How To Write a Privacy Policy in 9 Easy Steps

Written by: Natasha Piirainen | Updated on: May 6, 2026

Reviewed by: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Director of Global Privacy @ Termly


In this guide, I walk you through how to write a privacy policy for your website or app in 9 easy steps and address what clauses to include, where to post it, how to make it user-friendly, and more.

Table of Contents
  1. Step-By-Step Guide To Writing Your Privacy Policy
  2. How to Outline and Prepare Your Privacy Policy
  3. How To Write Each Clause In Your Privacy Policy
  4. What To Avoid Putting in a Privacy Policy
  5. Tips for Writing a Good Privacy Policy
  6. Where Should You Display Your Privacy Policy?
  7. What Is the Purpose of a Privacy Policy?
  8. What Privacy Laws Impact How You Write a Privacy Policy?
  9. Can You Legally Write Your Own Privacy Policy?
  10. Other Privacy Policy Solutions
  11. Conclusion & Additional Resources

Step-By-Step Guide To Writing Your Privacy Policy

To help you write your privacy policy, I’ve outlined a few steps you should take to ensure the document is effective and legally compliant.

Step 1: Understand Which Data Privacy Laws Impact You

First, take the time to verify what data privacy legislation applies to your business and familiarize yourself with all guidelines and legal obligations that affect your privacy policy and practices.

Step 2: Perform A Privacy Audit

Then perform a thorough privacy audit on your platform to determine and record every piece of personal information you collect from users, including through internet cookies or other trackers.

Step 3: Determine All Categories of Personal Information You Collect

Next, determine which categories of personal data you collect under the data privacy regulations your business must follow.

This may include sensitive personal information, which is subject to stricter rules under laws like the amended CCPA and the CDPA.

Step 4: Determine and Explain Why You Collect Personal Data

You now need to determine and record why you collect each piece of personal data, and that reason must map to a recognized legal basis if you fall under regulations like the GDPR.

Step 5: State How You Collect Personal Data

Afterward, you also must note how you plan on collecting each piece of personal data and explain those practices clearly and straightforwardly in your privacy policy.

This might include collecting data by placing internet cookies on browsers, getting data from consumers through internet forms, or collecting publicly available information.

Step 6: Explain How You Use the Personal Data

Under legislation like the GDPR and amended CCPA, you also need to state how you use personal data, including if it’s shared or sold to any third parties, so clearly describe if this is the case or not.

Step 7: Mention Safety and Security Practices

You also must include a clause in your privacy policy explaining how you keep your users’ personal information stored safely and securely, per regulations like the GDPR and the amended CCPA.

Step 8: Describe How You’ll Communicate Privacy Policy Updates

You need to inform people about your process for making changes to your privacy policy and how you’ll notify your consumers, so add a clause covering this to your privacy policy.

Step 9: Add Other Relevant Clauses As Necessary

Finally, take the time to verify that you properly added every applicable clause necessary to your privacy policy, and fill in any missing gaps you might find.

I include a list of privacy policy clauses you can include a little further below.

How to Outline and Prepare Your Privacy Policy

Before you begin writing your privacy policy, it’s a good idea to create an outline to organize and streamline the process. Think of this part as laying out the foundation for your agreement.

To create an outline for your privacy policy:

  1. First, determine how you want to format and organize your policy, like using a traditional table of contents or a frequently asked questions (FAQ) style
  2. Then, list all clauses in a logical, orderly way — for example, put what data you collect closer to the top of the document since that’s vital information most users are looking for
  3. Next, ensure you’re using a font type, color, and size that’s readable and easy to see on digital screens
  4. Also, ensure you use simple, straightforward language throughout the entire document and avoid unnecessary jargon or legalese
  5. Finally, double and triple-check that you’ve covered all relevant business obligations under any regulations that apply to your business

Once you’ve created your outline, you’re ready to write!

But first, let’s discuss the most common clauses that appear in privacy policies and how you should approach each one.

How To Write Each Clause In Your Privacy Policy

To help you properly draft your privacy policy, I’ve outlined the most common clauses that typically appear in these agreements and provided tips for writing each section.

While I’ve tried to be as thorough as possible, remember that you may need to include additional clauses based on your business or organization.

Introduction

The first part of your privacy policy is the introduction, where you introduce your company, explain to whom the policy applies, and define the terms you plan on using throughout the agreement.

Be very transparent in your introduction to properly set your users’ expectations and double-check that all the details are accurate and current.

What Personal Information You Collect

The first significant clause you write in your privacy policy should identify all of the personal data that your website or app collects from users.

Make this list as detailed as possible. If you leave something out, you could get into trouble with data privacy legislation like the GDPR or the amended CCPA.

Consider reviewing your platform so that you understand how, when, and where user information is collected. An audit of your site can help identify the places where you collect data.

How You Plan To Collect the Data

You also need to tell your users how you plan to collect personal data, like filling out digital forms, using payment screens, or even through internet cookies or other trackers.

Be thorough with this clause, but remember to use clear and simple language, so it’s accessible to as many readers as possible.

Your Legal Basis for Collecting the Data

Regulations like the GDPR require you to have a legal basis for collecting personal information from your users, and you must explain as much in your privacy policy.

So with each category of data you collect, you also must outline your reasons for why it’s necessary.

How You Use the Personal Information

After listing all of the information your website or app collects from users, write a clause explaining how you plan to use that data.

Because this is exactly what users and regulators look for, consider laying these details out in a table that pairs each category of data with its purpose, so readers can find answers quickly.

If You Share or Sell Personal Information

Regulations like the GDPR and the amended CCPA obligate you to inform consumers if you share their personal information with third parties. Write those details in a clause in your privacy policy.

Our guide on compliance for Google Analytics explains how to avoid violating GDPR guidelines.

Address Privacy Issues for Children or Minors

Whether your website or app is targeted towards children or not, a clause that addresses child privacy must be included in your privacy statement.

If your platform is not made for children, a simple statement to that effect could suffice. If you target children under 13, or knowingly collect their data, you need to comply with the Children’s Online Privacy Protection Act (COPPA).

Outline Your Users’ Privacy Rights and How To Act On Them

Privacy laws require you to clearly explain to your consumers their rights over their data, so put those details in a clause in your privacy policy.

You might choose to title this clause based on the specific region it applies to.

How Users Can Access and Control Their Data

You should write a clause in your privacy policy addressing how your users or visitors can access the information you collect. This aligns with the GDPR and the amended CCPA, which give users more control over their data.

You can even link to a Data Subject Access Request (DSAR) form directly in your privacy policy, allowing your users to submit requests to access, edit, transfer, or delete their personal data.

Explain Your Safety and Security Practices Regarding Data Storage

Data privacy laws like the GDPR and the amended CCPA make you responsible for protecting personal information against breaches and other security incidents, and for describing, at a high level, the measures you use to do so.

The measures you implement should match how sensitive the data is and how much of it you hold. Describe what you actually do (for example, encryption in transit and at rest, access controls, and monitoring) without overpromising: a policy that claims protections you don’t have is a false statement regulators can act on, and it gives you nothing to fall back on after a breach.

Data Retention Information

Laws like the GDPR and the amended CCPA don’t set a single retention period, but they do require you to tell users how long you keep each category of personal information (or the criteria you use to decide), so include a clause stating your retention periods and what happens to the data afterward.

Your Use of Cookies and Other Trackers

Most apps and websites use cookies and other tracking technologies, and the identifiers they store qualify as personal information under regulations like the amended CCPA and the GDPR.

Your cookie use must be covered in your privacy policy or a separate cookie policy.

This section doesn’t need to be detailed or extensive in the privacy policy. Instead, just link to your cookie policy. You can use our free cookie policy generator to automatically draft a cookie policy.
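Both Step 2 (the privacy audit) and this section ask you to find every cookie your platform sets and record who sets it and for how long. The script below is an added example, not Termly’s code or tooling: it takes Set-Cookie headers captured from a site’s HTTP responses and turns them into the inventory a cookie policy needs, marking each cookie as first- or third-party and session or persistent, and at the same time flagging the missing Secure, HttpOnly and SameSite attributes a security reviewer would raise. The audited site name, the capture time and the sample responses are constructed assumptions, not a real capture.

```python
"""Cookie inventory for a privacy audit.

Added example (not Termly's code): parses Set-Cookie headers captured from a
site's HTTP responses and records what a cookie policy must disclose, namely
who sets each cookie (first- or third-party), how long it lives (session or
persistent, and for how many days), and whether the Secure / HttpOnly /
SameSite protections are present.

Every host, cookie name and date below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlparse

# Constructed capture: (URL the response came from, its Set-Cookie header values).
SAMPLE_RESPONSES = [
    ("https://shop.example.com/", [
        "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "consent=pending; Path=/; Max-Age=31536000; Secure; SameSite=Lax",
    ]),
    ("https://analytics.tracker-example.net/collect", [
        "_vid=f00dfeed; Domain=.tracker-example.net; Path=/; "
        "Expires=Sat, 06 May 2028 00:00:00 GMT",
    ]),
]
AUDITED_SITE = "shop.example.com"                        # assumption: the site under audit
CAPTURE_TIME = datetime(2026, 5, 6, tzinfo=timezone.utc)  # assumption: when headers were captured


@dataclass
class CookieRecord:
    name: str
    set_by: str            # host that sent the Set-Cookie header
    domain: str            # effective cookie domain
    third_party: bool
    persistent: bool
    lifetime_days: Optional[float]
    secure: bool
    http_only: bool
    same_site: str
    findings: list = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for example.com-style hosts;
    a real audit should use the Public Suffix List instead."""
    return ".".join(host.strip(".").lower().split(".")[-2:])


def parse_set_cookie(url: str, header: str, site: str, now: datetime) -> CookieRecord:
    """Turn one Set-Cookie header into an inventory record with audit findings."""
    jar = SimpleCookie()
    jar.load(header)                 # one Set-Cookie header -> one morsel
    (name, morsel), = jar.items()    # unpack exactly that one cookie
    host = urlparse(url).hostname
    domain = (morsel["domain"] or host).lstrip(".").lower()

    # Lifetime: Max-Age wins over Expires; neither attribute means a session cookie.
    lifetime = None
    if morsel["max-age"]:
        lifetime = int(morsel["max-age"]) / 86400
    elif morsel["expires"]:
        lifetime = (parsedate_to_datetime(morsel["expires"]) - now).total_seconds() / 86400

    rec = CookieRecord(
        name=name, set_by=host, domain=domain,
        third_party=registrable_domain(domain) != registrable_domain(site),
        persistent=lifetime is not None, lifetime_days=lifetime,
        secure=bool(morsel["secure"]), http_only=bool(morsel["httponly"]),
        same_site=morsel["samesite"] or "(unset)",
    )
    # Findings the policy author and the security reviewer both need to see.
    if rec.third_party:
        rec.findings.append("third-party cookie: name the recipient and obtain consent if non-essential")
    if rec.persistent:
        rec.findings.append("persistent cookie: state its lifetime in the cookie policy")
    if not rec.secure:
        rec.findings.append("missing Secure: cookie is sent over plain HTTP")
    if not rec.http_only:
        rec.findings.append("missing HttpOnly: cookie is readable by page scripts")
    if rec.same_site == "(unset)":
        rec.findings.append("missing SameSite: cookie is sent on cross-site requests")
    return rec


def inventory(responses=SAMPLE_RESPONSES, site=AUDITED_SITE, now=CAPTURE_TIME):
    """Build the full cookie inventory from a list of (url, [Set-Cookie, ...]) pairs."""
    return [parse_set_cookie(url, h, site, now) for url, headers in responses for h in headers]


def report(records) -> str:
    """Render the inventory as the table you would paste into the audit record."""
    lines = []
    for r in records:
        kind = "third-party" if r.third_party else "first-party"
        life = f"{r.lifetime_days:.0f} days" if r.persistent else "session"
        lines.append(f"{r.name:<10} {r.domain:<22} {kind:<12} {life:<9} "
                     f"Secure={r.secure} HttpOnly={r.http_only} SameSite={r.same_site}")
        lines.extend(f"    ! {f}" for f in r.findings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(inventory()))
```

In practice, replace the constructed responses with Set-Cookie headers captured from a crawl or from the browser’s developer tools while exercising every flow (sign-up, checkout, embedded widgets), since third-party cookies usually arrive from resources the page loads rather than from your own server. The inventory then gives you the list of cookie names, lifetimes and recipients the cookie policy has to disclose, and the findings give you the hardening work to do before the policy claims the data is “stored securely”.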

Address Changes to Your Privacy Policy

Some data privacy laws require you to tell users how you will notify them about changes to your privacy policy, so cover this in its own clause.

For example, the CPRA amendments to the CCPA require you to review and update your policy at least once every 12 months.

You may need to change or update your privacy policy for various reasons, including when your company’s practices adapt or if privacy laws are updated.

Links To Other Policies

It’s a business best practice to link to other relevant legal and website policies within your privacy policy, such as your cookie policy.

Because all these agreements are closely related and you want to ensure your users can easily find and read each one, linking them within one another provides another means for accessibility.

International Data Transfers

If you transfer personal data outside the country or region where it was collected, say so in your privacy policy. Under the GDPR, transfers out of the EU are only allowed under a recognized safeguard (an adequacy decision, standard contractual clauses, or another Chapter V mechanism), and your policy must name the safeguard you rely on and how users can obtain a copy of it.

It’s also a good idea to link directly to the relevant adequacy decision or clauses so users can read them.

Business Clause

As a preventative measure, it’s a good idea to add a business clause to reduce your liabilities in case you ever decide to sell your company.

To write this clause, just let people know that their personal data may be forwarded to a new owner if you ever sell your platform.

Contact Information

At the end of your privacy policy, list one or two ways your customers can contact you if they have questions about the agreement.

Keep this clause short and simple. Just ensure the details you provide are up to date.

What To Avoid Putting in a Privacy Policy

Next let’s briefly discuss a few things you should avoid adding to your agreement.

  • Don’t use confusing language. Legally, your privacy policy must be written in a way that’s easy to understand, so avoid putting any jargon or legalese in your agreement.
  • Don’t leave details out. Avoid leaving out details or information on purpose, as this could get you into trouble with the law, plus you’ll lose the trust of your consumers.
  • Don’t set it and forget it. For proper legal compliance, your privacy policy must be reviewed and evaluated regularly (once every 12 months under the amended CCPA), so avoid posting it on your site and then forgetting to recheck it.
  • Don’t copy someone else’s privacy policy. These documents are protected by copyright, so copying one is infringement, and a borrowed policy also won’t reflect your business’s actual privacy practices, leaving you at risk.

Tips for Writing a Good Privacy Policy

Now that you know how to make your outline and pick the proper clauses to include in your privacy policy for legal compliance, I’ll discuss some basic tips for making your policy stand out.

Make It Easy To Agree To

When you post your privacy policy on your website, make it very easy for users to agree to it or withdraw their consent from it.

Not only does this help you comply with the opt-in and opt-out consent requirements outlined by various data privacy regulations like the GDPR or the CDPA, but it also gives your users more control over how their information gets used.

Make It Easy To Read & Understand

Legally, you must present your consumers with a privacy policy written in clear, concise language free from confusing jargon and unnecessary legalese.

Paraphrasing complex legal terms into simpler, more understandable language can help achieve this, ensuring that users are more likely to fully grasp and agree with your policy.

These days you can even use an AI paraphrasing tool to make things a little easier, but I wouldn’t rely on it alone. Double-check the work!

Avoid Copy & Pasting

Don’t copy and paste someone else’s privacy policy.

Not only is that plagiarism, but it also won’t accurately apply to your business’s privacy practices, leaving you at risk under different data privacy regulations.

You could face significant fines and lose customer trust.

Free templates, policy generators, and other resources exist, so you don’t have to resort to high-risk practices.

Set Clear Guidelines & Expectations

When writing your privacy policy, be mindful of setting clear guidelines and expectations for your consumers to foster a relationship of trust.

Let them know clearly what data you collect and why it’s essential.

What You Expect From Customers

Collecting personal information from your consumers is a two-way street, so let them know what information you require most to offer them even better services, goods, and resources.

By transparently explaining to your customers that you expect them to share specific details about themselves to enhance their overall experience, they may be more likely to share that information with you actively.

88% of users say their willingness to share personal information depends on how much they trust the company (PwC).

Assuming you act within the boundaries of relevant data privacy laws, this honesty can go a long way with your consumers.

What Customers Can Expect From You

You should also clearly explain to your users what they can expect from you because they share their personal information with your business.

Over 80% of internet users would share personal data directly with a brand to personalize marketing messages (Vision Critical).

So let them know if their data contributes to product updates, new research, or more personalized offerings and suggestions.

Avoid Harsh Language

Try not to use harsh, overly serious, or inappropriate language in your privacy policy, as this may confuse, upset, and even turn away some users.

This policy explains your privacy practices to your users and their rights over that information. So keep that as the primary focus when writing, no matter how the rest of the process makes you feel.

Since it’s a direct reflection of your brand, ensure you write in a way that’s both professional and compliant with the relevant data privacy regulations.

Be Honest and Actionable

You must be honest in your privacy policy and genuinely follow through on your protocols, both for compliance reasons and because it’s the right thing to do.

Be transparent about the data you collect, tell the truth about how it’s used, and avoid making any false promises.

Just consider some of these shocking data privacy statistics showcasing consumers’ desires for companies to use more transparency:

  • 76% of users believe companies must do more to protect their data online (Global Consumer State of Mind Report 2021)
  • 92% of Americans are concerned about their privacy when using the Internet. (TrustArc)
  • 33% of users have terminated relationships with companies over data. They left social media companies, ISPs, retailers, credit card providers, and banks or financial institutions. (Cisco)

Where Should You Display Your Privacy Policy?

Legally, your privacy policy must be easy to find and access, and under specific laws, you either need to get opt-in consent or provide a way for users to opt out of consenting to your policy.

Let’s go over the different places where I recommend you link to your privacy policy.

Website or App Footer

The footer of your website or app is a static part of your platform that users can always see, so a link there gives them quick and easy access to your privacy policy.

New User Account Creation Page

Before someone signs up as a new user for your service, which is a process that usually involves data collection, give them a link to your privacy policy so they can read it and choose if they want to proceed or not.

Payment Screens

Payment screens are another place where websites often collect user information, so add a link to your privacy policy so your consumers can choose if they agree to your policies or not.

Privacy Center

There are lots of website policies and legal agreements you want your users to access easily, so consider hosting all of them on a single page on your website and calling it a privacy center.

For some extra support, we made a guide to help you make a privacy center for your own website.

What Is the Purpose of a Privacy Policy?

The purpose of a privacy policy is to explain how a business collects, uses, shares, and protects users’ personal information, and what control users have over that data.

These policies help build trust with your consumers by showing transparency and honesty. If they can’t find one on your website, they might assume you’re hiding your privacy practices and shop elsewhere.

Privacy policies are also legally required under data privacy regulations like the:

  • General Data Protection Regulation (GDPR)
  • Amended California Consumer Privacy Act (CCPA)
  • California Online Privacy Protection Act (CalOPPA)
  • Virginia Consumer Data Protection Act (CDPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)

While the definition of personal information varies under each piece of legislation, it typically includes things like:‌

  • Names
  • Dates of birth
  • Email addresses
  • Postal addresses

These laws also account for a category of data called sensitive personal information, which is subject to stricter legal guidelines.

What Privacy Laws Impact How You Write a Privacy Policy?

Basically any data privacy law that exists is going to address or impact privacy policies in some way, because these documents outline and explain all of your data processing protocols.

Here’s a brief summary of some of the most impactful privacy laws that currently make up the global legal landscape.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) gives individuals in the European Union (EU) rights over their personal data and imposes obligations on businesses that shape your privacy policy.

Under the GDPR, your privacy policy must explain:

  • What data you collect
  • How it’s collected
  • Why you’re collecting the data
  • Who the information gets shared with
  • What legal basis you have for collecting the data
  • All rights consumers have under the GDPR, and
  • How they can act on those rights

The GDPR also requires data protection by design and by default (Article 25): businesses must build privacy protections into their systems, processes, and business practices from the start rather than bolting them on afterward.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives California consumers more control over the information that businesses collect and how that data gets used, and it also impacts your privacy policy.

To write a compliant CCPA privacy policy, it must:

  • What data you collect
  • How it’s collected
  • Why you collect each category of data
  • Who it’s shared with or sold to
  • List all rights consumers have under the CCPA
  • Give users access to Data Subject Access Request (DSAR) forms

You must also give users access to a “Do Not Sell or Share My Personal Information” link and a “Limit the Use of My Sensitive Personal Information” link.

California Online Privacy Protection Act (CalOPPA)

The California Online Privacy Protection Act (CalOPPA) requires you to have a privacy policy on your site and likely impacts your business.

This law obligates any commercial website or online service that collects personally identifiable information from California residents to post a privacy policy that:

  • Includes the ‘effective’ date
  • Explains the types of personal information you collect and how users can opt out of the collection
  • Informs users how to request to review or delete their information
  • Outlines your process for communicating changes to the privacy policy with your consumers
  • Says if the information is shared with any third parties
  • States if “Do Not Track” (DNT) requests are honored or not

CalOPPA works alongside the amended CCPA to provide comprehensive privacy rights for California consumers.

Virginia Consumer Data Protection Act (VCDPA)

The VCDPA gives consumers rights over their personal data and outlines obligations for businesses, including requiring businesses to give a privacy notice to consumers.

It must specify all of the following:

  • The purposes for processing personal data
  • The categories of data processed
  • The categories of data shared with third parties
  • The categories of data sold to third parties
  • The categories of third parties that receive the data
  • How consumers can submit requests
  • A mechanism for appealing decisions on consumer requests
  • A clear disclosure if personal data is processed for targeted advertising
  • The right to opt out of that processing

ePrivacy Directive

Before the GDPR, the ePrivacy Directive, aka the EU cookie law, was the primary EU rule governing internet privacy, and it still applies alongside the GDPR. It requires websites to obtain user consent before placing non-essential cookies on users’ devices.

How does this impact your privacy policy?

Under the ePrivacy Directive you need consent before storing non-essential cookies, and under the GDPR the identifiers those cookies hold count as personal data, so cookies are subject to the same strict rules as all other personal data you process.

Personal Information Protection and Electronic Documents Act (PIPEDA)

The data privacy law impacting privacy policies in Canada is called the Personal Information Protection and Electronic Documents Act (PIPEDA).

It provides Canadian internet users with the right to consent to the collection of their data and access their information and dispute its accuracy. You must also inform them about your data collection practices, which are disclosed in a privacy policy.

According to PIPEDA, personal data from individuals may only be used for the original purpose it was collected.

Some of the fundamental principles of this law are:

  • Increased accountability
  • Identified purpose for data collection
  • Adequate use of consent
  • Limits over the collection of sensitive or personal data

A Brief Overview of the Legal History of Privacy Policies

Ready for a bit of privacy policy history?

Privacy policies in the US trace back to principles set out by the U.S. Federal Trade Commission in its 1998 report to Congress on online privacy.

Known as the fair information practice principles (FIPPs), they hold that privacy practices and policies must cover five fundamental aspects:

  • Notice: Consumers must be notified of a platform’s practices regarding personal information before it’s collected from them
  • Choice: Consumers should be able to have a choice about personal data collection and use
  • Access: Consumers must have access to their personal data
  • Security: A company must protect the personal information it collects, have a process to delete old data, safeguard current user data and disclose its security practices in a privacy policy
  • Enforcement: Enforcement measures on how these principles will be implemented must be made clear

Many laws and regulations have updated these guidelines since 1998, but the basic principles still make up the foundation for data privacy in the US.

Can You Legally Write Your Own Privacy Policy?

Yes, you can legally write your own privacy policy for your website or mobile app. You’re not required to consult a lawyer when making this policy for your platform.

Plenty of laws and regulations around the world dictate the following aspects of your privacy policy:

  • What goes into it
  • Where you post it
  • How you ask for consumer consent
  • When you share it with your users
  • How you share it with your users

But nothing regulates how you create the document itself. As long as it’s legally compliant, you can write your policy on your own or even have someone else do it.

Other Privacy Policy Solutions

Besides writing one from scratch, you can make a privacy policy for your platform in a few different simple ways:

  • Use a managed solution
  • Try a free template

Why Use a Managed Solution?

Managed solutions, like our Privacy Policy Generator, are the quickest and easiest ways to make a legally compliant policy for your business.

These documents cover a lot of complex information and take a long time to make. They also are subject to legal requirements under different data privacy regulations. Our generator speeds up and simplifies those processes for you.

All you do is answer a few questions about your business, and it creates a compliant privacy policy for you.

See a screenshot of our Generator below.

[Screenshot: Termly Privacy Policy Generator]

Made by our legal department and data privacy experts, our Privacy Policy Generator works for mobile apps and websites and complies with the following data privacy legislation:

  • General Data Protection Regulation (GDPR)
  • UK GDPR and the Data Protection Act 2018
  • Amended California Consumer Privacy Act (CCPA)
  • California Online Privacy Protection Act (CalOPPA)
  • Virginia Consumer Data Protection Act (CDPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)

Why Use a Template?

For a free and easy option, try using a privacy policy template. Templates already have the initial writing and formatting done for you.

Our free one features the most common clauses, which you can customize by filling in the blanks with details about your website or app.

See an example of what our template looks like in the screenshot below.

[Screenshot: Termly privacy policy template]

Our legal team and data privacy experts also vetted our template, and it features clauses you can customize that are compatible with the same regulations as our Generator.

It’s also written in a clear, straightforward way that avoids legalese and jargon.

Conclusion & Additional Resources

If you write your own privacy policy, ensure it follows relevant data privacy laws, is written in a straightforward way, and is posted in multiple easy to find locations throughout your platform.

Depending on your technical experience and data privacy knowledge, you may want a legal expert to review the privacy policy you wrote to verify its legal validity.

However, it is possible to make the policy entirely on your own. For an easy jump start, download one of our generic privacy policy templates:

  • Website Privacy Policy Template: A standard privacy policy for basic websites and blogs.
  • GDPR Privacy Policy Template: A GDPR-ready privacy policy for any online business.
  • Mobile App Privacy Policy Template: A privacy policy for apps on the App Store and Google Play.
  • Ecommerce Privacy Policy Template: A privacy policy built specifically for online ecommerce stores.
  • Email Marketing Privacy Policy Template: A privacy policy for email newsletters and email marketing.

Written by Natasha Piirainen

Natasha Piirainen is a privacy writer with a Bachelor’s Degree in English and Philosophy from Wheaton College and over 10 years of professional experience in research-driven content development.


Reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha Komnenic is a legal counsel and Termly’s Director of Global Privacy, who received her law degree from Belgrade University. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD).
