Writing a privacy policy on your own for a website or app is no simple task. In order to meet the strict requirements of privacy laws, like the GDPR, you’ll need to ensure that your policy is detailed, comprehensible, and transparent.
In this article, we’ll cover the principles and the required clauses for every privacy policy, as well as tips on where to place your policy and how to make it user-friendly. However, if you want to save time, our free privacy policy generator can help you craft a custom policy in minutes.
1. The 5 Core Principles of Every Privacy Policy
The foundation of every privacy policy begins with the Fair Information Practice Principles. In 1998, the FTC found that there were five core principles of privacy protection that were common in privacy policies in most countries. These five principles are:
- Notice: Consumers should be made aware of a website’s data collection and processing practices before any personal information is collected from them.
- Choice: Consumers should have a say in how their personal information is used. A privacy policy should inform users how they can opt-out of secondary data processing activities (e.g. newsletters).
- Access: Consumers should have the ability to access the data collected from them to ensure it is accurate and complete. Privacy policies should provide instructions on how users can access their information and correct any inaccuracies.
- Security: Businesses must take reasonable steps to protect user data and have a process for deleting old data. A privacy policy should detail a business’s security measures.
- Enforcement: In order for businesses to adhere to these principles, there must be enforcement measures. Privacy policies should offer a simple way for consumers to have their privacy concerns addressed, and to remedy violations.
With these principles in mind, let’s explore the key clauses to include in your privacy policy, tips to make your policy user-friendly, and where you should put your policy on your website.
2. Required Clauses for a Privacy Policy
Below, we outline the basic clauses that are legally required for privacy policies. Keep in mind that your specific business may require additional clauses depending on your website’s data collection and processing activities.
Section 1: What type of information do you collect?
Privacy policies almost always begin by explaining the types of data that a website or app may collect from users. It’s important that you are as detailed as possible with the data you collect.
You’ll likely need to conduct an audit of your site to pinpoint exactly where/when you acquire visitor data (e.g. account signup, newsletter subscription, contact form) and what data you collect at each collection point.
Spotify’s privacy policy is a great model for how you should structure this section:
Not only does Spotify organize the personal data into categories – making it easier for readers to clearly understand what information is being collected – but they also offer details on when the data is collected and if it’s required or optional.
Section 2: How do you use personal information?
After you list the information you collect and process, the next section of your policy should explain what you do with visitor data.
As you’ll see in the NBA’s privacy policy below, it provides the broad purposes for data processing and then lists the specific ways data is used.
Section 3: How do you protect personal information?
As one of the five Fair Information Practice Principles mentioned earlier, a site’s security measures should be specified in its own section. The required security measures you’ll need to have in place will depend on the amount of data you collect, and its sensitivity.
PayPal explains that they use things like firewalls, data encryption, physical access controls, and information access authorization controls.
Section 4: Do you share data with third parties?
It’s common to use third-party tools to help with things like content optimization, affiliate marketing, lead generation, customer service, and analytics. If you share data with third-party service providers, then you must disclose this in your privacy policy.
Section 3 of Twitter’s privacy policy includes a paragraph on the types of service providers they use and the kinds of data they share.
Inappropriate processing of personal data collected through analytics tools can cost your company up to 4% of its annual revenue in GDPR fines. Our Google Analytics GDPR guide provides actionable steps for complying with the GDPR.
Section 5: Do you use cookies and tracking technologies?
Almost every website uses cookies in some capacity – most of the time for advertising and analytics. Since cookies can collect personal information from website visitors, they should be mentioned in your privacy policy if you use them.
However, the cookies section of your privacy policy does not have to be too extensive, as the nitty-gritty details will be reserved for a separate cookie policy.
Use our free cookie consent manager to scan your website for cookies and generate a custom cookie policy and consent banner.
As you can see in Uber’s privacy policy below, they simply mention that cookies are used and list their purposes.
Like most privacy policies, Uber’s also links directly to its cookie policy for users that desire more details.
Section 6: How can users control their data?
With the passing of privacy laws such as the GDPR and CCPA, giving users control over their data has become a key concern for online businesses. Therefore, privacy policies have become instruction manuals for how users can exercise their data rights.
As Shopify does in its privacy policy, you should include the steps that users can take to access, change, transfer, or delete their information.
Section 7: How will you notify users of policy changes?
From time to time, you may need to update your privacy policy. Depending on the significance of the update, users may have the right to be informed of the changes.
For a great example of how to address policy updates, check out Google’s privacy policy.
Google assures users that updates will never reduce their rights without consent. The policy also lets users know that if changes are significant, users will receive a notice via email.
3. How Can You Make Your Policy User-Friendly?
Two researchers at Carnegie Mellon found that if the average American were to read every privacy policy they encounter in a year, it would take a total of 76 days.
While privacy policies have historically been long, dense, and difficult to understand, companies are opting for more user-friendly privacy statements in order to better quell customer concerns over data. For some online businesses, it has even become a necessity. Article 12 of the GDPR states that information should be presented “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
If you want to make your policy more user-friendly, here are a few steps you can take:
Implement a table of contents
A table of contents allows users to easily navigate your policy. Even the most transparent and concise policies can get lengthy – making it a nuisance for users to quickly find what they are looking for. That’s why we include a table of contents in our own privacy policy:
Make your section headings clear
We find that an FAQ format works best, as most users visit privacy policies with questions in mind.
Once again, this is something we’ve implemented in our own policy, as you can see in the example above.
Add section summaries
Giving users the tl;dr on each section of your policy allows them to easily skim your policy and cut through the legal jargon on their own. LinkedIn does a great job of this in their privacy policy:
Use clear and plain language
Legalese could be harmful to your legal compliance efforts and your customer relations. Instead, use plain language and be as clear as possible.
We updated our generator to reflect these user-friendly implementations, so our customers’ policies have these features built right in! Check out all the improvements you can find in the new universal privacy policy.
4. Where to Put a Privacy Policy on a Website?
Your policy must be posted on your company or organization’s website in an easy-to-find location. The policy must be readily available to all visitors to the website, rather than just to visitors who have already submitted information or had data collected.
Many companies choose to include a direct link in the footer – allowing it to appear on any every page of their website. Make sure that the link font isn’t tiny, and that it doesn’t blend in with the footer’s background.
Depending on the type of data you collect, and if you need to comply with laws like the GDPR, you may need to get consent to your privacy policy (read more about GDPR consent requirements if you aren’t sure this applies). If that’s the case, you’ll need to link to your privacy policy at every point of data collection.
For instance, when you sign up for a Termly account, you’ll notice that we link to our terms and conditions and privacy policy before you complete the signup:
You should also be linking to your site’s terms alongside your privacy policy. If you don’t yet have this important document, use our terms and conditions generator to create one in minutes.
Final Words
While some business owners choose to write their own privacy policies, we strongly advise that you use professional assistance when creating legal documents to ensure adequate protection and legal validity. If you want to make a policy more customized than what a generator can offer, we recommend you consult with an attorney to make sure your privacy policy enjoys maximum legality.
However, it is possible to create your own policy. For an easy start, you can download one of our generic privacy policy templates:
| Privacy Policies | Description | Template Download |
|---|---|---|
| Website | A standard privacy policy for basic websites and blogs. | |
| Mobile App | A privacy policy for apps on the App Store and Google Play. | |
| GDPR | A GDPR-ready privacy policy for any online business. |
jay jain
this is very helpful information for me …all aspects are covered