# [How to write a privacy policy: Achieve and maintain compliance in 12 steps](https://usercentrics.com/knowledge-hub/how-to-write-a-privacy-policy/)

**When did you last update your privacy policy? Privacy compliance requires a clear and up-to-date privacy policy. Get one in minutes — customized for your business.**

[Create Privacy Policy](https://usercentrics.com/privacy-policy-generator/)

Author: [Tilman Harmeling](https://usercentrics.com/person/tilman-harmeling/) · Read time: 15 mins · Published: Oct 1, 2025

---

Data privacy regulations require that you clearly communicate with data subjects, including website visitors, app users, and e-commerce customers, about the data you collect and process, and inform them about their privacy rights. This guide outlines how to write a privacy-compliant and user-friendly privacy policy for a website — from drafting to publishing to ongoing governance.

A privacy policy isn't just another dusty and forgotten page linked from your website's footer. It's a legal requirement under the world's ever-expanding number of data privacy laws, not to mention additional frameworks and the policies of your important tech platform partners.

Just as importantly, research surveying nearly 5,000 individuals across 19 countries showed that [over two-thirds of consumers are either somewhat or very concerned](https://iapp.org/media/pdf/resource_center/privacy_and_consumer_trust_report_summary.pdf) about their online privacy. People are no longer willing to do business with companies they don't trust, and laws are making it easier for them to take their money (and data) elsewhere.

Re-enter the privacy policy. One that is clear, comprehensive, and well maintained provides transparency, builds trust, and helps you meet regulatory requirements under laws like the GDPR and CCPA.

This guide walks you through the steps to create, publish, and maintain a user-friendly and legally compliant privacy policy using best practices. From identifying relevant laws to mapping data flows, responding to user rights requests, and keeping the contents updated — we have you covered.

So yes, [you do need a privacy policy](https://usercentrics.com/knowledge-hub/what-is-a-privacy-policy-and-why-do-you-need-one/). The good news is, creating and maintaining one is easier than you think, and we have the information and tools you need.

## What should a privacy policy include?

**Key Takeaways**

- A clear and up-to-date privacy policy is legally required by international privacy laws, as well as other frameworks and tech partners' policies.
- The process to create and maintain a compliant privacy policy starts well before it's drafted, and maintenance is also critical.
- Use plain language, scannable formatting, and purpose-based sections.
- Embed your policy into site/app design (e.g. banners, footers, forms) in ways that are easily accessible.
- Keep the policy synchronized with your consent tools, audits, and vendor changes so it stays up to date as laws, technology in use, and business operations grow and change.

The specifics of requirements will vary depending on relevant laws and your data processing operations. However, much of the necessary information is fairly standard at this point. It is important to know which laws apply to your business so you can confirm the requirements of all relevant laws if there are multiple.

Equally important is that the contents of the policy are clear to the average person to meet the "informed" requirement of many privacy regulations. That means no legalese or technical jargon. The information a privacy policy typically needs to include:

- Identity and contact details of the data controller (usually website or app owner) and [Data Protection Officer (DPO)](https://usercentrics.com/knowledge-hub/what-is-dpo-data-protection-officer/) or comparable role
- Processing activities and their purposes, including profiling or targeted advertising and/or processing by third parties, e.g. advertising or e-commerce fulfillment
- Legal basis of the processing and the reasoning behind it (where required)
- Information about special categories of personal data processed (where relevant), including data categorized as sensitive or belonging to minors
- Recipients of data, including for sharing, sale, or other use
- Information about international data transfers and safeguards in place
- Period for which data will be retained
- What data subjects' rights are and how to exercise them
- Information about changing or withdrawing previously granted consent
- Information about making a complaint or appealing a decision
- Existence of automated decision-making and its uses, especially where relevant for profiling and/or targeted advertising

Do you know the privacy policy requirements of your partner platforms? Get our free guide to the privacy policies of major platforms. Get clear information to stay compliant with the requirements of platforms like Facebook, Zoom, and ChatGPT.

[Get guide](https://usercentrics.com/guides/privacy-policies-of-major-platforms/)

---

## The 12-step process for writing a privacy policy

Here's your step-by-step guide to how to create a privacy policy. Remember that privacy policies need to reflect your specific and evolving data processing operations. Do not copy another company's policy, as it may not match your data processing or regulatory requirements.

If you start from a privacy policy template, go through it carefully to ensure it's customized to your own responsibilities.

Privacy policies need to be kept up to date, so this is not a "one and done" exercise, but one that should be integrated into your data privacy maintenance operations.

[Download infographic](https://usercentrics.com/wp-content/uploads/2025/10/uc_12_steps_privacy_policy_checklist-1.pdf)

### 1. Map data flows and purposes

- Build or update a data inventory that lists all data categories, including names, emails, IP addresses, device identifiers, analytics, cookies, etc. and where they originate, like forms, SDKs, and trackers.
- For each flow, note the purpose, the recipients (processors), retention timeline, and, where required, the legal basis, e.g. consent, performance of a contract, or legitimate interest.
- Run a website or app scan to detect hidden cookies and trackers. Third-party trackers can be several layers deep and hard to detect, but you are still likely responsible for their data access and use.

Learn more about [data mapping](https://usercentrics.com/knowledge-hub/gdpr-data-mapping/) and how to do it to support privacy compliance.

### 2. Identify relevant privacy laws and platform rules

- Determine which data privacy regulations apply to your operations and users, e.g. the GDPR, CCPA/CPRA or PIPEDA. Remember that many laws are extraterritorial, so it matters where your users are, not where your company is located.
- Check industry or platform rules relevant to your operations, like [Google's EU user consent policy](https://usercentrics.com/magazine/articles/googles-eu-user-consent-policy-whats-changed-and-what-does-it-mean-for-advertisers/) or platforms' advertising policies. Confirm requirements for any mandated tools as well, like [Consent Mode](https://usercentrics.com/usercentrics-cmp-and-google-consent-mode-v2/) or the [TCF v2.2](https://usercentrics.com/cmp-for-publishers/).
- Build a disclosure matrix that maps which clauses you must include under each law or platform.

### 3. Choose policy structure and tone

Make the policy document easy to scan and understand. Use headings, short paragraphs, bullets, and plain language. Make links to relevant information or contacts easy to find. Here's an example of a clear privacy policy structure for sections:

1. Contact information for the controller and/or DPO, for complaints or inquiries, etc.
2. Data collected by category (including sensitive data)
3. How and why you use data
4. Cookies and trackers in use (relevant laws may require granular detail or only categories)
5. Data sharing and third parties it's shared with (relevant laws may require granular detail or only categories)
6. International data transfers and adequacy agreements or other legal mechanisms, like Standard Contractual Clauses
7. Data retention and destruction
8. Users' rights and choice options and how to exercise them
9. Children's data collection, handling, and consent requirements
10. Data security
11. Inquiries, complaints, and disputes, with how to submit and to whom
12. Policy changes and version history (some laws set specific timeframe requirements, like annually)

### 4. Draft purpose-based disclosure sections

- For each processing purpose, like user registration, marketing, analytics, or support, draft a sub-section, including information like:
  - What categories of data are collected and used
  - Why you process the data (purposes)
  - [Legal basis](https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/#legal-bases-and-legitimate-interest-in-the-general-data-protection-regulation-5) (if required)
  - Data recipients, including processors and/or sub-processors
  - Data retention period and information about deletion, [anonymization](https://usercentrics.com/knowledge-hub/data-anonymization/), or other functions
- Avoid vague statements like "we may use" or "improve customer experience." Be specific and keep this information up to date.

Learn more about [data retention](https://usercentrics.com/knowledge-hub/gdpr-data-retention/) and how to protect your business by doing it right.
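As an added example (not from the page or from Usercentrics), here is a small Python check that operationalizes steps 1 and 4: it validates a data-flow inventory for the fields listed above, flags the vague purpose wording the guide warns against, and renders purpose-based sub-sections only once the inventory has no gaps. The `DataFlow` schema, the vague-phrase list, and the sample inventory are constructed assumptions for this example.

```python
from dataclasses import dataclass

# Purpose wording the guide says to avoid (constructed list for this example).
VAGUE_PHRASES = ("we may use", "improve customer experience", "various purposes")
# Fields each flow needs before it can be disclosed (step 1 of the guide).
REQUIRED_FIELDS = ("categories", "purpose", "recipients", "retention")
# GDPR Article 6 legal bases, checked where a legal basis is required.
LEGAL_BASES = {"consent", "contract", "legitimate interest",
               "legal obligation", "vital interests", "public task"}


@dataclass
class DataFlow:
    """One row of the data inventory (hypothetical schema for this example)."""
    name: str                # processing activity, e.g. "Newsletter"
    categories: list[str]    # data categories collected
    sources: list[str]       # where the data originates (forms, SDKs, trackers)
    purpose: str             # plain-language reason for processing
    recipients: list[str]    # processors / sub-processors receiving the data
    retention: str           # retention period and what happens at its end
    legal_basis: str = ""    # required only where applicable law demands it


def validate_flow(flow: DataFlow, legal_basis_required: bool = True) -> list[str]:
    """Return the disclosure gaps for one flow; an empty list means it is ready."""
    problems = []
    for field_name in REQUIRED_FIELDS:
        if not getattr(flow, field_name):
            problems.append(f"{flow.name}: missing {field_name}")
    purpose = flow.purpose.lower()
    for phrase in VAGUE_PHRASES:
        if phrase in purpose:
            problems.append(f"{flow.name}: vague purpose wording '{phrase}'")
    if legal_basis_required and flow.legal_basis.lower() not in LEGAL_BASES:
        problems.append(f"{flow.name}: legal basis missing or not recognized")
    return problems


def render_section(flow: DataFlow) -> str:
    """Render one purpose-based sub-section in the order the guide recommends."""
    lines = [
        f"### {flow.name}",
        f"- Data we collect: {', '.join(flow.categories)} (from {', '.join(flow.sources)})",
        f"- Why we process it: {flow.purpose}",
    ]
    if flow.legal_basis:
        lines.append(f"- Legal basis: {flow.legal_basis}")
    lines.append(f"- Who receives it: {', '.join(flow.recipients)}")
    lines.append(f"- How long we keep it: {flow.retention}")
    return "\n".join(lines)


def render_policy(flows, version: str, effective_date: str,
                  legal_basis_required: bool = True) -> str:
    """Render the policy with version info, refusing to publish an inventory with gaps."""
    gaps = [p for f in flows for p in validate_flow(f, legal_basis_required)]
    if gaps:
        raise ValueError("inventory not ready for disclosure: " + "; ".join(gaps))
    header = f"# Privacy Policy (version {version}, effective {effective_date})\n\n"
    return header + "\n\n".join(render_section(f) for f in flows)


# Constructed sample inventory: one complete flow and one with the gaps the guide warns about.
NEWSLETTER = DataFlow(
    name="Newsletter",
    categories=["email address", "engagement events (opens, clicks)"],
    sources=["newsletter signup form"],
    purpose="send the product updates you asked for and measure whether they are read",
    recipients=["email service provider (processor)"],
    retention="until you unsubscribe, then deleted within 30 days",
    legal_basis="consent",
)
ANALYTICS = DataFlow(
    name="Analytics",
    categories=["IP address", "device identifiers", "pages viewed"],
    sources=["analytics SDK"],
    purpose="we may use this data to improve customer experience",
    recipients=["analytics vendor (processor)"],
    retention="",  # retention period not yet decided: must be fixed before publishing
)

if __name__ == "__main__":
    for flow in (NEWSLETTER, ANALYTICS):
        print(flow.name, "->", validate_flow(flow) or "ready to disclose")
    print(render_policy([NEWSLETTER], "1.0", "2025-10-01"))
```

Running it prints the Analytics flow's four gaps and renders only the Newsletter section; pass `legal_basis_required=False` for jurisdictions that do not require a stated legal basis.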

### 5. Explain the cookies and tracking technologies in use

- Include an overview in the policy, and ideally embed or link to a cookie notice that updates as tools change. A robust CMP detects these technologies for you and makes the list embeddable where you need it.
- Define purpose categories, i.e. essential or strictly necessary, performance, functional, and targeting.
- Explain [whether cookies/tracking require consent](https://usercentrics.com/knowledge-hub/gdpr-cookies/) and how users can choose at a granular level, decline, or opt out later. Under many privacy laws, all but essential cookies require consent.

### 6. Disclose data sharing, sales, and other uses, plus enable opt-out

- Identify all external entities you share with, including adtech, analytics vendors, hosting, support, and partners.
- Clarify if any sharing qualifies as a sale (which varies by law) or sharing for targeted advertising under applicable regulations.
- Provide opt-out information, including [specific formats where required](https://usercentrics.com/knowledge-hub/us-data-privacy-laws-by-state/#how-are-consent-and-global-privacy-control-managed-under-the-us-data-privacy-laws-7), like California's "Do Not Sell or Share My Personal Information" link, and the necessary rights request mechanisms.

Learn more about [zero-, first-, and third-party data](https://usercentrics.com/knowledge-hub/zero-first-and-third-party-data/), the differences among them and various benefits to your marketing strategy.

### 7. Explain international data transfers and security measures

- If you move data across borders, e.g. for processing or storage by third parties, specify the privacy and security mechanisms, like adequacy decision, standard contractual clauses, or binding corporate rules.
- Provide users with access to a copy of the privacy and security mechanism in detail, e.g. linked from the privacy policy, as well as contact information in the event of questions or concerns.

### 8. State retention criteria and periods

- Provide specific information about how long and under what circumstances data is retained, e.g. "as long as the account is active plus three years for dispute resolution." Some regulations specify retention periods, e.g. regarding financial operations.
- Clarify what happens to user data at the end of the retention period, e.g. that it is securely deleted or fully anonymized.

Learn about requirements for a compliant [Google Ads privacy policy](https://usercentrics.com/guides/privacy-led-marketing/google-ads-privacy-policy/).

### 9. Outline user rights and how to act on them

- List relevant user rights, which may vary by applicable law and jurisdiction. This is one area where geolocation functionality is useful, as it enables customizing user experience and messaging to relevant regulatory requirements. These rights can include:
  - Access to their data
  - Correction of incomplete or inaccurate data
  - Deletion of personal data
  - Disclosure of third parties (either categories or a specific list of entities) that have had access to personal data for stated purposes
  - Data portability, in which the user is supplied with their data in a usable format
  - Objection to data processing or withdrawal of consent, which requires cessation
  - Opt out of sale, sharing, targeted advertising and/or profiling
  - Provision of information about automated decision-making and opting out
  - Questioning the controller's profiling
  - Restriction of access to or processing of sensitive data
  - Not being discriminated against for exercising rights
- Provide a method for exercising rights, e.g. email address or web form, which also needs to include a means of identity verification. Also provide information about response times, which are usually legally mandated.
- Provide information about escalation options for users to lodge complaints or appeal the controller's response to a rights request.
- Include a statement that there will be no discrimination for exercising data privacy rights.

### 10. Describe security practices and breach response

- Summarize technical, administrative, and physical safeguards in place, like encryption, MFA, role-based access, and vendor security reviews.
- Explain your breach response process: notifying authorities and, usually, affected individuals, the steps taken to mitigate harm, and the actions taken to remedy the issue.

### 11. Include provisions for children's data

- Specify age thresholds (e.g. under 13 in many regions) and whether you knowingly collect data from children.
- Describe parental/guardian consent or verification procedures, and how parents can access, delete, or refuse processing of children's data.
- Provide a mechanism for obtaining parental/guardian consent before or at the time of collecting children's data, if you don't already have one in place for all users per legal requirement.

Learn more about the [Children's Online Privacy Protection Act (COPPA)](https://usercentrics.com/knowledge-hub/childrens-online-privacy-protection-act-coppa/), a federal privacy law in the US.

### 12. Provide governance and versioning information with change management

- Provide contact information for the Data Protection Officer, privacy expert, or comparable person/office.
- Include the policy's effective date, version history, and links to archived policy versions.
- State your review cadence, e.g. annual or upon material changes. Applicable laws may have specific time frames.
- Ensure updates flow into your product/release process and notify users as needed.

---

## How to create a privacy policy: templates, generators, and automation

Writing a privacy policy manually can be labor-intensive, and maintaining it to legal standards requires ongoing resources. You can **create a privacy policy** faster and keep it current by using a **privacy policy generator** integrated with your consent management platform (CMP).

These tools enable you to automate cookie disclosures, versioning, and synchronization with your actual stack changes.

Usercentrics [Web CMP](https://usercentrics.com/website-consent-management/) and [App CMP](https://usercentrics.com/in-app-sdk/) enable you to obtain valid consent; customize appearance, messaging, and user experience; and comply with requirements as laid out in your privacy policy.

When privacy policy generation and updates are linked to consent solutions, it helps reduce mismatches between your data handling operations and what you state in your privacy policy and cookie notice.

Get your comprehensive guide to [email and social media marketing privacy compliance](https://usercentrics.com/guides/social-media-email-marketing-compliance/email-marketing-privacy-policy/).

---

## Privacy policy best practices when drafting and updating

- **Use plain language** and define all necessary legal and technical terms clearly.
- **Break up the information** into cascading sections, with clear, scannable headings and logical progression of topics. (See example list above under policy structure.)
- **Localize the contents** for relevant regulations and languages to support privacy compliance and improve user experience.
- **Link actions near statements**, e.g. "You can opt out here" or "Contact us with any questions" as much as possible, and don't just put options or contact information at the bottom of the page.
- **Link to other relevant documents**, like the cookie notice if it's not part of the same document, terms of service, or data processing agreements.
- **Include contact information** for your company and third-party vendors and partners involved in data processing, where possible.
- **Sync your consent banner(s) and privacy policy.** The information in your policy and the consent options it describes should match what users experience when interacting with your actual consent banners.
- **Provide real examples** of what you use data for, e.g. "When you sign up for our newsletter, we use your email address to send updates and analyze engagement."
- **Use a privacy policy generator** that enables you to customize the contents for your data processing operations, relevant laws, and other details.
- **Set a schedule for data processing audits**, review of relevant regulations, and privacy policy updates so the privacy policy stays up to date.
- **Provide a downloadable/printable version** of the privacy policy.

Try the interactive Privacy Policy Generator demo. In our free interactive demo, learn how to get a customized, up to date privacy policy for your site in minutes.

[Start demo](https://usercentrics.com/product-demo/#ppg)

---

## How to add a privacy policy to your website (or app or anywhere else you need it)

There are several best practices to maximize visibility and usability to support privacy compliance and ensure your customers are well informed.

- Add a footer link to "Privacy Policy" so it appears on every page.
- Include a prominent link in your consent banner, and maintain a persistent icon or menu link.
- At points of data collection, like signups or account registration, checkouts, app store listing, or contact forms, include brief notices with a link to the full policy.
- In apps, include privacy policy links in the settings, profile screens, and onboarding flows.
- In emails, include a footer link to your privacy policy.
- Use anchor links in your privacy policy so users can jump to sections to quickly learn about their rights, how to contact you, which cookies you use, etc.
- Make the versioning and date stamp information clear and ensure that previous versions of the privacy policy are easily accessible. Include a brief "what's new" section or changelog for scannability.
- Use responsive, accessible design to ensure the policy is mobile-friendly, readable on all screen sizes, and fully accessible to people using assistive technologies, e.g. WCAG standards.
- Integrate the privacy policy with your consent management platform to maintain alignment between data use purposes and consent choices.

What are the requirements for a [privacy policy for Facebook Ads](https://usercentrics.com/guides/social-media-email-marketing-compliance/privacy-policy-for-facebook-ads/)? Find out now.

---

## Website vs. app privacy policy priorities

Websites and apps share a lot of functions and characteristics, particularly with regard to data privacy requirements. However, they're different platforms, and you'll want to customize for each as is relevant to your business.

### Privacy policy for websites

On your website, you'll want to ensure your privacy policy emphasizes data uses like:

- Cookie use
- Advertising partners
- Third parties (including scripts)
- Tracking tags

Use a comprehensive [scanner for cookie and tracker use](https://usercentrics.com/privacy-compliance-scanner/) that is well-integrated with your CMP and privacy policy so the policy stays up to date as your tech stack evolves.

### Privacy policy for apps

Data privacy compliance and required notifications for apps may include different data collection and UX requirements given the smaller screen and other considerations.

In your app(s), you'll want to ensure your privacy policy emphasizes data uses and access to functions like:

- Mobile permissions (camera, location, contacts)
- Operating system-level privacy controls
- In-app identifiers (IDFA/AAID)
- Push notification settings
- Backups and syncing
- Social login integrations

Clearly describe, and provide, functions that let users quickly and easily manage permissions within the app or via device settings.

Learn more: Understanding [LinkedIn Ads privacy policies](https://usercentrics.com/guides/social-media-email-marketing-compliance/linkedin-ads-privacy-policy/) for lead generation forms.

---

## Managing and updating your privacy policy

- **Establish a review schedule,** so you don't get behind on updates as new processing purposes, vendors, or tracking technologies are added. This should be at least annually, but some laws have specific mandated time frames.
- **Tie policy updates into your product release workflow**. Maintain version logs and make previous versions, ideally with a summarized changelog, easily accessible.
- **Update vendor and/or processor lists** as partnerships and contracts change.
- **Continuously sync consent tools, cookie scans**, and policy content. Automated scanning is invaluable to save time, mitigate risk of missed changes or errors, and to keep documentation updated.
- **Train your teams**, including Support, Marketing, Development, Compliance, etc., on the contents of the privacy policy, how it applies to your business, and your evolving privacy compliance responsibilities.

Your privacy policy contains a lot of varied information, and does require resources to keep up to date. But doing so is critical for privacy compliance and protecting your business, as well as demonstrating transparency and respect for data and privacy to your customers.

Fortunately, a customizable privacy policy generator and a robust, scalable CMP help automate many of these functions to save you time and give you peace of mind.

Still have cookie consent concerns? Requirements for cookie use are evolving fast. Book your free demo today — let's discuss how to protect your brand.

[Book demo](https://usercentrics.com/book-a-consultation/)

---

## Frequently asked questions

### How to write a privacy policy for a website?

Follow the 12-step framework above: map your data; determine applicable laws; draft purpose-based sections; cover cookies, sharing, transfers, retention, rights, security, children, and governance. Tie it into your website UX and maintain it via periodic reviews.

### How to write a privacy policy for an app?

Use the same structured approach, but include app-specific details like permissions, identifiers, push, sync, and OS settings. Link to in-app consent controls and describe how users can revoke data sharing from within the app.

### What should a privacy policy include?

At a minimum: controller contact information, data categories collected, processing purposes, legal bases (if required), cookies/trackers in use, recipients of data (partners/vendors), international data transfers, retention periods and deletion, user rights, children's data, security, complaint channels, and versioning.

### How do I create a privacy policy quickly?

Use a privacy policy generator connected to your CMP. These tools enable you to customize the policy to your business, and pull in actual scripts, cookies in use, and vendors, and help you automatically keep the privacy policy up to date.

### What are common mistakes to avoid with a privacy policy?

Ensure your privacy policy is customized to your data processing operations, website or app, and regulatory requirements. If you use a template, only use it as a starting point. Do not copy another company's privacy policy, or use a privacy policy generator that does not enable customization.

Do not use legalese or technical jargon that the average person cannot understand. Also avoid long paragraphs and too few section headings, which make the privacy policy hard to scan for specific information.

Make important parts easy to find, e.g. place links to actions such as rights requests next to the information about those actions.

Do not consider your privacy policy a one-time project to create and publish. Privacy regulations require that you provide up to date information on your data processing, vendors, and more.

Do not make your privacy policy hard to find, or only link to it from your website footer. Link to it wherever data processing actions take place, in your app settings, etc.
