How to Write a Privacy Policy: 12 Steps for Compliance (2024)

Sixty-eight percent of consumers are either somewhat or very concerned about their online privacy. This was the finding of the International Association of Privacy Professionals (IAPP) 2023 Privacy and Consumer Trust Report, which surveyed close to 5,000 individuals across 19 countries.

This is why a comprehensive privacy policy is essential for every business with a digital presence. Not only will a clear and detailed privacy policy enable your business to comply with requirements of global data protection regulations, it also fosters trust with your customers.

In this guide, we’ll outline 12 critical steps to crafting an effective privacy policy that meets legal requirements and positions your company as a customer-centric and data-conscious organization.

If your organization collects and processes personal data, including customer names and email addresses, then you need a privacy policy on your website.

“As long as a business processes or handles personal information, they are required to publish a public statement on its site to fulfill its duty to inform data subjects. This includes the handling of very common aspects like contact information in contact forms, names, and contact information of the company’s employees. Essentially, this means that almost every company needs to be transparent with this information to fulfill legal obligations and be GDPR-compliant.” — Kevin Larsen, Web Developer at Mediaveien

While data privacy regulations around the world have different requirements regarding legal bases for data processing and data subject rights (of which consent is one option), the vast majority require organizations to notify data subjects about data collection, use, security, and their rights.

As the UK Information Commissioner’s Office states: “data protection is everyone’s responsibility, so every business — however small — needs a privacy policy when processing people’s data.”

The need for a privacy policy is not limited to commercial entities that profit from personal data. Other types of organizations that collect and use personal data include charities, governmental entities, and more. All of these must comply with data privacy laws.

Privacy policies are required by data privacy laws, including the General Data Protection Regulation (GDPR), Brazil’s General Law for the Protection of Personal Data (LGPD), and state-level data privacy laws in the United States, such as the California Consumer Privacy Act (CCPA). They can also be required by specific laws that cover operations where data processing takes place.

For example, as healthcare and financial services deal with sensitive personal data — which require specific safeguards and privacy measures under numerous privacy laws — organizations in these industries must follow strict policies and procedures regarding data use and security. The Health Insurance Portability and Accountability Act (HIPAA) in the United States is an example of this. Data privacy laws will often reference and defer to these laws in their texts.

But creating and maintaining a comprehensive privacy policy is good business practice, even if it wasn’t already a legal requirement. Being clear and transparent about data use and security — and making it easy for people to contact your organization and exercise their rights — strengthens your brand and fosters consumer trust.

Ensuring the privacy policy is up to date is also a natural extension of the kinds of regular reviews companies should undertake regarding data held, technologies in use, processing operations, employee access to data, IT security, and other conditions.

“Any business that gathers private data needs a privacy policy. Without a privacy policy, it’s easy to take a misstep when handling data, which can be catastrophic both from a legal and compliance standpoint as well as a reputational one.

Businesses and websites that publish a privacy policy alongside their privacy notice add an extra layer of transparency. By providing full details of how they handle private data they build trust with their clients and prospects from the first digital connection.” — Geoffrey Bourne, co-founder at Ayrshare

While privacy policy requirements are fairly standard among data privacy regulations, organizations should be familiar with the specific requirements in laws relevant to them.

Generally, your privacy policy must be easily accessible and use plain language. It should include:

• identity and contact details of the data controller (usually the website owner)
• contact details of the data controller and Data Protection Officer or comparable role
• processing activities and their purposes, including profiling or targeted advertising, and any processing activity directly undertaken or performed by third-party processors, e.g. involving newsletters, customer information, invoice data, social media, etc.
• legal basis of the processing and the reasoning behind it (where required)
• information about special categories of personal data, including that of minors and any sensitive personal data processed
• recipients of data (including for sharing, sale, or other use)
• information about data transfers to third countries and the suitable safeguards
• period for which data will be retained
• what data subjects’ rights are and how to exercise them
• information about the option to change/withdraw consent
• information about how to make a complaint or appeal to supervisory authorities
• existence of automated decision-making and its uses, especially where relevant for profiling and/or targeted advertising

Read next: Data privacy regulation in 2024: what we’re watching

Depending on the kind of business you run and the data protection regulations you need to abide by, your privacy policy will need to meet specific criteria.

While this is not a comprehensive overview for every type of business — nor a substitute for legal counsel — we’ll unpack the foundational steps you’ll need to take to write a privacy policy that will enable you to meet compliance requirements and keep it up to date.

“First, consider the essential data you will collect and how it will be used. Next, review the requirements to remain compliant. Remember, different regions have specific rules, and it’s essential to factor these in to be fully compliant. If sharing data with a third party, understand how they will use or share that data.” — Geoffrey Bourne, co-founder at Ayrshare

1. Familiarize yourself with the data privacy laws that affect you

When setting out to write a privacy policy, start by identifying which data privacy laws apply to your business, taking into account both where you operate and the locations of your customers.

Familiarize yourself with relevant laws — like the GDPR in the EU or the CCPA in California — since they dictate what your privacy policy must include. Understanding these requirements is essential for drafting a policy that not only complies with legal standards but also clearly communicates users’ rights.

It’s also important to be familiar with the requirements of additional laws that may not directly cover data privacy, but have important data privacy components. For example, the Digital Markets Act (DMA) in Europe, which has requirements that the law’s designated gatekeepers are also passing along to their customers (which number in the millions as the gatekeepers are influential global digital platforms). Other relevant laws could include the aforementioned HIPAA or the Children’s Online Privacy Protection Act (COPPA) in the United States.

2. Outline what personal information is collected

Your privacy policy needs to outline the types of personal information your business collects. This includes direct identifiers like names, phone numbers, and email addresses, as well as indirect data such as IP addresses, browsing activities, and payment details. Essentially, make a note of any collected data that can identify an individual, either alone or in combination with other data points.

Additionally, it’s crucial to be aware of sensitive personal information and what specific kinds of information relevant laws categorize as such. For example, the California Privacy Rights Act (CPRA) includes a category of “Sensitive Personal Information” (SPI), which is more strongly regulated.

Some of the information included under SPI is about ethnic backgrounds, religious beliefs, sexual orientation, and health and healthcare. These kinds of sensitive data can cause harm if misused and therefore require more in-depth protection measures and limits on their use.

3. Detail how you collect personal data

Next, your privacy policy should provide a transparent explanation of how your organization collects personal data.

This includes data gathered directly from users — such as when they explicitly opt in to data collection by filling out forms — as well data that’s collected through cookies and trackers that store browsing behaviors and preferences.

Detailing these methods in your privacy policy will help to ensure users are informed about what data is being collected and how.

4. Explain how the personal information is used

Your privacy policy should outline why you’re collecting personal data and how it will be used. Your specific reason could range from providing products or services and personalizing your website user experience to delivering targeted ads or creating user profiles.

Personal data should only ever be used for the declared purposes. If there’s a change in purpose or an additional use is proposed, you will need to obtain new consent from the users.

This is why it’s also important to regularly check your website for the data processing services in use, as they change over time. Also, third-party trackers can be nested or hidden and sometimes difficult to detect, but data controllers are responsible for disclosure about them as well.

Your privacy policy should also include a valid legal basis for processing personal data when required, e.g. by laws like the GDPR. Under that regulation there are six valid legal bases for processing user data, as outlined under Art. 6 GDPR.

Your privacy policy should disclose the parties with which your organization shares collected personal data, or to which the data may be sold. This includes any third-party data processors, such as marketing agencies, advertising companies, partners, vendors, and even the organizations who will be verifying your compliance.

Your policy should also address how personal data is transferred across geographical borders. Not all countries have equal and sufficient data protection standards, and typically there are agreements for adequacy of such measures before data is transferred internationally.

Given restrictions on international data transfers, you must inform users if data is being sent to a region different from where it was collected, especially if it’s one of these “third countries” with data privacy and protection policies that may not be considered adequate.

The EU, under the GDPR, has stringent requirements for such transfers, ensuring data only moves to regions with acceptable privacy and protection standards. Detailing these practices in your privacy policy will assure users that their information is handled legally and responsibly.

“The privacy policy must cover your own internal handling as well as those of third parties. Finally, consider the language you use. Over convoluted language can make the policy unclear to the public, instead use language that is easily understood by those who will ultimately read it.” — Geoffrey Bourne, co-founder at Ayrshare

6. Tell users how personal information is protected

Describe what your business is doing to protect customer data. Use this section to detail security practices that prevent the unauthorized access, disclosure, alteration, or destruction of personal data.

Common security measures include data encryption, multi-factor authentication, and the use of reputable third-party data security service providers. It’s also important to specify how long collected data is stored and the reason for this duration.

Your privacy policy should also describe how your business will respond to a data breach, with specific procedures and processes. This should include how you would notify affected individuals and regulatory authorities, per applicable laws, and the steps you’ll take to mitigate the overall impact.

7. Explain how users can opt out

Your privacy policy should clearly explain how users can revoke any permissions they previously granted. Specifics of this right vary across laws, but data subjects typically have the right to refuse or revoke consent or opt out of data processing for at least some data types and processing functions.

This can include opting out of data collection, processing, or sharing activities, even if they were initially agreed to. It can also include specific processing, like targeted advertising or profiling, or the use of the data in automated decision-making (e.g. using AI tools). Make sure that you provide detailed instructions on how users can do this, whether it’s through account settings, a consent banner, contacting customer support, or using specific tools like email unsubscribe links.

8. Include a specific period of time for which you will retain data

In your privacy policy, clearly state how long user data will be stored. This will depend on the purpose of data collection, as well as any relevant privacy laws.

Although the GDPR doesn’t include specific retention periods for different types of data, it requires data to be kept for only as long as necessary, i.e. to fulfill the processing purpose. As such, your privacy policy should clarify that your business will store user data only for the period needed to fulfill its purpose, in full compliance with legal obligations.

It should also state that, after this period, stored consumer data must then be securely deleted or anonymized. It’s also important to note that it’s possible that new consent may have to be obtained for processing the data while it’s still in use, depending on the relevant law.

9. Detail a dispute resolution process

Your privacy policy should have a clause that outlines how users can raise any concerns about how their personal data is handled.

Include the contact information of your designated Data Protection Officer (legally required in some cases, and just recommended in others), or the relevant department, as well as a feedback form where they can provide information directly.

Also include steps for submitting a complaint or appealing a decision by the company, e.g. refusal to act on a data subject request, along with a short explanation of how such disputes are typically resolved.

For example, your dispute resolution process might start with a consumer contacting your DPO via email. The company then reviews the complaint, aiming to resolve the issue within a specific timeframe, such as 30 days. If the dispute isn’t resolved internally within that time, users can then escalate their complaint to a relevant data protection authority.

10. Include privacy requirements for children

A section on child data privacy is required by regulations such as the Children’s Online Privacy Protection Act (COPPA) in the United States, and similar laws in other regions.

This clause should clearly state your practices regarding the collection, use, and disclosure of personal information from children under the age of 13 (or another age threshold depending on the country).

Note that under many laws, personal data belonging to children is automatically categorized as sensitive, and thus subject to the same stringent access requirements and protections.

You should also mention parental rights, including how parents or legal guardians can review their child’s information, request to have it deleted, and refuse any further collection or utilization.

Under some laws, like India’s Digital Personal Data Protection Act (DPDP Act) the rights and functions of legal guardians apply on behalf of people with disabilities who need representation as well.

11. Communicate users’ rights regarding personal information

Make sure that your privacy policy clearly describes the rights that users have regarding their personal information, which may vary by jurisdiction and are subject to change.

Under the GDPR, for instance, consent must be explicitly obtained before data collection, if user consent is the legal basis for processing that data. Conversely, the state-level privacy laws in the United States, such as the CCPA, do not require prior consent. Instead, users have the option to opt out at any point, though they may only be able to opt out of certain uses, and not all processing.

Users’ rights often include the right to access data, to request corrections or deletions, to data portability, and to opt out of data processing activities. Data protection laws also require that users who exercise their privacy rights are not discriminated against in any way.

12. Provide administrative information

Finally, your privacy policy should include key administrative details, like contact information and version history.

Your contact details and contact mechanism should be convenient and accessible to the average person, so ideally provide a mix of digital and physical contact methods if relevant to your company’s operations, like email address, web form, phone number, postal address, etc. There is also software available to automate data subject contacts, especially for data access requests.

Your administrative information should also describe when the privacy policy was last reviewed and updated, clearly showing what those updates were and when they were made.

To ensure transparency, it’s a good idea to include links to archived versions of the privacy policy. While sometimes a legal requirement, this also gives users the opportunity to see how the policy has evolved over time.

Following these 12 steps will help you to produce a clear and compliant privacy policy. However, writing and updating it takes time and effort, especially as global regulations change, new laws are passed, and the technologies and service providers that companies use evolve.

To better manage this, many companies use privacy policy templates and generators to streamline and automate many parts of the creation process.

In addition to saving time, privacy policy generators enable you to create privacy policies that comply with major data protection laws like the GDPR, CCPA, and more, and stay up to date with changes and new regulations.

Different organizations and platforms request and use personal data for different purposes. For example, an ecommerce website will have different tools and data collection purposes than a charity newsletter. How users are tracked in an app can also differ from cookie and tracker use in a web browser.

These platforms, including smart devices like connected TVs, must all communicate with users about data collection and use. There are tools that enable cross-device consent management to streamline these functions.

Privacy policy information for websites

Websites have unique data collection methods, such as cookies and other tracking technologies, which need to be communicated in a privacy policy, in addition to the more general information outlined above. Website-specific privacy policy information includes:

• cookies or other tracking technologies in use
• analytics and log files
• advertising
• third-party services
• marketing communications
• user-generated content and its use
• privacy and consent management for children
• external website links

Understanding the relevant data privacy laws for your specific organization is crucial. It’s also important to conduct regular data audits to clarify what data your website collects and how, and to ensure the privacy policy is accurate, up to date and compliant.

Privacy policy information for apps

Data protection authorities are increasingly cracking down on mobile applications, many of which have a poor track record with data privacy compliance.

In addition to the requirements outlined above, app-specific privacy policy information should also be included, like:

• mobile device permissions
• geolocation data
• mobile advertising
• in-app purchases and payment information
• integration with social platforms
• user-generated content and its use
• push notifications
• data backup and sync
• privacy and consent management for children
• app-specific security measures

Privacy policies tend to be long documents, so they’re often located on a dedicated web page or app screen. Links to this page should be accessible from elsewhere, such as the website header or footer, or mobile app settings.

Privacy information is often legally required at certain points on a website or app. For instance, a privacy notice should appear at the point of data collection, such as when the website or app first loads or when the user is about to complete a specific action. When a consent banner is in use, typically it will include a visible link to the privacy policy.

Other relevant points where privacy information should generally be present or accessible include:

• home page and landing pages
• first interface upon app loading
• account registration or signup page
• checkout process
• app store listing
• email communication

When creating and updating a privacy policy and/or privacy notifications, consult qualified legal counsel or an internal privacy expert, like a DPO (if one is required).

Organizations need to be clear and accurate on what data they collect and store, their means of doing so, how that data is used, and who it’s shared with. This is the only way to ensure accurate communication with data subjects and to safeguard their ability to exercise their rights. It also helps to ensure compliance with relevant data privacy regulations.

Keeping your privacy policy sufficiently detailed, compliant, and up to date can be challenging. Thankfully, tools are available to not only generate but also automate the maintenance of privacy policies.

For the best value, look for a tool that integrates with a consent management platform (CMP) to ensure the privacy policy stays accurate and up to date. A CMP like Usercentrics also enables consent collection and management at the point of data collection, which is vital for broad data privacy compliance.

It is additionally time- and resource-saving if the CMP enables regular automated scanning of the website or app to detect all cookies and other trackers currently in use, and updates the privacy policy and other relevant information sources accordingly.

If you have questions or are interested in implementing a compliant privacy policy for your website or app, or need a consent management platform to achieve compliance with privacy laws around the world, talk to one of our experts.