Bolt Image

How to Write a Privacy Policy: The Basics & Requirements

Christine Hennel

by Christine Hennel

November 24, 2021

Build My Privacy Policy
How to Write a Privacy Policy The Basics and Requirements

Writing a privacy policy on your own for a website or app is no simple task. If you want to write a good privacy policy, you must familiarize yourself with privacy laws and ensure that your document is detailed, easy to understand, and transparent.

This article will guide you through the process of writing a privacy policy. It addresses privacy policy basics, clauses to consider, where to place your policy, how to make it user-friendly, and more.

However, if you want to save time, our free privacy policy generator can help you craft a custom policy in minutes.

Table of Contents
  1. Quick Overview of Privacy Policies
  2. Significance of a Privacy Policy
  3. Fundamentals of Privacy Policies
  4. Essential Clauses in a Privacy Policy
  5. How to Make Your Privacy Policy User Friendly
  6. Where To Place a Privacy Policy on Your Website
  7. Privacy Policy Basics [Infographic]
  8. Final Words

Quick Overview of Privacy Policies

A privacy policy is a legal document that explains how a business or website collects, uses, shares, and protects users’ personal information. Personal information may include:‌

  • Names
  • Dates of birth
  • Email addresses
  • Postal addresses
  • Purchase activity
  • Geolocations
  • IP addresses
  • Payment details such as credit or debit card numbers
  • Social security or social insurance numbers‌‌

Privacy policies also need to include the reasons an organization collects personal information, details about the rights users have over their data and more.

Significance of a Privacy Policy

A privacy policy is a legal requirement under many privacy and consumer protection laws. If your business, website, or app collects personal information from users, you likely need a privacy policy.

Read on to learn about some of the laws that aim to protect an individual’s data rights.

GDPR

One of the most well-known data privacy laws is the General Data Protection Regulation (GDPR), enacted in 2018. The European Union (EU) implemented the GDPR to provide internet users rights over their data.

This set of regulations gives users more rights over how and when their data is collected. It also instills a “Privacy by Design” model in which businesses are required to consider users’ data privacy when designing their business practices, systems, and processes.

The GDPR applies to websites and apps that target European Economic Area (EEA) residents — regardless of where the website or app is located. This law has become the blueprint for many other modern data privacy laws.

CCPA

Another landmark data protection law is the California Consumer Privacy Act (CCPA), which was also enacted in 2018. The CCPA is the first comprehensive data privacy law passed by a US state. It was designed to give users living in the state of California more control over the information that businesses collect on them.

The CCPA is similar to the GDPR but is generally considered to be less restrictive. For example, both laws give users more control over the collection and processing of their data, but the GDPR has stricter rules over cookie use and user consent. You should check out our cool infographic that displays the differences between the CCPA and GDPR.

ePrivacy Directive & Regulation

Before the CCPA and GDPR, the ePrivacy Directive — also known as the EU cookie law — was the main regulator of EU internet privacy. It made sure websites obtained user consent to place non-essential cookies in their browsers. The directive is being modified so that it can become the ePrivacy Regulation (ePr), which will work in conjunction with the GDPR. However, the EU Commission hasn’t agreed upon a final text and has postponed the effort indefinitely.

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian data privacy law. It provides Canadian internet users with the right to consent to the collection of their data as well as the right to access their information and dispute its accuracy. According to PIPEDA, personal data from individuals may only be used for the purpose for which it was collected.

The fundamental principles of this law are increased accountability, identified purpose for data collection, adequate use of consent, and limits over the collection of sensitive or personal data.

Additionally, it aims to restrict the use, disclosure, and retention of personal information. The data must be safe, accurate, and should allow for individual access. Moreover, individuals must be able to challenge an organization that does not comply.

Fundamentals of Privacy Policies

Privacy policies are based on by-laws established by the U.S. Federal Trade Commission in 1998. Also known as fair information practice principles, or FIPPs, these by-laws note that privacy policies must include five fundamental aspects. They are:

  1. Notice: Consumers must be notified of an app or website’s practices regarding personal information before the information is collected from them.
  2. Choice: Consumers should be able to have a choice about personal data collection and use. Examples of this include being able to opt out of certain cookies, set cookie preferences, or decline newsletter subscriptions.
  3. Access: Consumers must have access to their personal data. A website or app’s privacy policy must state how this information can be accessed and or changed.
  4. Security: A company must protect the personal information that is collected through its websites or apps. They must also have a process to delete old data and safeguard current user data. The company’s security measures must also be disclosed in the privacy policy.
  5. Enforcement: Enforcement measures on how these principles will be implemented must be clear. Companies must also explain how they will adhere to the aforementioned clauses and how violations of these clauses may be addressed and fixed.

Now, let’s dive into what essential clauses you should include, how to make it accessible, and where to place your privacy policy.

Essential Clauses in a Privacy Policy

If you want to learn how to write a policy, this section will provide a framework for the essential clauses that are generally included in these documents. Keep in mind that you may need to include additional clauses based on the type of business or organization you’re running.

Section 1: List all of the personal information that you collect

The first section of your privacy policy should identify and list all of the personal data that your website or app collects from users. This list needs to be as detailed as possible.

You may need to review your website or app so that you understand how, when, and where user information is collected.  An audit of your site will help you identify every place where you collect data.

For example, if your website has a newsletter that requires a name and email to sign up you need to let users know about this in your privacy policy.

As an example, here’s a look at Apple’s Privacy Policy statement:

what is personal data at apple

In its privacy policy, Apple clearly states what its interpretation of personal data is and the kind of information it collects from its customers.

Section 2: Explain how the personal information collected will be used

After listing all of the information that your website or app collects from users, your privacy policy needs to explain what you plan to do with that data. This should be the second section of your privacy policy.

Spotify offers an excellent example of a coherent, user-friendly privacy policy. In it, the company displays its explanations in a table format, making it easy for users to understand the “why” behind data utilization.

spotify-user-friendly-privacy-policy

Section 3: Address privacy issues concerning children age 13 and younger

Whether your website or app is targeted towards children or not, a clause that addresses child privacy must be included in your privacy statement.

According to the Children’s Online Privacy Protection Act (COPPA), it may be illegal for your website or app to collect data from children age 13 and younger without following COPPA guidelines.

If your app targets adults, then a simple statement in your policy could suffice. But if you target children or teenagers, you likely need more information to comply with COPPA.

The Walt Disney Company’s children’s privacy policy is an excellent example of how to comply with COPPA. It is a separate privacy policy that addresses how they collect, use, and disclose children’s personal information. It also discusses how they obtain parental consent.

walt disney coppa compliance

Section 4: How personal data is protected

This section of your privacy policy should explain how you plan to protect the personal information that your website or app collects and prevent security breaches. This meets specifications by the US Federal Trade Commission’s fair information practice principles requiring that a privacy policy allocate a specific section to its security measures.

The kind of security measures that you should implement depends on how sensitive the data is and how much of it is collected. Banking and payment information, for instance, is highly sensitive and may require additional protection.‌

As an example, Visa’s social security number policy and sensitive personal information statement explains how the financial service company safeguards customer information.

visa-social-security-number-policy

Section 5: Do you share data with third parties?

Third-party tools can be essential for many purposes, including content optimization, lead generation, affiliate marketing, customer service, and site analytics. If your website or app relies on third-party tools that collect personal information from your users, this needs to be disclosed in a section of your privacy policy.

Violating GDPR’s rules on processing personal data collected via analytical tools may cost a company up to 4% of its revenue annually.

Take a look at Google’s privacy policy on third-party involvement. In it, the company mentions how it may use personal information for “external processing” through its affiliates and how it may share information for legal reasons.

google-third-party-privacy-policy-statement

Section 6: Use of cookies and tracking technologies

Most apps and websites use cookies and other tracking technologies. Cookie use must be covered in your privacy policy.

This section doesn’t need to be detailed or extensive in the privacy policy itself if you already have a separate cookie policy that includes all the details.

Uber’s privacy policy has a cookies and third-party technologies section that’s a good example of what this section should include. It also includes a link to their cookie policy, which contains more in-depth cookie information.

uber cookies and third-party technology

Section 7: How users can access and control their data

Your privacy policy should include a section addressing how your users or visitors can access the information you collect. This falls in line with GDPR and CCPA guidelines, which have given users control over their personal information.

As an example, Shopify’s privacy policy informs its users on how they can access, transfer, change, or delete their personal information. You may also wish to link to your Data Subject Access Request (DSAR) form in your privacy policy. A DSAR form allows your users to submit requests to access, edit, transfer, or delete their personal data.

shopify your rights over your information

Section 8: Policy changes

Over time, you may need to change and update your privacy policy for a variety of reasons, including when your company’s practices change or if privacy laws are updated. When this happens, you need to notify your users. This section of your privacy policy should explain how and when you’ll notify users about policy changes.

The eighth section of Instagram’s data policy, for example, lets users know it will notify them before changes are made, allowing them to review the changes and decide if they want to keep using the platform and its products.

instagram-notification-of-privacy-policy-update

Supplementary clauses

In addition to the eight sections we just discussed, you may also want to include additional clauses. These could include the following:

  • A communications clause.‌ Specify and explain all the ways that your website visitors or app users can contact you. If your website has a chatbox, for example, let your visitors know that contact information includes personal information, like their name and an email address, that will be collected as part of the communication process.
  • A business transfer clause.‌ As a preventative measure, it may be a good idea to add a business clause to reduce your liabilities in case you ever decide to sell your company. This lets website visitors and app users know that their personal data may be forwarded to a new owner if this happens.

How to Make Your Privacy Policy User Friendly

According to researchers at Carnegie Mellon University, if the average American were to read every privacy policy that they encounter annually, it would take them up to 76 days to do so.

Over the years, companies have tried their best to shorten lengthy, dense privacy statements that have been difficult to understand. This effort follows guidance by the GDPR, which states that a privacy policy must be worded “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”

Here are a few steps that you can take to make your privacy policy user-friendly.‌

Include a table of contents

A table of contents helps users navigate the privacy policy. By noting each section title, a user can skip around and read the topics that most concern them.

As an example, LinkedIn’s privacy policy includes a concise table of contents.

linkedins-privacy-policy-table-of-contents

Make section headings clear

‌To ensure easy navigation, use the standard, basic terms that are generally used in privacy policies. The headings in LinkedIn’s privacy policy, for example, are all plainly worded and easy to understand. You could also consider including section summaries at the beginning of each section.

Use clear and plain language‌

Not all of your users will be familiar with legal or technical jargon. For this reason, your privacy policy must be easy for users to follow and understand, so avoid legalese.

Use relevant resources

Online resources can prove instrumental if you’re learning how to write a policy. Termly’s Privacy Policy Generator tool, for example, can help ensure that your privacy statement meets all the necessary criteria. You can also consider using a privacy policy template that can help you learn how to write a privacy policy.

Where To Place a Privacy Policy on Your Website

Your privacy policy must be easy to find and access. It should be prominently displayed on your website or be accessible through your app. The policy must be made available to users before they share their data on the site or app.

Most companies tend to include a link or button to their legal policies in their website’s footer. You should make sure the font is clear and easy to distinguish from the background.

If you happen to be a WordPress user, then their interface makes it easy for you to link to your WordPress privacy policy in multiple places on your site.

If you’re required to comply with laws such as the GDPR, then you may have to provide a link to your site’s privacy policy at every point where data is collected. This is because, according to GDPR consent obligations, certain types of data require consent to your privacy policy.‌

Privacy Policy Basics [Infographic]

If you don’t have the time to read the full guide on how to write a company privacy policy, get the basic information through our infographic below:

termly's privacy policy basics infographic

6. Final Words

We’ve offered insights, tips, and guidance to help you write your privacy policy. But if you’re learning how to write a policy so you can draft it on your own, we strongly recommend getting in touch with legal experts to ensure the legal validity and adequate protection of your document.

If you want to create a privacy policy that’s more customized than what a generator can offer, we suggest you consult an attorney to make sure your privacy policy enjoys maximum legality.

However, it is possible to create your own policy. For an easy start, you can download one of our generic privacy policy templates:

Privacy Policy Description
Website Privacy Policy Template A standard privacy policy for basic websites and blogs.
GDPR Privacy Policy Template A GDPR-ready privacy policy for any online business.
Mobile App Privacy Policy Template A privacy policy for apps on the App Store and Google Play.
Ecommerce Privacy Policy Template A privacy policy built specifically for online eCommerce stores.
Email Marketing Privacy Policy Template A privacy policy for email newsletters and email marketing.
Christine Hennel
More about the author

Written by Christine Hennel

Christine is a product specialist and writer for Termly. She writes support articles, user FAQs, and documentation for Termly’s policy generators and cookie consent manager. More about the author

Related Articles

Explore more resources Explore more resources