What Makes a Good Privacy Policy?

A strong privacy policy protects your business and your customers from unauthorized data access and use. If you gather any type of data on your website or app users, you need this policy in place. The privacy policy outlines how your business collects, stores, uses and shields personal information.

More than half of American adults (53%) have decided not to use a service because of data privacy concerns, according to data collected by the Pew Research Center. Understanding applicable laws and best practices allows you to create a comprehensive, effective privacy policy for your website or app.

Characteristics of a Good Privacy Policy

A privacy policy should be clear, thorough and easily accessible to your users. As you begin to draft this document, prioritize these key components.

Legal Compliance

Familiarize yourself with the legal landscape before you create your privacy policy. Businesses must comply with national and global privacy laws when handling personal data.

Although the specific regulations vary by industry, most companies with websites and apps should abide by the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) /California Privacy Rights Act (CPRA).

The GDPR law applies to businesses that store and use data from European Union (EU) residents or operate in the EU. Under the GDPR, your company must:

  • Be transparent about how you protect and handle private user data
  • Get user consent before collecting data
  • Give users an easy way to access, change and delete information you store about them

The CCPA and CPRA apply to businesses that handle data from California residents or operate in California. These laws prohibit discrimination against customers who exercise their privacy rights. They also require you to:

  • Let users access and delete their personal data
  • Be transparent about what type of data you collect and why
  • Allow users to opt out of having their data sold

Virginia and Colorado are currently the only other states with data privacy laws. Federal privacy laws focus on a specific type of data rather than private information as a whole. For example, the Health Insurance Portability and Accountability Act protects medical data while the Fair Credit Reporting Act regulates how companies can share consumer credit reports.

To comply with the applicable regulations, your company's privacy policy should include these key elements.

Explicit User Consent

Both the GDPR and the CCPA/CPRA require businesses to get explicit consent before collecting user data. Most sites install a pop-up at the bottom of the screen that explains the consent policy and includes "I agree" checkboxes. Uncheck the box by default so the user must check to give clear consent. You may also want to incorporate additional consent boxes for different types of data use, like sharing information with third parties or sending targeted marketing communications.

Keep detailed user consent records that note the date and method of consent. You should also provide a simple way for users to withdraw consent if they want you to stop collecting their data.

Data Collection

Specify the types of personal data you collect, such as name, email and IP address. The example below comes from the Snapchat privacy policy.

Snapchat Privacy Policy Information you provide clause

Purpose of Data Use

In this section, clearly state the company's reasons for collecting and using personal data. For example, Snapchat starts with a general explanation of how and why they use member information. The policy also links to a table with details about each type of collected data and its purpose:

Snapchat Privacy Policy How we use information clause

Below this introduction, the Snapchat privacy policy provides more information about common purposes. It explains how the company uses data to deliver relevant ads, operate and maintain its service, improve features, conduct research, and get in touch with members if necessary.

Third-Party Sharing

If you share data with other individuals, businesses or organizations, your privacy policy should disclose this information and identify these organizations. Here's an example of how Snapchat publishes information about third-party sharing.

Snapchat Privacy Policy How we share Information clause

The rest of the section goes into further details about what type of data they share with other users of the service, third-party apps, partners, affiliates, vendors and other groups.

User Rights

In this section, outline the data-related rights of your users and explain how they can exercise these rights. Here's an example:

Data subject rights clause in a Privacy Policy

Data Security

Your privacy policy should describe the measures you use to protect personal user information. See the example below, which mentions various levels of security. It also provides a link and an expandable button so readers can dive deeper if they want further details.

About 70% of Americans feel their data is less secure than it was five years ago, so steps to shield their information give them the peace of mind they need to interact with your business online.

Data security clause in a Privacy Policy

Cookies and Tracking

Explain the use of tracking technologies such as cookies. You can draw inspiration from eBay's blurb below, which directs users to locations where they can obtain additional information.

Cookies clause in a Privacy Policy

Updates to the Policy

Let users know how you'll tell them about changes to the privacy policy. You can post updates to the webpage where the policy lives, as in the example below from the iHeartRadio privacy policy. In some cases, you may have a legal obligation to directly communicate privacy policy changes by emailing or otherwise contacting users.

Here's an example:

Changes clause in a Privacy Policy

Accuracy

Your privacy policy must accurately reflect your actual privacy practices. Misleading or false information can lead to legal issues and damage your reputation.

Regularly reviewing and updating the policy can ensure it remains accurate. Periodically audit the company's data handling practices, checking them against the statements in your privacy policy. Make sure you have consistent protocols across all your online platforms, like websites, mobile apps and employee intranets.

When you change the way you use or access customer data, communicate with your users about the change. In addition, update the privacy policy right away to reflect the new process.

Support for Privacy Rights

Give your users the information and access they need to exercise their privacy rights. The privacy policy should include easy ways for users to:

  • Opt out of data collection or processing
  • Request that you delete their data
  • Change incorrect information in their personal data
  • Access and download their data

Make sure you also have dedicated user support channels. Establish a specific phone number or email address for privacy questions and requests, and set user expectations about when they can expect a response to their queries. The privacy policy should also include a non-discrimination clause, which lets users know you won't discriminate against them for exercising their privacy rights.

Clear, Understandable Language

Write your policy in plain language that users can easily understand. Avoid technical terms and legal jargon where possible. If you have to use complex words, provide readers with a short definition.

Consider navigation when structuring your privacy policy. Headings and subheadings help users find the information they want quickly. Bulleted and numbered lists also support comprehension. When explaining how your company collects and uses data, illustrate each point with a real-world example that speaks to the reader.

Responsive, Accessible Design

Make it simple for all users to access your privacy policy. They should be able to get to the privacy policy from anywhere on your website or app. Add links to the policy in prominent places such as:

  • Checkout pages
  • Registration forms
  • Website and app footers
  • Navigation menus

Select a clear, legible font and use large print. Design the privacy policy with a responsive layout, which means it adjusts automatically to the size of the user's screen.

Practical Steps to Create a Good Privacy Policy

Step 1: Identify Your Data Collection Practices

Begin with an internal audit of your data collection practices. First, list all the types of personal data your business collects. Add a second column with the source for each type of data, such as a third-party service, software cookie or website form. In the third column, list how you use each type of data, displaying a clear purpose for collecting personal information.

Step 2: Understand the Legal Requirements

Familiarize yourself with the applicable privacy laws for your business. Consider the requirements of your physical business location as well as any geographic area where you have users. At a minimum, most companies should comply with the GDPR and CCPA.

Step 3: Draft the Privacy Policy

Use the information you gathered in steps 1 and 2 to outline your company's privacy policy. You should include these basic sections:

  • Introduction: Briefly explain the purpose of the privacy policy.
  • Data Collection: Detail the types you collect and describe the collection method for each category.
  • Data Use: Explain the purpose of your data collection activities.
  • Data Sharing: If you share user data with third parties, disclose the name of the third-party service and the reason for data-sharing.
  • User Rights: Outline the rights users have to access, download, alter and delete their personal data.
  • Data Security: Describe your company's data collection measures.
  • Child Privacy Clause: Under the federal Children's Online Privacy Protection Act (COPPA), you cannot collect personal data from people younger than 18. This clause states that your site does not knowingly gather or use personal data from children and gives users a way to contact you if they believe you have done so in error.
  • Limitations: In this section, establish limits to the protection extended by your privacy policy. For example, you can include language that limits your legal liability for actions by third-party vendors who handle your user data.
  • Cookies and Tracking: Explain the use of cookies and tracking technologies to collect user data, if applicable.
  • Changes to the Policy: Tell users how you'll communicate privacy policy changes.
  • Contact Information: Provide contact details for privacy-related inquiries.

Step 4: Refine Your Draft

Review the draft carefully to edit for clarity and simplicity. Make sure to use simple language and avoid jargon. Organize and break up large blocks of information with headings, subheadings and lists. Double-check the content to ensure consistency with your actual data practices.

Step 5: Seek Legal Review

Have your privacy policy reviewed by an attorney for compliance with applicable laws. This step helps identify any legal gaps or inaccuracies.

Step 6: Train Employees

Before you make the policy public, plan an internal roll-out with robust employee training. Your team should understand the legal implications of the privacy policy and the role they have in compliance.

Step 7: Publish the Policy

To officially implement your privacy policy, display it in a prominent place on your website and app. A link to the policy should also appear on every page where you collect personal information, such as registration and check-out forms.

Step 8: Regularly Review and Update

Privacy practices and laws evolve over time. A periodic review of your privacy policy maintains compliance and accuracy. The policy should always remain current with changes in your data practices and applicable laws.

A well-crafted privacy policy builds trust with your users and bolsters the reputation of your business. It also helps you avoid significant fines for compliance issues and puts potential consumers at ease with using your website or app. You can protect your business and your customers even further by collecting the minimum data necessary for your intended use.