How to Write a Privacy Policy Like a Pro | A Complete Guide for Beginners

What is a privacy policy? How is it affected by privacy laws, and what other info should I know about?

We’re answering these questions and more in this step-by-step guide on how to write a privacy policy.

We’ll discuss a quick overview of privacy policies, how to write them, why you should include them, and laws you should know about.

Privacy Policy: A Quick Overview

Before you write a privacy policy for your own website visitors, you must first understand what it is and why it’s important to have one.

A site’s privacy policy is a legal document that tells website visitors the website’s policy on how it will collect data and whether it’s kept confidential or shared with other firms or other tracking technologies.

Information collected can include:

  • Name
  • Date of birth
  • Contact details like your email address
  • Location/postal address/physical address
  • IP addresses
  • Payment details like credit card details or debit card numbers
  • Social security or social insurance numbers
  • Purchase activity

That last one, in particular, is something for which the effects can be seen by the average daily internet user like you.

Have you ever searched for something like “best TVs in 2022”, browsed a few articles about them, and suddenly saw TV ads when you watched a YouTube video?

That’s because the websites you’ve visited have performed data collection and relayed it to advertisers on YouTube.

On each website that users visit, the website footer usually has the privacy policies outlined to inform users and give them the option to agree and continue or to opt out.

Why Are Privacy Policies Important?

You might be asking yourself: Why is including this important? Won’t users still browse our websites even without seeing how we collect personal information?

It’s because having a privacy notice and a policy on your website is one of the most important legal requirements to fulfill.

We’ll discuss how different privacy laws affect how to write a privacy policy after the step-by-step guide.

How to Write a Privacy Policy in 10 Steps

Write a Privacy Policy in 10 Steps

There are a few steps in making a privacy policy. Follow them closely so you won’t make mistakes and accidentally break any laws!

Step 1: Include Which Parts of the Users’ Personal Data Your Website or App Collects

Be specific. Saying that you will “collect private information” can be too general and not tell users exactly what data will be collected.

Instead, outline the specific personal data collected by your website. This can range from a few items to a long list, depending on how much data your website collects.

For example, instead of saying, “we collect data”, say, “we will collect your email address, app users’ browsing activity, and postal addresses”.

Place this at the very beginning of your privacy statement because this is often the part most users are interested in reading before they agree to data collection.

PRO TIP: Remember to use plain language when coming up with this part of the privacy policy. Technical jargon will only confuse the average user.

Step 2: Explain Why You’re Collecting Personal Data

The next step is to notify users why you’re collecting their personal information. People want to know where the data will be used before agreeing to have it collected.

Some examples of this include planning to resell the data and use it in business practices, for research purposes, or for news updates and promotions.

FOR EXAMPLE: A great example of explaining this to users is a small business like a bakery collecting the address and phone number of the user to use it to make deliveries quicker.

Step 3: Explain How You Will Collect Information

Next, you’ll want to go into detail on how you’ll collect personal information. There are a few ways to do so, including:

  • Online forms
  • Email newsletters
  • Cookies
  • Website analytics like Google Analytics
  • Course registrations
  • Contact forms
  • Surveys

You’ll want to include this in your privacy statement because it lets users know where they can expect to input their personal data.

Step 4: Provide Users the Option to Opt Out

Another common option you’ll see on websites is the option to disagree with privacy policies. Privacy law demands that users have more control over collected data.

Even when users initially agree to the privacy policy of a website, it doesn’t automatically mean that they will agree to let you keep the information indefinitely.

They might want to pull out their data or change it at a future date, and you must comply with that request, as privacy law requires.

Your privacy statement should include the ways that users can request their personal information to be altered from your website’s servers. This includes:

  • Right to review collected information
  • Right to request that the website should delete data
  • Right to request data amendments

You should describe the process for all three on your privacy statement to help the users with these processes if they wish to do any of them.

Make sure to link your Data Subject Access Request form in your privacy policy.

Step 5: Tell Users if Their Collected Data Will Be Shared With Third Parties

Another important thing you shouldn’t forget to include is how the personal data will be shared with third parties like other websites or companies.

When data sharing with these third parties, you must include a disclaimer/disclosure in your own policy. Not doing so can put you at legal risk.

There are multiple ways you may want to share your customers’ personal data with third parties.

FOR EXAMPLE: If you’re an online seller of clothes and apparel, you might need to share user data with credit card companies to process payment information.

Then, what if the credit card company’s servers get hacked, and the user’s personal data gets leaked?

Not only will your own company’s reputation be SMEARED, but you’ll get into LEGAL TROUBLE too.

Step 6: Explain How Long You Will Retain the Collected Information

Data privacy laws aren’t just concerned with the use of personal information right now. It’s also concerned with how you’ll use that data down the road.

According to the GDPR (General Data Protection Regulation) from the European Economic Area, you’re only allowed to keep data no longer than necessary for its intended use case.

For example, when doing data collection for a contract, data usage can only apply up until the contract ends. Afterward, you must DELETE IT.

This is something you need to specify in your privacy policy. Include how long you’ll use it or an optional Data Retention Policy for specific use cases.

This Data Retention Policy can include information on additional uses for customers’ data other than what was originally intended.

Step 7: Specify Your Personal Information Protection of Users’ Data

Remember the data leak example we gave earlier? That’s definitely not something you want to happen to your website and users!

Remember that users are putting their trust in you that their data is stored securely.

Therefore, other than implementing strong security measures like physical access controls, the other thing you need to do is explain how you’ll protect personal information.

However, we recommend not being TOO specific with enumerating the data security measures you’re implementing.

Hackers might read that specific information and figure out how to bypass your data security measures and computer safeguards.

However, there’s one more important thing to point out: Even if your website or app isn’t targeted toward children, you need to include extra provisions for their data privacy.

If your website or app collects data on children 13 years old or younger, you need to include a statement that addresses child privacy.

According to the Children’s Online Privacy Protection Act or COPPA, you must follow the correct separate privacy policy for collecting data for children under 13 years old.

Step 8: Outline the Dispute Resolution Process

The next step is something your users will hopefully never have to use but is something you should include anyways.

Standard website privacy policies include how their dispute resolution process works. Most companies tend to add this to their Terms and Conditions policy.

Even though you might do your best to have a good relationship with your users or customers, at some point, legal disputes might happen.

In your own privacy policy, you should include at least one or two lines on how you handle disputes, which can include contact forms, customer service, legal firms, and more.

Step 9: Explain Your Online Business Transfer Clause

Many businesses go through transitions throughout their lifespan. One of the common things that can happen is a transfer of ownership.

Including this as a disclaimer in your privacy notice will help let users know that their personal information might be transferred to another entity if the business is transferred.

Doing this will prevent you from getting into any legal trouble if your business transfers to another owner, along with the personal information of your users.

Additionally, do your best to include information and disclaimers saying that you’ll do your best to prevent any data leaks from happening to customer information.

Make sure you state that, after the data is transferred, you can’t guarantee the same level of data privacy security or privacy practices for your users’ secured files.

Step 10: Put All of This in an Easily Understood Way

The final step is to review everything you’ve written down so far. Revise any grammatical errors, check spelling, and organize it into easily browsable sections.

Separating each clause required in your privacy notice into different sections isn’t required, but we highly recommend doing so.

This makes updating your privacy policy in the future a lot easier, as you can find each section easily. The same goes for people trying to find specific information in your policy.

The wording you should use should be simple but precise. Both average users and legal entities should be able to understand what you’ve written down.

This is probably one of the most important parts of how to write a privacy policy. What use is your privacy notice if your users don’t understand it?

The Clauses and What You Should Include in Privacy Policies

The clauses that you should include are these 8 that we’ve described in various steps in the previous step-by-step guide:

  1. Types of information to be collected
  2. How you’ll use the information
  3. Third-party disclosures
  4. How you’ll protect the personal information
  5. Data subject rights
  6. Notification of future changes to the privacy statement
  7. Cookies notice
  8. Contact information

WARNING: Failure to include these clauses in your privacy policy can net you some legal troubles.

For example, if you don’t have disclosures on future changes to the privacy notice, users might be able to sue you if they don’t like the changes and weren’t informed about it beforehand.

Privacy Laws You Should Know About

Whether you’re an individual, small business, or a corporation, everyone needs to follow laws when making a website online.

Even if you live in the USA and the servers for your website are located here, it doesn’t mean you can disregard rules made in the European Union.

The nature of the internet means that your website will probably be accessed worldwide, meaning you must abide by the laws wherever your website can reach.

Making a comprehensive privacy policy is crucial to ensure you don’t run into any legal trouble in any region.

Europe: GDPR

The European Union has enacted the General Data Protection Regulation or GDPR. This regulates data privacy in Europe and has strict penalties for websites that don’t comply.

Even though the GDPR is only valid in the European Economic Area, it still applies to foreign businesses or entities doing business within the area.

Canada: PIPEDA

Canada’s specific privacy concerns are handled by the Personal Information Protection and Electronic Documents Act or PIPEDA for short

Similarly to GDPR, PIPEDA is only valid in Canada, but applies to foreign businesses or entities doing business within the area.

USA: COPPA, CCPA, CalOPPA

The USA doesn’t have one general federal data protection law, but it does have several separate privacy laws:

COPPA

COPPA stands for Children’s Online Privacy Protection Act.

This law controls the collection of data for children under the age of 13 and is controlled by the Federal Trade Commission.

CCPA

This is the California Consumer Privacy Act, which is a law dealing with privacy rights and consumer protection laws specifically for the state of California.

CalOPPA

CalOPPA stands for California Online Privacy Protection Act. It requires online commercial websites and online services to include privacy policies on their website.

Therefore, if you’re based in the state of California, you’d need to follow the COPPA, CalOPPA, GDPR, and CCPA guidelines.

This is because your website is still accessible in Europe, even if you’re based in California.

Frequently Asked Questions

Now that you know more about how to write a privacy policy, you might still have other questions about them. We’ve answered the most commonly asked ones below:

Can I Write My Own Privacy Policy?

Yes, you can write your own privacy policies. As long as you follow the step-by-step guide that we’ve included here, you won’t have a hard time.

However, if you’re in a bigger company with a dedicated legal team, we’d suggest passing your privacy policy by them before posting.

There are also many templates available online, which can make the process a lot faster and help you not miss any important information you should include.

Can You Copy and Paste Someone’s Privacy Policy?

No, you cannot, as it’s illegal. Privacy policies are protected by copyright laws, so copying and pasting a company’s privacy policy and passing it off on your own violates that.

You might run into legal troubles and face fines if the company you copied from sues you for copying their privacy policy.

However, using free tools like templates online isn’t illegal. As long as you use your own terms and make them specific to your business, there shouldn’t be any issues.

Do I Need to Make a Separate Privacy Policy for Europe Regulations?

Most of the time, you don’t need to make a separate one. Just check which additional EU regulations are required and add them to your existing one.

However, if you’ve already made multiple privacy policies, then it might be best to have one separately for the EU so you don’t get confused.

Final Thoughts

Making a privacy policy can seem tricky at first; it’s a legal document, after all. For something that’s usually dismissed right away by most users, it carries a lot of importance.

Hopefully, this step-by-step guide made it easier for you to make a privacy policy by yourself! As long as you include all the necessary clauses we’ve listed, you’re good to go.

Just remember that if you’re unsure about anything, search it up or even ask a lawyer friend to see if your privacy policy checks out.