How to Write a Privacy Policy

Last updated on 01 July 2022 by Jocelyn Mackie (Former civil litigation attorney. Content legal strategist at TermsFeed)

A Privacy Policy is a document that notifies your website's users on specific issues concerning their personal, private information. Specifically, it lets users know what type of information you collect, why you collect it, how you will use it, whether you share or sell it, and how you will protect it.

Today, a Privacy Policy is required in practically every nation that has the internet. Outside of the fact that this document is compulsory, it's also instrumental in assuring your website visitors that your business is reputable and worthy of their trust.

With that said, you might be asking yourself, "Okay, how do I write a Privacy Policy?"

We'll show you how.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option, the App option, or both.

     TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

     TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

     TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

     TermsFeed Privacy Policy Generator: Enter your email address - Step 4

     You'll be able to instantly access and download your new Privacy Policy.

Before You Write a Privacy Policy, Know the Laws

The first thing you should do if you plan to write your own Privacy Policy is to familiarize yourself with the major laws that require you to have one. That way, you'll know what these laws demand, what your Privacy Policy must disclose to your website's users, and why.

Once you're familiar with the demands of these major laws, go back over precisely what information your website asks for. Pay attention and document precisely how you manage that data, and how and where you store it. You'll need to be able to disclose all of that in your Privacy Policy.

Below are some of the main global privacy laws you must consider:

The EU's GDPR

The GDPR is currently one of the world's strictest and most broadly reaching privacy laws. It affects businesses around the world that interact with or reach people in the EU.

If you must comply with the GDPR, you'll need a Privacy Policy with some specific information included within it. For example, your Privacy Policy needs to inform users of their GDPR-granted rights, state your lawful basis for processing data, and provide a way for users to contact you.

Your Privacy Policy needs to be written in clear language that an average person can understand, and you must make the policy easy to find and access.

CalOPPA in the U.S.

While the U.S. does not yet have a broad federal law that places privacy protection requirements on companies, California has a few state laws addressing privacy protection. Since California is a large population center in the U.S., it's essentially impossible to transact American business without involving customers living in California.

CalOPPA (California Online Privacy Protection Act) requires developers to create a Privacy Policy and display a conspicuous link to it on their websites. This is required of all developers who collect personally identifiable information like names, street addresses, telephone numbers, birth dates, and email addresses.

To comply, you need to pay attention when designing your website. Customers must find the link to your Privacy Policy easily and not have to dig through text, graphics or other distractions to access it.

COPPA in the U.S.

COPPA (Children's Online Privacy Protection Act) is a U.S. law that affects privacy practices for websites and apps directed at children under 13. It imposes additional protections if you create online products for children.

Privacy Policies adapted for the COPPA law must be clearly posted and address the fact that you collect personal information from children under 13. It grants rights to parents to verify consent, review the information, make requests, and deny future access to the data.

COPPA Privacy Policies are more complex and go beyond the basic drafting instructions addressed in this guide. Many companies, like Tumblr, limit use of their apps to those age 17 and older in order to avoid COPPA requirements.

PIPEDA in Canada

If you're transacting business in Canada, you're held to the requirements of PIPEDA (Personal Information Protection and Electronic Documents Act).

The law affects all businesses (including foreign ones) that collect, use, and store personal information provided by customers.

PIPEDA requires that you:

  • Draft a clear Privacy Policy that informs users of your information practices
  • Collect personal information by fair and lawful means
  • Secure consent before collecting personal data

Like with CalOPPA in the U.S., your Privacy Policy should be easy to find on your website.

Also, on your signup form, use clickwrap to ensure users accept the terms of your Privacy Policy, which secures their consent. You may wish to add banners and other prompts that notify users that you're requesting personal information.

DPA in the UK

In the UK, the Data Protection Act 1998 (DPA) addresses how businesses, the government, and other organizations use personal information. Through its "Principles of Data Protection", the DPA ensures information is collected, used, and stored securely.

If you are transacting business in the U.K., you must ensure:

  • Collected information is used fairly and lawfully
  • Data is used for limited and specific purposes
  • Information is used only to the extent that it is adequate and not excessive
  • The information you store is accurate
  • No data is stored for longer than necessary
  • Security for data in your possession
  • Respect for users' rights including correcting data, denying future access or providing notification if there is a breach
  • No data transfer to entities outside the U.K. without adequate levels of precautions

Many of these principles are addressed well through a complete Privacy Policy. You also need to make the effort to provide comprehensive data security.

Privacy Act in Australia

Like the U.K. law, Australia's Privacy Act 1988 also contains privacy principles governing the collection and handling of personal data.

Under these principles, you must provide:

  • Clear explanations on how personal data is collected and managed
  • Anonymity or pseudonymity when requested
  • A destruction process if you receive unsolicited personal information
  • Notification to users if you collect personal information
  • Disclosure of direct marketing efforts if your service includes it
  • Limited distribution of data outside of Australia
  • A way for users to access and correct personal information you collect
  • Effective security procedures for protecting personal information

Unlike the other laws, this one only applies to Australian businesses and agencies. However, if you run a health service provider, it will apply to you even if you are a foreign business. When it comes to health information, the requirements are relevant to all entities who interact with Australian citizens.

How Can I Write a Privacy Policy for My Website?

Review Data Collection and Use

Before you start writing, it's necessary to take an inventory of what data you collect and what you use it for.

The less personal information you request, handle, and store, the easier it is to write your Privacy Policy. You can make this work for you by reviewing the necessity of collected data.

Take an honest assessment of the user data you collect (or wish to collect) and its necessity.

For example, if you're providing an app that allows users to track mental health symptoms, do you really need a medical record number, home address or primary care provider's name?

In this example, it's likely easier to request a username and email address at signup or allow the user to participate anonymously.

However, if your app alerts users to health test results, you actually require more personal information. In this case, you'll need to ensure a sound Privacy by Design approach to data security and to keeping users informed.

Performing this audit makes compliance easier, too. The jurisdictions listed above encourage developers to only request as much personal data as necessary. A critical assessment of the minimum data you need for your website or app to work proves essential in this area.

After you have a good level of insight into your own business practices, you might want to take a look at examples of Privacy Policies on the websites of your competitors (or those you know do business in the same nations as you).

There are free Privacy Policy generators and templates accessible online. However you choose to get your Privacy Policy written, here are some things to keep in mind.

When you start writing your Privacy Policy, make sure you do the following:

  • Make sure the Privacy Policy is visible - Think about putting a link to the policy in your website's header or footer on every page. Put a link to the Privacy Policy on any landing page, squeeze page, etc., and in a prominent place on any form that collects user data, so that visitors can check your policy.

    Note how Amazon places its Privacy Notice in the footer of its website:

    Amazon website footer with Privacy Notice highlighted

  • Be transparent - Don't try to hide anything from your website's users. Remember that a Privacy Policy is not just a requirement of law; it is also a commitment to treat your users' personal, perhaps very sensitive, information with respect. You should ensure that your Privacy Policy reflects your actual data practices accurately.
  • Keep your policy up to date - If there are any changes in how you collect information, how you store it, whether you share or sell that information, or how you protect it, be sure to update your Privacy Policy accordingly.

Clauses for Your Privacy Policy

Include the following in your Privacy Policy:

  • What kind of information is collected, and how
  • How you use the information
  • If/when you disclose the collected information to third parties
  • How you protect the information you collect
  • What rights users have regarding the collection and use of their information
  • Notification of changes to your practices and Privacy Policy
  • Your contact information for any questions users may want to ask

Let's take a look at some examples of each of these clauses.

What Information You Collect

The easiest way to address this section is with a list. You can use bold type, headings or a bulleted list - whatever you prefer.

There are Privacy Policies that crowd this information into a paragraph format. That is not easy for users to read. A list is easily digested and understood.

Also, the list acts as a checklist so you can be sure you did not miss anything. That also assists with compliance.

Here's how Amazon breaks this information down by category to readers, letting them know that it collects information automatically, as well as what the user provides and from other sources:

Amazon Privacy Notice: What personal information about customers does Amazon collect clause

From within this section, the reader is linked to a more detailed list of specific types of information, which is very helpful:

Amazon Privacy Notice: Examples of personal information collected clause

Pandora offers a similar list using bold type and paragraphs to describe the information it collects. This is a sample of the types of data it collects and how it gathers it:

Pandora Privacy Policy: Information We Receive or Collect from You clause excerpt

How You Use the Information You Collect

This is another long and important section to write in your Privacy Policy since your compliance with privacy laws may depend on it. Consider this section as an opportunity to explain to users why you use and disclose the data you collect.

Like the section on type of information and how it is collected, these provisions also benefit from a bulleted list.

However, when it comes to the use of information, there's often a need to provide reassurance. If this is your situation, you can present those provisions after your bulleted list.

Pandora does just that in this informative list:

Pandora Privacy Policy: How We Use Information We Receive or Collect clause excerpt

Your list should include how data collection benefits users, but also how it serves your business model. This is not advertising your services but offering transparency. Even if you collect data only to monitor usage patterns and satisfaction in order to develop new features, that still needs to be disclosed to your users, even if that effort never directly helps them.

Any Disclosure of Information to Third Parties

There are situations where you may disclose user data to third parties and you need to let your users know about this possibility in your Privacy Policy.

You could be ordered by a court to do so or provide the data to a hired consultant. There are likely situations where you would share this data that have not occurred to you.

That is why you need to address how you share information with third parties - even if you have never felt the need to do so.

You don't want to face liability because you shared data with third parties in order to better understand the performance of your website or app. Explaining in your Privacy Policy how you share the data you collect covers these situations.

Here's how Pandora notes how information will be shared, with a section focused on third-party sharing, specifically:

Pandora Privacy Policy: How Information is Shared clause - Third Party section highlighted

How You Protect Information You Collect

This clause doesn't need to be long or detailed. You basically just need to state that you do have security measures and safeguards in place to protect the information.

Here's a basic but adequate example from Datadog:

Datadog Privacy Policy: Security clause

This example from ABC Fitness shows a greater level of specifics and details, such as what steps employees take to increase data security:

ABC Fitness Privacy Policy: Information Security clause excerpt

If you can give your users specific information here without compromising your own security, do that. Common practices like SSL encryption and HTTPS access are worth mentioning and that detail will not compromise your proprietary interests. It will gain your users' confidence.

User Rights

The rights of users to delete data, make changes, and review data should also be clear in your Privacy Policy.

Many privacy laws, such as the GDPR, include specific rights you must give to users. Make sure you're familiar with these nuances when writing your User Rights clause or clauses.

Here's how Ancestry outlines what rights users have, and how the rights can be exercised:

Ancestry Privacy Statement: Your Rights and Choices Regarding Your Personal Information clause

Here's how Sony Pictures has a clause specifically addressing rights that California residents are given:

Sony Pictures Privacy Policy: Overview section - California Privacy Rights and Choices

Notification of Changes to Your Privacy Policy

This is technically a right granted to a user but it often occupies its own heading in a Privacy Policy. If you change your information practices and your Privacy Policy, users must be informed.

Giving yourself the duty to notify users of changes adds to your responsibilities, but it is also in the interest of transparency. Even if only a few users read the announcement of a revised Privacy Policy, you have still satisfied your obligation.

These clauses also grant you the right to make changes. This is vital if this is your first Privacy Policy, or if you released an app that differs from your other products, because it gives you room to update your Policy as new issues arise and as you tweak and update the app itself and how it functions.

Errors may arise as you distribute your new app and roll out the next version of your website, and you need the tools to address them. One of these tools is updating your agreements.

Here's an example of an email sent out by Reddit that alerts its users of updates and changes to the Privacy Policy:

Screenshot of Reddit Privacy Policy updates email

And here's how Pandora notes in its Privacy Policy that the policy may be updated and changed periodically, and how users can be aware of the updates:

Pandora Privacy Policy: Changes or updates to the Privacy Policy clause excerpt

Your Contact Information

Good Privacy Policies end with contact information in case users have questions. You can provide this in any format you wish including email addresses, mailing addresses, telephone numbers or links to online forms.

These clauses tend to be very short and to the point, like Pandora's seen here:

Pandora Privacy Policy: Contact Us

If you handle especially sensitive information like medical history or home addresses, you may want to dedicate a separate email address for these questions. That allows for a timely response and better service to your users.

Your Privacy Policy is a major component of user confidence and legal compliance.

These guidelines will help you write a basic Privacy Policy that's effective and compliant in the main jurisdictions around the world.

If you spend time considering your information practices and gathering details before you draft, this task will be less daunting and your finished Privacy Policy will be accurate, thorough and as complete as possible.

How Can I Write a Privacy Policy for My Mobile App?

Your app is basically no different than a website when it comes to Privacy Policies. To be compliant with most major legislation, you need a Privacy Policy for your mobile app if your app collects a user's data.

Moreover, developers must keep in mind that app stores like Apple's App Store and Google Play insist that Privacy Policies be included both inside the app itself and in the app store listing.

As with websites, remember that Privacy Policies help engender trust between you and your app's users. They provide users with a sense of security and comfort, knowing that you care about their sensitive information and its security.

Places to include a link to your mobile app Privacy Policy include:

  • Within the app store listing
  • Whenever you ask for permission to use personal data, such as to access photos or a mobile device's microphone
  • On an account sign-up and login page
  • On a checkout or payment page
  • In an About menu or legal page inside your app

Can I Copy-Paste Someone Else's Privacy Policy?

In essence, you could use someone else's Privacy Policy as a template. However, copying everything word for word and then expecting the document to be fully applicable to you and your business could be short-sighted.

Consider the fact that merely copying and pasting doesn't provide you with a tailor-made Privacy Policy that covers your business's specific needs.

For example, you could violate your own policy if you lifted a clause from someone else's Privacy Policy, stating that you don't share private, identifiable data with third parties when you actually do.

That's why it's best to exercise caution. Customizing your Privacy Policy to your business's specific needs is the better option.

Do I Need a Lawyer to Write a Privacy Policy?

The short answer is "no." You don't need a legal professional to write your Privacy Policy. However, that's not to say you shouldn't hire one. It truly depends on how in-depth your Privacy Policy needs to be and what considerations must be taken into account.

If your data collection needs are very complex, you may want to have an attorney who is familiar with the data privacy laws in the country you intend to do business in, and who speaks the native language, go over your proposed Privacy Policy.

Another reason you might wish to use a lawyer to write your Privacy Policy is if you do business all over the place. Maybe your website's users come from the EU, North America (specifically California), and Brazil. You'd want to be assured that your Privacy Policy covers all eventualities so that you're guaranteed to be compliant with all major laws.

However, no law demands that you hire an attorney to write your Privacy Policy. Plus, there are great templates and online generators that can help you draft a Privacy Policy without legal advice, and that are actually tailored to the needs of you and your website's (or app's) users.

To make things even easier, use our Privacy Policy Generator.

Jocelyn Mackie

Former civil litigation attorney. Content legal strategist at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.