Do I Need a Lawyer to Write a Privacy Policy?

You don't necessarily need a lawyer to write a Privacy Policy for your website or mobile app.

There is no legal requirement that a lawyer be involved when writing your Privacy Policy. With the amount of resources, information and how-to guides available online today, you should be able to quite easily draft your own basic Privacy Policy.

However, you may want to have a lawyer write your Privacy Policy. The more complex your business practices are, the more you may benefit from legal assistance.

For example, if you run a small personal blog that only collects email addresses to send your monthly newsletter, you probably won't need a lawyer. But if you run an ecommerce business that ships to customers around the world, legal assistance may be helpful since your Privacy Policy will be a bit more complicated.

We'll take a look at some of the reasons why you don't need a lawyer to write a Privacy Policy, and some of the reasons why you may want to get a lawyer involved.


Why You Don't Need a Lawyer to Write a Privacy Policy

There are two main reasons why you don't need a lawyer to write a Privacy Policy.

The first reason is exactly that: You are not legally required to have a lawyer write your Privacy Policy.

While laws do require you to have a Privacy Policy and often dictate what the policy must include, laws don't address how you get to the end result. You are free to use a lawyer, but you do not need to if you feel comfortable drafting the policy yourself.

The second reason is that, because Privacy Policies are such common agreements, there are a number of helpful resources online that can assist you when creating a Privacy Policy without the need for legal advice or assistance.

Some of these resources include affordable Privacy Policy generators, free Privacy Policy templates and informative blogs.

Online Resources For Creating a Privacy Policy

If you use a Privacy Policy generator, you'll typically pay a one-time small fee that's far less expensive than a lawyer. You'll answer a number of questions about your business practices and a custom Privacy Policy will be generated for you.

Free Privacy Policy templates are widely available online. While this can be the most affordable option, note that it's also the most basic and least customized option. Make sure you use a template from a highly reputable source and tailor it for your specific business practices. Otherwise, you may end up without key clauses and legally-required sections.

Informative blogs can help you write your Privacy Policy by sharing useful information and real-life examples of what to do and what not to do with your own policy. They can also help you really understand the laws and processes behind creating a Privacy Policy.

For the most part, Privacy Policies are fairly standard and include information about the following:

  • What personal information you collect
  • How and why you collect it
  • How you use it
  • How long you retain it for
  • How you protect it
  • Any legally-granted rights users have regarding all of this
  • Your contact information

This may sound like a lot. However, if you have a good grasp on your internal practices and/or have a smaller business that only collects minimum information for basic purposes, you should fairly easily be able to address each of the points above simply by using online resources.

When Would You Want a Lawyer to Write a Privacy Policy?

Even though you don't legally need to use a lawyer when writing your Privacy Policy and there are a ton of online resources to help you draft your own, there are situations where you may want to seek the expertise of an attorney.

When deciding if you should enlist a lawyer, consider the complexity of your business.

Ask yourself the following questions:

  • Do you collect a large amount of personal information from your users?
  • Do you have an ecommerce component?
  • Do you have users in multiple countries or legal jurisdictions?
  • Do you transfer data to or from third parties?

As a rule of thumb, the more personal data you collect and the more widespread your user base is, the more complex your Privacy Policy (and privacy practices) will become.

This is because you'll need to disclose each piece of data you collect, along with information about how you collect it, how you use it and so forth as noted above.

If you collect one or two simple things, this will be pretty straightforward. But you can see how things can get complex if you collect many different pieces of data for a variety of purposes and from a range of sources.

Do You Collect a Large Amount of Information?

Consider an ecommerce store that collects sensitive financial information, mailing addresses, phone numbers and uses retargeting cookies to advertise to customers after they leave the site. You can see how this would be more complex than someone who runs a personal blog to showcase artwork with no option to purchase, and only collects email addresses.

Here's an excerpt from Amazon's Privacy Notice that discloses how the company uses personal information it collects. Because Amazon is a large, international company that provides goods and services, from grocery delivery to audio books, you could imagine how its Privacy Notice would be quite complex:

Amazon Privacy Notice: For What Purposes Does Amazon Use Your Personal Information clause

Amazon uses personal information for things like personalizing product recommendations, providing voice, image and camera services, to process and deliver orders and to prevent fraud.

Contrast this with Luke Storey's Privacy Policy. Luke Storey runs a podcast and website, so his Privacy Policy is far less complex than Amazon's:

Luke Storey Privacy Policy: How Your Information is Used clause

Information is used for more basic things like communications, improving the website and resolving problems.

Things can get even more complex if your user base is broad and international.

Do You Have International Users?

A number of countries and U.S. states have privacy laws in place that you'll need to comply with if you have users in those regions. For example, if you collect even just an email address from an individual in the European Union, your Privacy Policy will need to be compliant with the EU's General Data Protection Regulation (GDPR).

The GDPR is quite strict and has a number of specific requirements for a Privacy Policy, including disclosing user rights and the legal bases for processing personal information. Here's an example of a clause required by the GDPR, from the AAAS Privacy Policy:

AAAS Privacy Policy: GDPR Legal Basis for Processing Personal Information chart

California also has strict privacy laws like CalOPPA and the CCPA.

Sony Pictures' Privacy Policy has a brief overview section at the beginning where it summarizes important information. In this overview, Sony includes a short clause that directly addresses California residents:

Sony Pictures Privacy Policy: Overview section - California Privacy Rights and Choices

This summarized overview section links to other sections of the Privacy Policy where more relevant information can be found, such as the detailed, thorough clause about California privacy rights. Here's just an excerpt:

Sony Pictures Privacy Policy: California Privacy Rights clause

Children are also offered special protections under privacy laws like California's Children's Online Privacy Protection Act (COPPA). If your business is aimed at children or you knowingly have children using your site or service, your Privacy Policy requirements will increase.

Edutopia's Privacy Policy includes a clause that addresses children under the age of 13:

Edutopia Privacy Policy: Children's clause

You may want to consider having a lawyer write your Privacy Policy if your business collects a large amount of personal information and/or has users in other countries with complex privacy laws.

Another reason you might want to use a lawyer to write your Privacy Policy is if you just don't have the time to create one yourself. Time is money. You may prefer to focus exclusively on growing your business and let a lawyer handle your legal agreements.

However, note that using a Privacy Policy generator is exponentially cheaper than using a lawyer and will actually save you time, too. You won't have to call and speak with an attorney or set up an appointment to head to an office. In just a few minutes at your computer you can have your Privacy Policy ready to go.

To summarize, you technically and legally do not need a lawyer to write a Privacy Policy. There are a number of resources available to help you create your own.

However, if your business collects a lot of personal information and does business far and wide, having a lawyer write your Privacy Policy can help ensure you cover all bases and comply with all applicable laws.

Sara P.

Law school graduate, B.A. in English/Writing. In-house writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.