
How to write a privacy policy: Achieve and maintain compliance in 12 steps

Summary

A privacy policy isn’t just another dusty and forgotten page linked from your website’s footer. It’s a legal requirement under the world’s ever-expanding number of data privacy laws, not to mention additional frameworks and the policies of your important tech platform partners.

Just as importantly, research surveying nearly 5,000 individuals across 19 countries showed that over two-thirds of consumers are either somewhat or very concerned about their online privacy. People are no longer willing to do business with companies they don’t trust, and laws are making it easier for them to take their money (and data) elsewhere.

Re-enter the privacy policy. One that is clear, comprehensive, and well maintained provides transparency, builds trust, and helps you meet regulatory requirements under laws like the GDPR and CCPA.

This guide walks you through the steps to create, publish, and maintain a user-friendly and legally compliant privacy policy using best practices. From identifying relevant laws to mapping data flows, responding to user rights requests, and keeping the contents updated, we have you covered.

So yes, you do need a privacy policy. The good news is, creating and maintaining one is easier than you think, and we have the information and tools you need.

Key takeaways

  • A clear and up-to-date privacy policy is legally required by international privacy laws, as well as other frameworks and tech partners’ policies.
  • The process to create and maintain a compliant privacy policy starts well before it’s drafted, and maintenance is also critical.
  • Use plain language, scannable formatting, and purpose-based sections.
  • Embed your policy into site/app design (e.g. banners, footers, forms) in ways that are easily accessible.
  • Keep the policy synchronized with your consent tools, audits, and vendor changes so it stays up to date as laws, technology in use, and business operations grow and change.

What should a privacy policy include?

The specifics of requirements will vary depending on relevant laws and your data processing operations. However, much of the necessary information is fairly standard at this point. It is important to know which laws apply to your business so you can confirm the requirements of all relevant laws if there are multiple.

Equally important is that the contents of the policy are clear to the average person, to meet the “informed” requirement of many privacy regulations. That means no legalese or technical jargon. The standard contents of a privacy policy include:

  • Identity and contact details of the data controller (usually website or app owner) and Data Protection Officer (DPO) or comparable role
  • Processing activities and their purposes, including profiling or targeted advertising and/or processing by third parties, e.g. advertising or e-commerce fulfillment.
  • Legal basis of the processing and the reasoning behind it (where required)
  • Information about special categories of personal data processed (where relevant), including data categorized as sensitive or belonging to minors
  • Recipients of data, including for sharing, sale, or other use
  • Information about international data transfers and safeguards in place
  • Period for which data will be retained
  • What data subjects’ rights are and how to exercise them
  • Information about changing or withdrawing previously granted consent
  • Information about making a complaint or appealing a decision
  • Existence of automated decision-making and its uses, especially where relevant for profiling and/or targeted advertising

The 12-step process for writing a privacy policy

Here’s your step-by-step guide to creating a privacy policy. Remember that privacy policies need to reflect your specific and evolving data processing operations. Do not copy another company’s policy, as it may not match your data processing or regulatory requirements.

Be equally careful if you start from a privacy policy template: go through it line by line to ensure it’s customized for your responsibilities.

Privacy policies need to be kept up to date, so this is not a “one and done” exercise, but one that should be integrated into your data privacy maintenance operations.


1. Map data flows and purposes

  • Build or update a data inventory that lists all data categories, including names, emails, IP addresses, device identifiers, analytics, cookies, etc. and where they originate, like forms, SDKs, and trackers.
  • For each flow, note the purpose, the recipients (processors), retention timeline, and, where required, the legal basis, e.g. consent, contract, legitimate interest, or contractual requirements.
  • Run a website or app scan to detect hidden cookies and trackers. Third-party trackers can be several layers deep and hard to detect, but you are still likely responsible for their data access and use.


2. Identify relevant privacy laws and platform rules

  • Determine which data privacy regulations apply to your operations and users, e.g. the GDPR, CCPA/CPRA or PIPEDA. Remember that many laws are extraterritorial, so it matters where your users are, not where your company is located.
  • Check industry or platform rules relevant to your operations, like Google’s EU user consent policy or platforms’ advertising policies. Confirm requirements for any mandated tools as well, like Consent Mode or the TCF v2.2.
  • Build a disclosure matrix that maps which clauses you must include under each law or platform.

3. Choose policy structure and tone

Make the policy document easy to scan and understand. Use headings, short paragraphs, bullets, and plain language. Make links to relevant information or contacts easy to find. Here’s an example of a clear privacy policy structure for sections:

  1. Contact information for the controller and/or DPO, for complaints or inquiries, etc.
  2. Data collected by category (including sensitive data)
  3. How and why you use data
  4. Cookies and trackers in use (relevant laws may require granular detail or only categories)
  5. Data sharing and third parties it’s shared with (relevant laws may require granular detail or only categories)
  6. International data transfers and adequacy agreements or other legal mechanisms, like Standard Contractual Clauses
  7. Data retention and destruction
  8. Users’ rights and choice options and how to exercise them
  9. Children’s data collection, handling, and consent requirements
  10. Data security
  11. Inquiries, complaints, and disputes, with how to submit and to whom
  12. Policy changes and version history (some laws set specific timeframe requirements, like annually)

4. Draft purpose-based disclosure sections

  • For each processing purpose, like user registration, marketing, analytics, or support, draft a sub-section, including information like:
    • What categories of data are collected and used
    • Why you process the data (purposes)
    • Legal basis (if required)
    • Data recipients, including processors and/or sub-processors
    • Data retention period and information about deletion, anonymization, or other functions
  • Avoid vague statements like “we may use” or “improve customer experience.” Be specific and keep this information up to date.


5. Explain the cookies and tracking technologies in use

  • Include an overview in the policy, and ideally embed or link to a cookie notice that updates as tools change. A robust CMP detects these technologies for you and makes the list embeddable where you need it.
  • Define purpose categories, i.e. essential or strictly necessary, performance, functional, and targeting.
  • Explain whether cookies/tracking require consent and how users can choose at a granular level, decline, or opt out later. Under many privacy laws, all but essential cookies require consent.

6. Disclose data sharing, sales, and other uses, plus enable opt out

  • Identify all external entities you share with, including adtech, analytics vendors, hosting, support, and partners.
  • Clarify if any sharing qualifies as a sale (which varies by law) or sharing for targeted advertising under applicable regulations.
  • Provide opt-out information, including specific formats where required, like California’s “Do Not Sell Or Share My Personal Information” link, and the necessary rights request mechanisms.


7. Explain international data transfers and security measures

  • If you move data across borders, e.g. for processing or storage by third parties, specify the privacy and security mechanisms, like adequacy decision, standard contractual clauses, or binding corporate rules.
  • Provide users with access to a copy of the privacy and security mechanism in detail, e.g. linked from the privacy policy, as well as contact information in the event of questions or concerns.

8. State retention criteria and periods

  • Provide specific information about how long and under what circumstances data is retained, e.g. “as long as the account is active plus three years for dispute resolution.” Some regulations specify retention periods, e.g. regarding financial operations.
  • Clarify what happens to user data at the end of the retention period, e.g. that it is securely deleted or fully anonymized.


9. Outline user rights and how to act on them

  • List relevant user rights, which may vary by applicable law and jurisdiction. This is one area where geolocation functionality is useful, as it enables customizing user experience and messaging to relevant regulatory requirements. These rights can include:
    • Access to their data
    • Correction of incomplete or inaccurate data
    • Deletion of personal data
    • Disclosure of third parties (either categories or a specific list of entities) that have had access to personal data for stated purposes
    • Data portability, in which the user is supplied with their data in a usable format
    • Objection to data processing or withdrawal of consent, which requires cessation
    • Opt out of sale, sharing, targeted advertising and/or profiling
    • Provision of information about automated decision-making and opting out
    • Questioning the controller’s profiling
    • Restriction of access to or processing of sensitive data
    • Not being discriminated against for exercising rights
  • Provide a method for exercising rights, e.g. email address or web form, which also needs to include a means of identity verification. Also provide information about response times, which are usually legally mandated.
  • Provide information about escalation options for users to lodge complaints or appeal the controller’s response to a rights request.
  • Include a statement that there will be no discrimination for exercising data privacy rights

10. Describe security practices and breach response

  • Summarize technical, administrative, and physical safeguards in place, like encryption, MFA, role-based access, and vendor security reviews.
  • Explain your breach response process: notifying authorities and, usually, affected individuals, the steps you take to mitigate harm, and your actions to remedy the issue.

11. Include provisions for children’s data

  • Specify age thresholds (e.g. under 13 in many regions) and whether you knowingly collect data from children.
  • Describe parental/guardian consent or verification procedures, and how parents can access, delete, or refuse processing of children’s data.
  • Provide a mechanism for obtaining parental/guardian consent before or at the time of collecting children’s data, if you don’t already have one in place for all users per legal requirement.


12. Provide governance and versioning information with change management

  • Provide contact information for the Data Protection Officer, privacy expert, or comparable person/office.
  • Include the policy’s effective date, version history, and links to archived policy versions.
  • State your review cadence, e.g. annual or upon material changes. Applicable laws may have specific time frames.
  • Ensure updates flow into your product/release process and notify users as needed.

How to create a privacy policy: templates, generators, and automation

Writing a privacy policy manually can be labor-intensive, and maintaining it to legal standards requires ongoing resources. You can create a privacy policy faster and keep it current by using a privacy policy generator integrated with your consent management platform (CMP). 

These tools enable you to automate cookie disclosures, versioning, and synchronization with your actual stack changes.

Usercentrics Web CMP and App CMP enable you to obtain valid consent; customize appearance, messaging, and user experience; and comply with requirements as laid out in your privacy policy.

When privacy policy generation and updates are linked to consent solutions, it helps reduce mismatches between your data handling operations and what you state in your privacy policy and cookie notice.


Privacy policy best practices when drafting and updating

  • Use plain language and define all necessary legal and technical terms clearly.
  • Break up the information into cascading sections, with clear, scannable headings and logical progression of topics. (See example list above under policy structure.)
  • Localize the contents for relevant regulations and languages to support privacy compliance and improve user experience.
  • Link actions near statements, e.g. “You can opt out here” or “Contact us with any questions” as much as possible, and don’t just put options or contact information at the bottom of the page.
  • Link to other relevant documents, like the cookie notice if it’s not part of the same document, terms of service, or data processing agreements.
  • Include contact information for your company and third-party vendors and partners involved in data processing, where possible.
  • Sync your consent banner(s) and privacy policy. The information users can learn about in your policy and the consent options you explain to them should match their experience when interacting with your actual consent banners.
  • Provide real examples of what you use data for, e.g. “When you sign up for our newsletter, we use your email address to send updates and analyze engagement.”
  • Use a privacy policy generator that enables you to customize the contents for your data processing operations, relevant laws, and other details. 
  • Set a schedule for data processing audits, review of relevant regulations, and privacy policy updates so the privacy policy stays up to date.
  • Provide a downloadable/printable version of the privacy policy.

How to add a privacy policy to your website (or app or anywhere else you need it)

There are several best practices to maximize visibility and usability to support privacy compliance and ensure your customers are well informed.

  • Add a footer link to “Privacy Policy” so it appears on every page.
  • Include a prominent link in your consent banner, and maintain a persistent icon or menu link.
  • At points of data collection, like signups or account registration, checkouts, app store listing, or contact forms, include brief notices with a link to the full policy.
  • In apps, include privacy policy links in the settings, profile screens, and onboarding flows.
  • In emails, include a footer link to your privacy policy.
  • Use anchor links in your privacy policy so users can jump to sections to quickly learn about their rights, how to contact you, which cookies you use, etc.
  • Make the versioning and date stamp information clear and ensure that previous versions of the privacy policy are easily accessible. Include a brief “what’s new” section or changelog for scanability.
  • Use responsive, accessible design to ensure the policy is mobile-friendly, readable on all screen sizes, and fully accessible to people using assistive technologies, e.g. WCAG standards.
  • Integrate the privacy policy with your consent management platform to maintain alignment between data use purposes and consent choices.


Website vs. app privacy policy priorities

Websites and apps share a lot of functions and characteristics, particularly with regard to data privacy requirements. However, they’re different platforms, and you’ll want to customize for each as is relevant to your business.

Privacy policy for websites

On your website, you’ll want your privacy policy to emphasize data uses like:

  • Cookie use
  • Advertising partners
  • Third parties (including scripts)
  • Tracking tags

Use a comprehensive scanner for cookie and tracker use that is well-integrated with your CMP and privacy policy so the policy stays up to date as your tech stack evolves.

Privacy policy for apps

Data privacy compliance and required notifications for apps may include different data collection and UX requirements, given the smaller screen and other considerations.

In your app(s), you’ll want your privacy policy to emphasize data uses and access to functions like:

  • Mobile permissions (camera, location, contacts)
  • Operating system-level privacy controls
  • In-app identifiers (IDFA/AAID)
  • Push notification settings
  • Backups and syncing
  • Social login integrations

Clearly describe and provide functions for users to manage permissions within the app or via device settings quickly and easily.


Managing and updating your privacy policy

  • Establish a review schedule so you don’t fall behind on updates as new processing purposes, vendors, or tracking technologies are introduced. This should be at least annually, but some laws have specific mandated time frames.
  • Tie policy updates into your product release workflow. Maintain version logs and make previous versions, ideally with a summarized changelog, easily accessible.
  • Update vendor and/or processor lists as partnerships and contracts change.
  • Continuously sync consent tools, cookie scans, and policy content. Automated scanning is invaluable to save time, mitigate risk of missed changes or errors, and to keep documentation updated.
  • Train your teams, including Support, Marketing, Development, Compliance, etc., on the contents of the privacy policy, how it applies to your business, and your evolving privacy compliance responsibilities.

Your privacy policy contains a lot of varied information, and does require resources to keep up to date. But doing so is critical for privacy compliance and protecting your business, as well as demonstrating transparency and respect for data and privacy to your customers. 

Fortunately, a customizable privacy policy generator and a robust, scalable CMP help automate many functions to save you time and give you peace of mind.

Tilman Harmeling
Senior Expert Privacy, Usercentrics GmbH