Any business that collects customer data needs a privacy policy, including website owners, app owners, and anyone in between.
Having a privacy policy is legally required and it shows consumers you’re honest about your data processing activities.
To help simplify making one of these essential business policies, I’ve made the ultimate privacy policy requirements checklist, which explains what goes into a privacy policy, the laws that require them, where to post it, and so much more.
Privacy Policy Checklist
Read through my privacy policy checklist below, which features details about legally required clauses, the details that must go in those clauses, and lists the privacy laws that require it.
Privacy Policy Clause | To-do | Required By The… |
Legal Requirements for Privacy Policies
In the next table, I provide the specific privacy policy requirements outlined by different privacy laws that may impact your business.
| Data Privacy Law | Privacy Policy Requirements |
| --- | --- |
| 🇪🇺 General Data Protection Regulation (GDPR) | |
| 🇬🇧 The Data Protection Act (UK GDPR) | |
| 🇺🇸 Amended California Consumer Privacy Rights Act (CCPA/CPRA) | |
| 🇺🇸 California Online Privacy Protection Act (CalOPPA) | |
| 🇺🇸 Virginia Consumer Data Privacy Act (VCDPA) | |
| 🇺🇸 Connecticut Data Protection Act (CTDPA) | |
| 🇺🇸 Colorado Privacy Act (CPA) | |
| 🇺🇸 Children’s Online Privacy Protection Act (COPPA) | |
| 🇨🇦 Personal Information Protection and Electronic Documents Act (PIPEDA) | |
| 🇦🇺 Australia’s Privacy Act of 1988 | |
| 🇳🇿 New Zealand’s Privacy Act of 2020 | |
| 🇿🇦 South Africa’s Protection of Personal Information Act (PoPIA) | |
Privacy Policy Requirements Explained
Next, I explain in more detail what should go into the required clauses I provided in the privacy policy checklist above.
Personal Data Collection
Every data privacy law gives individuals the right to know what personal data is being collected or processed about them, making this one of the most critical clauses in your privacy policy.
To comply with these laws, you must clearly list all categories of personal data you collect, including sensitive personal information, which is subject to stricter guidelines under laws like the GDPR, the CCPA, and the VCDPA.
While the precise definition of personal data varies depending on what legislation you look into, it typically refers to any information that could reasonably be linked to an individual or household, directly or indirectly.
Along with what data you collect, you also need to state:
- Why you collect the data, including your legal basis if you must comply with laws like the GDPR
- How you collect the personal data — for example, you might gather the information voluntarily from the user, through web forms, by placing cookies on users’ browsers, or when they sign up for accounts or make purchases, etc.
- What you do with the data, like using it for marketing or research purposes, to enhance the user experience on your website, or to provide consumers with targeted ads and more specific product recommendations.
Many companies put this information into tables or bullet lists in their privacy policy, with titles representing each specific legal requirement, like the music streaming service Spotify, which you can see in the screenshot below.
Selling or Sharing of Personal Data
If you share or sell the personal data you collect to any third parties, you must disclose it in your privacy policy, as required by laws like the GDPR, the CCPA, and others.
To comply, you must also list all categories of third parties you share information with or sell the data to directly.
For formatting, consider using a table or a bullet list, like how Spotify writes this clause in its privacy policy, as shown in the following screenshot.
Privacy Rights for Consumers
Several data protection laws require you to list individuals’ rights in your privacy policy and provide instructions for following through on those rights, which can be achieved by making clauses specific to the different laws that apply to your business.
For example, if you fall under both the VCDPA and the amended CCPA, make a clause outlining users’ rights in Virginia and another for users in California.
The general merchandise retailer Target does this in their privacy policy, as shown in the screenshot below.
Next, see their rights pertaining to Virginia residents.
Ensure you follow the specifications outlined by all laws that apply to your business, be it a “Do Not Sell or Share My Personal Information” link as described by the CCPA or a generic Data Subject Access Request (DSAR or SAR) form as recommended for the GDPR.
International Data Transfers
You may be subject to international transfer requirements, particularly by the GDPR and the UK GDPR, if you transfer personal data from users who live in a different country than where your business is located.
Under the GDPR, if an adequacy decision is in place, international data transfer from an EU/EEA nation can occur without other authorizations or assessments.
But if there is no decision in place, as is the case with the US, you must ensure the international transfer meets all requirements outlined by Chapter 5, Articles 44 – 50 of the Regulation.
You also must put a clause in your privacy policy explaining if and where you transfer the data and what protections are in place to ensure the information is appropriately protected and that individuals can follow through on their rights.
See how internet search engine Google writes about international data transfers in their privacy policy below.
Data Retention Limits
Laws like the GDPR, Canada’s PIPEDA, and others mandate that you can only keep personal data for as long as necessary based on the purposes you outlined in your privacy policy. But you must also describe your data limitation process in a clause within the policy.
If the purpose for collecting personal data doesn’t have a clear end or time limit, explain how you’ll determine when you’ve achieved your goal and no longer need to retain the information.
See how Google writes their data limitation clause in their privacy policy below.
Security Measures To Protect Personal Data
Data protection laws like the GDPR and the CCPA hold businesses accountable if personal information gets breached or leaked. You must explain in a clause in your privacy policy what security measures you have in place to prevent this type of cybercrime or error from occurring.
You might consider:
- Anonymizing the data
- Encrypting the data
- Pseudonymizing the data
This clause can be short and sweet, but it is legally necessary. Below, see a great example of how the supermarket and general store chain Woolworths phrases the security portion of their privacy policy.
Privacy Policy Updates
Legally, your privacy policy must always remain current, so include a clause explaining when you’ll make changes to the policy, why the changes may be necessary, and how you’ll update your users.
The amended CCPA requires you to update your privacy policy at least once every 12 months.
But many of these laws, including the GDPR and the VCDPA, state that you can only use personal data based on what you put in your privacy policy. So you also need to update your policy, inform your users, and sometimes even re-obtain their opt-in consent if you want to change your data collection and processing activities.
See an excellent example of this type of clause from Woolworths’ privacy policy in the screenshot below.
Remember, this is a living document. It should change as often as you need it to.
Just ensure you properly inform your consumers every time, fix the ‘Last Updated’ date on your policy, and tell your users what exactly is different about your policy.
Submitting Complaints
Laws, including the GDPR, PoPIA, and others, grant individuals the right to submit complaints if they think you violate their data privacy rights.
You must include a clause within your privacy policy explaining this right and giving the proper contact information based on the applicable law.
If you fall under multiple laws, you should consider using a separate clause for each relevant regulator or supervisory authority so your users from those locations can easily find the proper contact information.
Once again, see how Woolworths does it in their privacy policy, shown below.
For comparison’s sake, see how simply the popular South African grocery chain Shoprite does it in their privacy policy to comply with PoPIA, highlighted in the screenshot below.
Data Processing Impact Assessments (DPIAs)
Where you intend to perform certain types of processing that carry a ‘high risk’ to your consumers, data privacy laws, including the GDPR and the CTDPA, require you to perform DPIAs, and you should explain this process within a clause in your privacy policy to keep your consumers adequately informed.
You must explain that you performed an appropriate DPIA to assess the risks associated with the processing and to identify suitable protections for your users.
Your users also have the right to limit how their sensitive personal data gets used, so give them a way to follow through on their rights regarding this information.
Below, see how higher education group Study.Iceland handles this clause in their privacy policy.
Company Contact Information
Several data privacy laws require you to include appropriate contact information within your privacy policy so your users can submit a complaint, ask questions, or request to follow through on their rights to access, amend, or delete their data.
Under the GDPR, if you have appointed a Data Protection Officer, you must also identify them and provide their contact details.
Under laws like COPPA, which protects minors, you must include correct contact information within your privacy policy so legal guardians can protect their children’s privacy rights.
Below, see an example of where the department store Harrods puts their contact details within their privacy policy.
10 Tips for Complying With Privacy Policy Requirements
Because making a privacy policy includes balancing legal requirements, necessary clauses, and more, I’ve compiled some tips to help your business simplify compliance.
Tip 1: A privacy policy differs from terms and conditions, and you need both because they do different things. Your terms and conditions protect your business, and certain clauses and disclaimers belong in there as opposed to in your privacy policy.
Tip 2: Conduct a privacy audit of your website or app before making your privacy policy to ensure you know all pieces of data you process and where that data collection occurs.
Tip 3: Only use easy-to-read language throughout your privacy policy so it’s accessible to as many people as possible, and avoid legalese and technical jargon.
Tip 4: To ensure your consumers have easy access to relevant legal policies, put live links to those other documents in your privacy notice, including your cookie policy and terms of service agreement (and vice-versa).
Tip 5: Put a privacy policy on your website even if you don’t collect data or fall under privacy laws. People expect to see one and may assume your site isn’t trustworthy if they can’t find it.
Tip 6: Plan to post your privacy policy in multiple locations, including the footer of your website and at or before the points where data collection occurs, like payment screens or new user account creation pages.
Tip 7: You should also make a process for updating your privacy policy. You should review this document every few months and adapt it whenever your privacy protocols change.
Tip 8: While you can write a privacy policy on your own, try using a privacy policy generator or starting with a free privacy policy template to give yourself a head start — of course, if you use a generator like ours, it does all the hard work for you.
Tip 9: Don’t lie about your data processing activities or try sneaky workarounds, as this is a major issue to avoid in your privacy policy. If you get caught, the bad press and potentially hefty fines for violating laws could hurt your business.
Tip 10: Privacy policy, privacy notice, and privacy agreement all refer to the same thing, so title it however you want. Just make sure it’s very obvious to your consumers that it’s the document that explains your data processing activities.
Trust me, I’ve helped many businesses and marketing agencies create privacy policies, and following these tips will make the entire process easier for you.
Penalties for Not Complying With Privacy Policy Laws
I’ve mentioned that violating data privacy laws could lead to hefty fines and a lot of public scrutiny — well, this is where I put my money where my mouth is.
In the table below, read through the financial consequences of violating the data protection laws and regulations I mentioned in the privacy policy checklist.
| Data Privacy Law | Penalties for Violating the Law |
| --- | --- |
| General Data Protection Regulation (GDPR) | |
| The Data Protection Act (UK GDPR) | |
| Amended California Consumer Privacy Rights Act (CCPA/CPRA) | |
| California Online Privacy Protection Act (CalOPPA) | |
| Virginia Consumer Data Privacy Act (VCDPA) | |
| Connecticut Data Protection Act (CTDPA) | |
| Colorado Privacy Act (CPA) | |
| Children’s Online Privacy Protection Act (COPPA) | |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | |
| Australia’s Privacy Act of 1988 | |
| New Zealand’s Privacy Act of 2020 | |
| South Africa’s Protection of Personal Information Act (PoPIA) | |
Depending on the size of your business, not complying with these laws, even by accident, could lead to fines large enough to put your company under.
But beyond losing money, you’d also face public backlash that is arguably just as damaging to your brand as a fine.
Just check out these data privacy statistics suggesting that customers aren’t afraid to end their relationship with you if you don’t treat their personal information with respect:
- 63% of Internet users believe most companies aren’t transparent about how their data is used, and 48% have stopped shopping with a company because of privacy concerns. (Tableau)
- 33% of users have terminated relationships with companies over data. They left social media companies, ISPs, retailers, credit card providers, and banks or financial institutions. (Cisco)
The consequences just aren’t worth it. Retain more customers and avoid legal fines and bad press by publishing an honest, compliant privacy policy on your platform.
How Termly Helps Your Business Create a Privacy Policy
By this point, I’ve hopefully convinced you of how essential privacy policies are for businesses operating online.
But don’t worry, you don’t need to make your own — Termly can help do the hard work for you if you use our privacy policy generator or free template.
Termly’s Privacy Policy Generator
Let me take a second to brag about Termly’s privacy policy generator — it’s pretty great.
Our team updates it whenever new regulations enter into force (or if old ones get amended).
Whenever this happens, our customers get emailed with instructions if anything is necessary to ensure compliance with the relevant data privacy laws.
To use it, you just answer easy questions about your business, and it creates a compliant policy based on your answers that’s ready to publish on your website or app.
See a screenshot of it below.
Termly’s Privacy Policy Templates
Besides our generator, we also offer a privacy policy template that you can customize to fit any business need you can think of.
Templates require more work on your end because you have to manually fill in the blank sections with details about your business. But it’s already formatted for you and includes clauses that follow the privacy laws I’ve covered in this guide.
Below, see a screenshot of what it looks like.
Check out this massive table of guides and templates that you can rely on depending on your industry, what platform you use, or the laws relevant to your business.
Summary
Privacy policies are essential documents that help businesses comply with applicable laws and build trust by informing users about what you do with their personal data.
By following my privacy policy checklist and the tips provided above, you can make a legally compliant, comprehensive privacy policy for your business.
Make it easier by using Termly’s privacy policy generator to have your policy ready in minutes.