What is a privacy policy and why do you need one?

Privacy policies help organizations comply with privacy laws by communicating to users about data collection used by websites and apps.
by Usercentrics
Dec 6, 2021

What is a privacy policy meant to communicate? Most websites and apps collect data from users via cookies and other tracking technologies. These technologies do everything from helping websites work correctly to enabling ecommerce to collecting visitor statistics and user behavior information. (Learn more about cookies.) Some of this information can be collected without notifying users, but in most cases a clear and accessible privacy notice is required.


Global privacy laws require organizations to clearly communicate specific information about what data is collected, for what purpose, who it may be shared with, and how it is secured. This is what a privacy policy is for (also called a privacy notice), and is why you need one as part of your data compliance strategy for the GDPR, CCPA, LGPD and other regulations.

Privacy policies and understanding personal data and collection

What is personal data?


Most websites and apps collect functional, statistical, or marketing data via cookies and other tracking technologies. Privacy laws typically define this information as the personal data of the users from whose online activities it’s collected. Such data can be used to identify an individual, so it is legally protected. Personal data can include information like:

  • First and last name
  • Email address
  • Account username
  • Phone number
  • Browsing history
  • Credit card number
  • IP address

Some personal data is also classified as “sensitive” if it could be used to inflict harm, such as health information, religious affiliation, sexual orientation, or racial background.


(Learn more: Personally Identifiable Information (PII) vs. Personal Data – What’s the difference?)



How do I know what cookies my website uses?


Websites and apps use cookies and other tracking technologies for everything from making the website function correctly to enabling ecommerce to gathering marketing data.


Using a scan to audit your website’s cookies is a great first step to understand what personal data you collect and how information about that data and cookie use must be communicated in your privacy policy.

Users’ privacy rights

Privacy laws like the GDPR, CCPA or POPIA require that users be notified when their personal information is collected, including, for example, from GDPR Article 13:

  • Who is collecting the information, who their representative is, and their contact information
  • The purpose(s) and method(s) for collecting the information
  • The categories of and specific information being collected
  • The legal basis or legitimate interest for the data collection
  • Any third parties used to collect the information or with which it may be shared
  • The contracts or adequacy agreements with any third parties that will access the data
  • The safeguards in place to protect the information


This information is included in a privacy policy, and must be specific to each organization depending on its operations, the data it collects and the relevant legal jurisdictions. In many cases, users must also be given the option to consent to or decline the collection or sale of their personal information, along with a process for doing so. This information should also be part of a legally compliant privacy policy.


Privacy laws typically protect consumers by stipulating that those who decline the collection or processing of their personal information cannot be denied access to products or services, or otherwise discriminated against by a company, for refusing consent for data collection or use.

In many jurisdictions, the legal requirements for a privacy policy, and for what it must contain, depend on where users are located. They do not depend on the type or size of the business or its revenue, on whether the website is used for ecommerce, or on whether it requires account creation. If you have EU customers, for example, you need a GDPR-compliant privacy policy.


It is important to know what data your website or apps collect, how it’s used, and what laws apply to your company, to ensure your privacy policy is complete and accurate. It also needs to be regularly reviewed and updated as operations, technologies and the regulatory landscape change. A privacy policy is a legal document, and as such we recommend working with qualified legal counsel and having a corporate Data Protection Officer.


Failure to comply with privacy policy requirements can contribute to regulatory noncompliance and penalties like heavy fines, prosecution, loss of business licences, data deletion and reputational damage to the company.



Third-party services and privacy policies


There is a legal requirement that a privacy policy must outline the third parties that will have access to or process the data you collect. However, it goes both ways: many third parties require website and app operators to post a privacy notice if they use the third-party services.


This can include in-page or in-app advertising, analytics services, ecommerce or app store usage and more. Services from large companies like Apple, Google, Facebook and Amazon are very widely used, and all of those require the companies that use their services to communicate with visitors or users what data they collect, for what purposes, and what is done with it.

Benefits of a good privacy policy

In addition to being a legal requirement, a good privacy policy is also important for your brand and for building user relationships. Consumers are increasingly aware of their online privacy and the mass collection of their data. They may not understand adtech in depth, but they shouldn’t have to in order to exercise their rights and have confidence in the websites they visit, the apps they use and the companies they do business with.


Making it clear what data you collect, how it’s used, who has access to it and how you keep it safe shows users that your company has mature processes in place to respect and safeguard privacy. It shows you respect the people who provide their time, data and money to your company, and that you aren’t just interested in strip mining their information. A clear, up-to-date and easily accessible privacy policy is a great tool for demonstrating your business’ principle of transparency and to build user trust.

How to write a good privacy policy

Organizations need to audit their data collection and processing to know what data they collect, how it’s used and secured, and who has access to it. This information is key to an accurate privacy policy. You will also need to know who the organization’s responsible party and contact person is, to ensure that information is correct and available as well.


DIY, copy, or policy generator


You can draft your privacy policy from scratch, or use a privacy policy generator or tool with privacy policy templates. It can be a page published on your website, or hosted by a privacy policy service and linked from your homepage or footer. It just has to be easily accessible to visitors and easy for them to understand, as well as kept up to date.


Copying a privacy policy directly from another website is not a good idea, as that document was designed for a specific company, and it would be easy to miss the changes needed to make it fit your business’ needs, leaving you non-compliant with the GDPR or other laws.



Data Processing Services


There are potentially thousands of Data Processing Services (web technologies) that can be used on websites, and which collect and process user data. That means you potentially need to keep many of them organized and list them in your privacy policy.


Usercentrics maintains a text database for more than 1,000 Data Processing Services that can be embedded as a template into your privacy policy. Save yourself time and resources from managing and maintaining this list manually.


We also regularly update the database, so the technologies included are up to date, helping maintain your privacy compliance and the seamless access to relevant information for your users. Companies can and should adjust these templates according to their operational needs.


Learn more about the Dynamic Privacy Policy feature.



Cookie policy vs. privacy policy


A cookie policy is different from a privacy policy: it only covers information relating to cookie usage, whereas a privacy policy covers much more, including data processing, data subject rights, data processor responsibilities, and more. Sometimes the cookie policy information is included as a section within the privacy policy.


If you are interested in a tool to help you create a customized, legally compliant privacy policy for your business, get in touch to learn more.
