How to Write a Privacy Policy

What is a Privacy Policy?

A privacy policy is a statement of a business or website’s policy on visitor data collection and how they use that data. This includes what’s kept confidential, what’s shared, and what’s sold to other organizations. A privacy policy is required by law for any business that has a website or a mobile app. Writing one may seem intimidating if you’ve never done it before, but follow this step by step guide and you’ll have a good privacy policy in no time. 

Important Privacy Laws

The legal requirements for website privacy policies vary by country and age of target audience. Here are a few notable ones: 

The General Data Protection Regulation (GDPR)

Countries of jurisdiction: The European Union 

Year implemented: 2018

The GDPR is currently one of the strictest and most broadly reaching privacy laws in the world. It applies to any business in the world that interacts with EU citizens. 

If your business is required to comply with the GDPR, your Privacy Policy needs to inform users of their GDPR-granted rights, your lawful basis for processing the data your website collects, and your contact information.

The GDPR also requires privacy policies to be written in plain language and easy to locate on your website. 

The California Online Privacy Protection Act (CalOPPA) 

Country of jurisdiction: The United States (California)

Year implemented: 2004

At the moment, the US doesn’t have a federal privacy law like some countries do. CalOPPA is a state law in California, but it’s the gold standard of working with US businesses since it’s nearly impossible as an online business to work with the United States and have no users from California. 

To comply with CalOPPA, you’re required to create a privacy policy and display a conspicuous link to it on your website. 

The Child Online Privacy Protection Act (COPPA)

Country of jurisdiction: The United States

Year implemented: 2000

COPPA is a U.S. law regarding privacy practices for websites and apps directed at children under 13. COPPA-compliant privacy policies are more complex than privacy policies. For example, they must grant children’s parents the right to verify consent, review personal information, make requests, and deny future data access. This is why many social media companies have age limits to avoid COPPA requirements.

The California Consumer Privacy Act (CCPA)

Country of jurisdiction: The United States

Year implemented: 2018

The CCPA is the most comprehensive data privacy law  to be passed by a US state. It was intended to give California residents more control over the information that businesses collect on them. It has many similarities to the GDPR, except it’s not as strict about cookie collection. 

The Personal Information Protection and Electronic Documents Act (PIPEDA) 

Country of jurisdiction: Canada

Year implemented: 2000

PIPEDA affects all businesses with users in Canada that collect, use, and store customers’ personal information.

To comply with PIPEDA, you must:

• Display a privacy policy that clearly informs users of your information practices
• Get consent before collecting personal data
• Make your privacy policy easy to find on your website (like CalOPPA)

The Data Protection Act (DPA)

Country of jurisdiction: The United Kingdom

Year implemented: 1998

The DPA applies to anyone who does business with the UK. To comply, you’re required to make sure:

• Any information you collect is used fairly and lawfully
• You only collect the data you need for a specific purpose
• The information you store is accurate and secure
• Data is not stored longer than necessary
• UK users’ data isn’t transferred to entities outside the U.K. without adequate precautions

The Privacy Act 1988

Country of jurisdiction: Australia

Year implemented: 1988

This privacy act only applies to Australian businesses except for health service providers.  Foreign health services that interact with Australian citizens are required to comply with the requirements, including:

• Clear explanations on how you collect and manage personal data
• Anonymity or pseudonymity upon request
• Outlining a destruction process for any unsolicited personal information you receive
• Disclosure of direct marketing efforts
• Limited distribution of data outside of Australia
• A way for users to access and correct personal information you collect

Topics for Every Privacy Policy

Which User Information is Collected

This is where you state what personal data you collect from your users or visitors, including but not limited to

• Names
• Phone numbers
• Addresses
• Email addresses
• Credit card details
• Ages
• IP Addresses

Methods of User Data Collection

You are required to inform users how you collect data about them. This includes geographical location tracking, partnerships with any third-party services, et cetera.

User Data Usage

You’re also required to include what your visitors’ private information is used for after you collect it. Some examples of uses include: 

• Advertising purposes 
• Legal basis
• A personalized customer experience
•  Payment processing

Children Under 13

Even if children aren’t the target audience of your website, your privacy statement is required to include a clause that addresses the privacy of children under 13. 

If your website targets adults, then a simple statement in your policy should suffice. But if children or teenagers are part of your target audience,  you’ll need to include more information to comply with COPPA.

Communications

At some point, you will probably want to get in touch with your customers, and they may want to contact you. Because contact information includes personal information, it's necessary to include a communications clause.

Business Transfers

A business transfer clause lets users know that their personal information will be transferred to a new owner if your business is acquired by another entity. Even if you don’t plan to sell your business, including a business transfer clause is still a good idea. This clause can  limit your liability if you do sell your business in the future.

Dispute Resolution

This clause is what it sounds like: a description of measures your business takes to resolve privacy-related disputes. Your terms and conditions should include a more detailed outline of governing law, but it’s a good idea to include a short dispute resolution clause in your privacy policy. 

Future Changes to Privacy Policy

This section should inform users of your right to make changes to the Privacy Policy at any time, and of their right to know about it. It should let users know that they will be notified of any changes at the time the changes occur and which method of communication you will use for notifications.

User Rights

Your privacy policy should clearly state the rights of users to delete, make changes to, and review data. 

The GDPR and some other privacy laws include specific rights you are required to give users. Before you write your user rights clause, read up on those for the laws that are applicable for your business.

Your Business Contact Information

This is where you provide a list of ways users can contact you if they have any questions or concerns about their privacy. If you can point them to a specific email address or department for privacy, this will show that you are committed to protecting their privacy. 

Clauses Some Businesses Need

Depending on the products and services you provide, the types of information you collect, and you use the information, you may need to include some of the following clauses:

Cookies Policy

Cookies can be a lengthy topic, so it’s a good idea to give them a separate policy. Even if your business doesn’t use cookies to gather user information, a third party software or plugins on your website or mobile app might use them.

Make sure your cookies policy includes:

• What cookies are
• How and why you use them
• Which types of cookies your business uses
• What each type of cookie is used for

Third Party Access

Most websites and mobile apps use third party services for some tasks. If you use any third party affiliates, you’ll need a Third Party Access to Information clause to inform users who these third parties are and why they need access to their data. 

User Data Retention

A data retention clause is necessary for any websites with subscriptions or user accounts. The purpose is to let users know their rights to delete their subscriptions and accounts, and inform them of any information that the database will save after they delete their accounts.

Website Privacy Policy Best Practices

• Write your privacy policy in plain language, avoid legalese
• Include a table of contents
• Make section headings clear
• Update your policy regularly
• Be transparent and keep your promises
• Make it easy and intuitive for users to change and delete their personal information and opt out of marketing communications
• Follow the federal trade commission’s recommendations for protecting users’ personal information
• Keep your security measure up to date 
• Ask for as little personal information as possible

Do I Need a Lawyer to Write a Privacy Policy?

You are not required to hire a lawyer to write your privacy policy. It could still be a good idea to hire an attorney who is familiar with data privacy laws to review it with you, especially if you have complex data collection needs, do business in multiple countries, or need to be COPPA-compliant. 

There are several great privacy policy templates and free privacy policy generators for all kinds of business needs that can help you draft a privacy policy without legal advice.

How Sav Can Help

Here at Sav, we’re dedicated to creating and protecting your digital identity from your domain to your website to the products and services you sell. Create an account today to get started.