How to Write a Privacy Policy

Last Updated on November 13, 2020

They’re complicated and not especially fun to write, but privacy policies are necessary to protect and respect our users. This post offers guidance on the elements you need in your policy and why they exist. We based the steps outlined below on GDPR guidelines, because it’s the best framework for drafting comprehensive policies, regardless of whether your company must comply with GDPR. 

This post is simply a guide—you should always check with your attorney to finalize any policy. 

Want to know how much privacy policies matter? Check out our previous post, Should Your Website Have a Privacy Policy?

Introduction and Definitions

The first step to creating your privacy policy is the introduction, or summary. The purpose of this section is to provide an overview of what information your privacy policy will cover and why you’re collecting user data in the first place. This is where you can communicate to readers that you value and respect their privacy (AirBnB and Spectrum.chat do a good job of this). 

Also include: 

• Contact information
• The date the privacy policy was last updated
• A list of terms and definitions. Your privacy policy is essentially a contract between your company and each website visitor, so you should help them understand uncommon terms.

Principles for Processing Data

When you explain why you collect data and that you take privacy seriously, you should also briefly cover the principles you follow for processing data. Article 5 of the GDPR lists six principles all companies must abide by when collecting and processing personal data. These principles are listed below, and you can also find more information about them here.

1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality 

This section is a chance to be transparent and promise customers that you: 

• Believe user privacy and data protection are human rights 
• Take protecting privacy seriously and recognize the duty you have to the people whose data you process 
• Only collect and process data when it is absolutely necessary 
• Will always make it clear why you collect data, how it will be used, and how long you will hold it for 
• Will not spam them and will give them the option to unsubscribe 
• Will not share their personal information without their permission 

Types of data

Most E.U. and U.S. regulations require companies to report the types of data they’re collecting. The GDPR says specifically calls out personal data and sensitive personal data. Your policy should be absolutely clear about every single type of data you deal with, and why you need to be handling that data.  

Users may be unaware you’re collecting data like IP addresses and cookies. To be transparent, many organizations break up this part of their privacy policy into sub-sections of “data you provide to us” versus “data collected by our website.” 

Personal Data

Personal Data includes any information that relates to an identifiable, living person. This includes a wide range of information relating to that person or a combination of information which, if put together, means that the person can be identified. The specifications under GDPR for personal data are very broad, so it’s likely that your company processes some type of personal data from site visitors, even if they never directly contact you or give you their name and email address. 

Examples of personal data include: 

• Name
• Address
• Email Address
• Phone Number
• IP Address
• Cookies

Sensitive Personal Data 

Sensitive Personal Data (sometimes also referred to as “special category data”) includes much more specific personal data such as an identification number or one or more factors specific to a person’s physical, mental, physiological, economic, cultural, or social identity. 

Examples of Sensitive Personal Data includes:

• Date of birth
• Ethnic origin
• Politics
• Religion
• Genetics
• Social Security number
• Biometrics
• Health
• Sex life and/or sexual orientation
• Trade union membership

How You Use Data 

GDPR regulations require that you lay out your purposes for processing personal data in your privacy policy, and why you have a good reason to do so. Consider this section the overall “what,” “how,” and “why,” that data is being used. 

Examples of what some companies list in this area include:  

• Verifying site users’ identity
• Personalizing the advertising they see on the website so that it is more relevant to them  
• Improving the design and style of the website
• Sending them service messages about their subscription or account registration
• Enabling them to share your content with others using social media or email
• Compiling customer reviews
• Conducting market research
• Granting them access to a subscription
• Informing them about products, services or promotional offers they might find interesting (if they have chosen to receive those types of communications)
• Logging and using information about any service errors or interruptions on the site that they may have experienced in order to create fixes and make technical improvements.

Legal Basis for Collecting Data

Under GDPR, you must have a good, legal justification for processing personal data. And your privacy policy must outline the details of that legal basis. 

Part 1 of Article 6 gives examples of possible instances/scenarios when it is lawful to collect and process personal data:

• Consent
• Contract
• Legal obligation
• Vital interests
• Public task
• Legitimate interests

What does this look like in real life? You could develop one statement for a single legal basis. Or you could show the correlation between types of data, the activity, and why you need to use it. The Pint of Science Festival is a good example of an organization clearly laying out its legal basis.  

Third Parties

You are permitted by GDPR to share personal data, as long as your privacy policy is transparent about it and provides details of the broad types of companies (payment processors, data collectors, mail carriers, etc.) with whom you share data. However, if you’re using any third parties and have a data processing agreement with them, be sure to check their terms and conditions, because some of them (like Google Analytics) require they be named specifically in your privacy policy. 

The privacy policy for Speckyboy provides a good overview to readers of third parties they use to collect data and the ones they send the data to, and why.  

Children’s Privacy

Per the Children’s Online Privacy Protection Act of 1998 (COPPA), no company or organization may knowingly collect personally identifiable information from anyone under the age of 13. Your privacy policy should include a brief statement that your product/service does not address children, and that if a parent or guardian becomes aware that their child has provided you with data they should contact you, so you can remove that information from your servers.  

Consumers’ Rights to Their Data

Consumers have rights to the data you have collected about them, so you need to tell them what they can do. Some examples:  

• They can request information about what data has been processed, who else outside of your company may have received access to it, how long their data will be stored, where/how the data was collected, etc.
• They may request you correct/rectify the record of their personal data if it is inaccurate
• They have the right to request your company erase any of their data or cease processing it

The International Association of Privacy Professionals (IAPP) does a great job of this on their privacy policy page in the “Data subject rights” section. 

Contact Information

Provide up-to-date contact information on your privacy policy so people can contact you with questions or concerns, exercising their rights to their data, etc. Even better than an email or phone number would be to have a Designated Protection Officer (DPO) to handle all privacy-related communications, if your company needs that level of oversight.  

Best Practices 

Layout

Consider how your privacy policy will be displayed on your site. A good place to start is the Privacy by Design Framework (PbD), a best-practice framework for user privacy that was originally created in the 1990s. Work with a designer or developer to ensure that it’s not just huge blocks of text, but is broken up into readable chunks. 

Walmart offers an intuitive layout. They condense the majority of the content, and if the user wants to see additional information, they simply click “More” to expand the text block. 

Location

Make the privacy policy and cookie policy links easily accessible from all pages of your site (these are typically found in the footer of websites). Privacy policies should especially be present during checkout/booking processes. A good practice is to include a link up in the order confirmation box too, not just in the footer. 

Next Steps

Policy Generators

Free and paid privacy policy generators are all over the place. You can research them and pick one to use as a basic template as you draft your company’s privacy policy.  

Consult with a Lawyer

After your draft is complete, or if you already have a policy, consult with a lawyer to help you determine the application of relevant data privacy laws to your company’s specific circumstances. 

Conclusion

You should strive for a readable, user-friendly privacy policy. Whether it’s read or not doesn’t matter—it protects everyone involved. Companies with forward-thinking approaches to data privacy gain an advantage over those who simply view privacy as an unimportant requirement. Remaining transparent and ethical will ensure that no matter what happens with GDPR, CCPA, or any future legislation, you remain a positive, trustworthy source for your customers.  

We understand how overwhelming these requirements can be. And we’re here to help. Contact us if you want to discuss how to get started with a privacy policy, or if you need help drafting one. 

Disclaimer

This blog post provides information about data privacy laws to help you understand the potential legal issues associated with them, but should NOT be considered legal advice. We highly recommend you consult with a lawyer to determine the application of data privacy laws to your company’s specific circumstances. While we have conducted extensive research to determine that our content here is as accurate as possible, you should consider this blog post as intended for informational purposes only.