Privacy Policy Best Practices

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: April 18, 2025


Your website’s privacy policy isn’t just a legal necessity; it’s also a tool for building trust.

A good privacy policy will follow some essential best practices, like using clear, user-friendly language and keeping it updated.

In this guide, I break down the key privacy policy best practices and explain what to include in yours, how to structure it, and more.

Table of Contents
  1. Privacy Policy Best Practices
  2. Does Your Website Need a Privacy Policy?
  3. What Information Must Go In a Privacy Policy?
  4. How Termly Helps Businesses Make a Privacy Policy
  5. Summary

Privacy Policy Best Practices

To help you get started, here are the best practices you should follow when creating your privacy policy.

Follow Applicable Privacy Laws

A major privacy policy best practice is to make sure your document aligns with applicable privacy laws.

Privacy laws help protect users’ data, and your policy should accurately reflect all of the laws that apply to your business.

Some key privacy laws to know include the GDPR, the CCPA, CalOPPA, and PIPEDA.

For more information on major data privacy regulations and to see what Termly covers, check out our article on the laws we help you comply with.

Be Honest and Transparent

Another legally mandated best practice when making a privacy policy is to ensure it’s honest and transparent.

Transparency is the whole point of a privacy policy, and it’s also a legal requirement.

Users should know exactly how you collect, use, or share their data.

If your privacy policy hides or buries important information, it can lead to legal penalties and mistrust with your users.

Case in point

In 2019, Google was fined 50 million euros by France’s data protection authority (the CNIL) under the GDPR.

Why? For “lack of transparency, inadequate information, and lack of valid consent” regarding how user data was being used for personalized ads.

This case highlights the importance of being upfront about data practices and providing clear, accessible information to your users.

Only Collect Necessary Data

Another best practice is to limit the amount of data you collect: only collect the data you actually need.

Collecting more than you need can violate the data minimization requirements in privacy laws, and collecting sensitive information (for example, health or biometric data) increases your legal obligations.

Both the GDPR (Article 5(1)(c), the data minimization principle) and the CCPA (Section 1798.100) require that collection be limited to what is necessary and proportionate for your purposes.

For example, when it comes to subscription services:

  • Necessary information may include an email address, username, and payment method.
  • Unnecessary information may include a full birth date and phone number, unless specifically required for age verification or account recovery.

Netflix serves as a good example of limited data collection.

It only asks for an email address and payment information. If a user opts for an ad-supported plan, it then requests additional information, like birth date.

[Screenshot: Netflix sign-up form]

Use Easy-To-Read Language

Privacy policies should be easy to understand.

Laws like the GDPR require privacy policies to be written in clear and plain language, as outlined in Article 12(1).

Nobody wants to read a wall of text filled with confusing legalese.

You should use straightforward wording, short sentences, and a logical structure to make your policy accessible.

Example of a hard-to-read privacy policy:

“Pursuant to applicable data protection legislation, we may, from time to time, collect, process, and retain personally identifiable information for the purpose of optimizing user engagement and ensuring compliance with regulatory frameworks.”

Example of an easy-to-read privacy policy:

“We collect and use your personal information to improve your experience and follow privacy laws.”

Tip: If your business uses third-party tools, such as analytics platforms and other tracking technologies, be clear about what data these tools collect and how they’re used.

Take a look at how ServiceArizona does this in its privacy policy, where it mentions its use of Google Analytics.

[Screenshot: ServiceArizona privacy policy, Google Analytics disclosure]

This is a great example of clear, transparent language.

Format It in a Simple Way

It’s also important that you format your privacy policy in a logical, simple way.

A clear, easy-to-scan format will help your users find important information quickly.

Consider using the following formatting techniques in your policy:

  • Clear headings
  • Bullet points
  • Short sections
  • Table of contents
  • Jump links

Post It in Easy-To-Find Locations

It’s important that you post your privacy policy in multiple easy-to-find locations.

Your users should be able to access your privacy policy before they share personal information, such as signing up for an account or making a purchase.

Place links to your policy in common locations like the ones listed below.

  • Website footer
  • Signup forms
  • Checkout pages
  • Cookie consent banner
  • Wherever data collection occurs

Making your policy easy to find ensures users always know where to look if they have questions about their data and helps you align with applicable privacy laws.

Ensure It’s Always Up to Date

Finally, remember that privacy laws and data practices evolve, and your privacy policy should too.

You should regularly review and update your policy so it always reflects new regulations or changes in your data collection.

When you make any updates, let your users know by:

  • Adding a “Last Updated” date
  • Sending an email notification
  • Posting a blog update
  • Using a pop-up or website banner

Does Your Website Need a Privacy Policy?

Most websites are legally required to have a privacy policy.

If your site collects personal data — like names, birthdays, emails, and more — you’ll likely need one to comply with major data privacy laws like the CCPA and the GDPR.

Sometimes, you might not even realize you’re collecting personal data.

For example, if you’re using tools like Google Analytics or Facebook Pixel, these services collect data such as IP addresses, user behavior, and other personal details. It’s important to ensure you have a privacy policy that reflects this information.

Even if your website doesn’t require a policy, having one helps build trust with your users.

In its 2023 Privacy and Consumer Trust Report, the International Association of Privacy Professionals (IAPP) found that:

64% of consumers say companies that provide clear information about their privacy policies enhance their trust.

Ultimately, a privacy policy shows users that you prioritize their data protection, which strengthens their perceptions of your business.

What Information Must Go In a Privacy Policy?

The specific details of a privacy policy depend on the laws that apply to your business.

Some regulations, like the GDPR and the CCPA, have strict requirements, while others provide general guidelines.

In the sections below, I walk you through the key components your privacy policy should cover to keep it clear, user-friendly, and aligned with legal requirements.

Introduction

All privacy policies need an introduction section. You can use this area to explain who the policy applies to and define any terms used throughout the document.

Adding a table of contents is helpful for making your policy extra clear and easy to read.

What Data You Collect

Your privacy policy should clearly state what types of personal data you collect from users. This may include:

  • Identity and contact information (e.g., names, email addresses, phone numbers).
  • Payment details (e.g., credit card information or billing addresses).
  • Device and browsing data (e.g., IP addresses, cookies, browser type).
  • User-generated content (e.g., comments, reviews, uploaded files).

Be specific about the data you collect and why it’s necessary for your services.

How You Use the Data

Explain in your privacy policy how you process the collected data.

Some common uses include:

  • Targeted advertising
  • Personalizing user experience
  • Providing and improving services
  • Processing transactions

Make sure your users understand how each use benefits them and what business purpose it serves.

Third-Party Access to Data

If you share user data with third parties, your privacy policy should list:

  • Who you share data with (e.g., payment processors, analytics providers, advertisers).
  • Why you share it (e.g., to process payments, run targeted ads).
  • How third parties handle the data.

Transparency about third-party access reassures users and helps meet legal requirements.

Consumer Rights Over Their Data

Users have the right to control their personal data, and your privacy policy should clearly explain what those rights are. Your policy should cover:

  • The right to access their data.
  • The right to correct inaccurate information.
  • The right to delete their data.
  • The right to opt out of certain processing, such as the sale or sharing of their data and targeted advertising.

Clearly state how users can exercise these rights, such as through a Data Subject Access Request (DSAR) form or contact email.

Cookies and Other Trackers

If your website uses cookies or similar tracking technologies, your privacy policy should:

  • Explain what types of cookies you use (e.g., essential, analytics, marketing).
  • Clarify why you use them (e.g., site functionality, performance tracking).
  • Provide options for managing cookies.

Many privacy laws, including the EU’s ePrivacy rules, require clear disclosures and user consent before non-essential cookies are set.

Children’s Data

If your website collects data from children, include a clause in your privacy policy to comply with laws like COPPA.

Even if your site isn’t intended for children, it’s best to say so in your policy.

Your policy should state:

  • Age restrictions for data collection.
  • Whether parental consent is required.
  • How children’s data is protected or deleted upon request.

Data Retention Clause

Your privacy policy should include a data retention clause, especially if you’re subject to the GDPR, which requires you to state how long you keep personal data or the criteria used to determine that period (Article 13(2)(a)).

A data retention clause tells users how long you keep their data and why.

Your clause should include:

  • The duration data is kept.
  • The reasons for retention.
  • When and how data is deleted.

Check out Apple’s data retention clause below to see how a leading company handles this.

[Screenshot: Apple’s data retention clause]

Company Contact Information

All privacy policies should provide users with your business’s contact information.

Some ways users can reach you for privacy-related inquiries might include:

  • A contact email for privacy requests.
  • A physical address (if required by law).
  • A Data Protection Officer’s (DPO) contact (if applicable).

Making contact information easily accessible helps meet regulatory requirements and helps users exercise their rights.

How Termly Helps Businesses Make a Privacy Policy

Making a privacy policy that checks all the boxes can be tricky, but with Termly, it’s a lot easier.

You can use our Privacy Policy Generator to take the guesswork out of the process.

[Screenshot: Termly Privacy Policy Generator]

It asks simple questions about your business and makes a unique policy based on your answers, which helps ensure your privacy policy is comprehensive and tailored to your needs.

We always keep our tools up to date to reflect the latest laws and regulations.

You can quickly create a custom privacy policy that aligns with major privacy laws, including the GDPR, the CCPA, CalOPPA, PIPEDA, and more.

Summary

A well-crafted privacy policy is essential for compliance and building trust with your users.

By following Termly’s privacy policy best practices, you can create a transparent, user-friendly experience that keeps your site on the right side of the law while building trust with your visitors.

To make it extra easy, use Termly’s privacy policy generator, which helps follow all of these best practices and more.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
