Writing a privacy policy for a website or app is not for the faint of heart.
Privacy policies are legally-binding agreements that must disclose your data collection practices, comply with applicable privacy laws, and be presented in a way that’s easy to read and understand.
If you leave something out — even accidentally — you could face hefty legal fines and lose the consumer trust you’ve worked so hard to foster and maintain.
Our guide will walk you through how to write a privacy policy for your website or app and address what clauses to include, where to post your policy, how to make it user-friendly, and more.
- What Is the Purpose of a Privacy Policy?
- Can You Legally Write Your Own Privacy Policy?
- Privacy Policy Solutions
- Step-by-Step Guide To Writing Your Privacy Policy
- How to Outline and Prepare Your Privacy Policy
- What Clauses Your Privacy Policy Should Contain
- What to Avoid Putting in a Privacy Policy
- Tips for Writing a Good Privacy Policy
- Displaying Your Privacy Policy
- Summary
What Is the Purpose of a Privacy Policy?
The purpose of a privacy policy is to explain how a business collects, uses, shares, and protects users’ personal information and explains what control users have over that data.
These policies help build trust with your consumers by showing transparency and honesty. If they can’t find one on your website, they might assume you’re hiding your privacy practices and shop elsewhere.
Privacy policies are also legally required under data privacy regulations like the:
- General Data Protection Regulation (GDPR)
- Amended California Consumer Privacy Act (CCPA)
- California Online Privacy Protection Act (CalOPPA)
- Virginia Consumer Data Protection Act (CDPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
While the definition of personal information varies under each piece of legislation, it typically includes things like:
- Names
- Dates of birth
- Email addresses
- Postal addresses
These laws also account for a category of data called sensitive personal information, which is subject to stricter legal guidelines.
Significance of a Privacy Policy
If your website or app collects personal information from users, you’re likely required by data privacy laws to post a privacy policy on your platform.
Read on to learn about some of the specific pieces of legislation from around the globe that impact your privacy policy.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) provides internet users in the European Union (EU) with rights over their data. But it also outlines obligations for businesses that impact your privacy policy.
This set of regulations instills a “Privacy by Design” model in which businesses must consider users’ data privacy when designing their business practices, systems, and processes.
Under the GDPR, your privacy policy must explain:
- What data you collect
- How it’s collected
- Why you’re collecting the data
- Who the information gets shared with, and
- What legal basis you have for collecting the data
- All rights consumers have under the GDPR
- How they can act on those rights
Amended California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) was officially amended by the California Privacy Rights Act (CPRA) on January 1, 2023, and together they make up one piece of legislation.
The CCPA gives California consumers more control over the information that businesses collect and how that data gets used, and it also impacts your privacy policy.
To write a complaint CCPA privacy policy, it must state:
- What data you collect
- How it’s collected
- Why you collect each category of data
- Who it’s shared with or sold to
- List all rights consumers have under the CCPA
- Give users access to Data Subject Access Request (DSAR) forms
You must also give users access to a “Do Not Sell or Share My Personal Information” and a “Limit the Use of My Sensitive Personal Information” link.
California Online Privacy Protection Act (CalOPPA)
The California Online Privacy Protection Act (CalOPPA) requires you to have a privacy policy on your site and likely impacts your business.
This law obligates any website with visitors from California to post a privacy policy that:
- Includes the ‘effective’ date
- Explains the types of personal information you collect and how users can opt out of the collection
- Informs users how to request to review or delete their information
- Outlines your process for communicating changes to the privacy policy with your consumers
- Says if the information is shared with any third parties
- States if “Do Not Track” (DNT) requests are honored or not
CalOPPA works alongside the amended CCPA to provide comprehensive privacy rights for California consumers.
Virginia Consumer Data Protection Act (CDPA)
Virginia passed the Consumer Data Protection Act (CDPA), which gives consumers rights over their personal data and outlines obligations for businesses.
This law requires businesses to give a privacy notice to consumers, another name for a privacy policy.
It must specify all of the following:
- The purpose for processing personal data
- Categories of data processed
- Categories of data shared with third parties
- Categories of data sold to third parties
- Discloses categories of third parties themselves
- How consumer requests can be submitted
- A mechanism for appealing decisions related to consumer requests
- Clearly discloses the processing of personal data for targeted advertising
- Provides the right to opt out of processing data
ePrivacy Directive & Regulation
Before the GDPR, the ePrivacy Directive — aka the EU cookie law — was the primary regulator of EU internet privacy. It ensured websites obtained user consent to place non-essential cookies in their browsers.
How does this impact your privacy policy?
Under this law, in tandem with the GDPR, cookies legally qualify as personal information and are subject to the same strict guidelines as all other personal data.
Personal Information Protection and Electronic Documents Act (PIPEDA)
The data privacy law impacting privacy policies in Canada is called the Personal Information Protection and Electronic Documents Act (PIPEDA). It provides Canadian internet users with the right to consent to the collection of their data and access their information and dispute its accuracy.
You must also inform them about your data collection practices, which are disclosed in a privacy policy.
According to PIPEDA, personal data from individuals may only be used for the original purpose it was collected.
Some of the fundamental principles of this law are:
- Increased accountability
- Identified purpose for data collection
- Adequate use of consent
- Limits over the collection of sensitive or personal data
Fundamentals of Privacy Policies
Ready for a bit of privacy policy history? Privacy policies are based on by-laws established by the U.S. Federal Trade Commission in 1998.
Also known as fair information practice principles (FIPPs), these by-laws note that privacy policies must include five fundamental aspects:
- Notice: Consumers must be notified of a platform’s practices regarding personal information before it’s collected from them
- Choice: Consumers should be able to have a choice about personal data collection and use
- Access: Consumers must have access to their personal data
- Security: A company must protect the personal information it collects, have a process to delete old data, safeguard current user data and disclose its security practices in a privacy policy
- Enforcement: Enforcement measures on how these principles will be implemented must be made clear
Many laws and regulations have updated these guidelines since 1998, but the basic principles still make up the foundation for data privacy in the US.
Can You Legally Write Your Own Privacy Policy?
Yes, you can legally write your privacy policy for your website or mobile app. You’re not required to consult a lawyer when making this policy for your platform.
Plenty of laws and regulations around the world dictate the following aspects of your privacy policy:
- What goes into it
- Where you post it
- How you ask for consumer consent
- When you share it with your users
- How you share it with your users
But nothing regulates how you create the document itself. As long as it’s legally compliant, you can write your policy on your own or even have someone else do it.
Privacy Policy Solutions
You can make a privacy policy for your platform in a few different ways. For example, you might:
- Use a managed solution
- Try a free template
- Take a do-it-yourself approach
Let’s cover each option in greater detail.
Managed Solution
Managed solutions, like our Privacy Policy Generator, are the quickest and easiest ways to make a legally compliant policy for your business.
These documents cover a lot of complex information and take a long time to make. They also are subject to legal requirements under different data privacy regulations. Our generator speeds up and simplifies those processes for you.
All you do is answer a few questions about your business, and it creates a compliant privacy policy for you.
See a screenshot of our Generator below.
Made by our legal department and data privacy experts, our Privacy Policy Generator works for mobile apps and websites and complies with the following data privacy legislation:
- General Data Protection Regulation (GDPR)
- The Data Protection Act 2018 (UK GDPR)
- Amended California Consumer Protection Act (CCPA)
- California Online Privacy Protection Act (CalOPPA)
- Virginia Consumer Data Protection Act (CDPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
Use a Template
For a free and easy option, try using a privacy policy template. Templates already have the initial writing and formatting done for you.
Our free one features the most common clauses, which you can customize by filling in the blanks with details about your website or app.
See an example of what our template looks like in the screenshot below.
Our legal team and data privacy experts also vetted our template, and it features clauses you can customize that are compatible with the same regulations as our Generator.
It’s also written in a clear, straightforward way that avoids legalese and jargon.
Write Your Own Privacy Policy
You can also write your privacy policy yourself; the rest of this guide will help teach you how.
This is the most challenging way to make a privacy policy, but it’s ideal for businesses that:
- Have access to a legal department or data privacy experts
- Require unique or non-standard clauses
- Are familiar with data privacy legislation and requirements
Writing your own privacy policy is a challenge that shouldn’t be taken lightly. Your business’s legal compliance is at stake.
But with the proper technical skills and knowledge about data privacy laws, you can write this document independently.
Step-by-Step Guide To Writing Your Privacy Policy
To help you write your privacy policy, we’ve outlined a few steps you should take to ensure the document is effective and legally compliant.
How to Outline and Prepare Your Privacy Policy
Before you begin writing your privacy policy, it’s a good idea to create an outline to organize and streamline the process. Think of this part as laying out the foundation for your agreement.
To create an outline for your privacy policy:
- First, determine how you want to format and organize your policy, like using a traditional table of contents or a frequently asked questions (FAQ) style
- Then, list all clauses in a logical, orderly way — for example, put what data you collect closer to the top of the document since that’s vital information most users are looking for
- Next, ensure you’re using a font type, color, and size that’s readable and easy to see on digital screens
- Also, ensure you use simple, straightforward language throughout the entire document and avoid unnecessary jargon or legalese
- Finally, double and triple-check that you’ve covered all relevant business obligations under any regulations that apply to your business
Once you’ve created your outline, you’re ready to write. But first, let’s discuss the most common clauses that appear in privacy policies and how you should approach each one.
What Clauses Your Privacy Policy Should Contain
To help you properly draft your privacy policy, we’ve outlined the most common clauses that typically appear in these agreements and provided tips for writing each section.
While we’ve tried to be as thorough as possible, remember that you may need to include additional clauses based on your business or organization.
Introduction
The first part of your privacy policy is the introduction, where you introduce your company, explain to whom the policy applies, and define the terms you plan on using throughout the agreement.
Be very transparent in your introduction to properly set your users’ expectations and double-check that all the details are accurate and current.
Below, see a great example of how Spotify, the music streaming service, writes their intro clause in their privacy policy.
What Personal Information You Collect
The first significant clause you write in your privacy policy should identify all of the personal data that your website or app collects from users.
Make this list as detailed as possible. If you leave something out, you could get into trouble with data privacy legislation like the GDPR or the amended CCPA.
Consider reviewing your platform so that you understand how, when, and where user information is collected. An audit of your site can help identify the places where you collect data.
Below, see an example of how tech giant Apple writes this clause in their privacy policy.
How You Plan To Collect The Data
You also need to tell your users how you plan to collect personal data, like filling out digital forms, using payment screens, or even through internet cookies or other trackers.
Be thorough with this clause, but remember to use clear and simple language, so it’s accessible to as many readers as possible.
Check out how the Walt Disney Company clearly writes this clause in their privacy policy.
Your Legal Basis for Collecting the Data
Regulations like the GDPR require you to have a legal basis for collecting personal information from your users, and you must explain as much in your privacy policy.
So with each category of data you collect, you also must outline your reasons for why it’s necessary.
Below, see a GDPR-compliant version of this clause as it appears in Spotify’s privacy policy, which they organize into a table.
How You Use the Personal Information
After listing all of the information your website or app collects from users, your privacy policy needs to write a clause explaining how you plan to use the data.
Because this impacts your legal compliance, consider formatting these details into a table so users can find answers more easily.
For example, Apple uses a simple bullet list in this clause in their privacy policy, shown below.
If You Share or Sell Personal Information
Regulations like the GDPR and the amended CCPA obligate you to inform consumers if you share their personal information with third parties. Write those details in a clause in your privacy policy.
Below, see a sample of how Google writes this clause in their privacy policy and notice that they avoid using large walls of text.
Address Privacy Issues for Children or Minors
Whether your website or app is targeted towards children or not, a clause that addresses child privacy must be included in your privacy statement.
If your platform is not made for children, then a simple statement in your policy could suffice. But if you target minors under 18, you need more information to comply with the Children’s Online Privacy Protection Act (COPPA).
Otherwise, it may be illegal for your website or app to collect data from children aged 13 and younger.
Below, see a sample of how the Walt Disney Company writes this clause in their privacy policy, which links to their entirely separate Children’s Privacy Policy.
Outline Your Users’ Privacy Rights and How to Act on Them
Under laws like the Virginia CDPA and amended CCPA, you must clearly explain to your consumers their rights over their data, so put those details in a clause in your privacy policy.
You might choose to title this clause based on the specific region it applies to, like:
- Virginia consumer privacy rights
- California consumer privacy rights
These are standard clauses in your privacy policy, so when you write this section on your own, you can use the example below from Google’s privacy policy to help guide you.
How Users Can Access and Control Their Data
You should write a clause in our privacy policy addressing how your users or visitors can access the information you collect. This aligns with guidelines from the GDPR and the amended CCPA, which gives users more control over their data.
See an example of how to write this part of your privacy policy based on ridesharing company Uber’s clause.
You can even link to a Data Subject Access Request (DSAR) form directly in your privacy policy, allowing your users to submit requests to access, edit, transfer, or delete their personal data.
Explain Your Safety and Security Practices Regarding Data Storage
Data privacy laws like the GDPR and the amended CCPA put the responsibility on business owners to keep personal information safe from data breaches and cybersecurity hacks. Plan to write about your security practices in a clause in your privacy policy.
The kind of security measures you should implement depends on how sensitive the data is and how much of it is collected.
For example, see how credit card company Visa writes this clause in their privacy policy.
Data Retention Information
Some data privacy laws dictate how long you must retain your users’ personal information, like the CDPA and the GDPR, so include a clause following those obligations if they apply to your business.
Below, see how Google writes their data retention clause in their privacy policy.
Your Use of Cookies and Other Trackers
Most apps and websites use cookies and other tracking technologies, which qualify as personal information under regulations like the amended CCPA and the GDPR. So your cookie use must be covered in your privacy policy or a separate cookie policy.
This section doesn’t need to be detailed or extensive in the privacy policy. Instead, just link to your cookie policy.
See a sample of how Uber writes this clause in their privacy policy below.
Address Changes to Your Privacy Policy
Some data privacy laws require you to inform your users about your process for updating them about changes to your privacy policy, which must be written as a separate clause.
For example, the CPRA amendments to the CCPA require you to update your policy once every 12 months.
You may need to change or update your privacy policy for various reasons, including when your company’s practices adapt or if privacy laws are updated.
This time, look at a sample of how social media company Instagram, owned by Meta, writes this clause in their privacy policy.
Links to Other Policies
It’s a business best practice to link to other relevant legal and website policies within your privacy policy, primarily your:
Because all these agreements are closely related and you want to ensure your users can easily find and read each one, linking them within one another provides another means for accessibility.
Below, see an example of how Spotify links to their terms and conditions within their privacy policy.
International Data Transfers
If you transfer data internationally, you must write a clause in your privacy policy abiding by EU legislation like the GDPR.
Below, we’re using Spotify as our privacy policy example again, because we like how straightforward they write this part of their agreement.
It’s also a good idea to include live links in your privacy policy like how Spotify does it in the above example.
Business Clause
As a preventative measure, it’s a good idea to add a business clause to reduce your liabilities in case you ever decide to sell your company.
To write this clause, just let people know that their personal data may be forwarded to a new owner if you ever sell your platform.
Below is a great example of how Visa writes this clause in their privacy policy.
Contact Information
At the end of your privacy policy, list one or two ways your customers can contact you if they have questions about the agreement.
Keep this clause short and simple. Just ensure the details you provide are up to date.
See how Spotify writes this clause in their privacy policy in the example below.
What to Avoid Putting in a Privacy Policy
Now that you know what goes into your privacy policy, let’s briefly discuss a few things you should avoid adding to your agreement.
- Don’t use confusing language. Legally, your privacy policy must be written in a way that’s easy to understand, so avoid putting any jargon or legalese in your agreement.
- Don’t leave details out. Avoid leaving out details or information on purpose, as this could get you into trouble with the law, plus you’ll lose the trust of your consumers.
- Don’t set it and forget it. For proper legal compliance, your privacy policy must be reviewed and evaluated regularly (once every 12 months under the amended CCPA), so avoid posting it on your site and then forgetting to recheck it.
- Don’t copy someone else’s privacy policy. Copyright laws protect these documents, so copying someone else’s policy is plagiarism, it also will not accurately reflect your business’s privacy practices, leaving you at risk.
Tips for Writing a Good Privacy Policy
Now that you know how to make your outline and pick the proper clauses to include in your privacy policy for legal compliance, let’s discuss some basic tips for making your policy stand out:
- Make it easy to agree to
- Make it easy to find
- Make it easy to read
- Avoid copying and pasting
- Set clear customer expectations
- Use your brand’s voice and tone
- Avoid using harsh language
- Be honest and actionable
Let’s go over each of these tips in a little more detail.
Make it Easy to Agree to
When you post your privacy policy on your website, make it very easy for users to agree to it or withdraw their consent from it.
Not only does this help you comply with the opt-in and opt-out consent requirements outlined by various data privacy regulations like the GDPR or the CDPA, but it also gives your users more control over how their information gets used.
Make it Easy to Read & Understand
Legally, you must present your consumers with a privacy policy written in clear, concise language free from confusing jargon and unnecessary legalese.
Plus, you worked hard writing the policy and want as many users as possible to understand and agree to it.
Avoid Copy & Pasting
Whatever you do, don’t copy and paste someone else’s privacy policy. Not only is that plagiarism, as these are copyright-protected documents, but it also won’t accurately apply to your business’s privacy practices.
This leaves you at risk under different data privacy regulations, and you could face significant fines and lose customer trust.
Free templates, policy generators, and other resources exist, so you don’t have to resort to high-risk practices.
Set Clear Guidelines & Expectations
When writing your privacy policy, be mindful of setting clear guidelines and expectations for your consumers to foster a relationship of trust.
Let them know clearly what data you collect and why it’s essential. Remind them that this process benefits both of you in the long run — it helps you understand your consumers more, and as a result, they get a better overall experience accessing your resources.
What you expect from customers
Collecting personal information from your consumers is a two-way street, so let them know what information you require most to offer them even better services, goods, and resources.
By transparently explaining to your customers that you expect them to share specific details about themselves to enhance their overall experience, they may be more likely to share that information with you actively.
88% of users say their willingness to share personal information depends on how much they trust the company (PwC).
Assuming you act within the boundaries of relevant data privacy laws, this honesty can go a long way with your consumers.
What customers can expect from you
You should also clearly explain to your users what they can expect from you because they share their personal information with your business.
Over 80% of internet users would share personal data directly with a brand to personalize marketing messages (Vision Critical).
So let them know if their data contributes to product updates, new research, or more personalized offerings and suggestions.
Match Your Brand’s Voice
One benefit of writing your privacy policy yourself is that you get to control the tone and voice of the entire agreement, so make it match the rest of your brand.
Not only does this provide cohesion and brand awareness, but it also helps users automatically associate the policy with your business.
Just remember, a legally compliant privacy policy needs to be written in an accessible way so everyone can read and understand it.
Avoid harsh language
Try not to use harsh, overly serious, or inappropriate language in your privacy policy, as this may confuse, upset, and even turn away some users.
This policy explains your privacy practices to your users and their rights over that information. So keep that as the primary focus when writing, no matter how the rest of the process makes you feel.
Since it’s a direct reflection of your brand, ensure you write in a way that’s both professional and compliant with the relevant data privacy regulations.
Be Honest and Actionable
You must be honest in your privacy policy and genuinely follow through on your protocols, both for compliance reasons and because it’s the right thing to do.
Be transparent about the data you collect, tell the truth about how it’s used, and avoid making any false promises.
Just consider some of these shocking data privacy statistics showcasing consumers’ desires for companies to use more transparency:
- 76% of users believe companies must do more to protect their data online (Global Consumer State of Mind Report 2021)
- 92% of Americans are concerned about their privacy when using the Internet. (TrustArc)
- 33% of users have terminated relationships with companies over data. They left social media companies, ISPs, retailers, credit card providers, and banks or financial institutions. (Cisco)
Displaying Your Privacy Policy
Legally, your privacy policy must be easy to find and access, and under specific laws, you either need to get opt-in consent or provide a way for users to opt out of consenting to your policy.
- When it comes to posting your privacy policy, we recommend the following places:
- Website or app footer
- New user account creation pages
- Payment Screens
- Privacy Centers
Let’s go over why each place is important to link to your privacy policy in greater detail.
Website or App Footer
The footer of your website or app are static parts of your platform that users can always see, so they’ll have quick and easy access to a link to your privacy policy.
Below, see how Tesco links to their privacy policy in the footer of their website.
New User Account Creation Page
Before someone signs up as a new user for your service, which is a process that usually involves data collection, give them a link to your privacy policy so they can read it and choose if they want to proceed or not.
Below, see how Spotify does it when someone signs up for their services for the first time.
Payment Screens
Payment screens are another place where websites often collect user information, so add a link to your privacy policy so your consumers can choose if they agree to your policies or not.
In the screenshot below, see how Best Buy links to their privacy policy on their payment screen.
Privacy Center
There are lots of website policies and legal agreements you want your users to access easily, so consider hosting all of them on a single page on your website and calling it a privacy center.
Below, see a screenshot of Spotify’s privacy center, which includes a link to their privacy policy as well as other relevant agreements.
For some extra support, we made a guide to help you make a privacy center for your own website.
But before we conclude, let’s briefly talk about how to properly request consent for the privacy policy you worked so hard on writing.
Consent and Your Privacy Policy
Under different data privacy laws, you must obtain certain kinds of consent from your consumers to legally collect and process their personal information.
For example, the GDPR requires you to get consumers’ active, explicit opt-in consent before any data collection occurs. Many websites use the clickwrap method for consent, which is when you prompt users to select a checkbox to denote agreement with your policy.
Below, see an example of how clothing retailer American Eagle Outfitters uses the clickwrap consent method to prompt people to opt-into agreeing to their privacy policy.
Other laws, like the amended CCPA, require you to give users a way to opt out of having their information used or processed for specific purposes. To do this, you must provide compliant “Do Not Sell or Share My Personal Information” links and give them access to a DSAR form.
You can also start honoring your users’ consent preferences on their browsers.
See an example of a compliant “Do Not Sell or Share My Personal Information” link as it appears in the footer of Disney’s website.
Summary
You are now prepared to write your very own privacy policy — make sure it follows relevant data privacy laws, is written in a straightforward way, and is posted in multiple easy to find locations throughout your platform.
Depending on your technical experience and data privacy knowledge, you may want a legal expert to review the privacy policy you wrote to verify its legal validity.
However, it is possible to make the policy entirely on your own policy. For an easy jump start, download one of our generic privacy policy templates:
| Privacy Policy | Description |
| Website Privacy Policy Template | A standard privacy policy for basic websites and blogs. |
| GDPR Privacy Policy Template | A GDPR-ready privacy policy for any online business. |
| Mobile App Privacy Policy Template | A privacy policy for apps on the App Store and Google Play. |
| Ecommerce Privacy Policy Template | A privacy policy built specifically for online ecommerce stores. |
| Email Marketing Privacy Policy Template | A privacy policy for email newsletters and email marketing. |
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
