A Privacy Policy is an agreement that explains how you collect, use, manage, and disclose user data.

A Privacy Policy is required by most jurisdictions in the world, and with consumers becoming more savvy about information security as time goes on, a Privacy Policy offers reassurance so users will trust you with their information.

The type of information you handle affects the complexity of your Privacy Policy. These instructions address writing a basic Privacy Policy that will help you comply with various laws.


Before You Write Your Privacy Policy

Since a Privacy Policy is a legal requirement, you need to spend time planning before you write it.

Address the following issues in a brainstorming session with other employees or spend quality time reflecting on them so you do not overlook essential elements of your Privacy Policy.

Relevant Laws

Privacy laws all tend to cover the same general subject matter (privacy), but you may have additional requirements that are relevant in one jurisdiction and not in another.

For example, if your website caters mainly to American customers but you start offering services in the E.U., your Privacy Policy for those websites will be different from the American version.

These are the main laws you must consider:

EU Privacy Directive

Initially passed in 1995, the E.U. Privacy Directive was enhanced in 2015. All companies based in an E.U. member state or performing business in one must comply with it.

The law requires developers to protect data that personally identifies an individual. This includes full names, dates of birth, identifying numbers, and even email addresses.

If there's a data breach, you're automatically responsible.

Your Privacy Policy needs to inform users of their rights and explain how you protect data.

Also, your description of the data you collect needs to be clear so users are on notice and can make an informed decision on whether to use your app or website.

CalOPPA in the US

While the U.S. does not have a broad federal law that places privacy protection requirements on companies, California passed a state law imposing privacy protection. Since California is a large population center in the U.S., it's impossible to transact American business without involving customers living in California.

CalOPPA (California Online Privacy Protection Act) requires developers to create a Privacy Policy and display a conspicuous link to it on their websites. This is required of all developers who collect personally identifiable information like names, street addresses, telephone numbers, birth dates, and email addresses.

To comply, you need to pay attention when designing your website. Customers must find the link to your Privacy Policy easily and not have to dig through text, graphics or other distractions to access it.

Onyx Coffee Lab provides a good example here:

Onyx Coffee Lab website footer: Link to Privacy Policy

COPPA in the US

COPPA (Children's Online Privacy Protection Act) is a U.S. law that affects privacy practices for websites and apps directed at children under 13. It contains additional protections if you create online products for children.

Privacy Policies adapted for the COPPA law must be clearly posted and address the fact that you collect personal information from children under 13. It grants rights to parents to verify consent, review the information, make requests, and deny future access to the data.

COPPA Privacy Policies are more complex and go beyond the basic drafting instructions addressed in this guide. Many companies, like Tumblr, limit use of their apps to those age 17 and older in order to avoid COPPA requirements.

PIPEDA in Canada

If you're transacting business in Canada, you're held to the requirements of PIPEDA (Personal Information Protection and Electronic Documents Act).

The law affects all businesses (including foreign ones) that collect, use, and store personal information provided by customers.

The PIPEDA law requires that you:

  • Draft a clear Privacy Policy that informs users of your information practices,
  • Collect personal information by fair and lawful means, and
  • Secure consent before collecting personal data

Like with CalOPPA in the U.S., your Privacy Policy should be easy to find on your website.

Also, on the signup form, use a clickwrap mechanism to ensure users accept the terms of your Privacy Policy, which secures consent. You may wish to add banners and other prompts that warn users that you're requesting personal information.

DPA in the UK

The U.K. act, the Data Protection Act 1998 (DPA), addresses how businesses, the government, and organizations use personal information. Through its "Principles of Data Protection", the DPA ensures information is collected, used, and stored securely.

If you are transacting business in the U.K., you must ensure:

  • Collected information is used fairly and lawfully,
  • Data is used for limited and specific purposes,
  • Information is used only to the extent that it is adequate and not excessive,
  • The information you store is accurate,
  • No data is stored for longer than necessary,
  • Security for data in your possession,
  • Respect for users' rights including correcting data, denying future access or providing notification if there is a breach, and
  • No data transfer to entities outside the U.K. without precautions

Many of these principles are addressed well through a complete Privacy Policy. You also need to make the effort to provide comprehensive data security.

Privacy Act in Australia

Like the U.K. law, Australia's Privacy Act 1988 contains privacy principles governing the collection and handling of personal data.

Under these principles, you must provide:

  • Clear explanations on how personal data is collected and managed,
  • Anonymity or pseudonymity when requested,
  • A destruction process if you receive unsolicited personal information,
  • Notification to users if you collect personal information,
  • Disclosure of direct marketing efforts if your service includes it,
  • Limited distribution of data outside of Australia,
  • A way for users to access and correct personal information you collect, and
  • Effective security procedures for protecting personal information

Unlike the other laws, this one only applies to Australian businesses and agencies. However, if you run a health service provider, it will apply to you even if you are a foreign business. When it comes to health information, the requirements are relevant to all entities who interact with Australian citizens.

Review Data Collection and Use

The less personal information you request, handle, and store, the easier it is to write your Privacy Policy. You can make this work for you by reviewing the necessity of collected data.

Take an honest assessment of the user data you collect (or wish to collect) and its necessity.

For example, if you're providing an app that allows users to track mental health symptoms, do you really need a medical record number, home address or primary care provider's name?

In this example, it's likely easier to request a username and email address at signup or allow the user to participate anonymously.

However, if your app alerts users to health test results, you actually require more personal information. In this case, you'll need to ensure a good Privacy by Design approach to data security and to keeping users informed.

Performing this audit makes compliance easier too. The jurisdictions listed above encourage developers to only request as much personal data as necessary. A critical assessment of the minimum data you need for your website or app to work proves essential in this area.

Writing the Privacy Policy

The following is the general order for your Privacy Policy clauses. You will notice in the examples that most companies use plain language and formats that users can comprehend.


Information Collected

The type of information you collect and how you collect it can be combined in one section. If they are in separate sections because of the detail you must provide, the sections should always be next to each other in the Privacy Policy.

The easiest way to address this section is with a list. You can use bold type, headings or a bulleted list, whatever you prefer.

There are Privacy Policies that crowd this information into a paragraph format. That is not easy for users to read. A list is easily digested and understood.

Also, the list acts as a checklist so you can be sure you did not miss anything. That also assists with compliance.

LinkedIn takes the most detailed approach. That is likely because it collects a great deal of personal data, including full names, city of residence, job history, and certifications.

These are the first two paragraphs of LinkedIn's section on information collection. It lists a type of information and then offers an explanation:

LinkedIn Privacy Policy: Information we collect as a list

Pandora offers a similar list using bold type and paragraphs to describe the information it collects. This is a sample of the types of data it collects and how it gathers it:

Pandora Privacy Policy: Information we collect as a list

There are also brief examples that do not take up pages of a Privacy Policy. Rovio, the creator of the Angry Birds franchise, combines the type of information collected with how it is gathered.

As a game developer, Rovio collects less information than LinkedIn and Pandora since it does not require names or payment information. That is likely why Rovio keeps this section short:

Rovio Privacy Policy: How we collect your data clause

The Rovio example emphasizes the need for a list format. Unless your data collection is limited, you should avoid crowding this information into one paragraph, even if it's as short as Rovio's.

Use of Information

This is another long and important section to write in your Privacy Policy since your compliance with privacy laws may depend on it. Consider this section as an opportunity to explain to users why you use and disclose the data you collect.

Like the section on type of information and how it is collected, these provisions also benefit from a bulleted list.

However, when it comes to the use of information, there's often a need to provide reassurance. If this is your situation, you can present those provisions after your bulleted list.

Pandora starts its section on use with the list format:

Pandora Privacy Policy: How we use information clause

After the list, it adds two paragraphs on the distribution of email addresses and other contact information. This is likely due to customer concerns they discovered as they ran their business:

Pandora Privacy Policy: How we use information with additional information

If you have not come across specific concerns, a bulleted list may be enough for your purposes. The BBC's reasons for using user data include providing a personalized experience as a user accesses the news. Its section on use is limited to a list:

BBC Privacy Policy: How we use information clause

Your list should include how data collection benefits users and also how it serves your business model. This is not advertising your services but offering transparency. Even if you collect data to monitor usage patterns and satisfaction in order to develop new features, that still needs to be revealed to your users, even if that effort never helps them directly.

Disclosure to Third Parties

There are situations where you may disclose user data to third parties and you need to let your users know about this possibility in your Privacy Policy.

You could be ordered by a court to do so or provide the data to a hired consultant. There are likely situations where you would share this data that have not occurred to you.

That is why you need to address how you share information with third parties, even if you have never felt the need to do so.

You don't want to face liability because you shared data with third parties in order to better understand the performance of your website or app. Explaining in your Privacy Policy how you share the data you collect covers these situations.

Pandora addresses disclosure with plain language and a bulleted list:

Pandora Privacy Policy: How we share information clause

It also adds reassurance about personal information. Like in the examples above, this is a separate paragraph after a bulleted list:

Pandora Privacy Policy: Sharing Personally Identifiable Information clause

Rovio takes a riskier approach because its paragraph on disclosure does not have a separate heading. It is more difficult to locate:

Rovio Privacy Policy: Sharing Information with Third Parties clause

A general statement regarding disclosure is likely legally sufficient. But it's not reassuring to users and if you see many opportunities to disclose to third parties, offer details. Also, like the first two sections, this one should have its own heading in your Privacy Policy.

Protection of Information

Describing how you keep data secure is a legal requirement in the U.K. and a courtesy everywhere else. You can gain or lose users based on how they feel about your security measures.

While addressing this in the Privacy Policy places a contractual obligation on you to maintain security, it also offers transparency and reassurance.

This does not have to be a long section in most cases. Rovio summarizes its efforts as follows:

Rovio Privacy Policy: Safeguards clause

Amazon UK must follow the Data Protection Act 1998. Its security efforts are described in more detail to meet the principles of that law. If a user wants to inquire further, Amazon UK provides a link to a separate page on information security:

Amazon UK Privacy Policy: How secure the information is

LinkedIn is primarily a U.S. networking service but it still explains how it enhances security:

LinkedIn Privacy Policy: Security clause

If you can give your users specific information here without compromising your own security, do that. Common practices like TLS/SSL encryption and HTTPS-only access are worth mentioning, and that level of detail will not compromise your proprietary interests. It will gain your users' confidence.

Rights of Users

The rights of users to delete data, make changes, and review data should also be clear in your Privacy Policy.

This is especially true if you transact business in the U.K.

Amazon UK uses a list and plain language. There are also links if users want to unsubscribe from lists or avoid solicitation:

Amazon UK Privacy Policy: What choices do I have

BBC gives each right a separate heading. It's not under some blanket section of "rights" or choices. This includes users accessing their data:

BBC Privacy Policy: Find out what personal information

And deleting their data:

BBC Privacy Policy: Delete data

There is also a right to reject cookies:

BBC Privacy Policy: Reject cookies

Both approaches here will work well for user rights. Don't forget to provide links to detailed sections and contact information in case users want to access or restrict their data.

Notification of Changes

This is technically a right granted to a user but it often occupies its own heading in a Privacy Policy. If you change your information practices and your Privacy Policy, users must be informed.

Giving yourself the duty to notify users of changes gives you more responsibilities, but this is also in the interest of transparency. Even if only a few users read the announcement of a revised Privacy Policy, you have still satisfied your obligation.

These clauses also grant you the right to make changes. This is vital if this is your first Privacy Policy or if you released an app that differs from your other products, because it gives you room to update your Policy as new issues arise and as you tweak and update the app itself and how it functions.

Errors may arise as you distribute your new app and run the next version of your website, and you need the tools to address any errors you find. One of these tools is updating your agreements.

This portion of your Policy receives its own section and is usually short. LinkedIn offers this provision regarding changes to the Privacy Policy:

LinkedIn Privacy Policy: Changes to this Privacy Policy clause

Pandora offers a notification section that provides timeframes of when changes go into effect:

Pandora Privacy Policy: Changes to our Privacy Policy clause

You may notice this section includes acceptance language. Do not forget to add that if users continue with your app or website after the changes, that means that they accepted the new terms.

Contact Information

Good Privacy Policies end with contact information in case users have questions. You can provide this in any format you wish including email addresses, mailing addresses, telephone numbers or links to online forms.

LinkedIn includes contact information for users within and outside the U.S., depending on where a user lives:

LinkedIn Privacy Policy: Contact Information

Pandora guides users to the "Listener Support" team but also provides a mailing address:

Pandora Privacy Policy: Contact Us

If you handle especially sensitive information like medical history or home addresses, you may want to dedicate a separate email address for these questions. That allows for a timely response and better service to your users.

Your Privacy Policy is a major component of user confidence and legal compliance.

These guidelines will help you write a basic Privacy Policy that's effective and compliant in the main jurisdictions around the world.

If you spend time considering your information practices and gathering details before you draft, this task will be less daunting and your finished Privacy Policy will be accurate, thorough and as complete as possible.
