How to write a privacy policy

A privacy policy is a legal statement or document that provides information on how businesses and other organizations collect, use, share, and protect personal information. Data privacy laws typically require public posting of this information, like on a company’s website. It needs to be understandable to the average person and contain granular detail. Personal information or personal data is collected from data subjects, which are individuals who use an organization’s website, apps, or other services.

What is a privacy notice? It provides privacy-related information, but is typically shorter than a privacy policy, which contains more comprehensive information about collection and use of personal data. A privacy notice is meant to be a summary of an organization’s privacy practices. It is often presented to data subjects, like website visitors, app users, ecommerce customers, etc., at the point of data collection. This could be when they sign up for a service, arrive at a website for the first time, or other action. A privacy notice is meant to provide specific, relevant privacy information to the action being taken and the data collection resulting from it.

A privacy policy has a broader scope and contains all relevant information about an organization’s data processing activities, security practices, and users’ rights pertaining to data processing.

It is commonly published as a page on a website, and includes detailed information about what data is collected and how, under what legal basis (if relevant), for what purpose(s), who it may be shared with, how long it’s retained, and how it’s kept secure. A privacy policy typically has to include information about data subjects’ rights regarding data privacy, how they can exercise their rights, and contact information for the company.

If your organization collects and processes personal data, likely yes. While different data privacy regulations around the world have different requirements regarding legal basis for data processing, or different data subject rights, pretty much all of the laws require organizations to notify data subjects about data collection, use, security, and user rights. These days, most websites collect personal data.

The need for a privacy policy is not limited to commercial entities, i.e. companies making money from personal data, e.g. for sale or use in advertising. Other types of organizations collect and use personal data as well, including charities, B2B entities, and more, so they must also comply with data privacy laws.

Privacy policies are required by laws that are specifically for data privacy, like the European Union’s General Data Protection Regulation (GDPR), Brazil’s General Law for the Protection of Personal Data (LGPD), or any of the state-level data privacy laws in the United States, like California’s Consumer Privacy Act (CCPA). But they can also be required by other laws covering operations where data processing takes place.

Healthcare or financial services deal with large amounts of sensitive personal data, and must follow strict policies and procedures regarding using and securing it. An example of this is the Health Insurance Portability and Accountability Act (HIPAA) in the United States. It is common for some data privacy laws to reference or defer to these other laws.

In addition to legal requirements, creating and maintaining a comprehensive privacy policy is good business and important for consumer relations. Being clear and transparent about data use and security, and making it easy for people to contact your organization and exercise their rights, is important for good user experience and building and maintaining trust.

Governments may require organizations to provide a privacy policy via data privacy regulations, but a privacy policy is not really for them. Privacy policies aren’t entirely for the organizations that create them to comply with regulations and avoid violation penalties, either.

Most commonly, based on stated regulatory purposes, a privacy policy is for data subjects, to protect people whose data is collected and used. Website visitors, app users, ecommerce shoppers, and more.

The need for a privacy policy is not limited to operations where money is being made, either directly through sales, or secondarily, like through use or sale of data collected. It applies to people signing up for a newsletter or applying for a job as well.

It also applies to parties other than consumers. Staff of a business’ partners or third-party vendors could be subject to an organization’s privacy policy and have rights if their data is collected and used while working together.

Anyone who makes use of online information, uses services, purchases products, completes activities, etc. and through that has their data collected, has a right to clear, transparent information in a privacy policy and the ability to exercise control over their data.

Information required in a privacy policy is fairly standard among data privacy regulations, however, organizations should familiarize themselves with the specific stipulations of laws relevant to them. Overall, a privacy policy must clearly communicate (no legalese) what personal data an organization wants to collect, how, how they will use it, who they may share it with, and how they will keep it secure.

Typically, a privacy policy must also provide information on users’ rights as well and how to exercise them, along with contact information for the organization.

A privacy policy states what types of personal information are collected, like name, phone number, email address, IP address, browsing activities, payment information, and more. Typically, any information collected that could be used to identify a person.

Some personal data is categorized as “sensitive”, as a misuse of it could cause harm. This type of data can include information like race or ethnicity, religious or political affiliation, sexual orientation, or health information, and typically it requires special handling and protection.

A privacy policy includes details about how the organization collects personal data, whether through user input, e.g. filling out a form or completing an ecommerce process, through browser cookies or trackers, or by other means.

A privacy policy covers the purpose(s) for which personal data is collected and how it’s used. Organizations must communicate their purpose for collecting personal data, and may only use it for that stated purpose. Usually, under regulations that require prior consent, if the purpose(s) changes or the organization wants to use personal data for any additional purpose, new consent must be obtained.

Purposes could include:

• providing products or services
• improving or personalizing user experiences
• targeting advertising
• creating profiles
• complying with legal requirements

Under some data privacy laws, like the GDPR (Art. 6), the data controller must also use and communicate a valid legal basis for lawful data processing, like having obtained user consent—with the relevant mechanisms for collecting and managing consent—or other options like fulfilling a contract or providing a requested product or service.

A privacy policy lists all entities that may have access to the data collected. The data controller may collect and process data itself, or it may use third-party data processors. These can include marketing or advertising companies, partners, vendors, authorities, or other organizations.

Information about transfer of personal data is also included, e.g. if it is transferred to a country or region other than where it was collected. Many countries have restrictions on data being transferred internationally unless there is a contract or agreement between the countries that all parties’ data privacy and protection operations are considered adequate. The European Union, for example, has strict requirements for international data transfers under the GDPR (Art. 44).

A privacy policy explains how the entity secures the personal data it has collected, how long it is retained, and how it prevents unauthorized access, disclosure, alteration, or destruction. Information regarding procedures in the event of a data breach may also be included.

These will vary depending on relevant data privacy laws, so accurate information must be presented and kept up to date. For example, under the GDPR, consent must be obtained before any data is collected, if consent is the legal basis being used to validate data processing. But under the regulations in the United States, prior consent is not required in many cases for data collection and use, only the ability to opt out at any point.

Some typical user rights under data privacy laws, which a privacy policy should communicate, can include:

• the right to access one’s data
• the right to have data corrected or deleted
• the right to data portability
• the right to opt out of data processing for sale or other specific uses (under regulations not requiring prior opt-in)
• the right to not be discriminated against, including for exercising one’s rights

A privacy policy will include contact information for the organization, whether for questions or data subjects’ requests, such as to exercise their rights. Some laws require specific contact methods, some just indicate that the methods should be “normal” or “typical”. Some laws require options that are digital, like an email address and/or web form, and at least one option that isn’t, like a phone number.

The organization also needs to explain how often the policy is updated or changed, and when it is, what changes have been made and on what date. Often it’s also necessary to enable users to access previous versions of the privacy policy.

While consumers are generally used to providing personal data online, different organizations and platforms request and use personal data for different purposes. An ecommerce website has different tools and data collection purposes than a charity newsletter, for example. And how users are tracked in an app can be different from cookie and tracker use in a web browser.

These platforms and more, including—increasingly—smart devices like connected TV, must communicate with users about data collection and use.

The platform via which personal data is collected influences what information a privacy policy needs to include. Websites use some methods of data collection that are specific to that platform, so it must be communicated in addition to the more general information outlined above.

Some website-specific privacy policy information that must be included, and for which users may have to be provided the option of opting out:

• cookies or other tracking technologies in use
• analytics and log files
• advertising
• third-party services
• marketing communications
• user-generated content and its use
• privacy and consent management for children
• external website links

It’s important to be familiar with relevant data privacy laws for your specific organization, as well as having an up to date data audit on what data a website collects, and how, to ensure the privacy policy is kept up to date.

More data protection authorities are cracking down on apps, which to date have often had poor data privacy compliance. In addition to the more general privacy information requirements outlined above, some app-specific privacy policy information that must be included, and for which users may have to be provided the option of opting out:

• mobile device permissions
• geolocation data
• mobile advertising
• in-app purchases and payment information
• integration with social platforms
• user-generated content and its use
• push notifications
• data backup and sync
• privacy and consent management for children
• app-specific security measures

Privacy policies and other user-facing information and notifications must be clear and transparent, understandable to the average person. Qualified legal counsel should be involved in writing and maintaining a privacy policy, but users should not have to be lawyers to understand it.

Information in the privacy policy must be specific. It is a violation of a number of data privacy laws to use broad or vague descriptions or group information about data collection or uses, for example. Users must be able to see in detail what data is collected, and all the means used to do so. In many cases they must also be able to consent or refuse that collection and use at a granular level.

A privacy policy must be customized to the organization. It is possible to use example policies, templates, or generators to create a privacy policy, but the onus is on the organization to ensure that the resulting privacy policy is specific and accurate to their operations and users. Customized branding also improves user experience.

This customization principle applies to the privacy policy page, a privacy notice that appears at the point of collection, a consent banner, or any other presentation of privacy-related information.

The privacy policy should be easy to find and access, and carefully organized. This includes following user experience and accessibility best practices so it is readable by all users.

From a user experience perspective, people don’t tend to read a lot of text online, so while a privacy policy must contain a fair amount of information and be well organized, where possible a privacy notice should be kept as brief as possible and very clear. This principle would apply more to a cookie consent banner, for example, than to the privacy policy page. This applies even more for apps, where users are impatient to get playing, etc., and where the user interface is quite small.

A privacy policy needs to be updated regularly. This may be a legal requirement under some laws, but it is generally a best practice. Some aspects of updating the privacy policy can be automated, like checking what cookies and trackers a website is using. The privacy regulation landscape also changes rapidly, so regular review and updates are important, especially for organizations required to comply with multiple data privacy laws.

A privacy policy tends to be a longer document, so it’s common for it to be located on its own web or app page. Links to it should be accessible from elsewhere, e.g. in the header or top navigation or footer of a website, or in mobile apps settings.

When information is legally required to be presented at a certain point, whether for a site or app, the privacy notice must be presented at the point of data collection, e.g. when the website or app first loads or when the user is about to complete a specific action.

Other relevant points when privacy information must or should be presented and/or accessible:

• landing page / homepage
• first interface upon app loading
• account registration / signup page
• checkout process
• app store listings
• email communications

It is important to consult qualified legal counsel or your privacy expert, like a data protection officer (if required), when creating and updating a privacy policy and/or privacy notices. Organizations need to be clear and up to date on what data they collect and store, via what means, how it’s used and who it’s shared with. This is the only way to ensure accurate communication to data subjects and the ability for them to exercise their rights at a granular level. It also helps to ensure compliance with relevant data privacy regulations.

There are tools available both to help create and automate maintenance of privacy policies, and which integrate with tools like a consent management platform (CMP) to ensure the privacy policy stays accurate and up to date. A CMP also enables consent collection and management at the point of data collection, which can also enable data privacy compliance.

If you have questions or interest in implementing a compliant privacy policy for your website or app, or a consent management platform to help achieve compliance with privacy laws around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.