What Does a Privacy Policy Need to Include?

Last updated on 01 July 2022 by William Blesch (Legal and data protection research writer at TermsFeed)

If you've ever wondered what a Privacy Policy needs to include, you're in luck. This article is going to give you the nuts and bolts.

First, you should know that laws are changing worldwide as new data privacy regulations go into effect. Many of these rules update and expand upon existing data privacy laws, so business owners must ensure they comply with the laws of whatever geographic location they happen to do business in.

In practical terms, this means that the privacy policy for your website, app, blog, etc. might need to handle the legal privacy requirements of multiple countries.

For example, suppose you do business in the State of California and in European countries. In that case, your Privacy Policy is going to need to address the demands of the California Consumer Privacy Act (CCPA). It will also need to abide by the European Economic Area's General Data Protection Regulation (GDPR).

It's important to keep in mind that these laws apply to your business whether or not you are physically located in California or the European Economic Area. If you merely do business in those geographic regions, these laws apply to your company, and your Privacy Policy must reflect that.

Because of the above, it is generally considered a good rule of thumb to ensure that your Privacy Policy, which is legally mandated, adheres to the strictest terms. That way, you will automatically be covered should you happen to do business in an area that doesn't have the same kind of stringent requirements.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.
  2. Answer some questions about your website or app.
  3. Answer some questions about your business.
  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

You'll be able to instantly access and download your new Privacy Policy.

What are the Key Components of a Privacy Policy?

The key components of any Privacy Policy should include clauses and sections that disclose the following information:

The Policy's Effective Date

Always include the date that the Privacy Policy became effective, or the date of its last update. This is typically included at the beginning of the policy, as you can see here from Pandora:

[Screenshot: Pandora Privacy Policy with last updated date highlighted]

Who Owns the Website or Mobile App

This can be part of an introduction clause, such as this clause from Pandora that notes the official business name, and that the policy applies to itself and its subsidiaries:

[Screenshot: Pandora Privacy Policy, intro clause]

What Information is Being Collected, and How

Let users know what information you are collecting. Be as specific as possible, as Pandora is here, listing each data type in its own section:

[Screenshot: Pandora Privacy Policy, "Information We Receive or Collect from You" clause excerpt]

The clause also includes how the data is collected, such as when a user registers, signs up for a subscription, or responds to ads.

How You Use the Collected Information

This clause is where you let users know what you'll be doing with the collected personal information. As always, be as specific as possible without being overly complex in language.

Here's how Pandora does this:

[Screenshot: Pandora Privacy Policy, "How We Use Information We Receive or Collect" clause excerpt]

Using a list format makes a clause like this easier to read and helps with clarity.

Will You Share or Sell User Information to Third Parties?

This is a very important clause, as users have the right to know not only what you do with their information, but also whether any other company will have access to it.

Here's how Pandora lets users know who information may be shared with, under what circumstances, and how the sharing will be done:

[Screenshot: Pandora Privacy Policy, "How We Share Information We Receive or Collect with Others" clause excerpt]

List of User Rights

You'll need to let users know what their rights are and how they can exercise them. Some of these rights may only apply to people in certain jurisdictions, such as rights specifically granted to California residents under state law.

Here's how Pandora lets users know about their rights and how they can exercise them:

[Screenshot: Pandora Privacy Policy, "Your Privacy Rights Under State Laws" clause excerpt]

How Updates to the Privacy Policy Will Be Communicated

Let users know how you will inform them if or when you make material changes to the Privacy Policy. This is typically done via email or through a pop-up notice the next time a user visits a website or uses a service that has an updated Privacy Policy.

Here's how Pandora notes that users should check the policy page periodically, and also that any material changes will come with notice, likely via an email:

[Screenshot: Pandora Privacy Policy, "Changes or updates to the Privacy Policy" clause excerpt]

Why Should My Privacy Policy Be Unique?

Your Privacy Policy needs to reflect your company's actual privacy practices. Ideally, it should be custom-tailored to ensure that you are legally protected based on the legal jurisdictions and geographical boundaries within and across which you may do business.

While many of the clauses seem fairly boilerplate and the same across the board, they still need to be specific to your own practices and must be accurate.

Without your own custom Privacy Policy, you could run into some issues.

Your Privacy Policy should be unique because it's an actual legal contract. A Privacy Policy is a legal agreement between your business and those who use its website, mobile app, or blog. Depending on how the Privacy Policy is written, it could have serious legal consequences for your company.

For instance, if you cobble together a Privacy Policy by copying and pasting from a competitor's policy, yours may have legal gaps of which you're unaware. If someone challenges the way you use their private information in court, and you aren't covered the way you think you are, your company could face enormous fines and other penalties.

You Could Lose Customers

Consider what might happen if you tell your clients, customers, website visitors, etc. one thing in your Privacy Policy, but that policy omits vital information or describes a data collection process you don't even use.

If those individuals discover that your business has practices that your Privacy Policy says you don't, it's a breach of trust. For example, maybe your Privacy Policy says you don't share or sell data to third parties, but you actually do.

Recall the maxim that people do business with those whom they know, like, and trust. If you break the trust of those who use your website, blog, or app, they're not going to want to use your products or services any longer. You're going to make them angry, and then through word of mouth, each one is likely to tell about fifteen other people.

Your company could suffer a severe backlash along with potentially awful PR because you made a wrong choice. You don't want to put your company in the position of having to do damage control for years to come.

What Should a Privacy Policy Include for My Mobile App?

Most points that apply to website Privacy Policies also apply to any Privacy Policy you create for your mobile app.

For example, you need to let users know:

  • What kind of personal data you collect
  • How the user's data is collected
  • How your app's users can ask for more information on the data you collect
  • What you plan to use someone's personal data for
  • About any third-party apps, integrations, etc. that access data through your app

Moreover, you need to pay attention to any requirements imposed by the various app stores. For instance, the Google Play Store requires apps to have a prominently displayed Privacy Policy, and Google also details what that policy must contain.

At the end of the day, if your app interacts with users at all, you need a Privacy Policy to ensure that you're in compliance with global legal requirements.

What Should a Privacy Policy Include for My Website?

In brief, every element discussed up to this point ought to be considered when deciding the contents of the Privacy Policy you place on your website.

Remember that if your company collects and uses data through your website that includes personal information from clients, customers, subscribers, or just visitors, you need to place a link to your Privacy Policy in prominent locations on your site such as the header or footer.

Recall that your Privacy Policy is intended to inform users, but it's also intended to provide your business with certain legal protections. Don't engage users without it.

William Blesch
Legal and data protection research writer at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.