connecticut Data Protection Act (CTDPA) |
|
| Colorado Privacy Act (CPA) |
|
| Children’s Online Privacy Protection Act (COPPA) |
|
| Personal Information Protection and Electronic Documents Act (PIPEDA) |
|
| Australia’s Privacy Act of 1988 |
|
| New Zealand’s Privacy Act of 2020 |
|
| South Africa’s Protection of Personal Information Act (PoPIA) |
|
As you can see, some of these laws, like the amended CCPA, give individual users the right to pursue privacy action against you.
Others, like PoPIA, could potentially lead to criminal charges.
You’d also face public backlash from your customers, which could cause you to lose sales.
Where Do You Need To Display Your Privacy Policy?
Where you display your privacy policy also depends on what data protection laws apply to your business, and you should plan to post it in multiple spots.
Regulations like the GDPR and CCPA require you to present your consumers with certain information at or before the points where data collection occurs.
So, I recommend putting your privacy policy in all of the following spots:
- The footer of your website: This is where most people look for your policy, and since it always stays the same no matter where users end up on your site, it helps ensure they always have access to it.
- A static menu of your app: If you own an app, link your privacy policy in a fixed menu so your users can always locate the information.
- Payment screens or checkout pages: Payment screens usually collect personal information from users, so this is a legally necessary place to link to your privacy policy.
- Profile or new user account creation pages: To set proper user expectations, give them a link to your privacy policy before they create a profile or user account. This is another area where data collection typically occurs.
- Linked to your consent banner: Along with a cookie policy, consider also putting your privacy policy on your cookie banner and request that your users read it and choose if they agree. This proves they’re fully informed before they continue accessing your services.
- App store listings: Put a link to your privacy policy on any app listing pages so users can read the agreement before downloading your platform. Many app stores require this before they’ll approve your app for publishing.
- In your marketing emails: A link to your privacy policy within your marketing emails helps keep your users informed and allows them to access it as needed.
How Can You Enforce Your Privacy Policy?
Your privacy policy is not a document that you need to enforce. Instead, it explains your data processing activities to inform the people who may use your website or app.
In fact, your business is held accountable for following everything you write in your privacy policy, not your consumers. It’s also your responsibility to ensure that it meets all obligations outlined by any data privacy laws that may impact your company.
A better question to ask yourself is: Is your privacy policy compliant?
Because if the answer is no, all liabilities fall on your business.
Options for Creating a Privacy Policy
When it comes to making a privacy policy for your website or app, you have a few options:
- Use a managed solution like a generator
- Use a free template
- Write it yourself
Contrary to popular belief, unless you collect highly sensitive personal information or process massive amounts of data, you typically don’t need to rely on a lawyer for your privacy policy.
Let’s discuss these privacy policy solutions so you can choose the best method for your business needs.
Managed Solution
The easiest way to make a privacy policy for your platform that adequately follows data privacy laws is to use a managed solution like Termly’s free Privacy Policy Generator.
To use the generator, you answer simple questions about your business, and it creates a compliant policy based on your answers. If you need help, our legal team provides tips for most sections, and we have a great group of customer support staff ready to chat.
Our privacy policy generator features clauses that comply with several data privacy laws, and we update it regularly to keep up with any new or changing legislation.
See what it looks like in the screenshot below.
Free Template
Another good option is our free privacy policy template, which takes a little more work but is still relatively quick and easy.
With a template, you manually fill in the blank sections with details about your business. Ours features all the necessary clauses to comply with several of the data privacy laws mentioned in this guide.
Below, you can see an example of what it looks like.
Termly has guides and templates for privacy policies, no matter your need.
Do-It-Yourself
You can also write your privacy policy, but I only recommend this if you have extensive data privacy and legal knowledge or access to a lawyer.
If you try this, use easy-to-read language, and don’t leave anything out. Violating these data privacy laws — even by mistake — still leads to fines.
You should also plan to regularly review and update your policy and develop a process for keeping up with new or changing data privacy laws.
How To Maintain Your Privacy Policy
Maintaining your privacy policy is an integral part of legal compliance. You should plan to review and update it regularly and have a process in place for informing your users whenever you make any changes.
Reasons to update your privacy policy include:
- You made a general update or change regarding your data collection and processing activities.
- You must comply with the CCPA, which states that you must update your policy at least once every 12 months.
- You want to collect new types of personal information from users not previously outlined in your privacy policy.
- You’re using a new third-party service or will share the data you collect with a new entity.
- You changed how you want to use the personal data you collect to something not previously expressed in your privacy policy.
To inform users of your updated privacy policy, you can:
- Send out an email with a link to the new policy and an explanation of what changed
- Use a pop-up notification on your website or app so anyone who visits is informed about the changes
- Publish a blog post that explains to users that you’ve changed your privacy policy
- Put a ‘Last Updated’ date clearly on your privacy policy — in the introduction section is best
I recommend implementing all of the above solutions so that as many of your users as possible can see the changes you’ve made to the agreement.
It’s also a good idea to provide an archive of past versions of your policy somewhere on your app or website. This way, you can prove that you’ve kept up with the appropriate changes based on any laws that may impact your business.
Additional Legal Policies You May Need
A privacy policy is only one of several different legal documents you might need for your website, app, or platform.
Depending on the industry you’re in and what services you provide, you may need a:
- Consent Management Platform (CMP): To set your website or app up for full compliance under most data privacy laws, you may need to use a Consent Management Platform and set up a cookie consent banner that allows your users to opt into or out of certain data collection practices, based on applicable laws.
- Cookie Policy: Cookies qualify as personal information under most of the data privacy laws mentioned in this guide. You should create a compliant cookie policy that tells users what cookies your website leaves on their browsers and how they can control them.
- Terms and Conditions Agreement: If you run a website, creating a terms and conditions agreement helps protect your business by explaining the rules of use and limiting some of your liabilities. You can include clauses to outline your dispute resolution and governing laws and explain processes like your payment terms.
- Acceptable Use Policy (AUP): If your business allows users to interact with one another, post their own content, or fosters an interactive community, you should create an Acceptable Use Policy that explains all acceptable and prohibited uses, behaviors, and activities on your platform.
- Return and Refund Policy: If you run an ecommerce store, create a return policy to help answer common customer questions about if you offer returns, refunds, or exchanges and how long customers have to request one.
- Shipping Policy: If you send goods through the mail, create a shipping policy so consumers know all details about your shipping and handling practices, like where you ship to, how much it might cost, and a timeline for how long it usually takes for people to receive their packages.
- End-user License Agreement (EULA): For apps or software developers, creating a EULA helps protect your technology that’s available for public use.
- Disclaimers: Most businesses need to create at least one disclaimer on their site to help remove (aka, disclaim) liabilities from their plates.
Summary
No matter what kind of business you own, a privacy policy helps you comply with data privacy laws and shows consumers that you respect their personal information.
Remember to update your privacy policy often to ensure it’s always accurate, and post it in multiple places throughout your platform so users can always find and read it.
You can easily make a privacy policy for your website or app by using tools like our Privacy Policy Generator.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
