How to write a Privacy Policy

Christina Keough
Last Updated: 7 Oct 2022

Published On: 9 Sep 2022


Today, more than ever, websites and applications can collect personal information from their users with very little effort. This makes it essential that businesses do what they can to reassure users and maintain transparency.

One way in which businesses can do so is by having a solid privacy policy in place. Note that this is in fact not optional if your application or website collects data and information from its users. Before collecting any personal data, you must first and foremost have a privacy policy to govern the process.


The following is a guide you can follow whilst you write your privacy policy. Note that depending on where your business is based, you may have to pay attention to certain jurisdictional or local requirements.

What is a privacy policy?

A privacy policy is a legal document or statement that explains how a website, application or organisation gathers and handles the personal data users share with it. It also explains why this information is being collected, and how users can limit the sharing of their personal data if they wish to.

Why do I need a privacy policy? 

Beyond the more obvious purposes of explaining how personal data will be used and processed and satisfying legal requirements, privacy policies serve a few more important purposes:

    • They give users more control and say over their own information
    • They increase transparency and trust
    • They decrease the likelihood of legal costs and disputes in the future
    • They improve the reputation and user perception of the brand
    • They enable businesses to use such data

What constitutes personal data? 

While this may vary depending on the laws in your jurisdiction, personal data is generally defined as information that relates to an individual. That is to say, such information must make a given individual distinguishable from other individuals.

Examples of personal data include an individual’s name, location data, identification or passport number, email address, etc.

Again, the exact meaning varies depending on the applicable privacy laws in your jurisdiction.

Privacy Policy Best Practices 

To make sure you are following legal requirements and giving your users the best possible experience, it is highly recommended that you adhere to the following:

    • Follow legal guidelines and regulations in your jurisdiction
    • Write your policy in simple and clear language, free of legal or technical jargon
    • Keep updating your policy alongside any changes in the law, the news or your business
    • Make sure you notify your users of any changes to your privacy policy
    • Make sure users can easily opt out or take charge of their personal data if they choose
    • Ensure that the privacy policy is displayed in an obvious way

How do I write a Privacy Policy?

There is no single formula: what your privacy policy contains is highly dependent on the nature of your business. Since writing a policy from scratch can be difficult, we would recommend using the DocPro privacy policy template as a starting point.

Nonetheless, if you do choose to create your own, here are six of the most important and basic sections that every privacy policy should contain. Note that this is not a comprehensive list and can be customised as required.

1. What data is being collected and why?

In this section, you need to make clear what kind of personal data your application or organisation collects, and where it is collected. You should also explain why data collection at that specific point is needed. For example, if you have a monthly newsletter, you might explain that users’ names and email addresses are collected at the point of user registration for the purpose of adding them to the newsletter list.

Due to the level of detail required in this section, it may be beneficial to review every part of your application or run an audit to determine exactly the point at which each type of data is collected.

You should try to break this information down using a list format. Be as detailed as possible, so users know what to expect whilst using your application.

2. How is this data being collected?

In addition to what type of data you plan to collect and at which specific points you plan to do so, you should explain how you intend to collect this data. There are of course many ways data can be collected – via surveys, analytics, web tracking, IP addresses, etc. Some ways are less obvious than others, so it may be beneficial to divide this section into two: one addressing information that the user must actively ‘give’, and the other addressing the ways information is collected automatically or via third parties.

Your privacy policy must be as technical and specific as possible – vague language is not ideal.

3. How will this information be used, and for how long?

Here you should explain what users’ information will be used for. Ideally, you should list all the possibilities. Some examples of ways in which personal information might be used include keeping users updated, advertising or marketing purposes, curation of content, enabling the personalisation of services, etc.

An example of a clause you can include here is a communication clause. A communication clause tells users why and how you plan to contact them using their personal contact details. It should also make clear how users can opt out of communications.

In addition to this, you may want to say how long you plan to store this data. Is the length of storage justified by how you plan to use this information? Be clear and straightforward.

At this point, you may want to emphasise how valuable this information is for those purposes, so users are assured that their data is not being used for arbitrary purposes. This is especially important as many websites sell user data to third parties for marketing purposes or profit. Disclosing how you plan to use such data can bring users peace of mind, particularly when it is being used solely to benefit the application/website and, in turn, their user experience.

4. How will this information be kept safe?

Here, you will have to break down the relevant security measures you have implemented to handle personal data with care. Explain what safeguards you have in place and how they will ensure that users’ data will not be breached.

Ultimately, it is important that users understand the security system in place to protect their data – and, of course, have the reassurance that the security system is in fact a robust one.

5. Does your application or website use third-party services/involve third parties?

Here you will want to specify whether there are any third-party services integrated into the website, or whether you are planning to permit third parties to access user data. Platforms and applications often engage third-party affiliates to carry out services for them.

If your application does involve third parties, make sure you help users understand why their data and information must be shared with those parties. Typical reasons for sharing data with third parties include advertising purposes, analytics services, technical or customer services, etc. At this point, you may also want to reassure users that these third parties are also committed to a similar level of protection and security.

6. Changes to the privacy policy

In this section, you should tell users that you have the right to alter the privacy policy at any time. You should also inform users how they will be notified, i.e. through which communication medium.

It is important here to emphasise that users will be notified as soon as any changes are made, since there should not be any delays.

To sum it up, writing a solid, user-friendly privacy policy ensures that both users and the business on the other end are protected legally. In addition to the legal benefits, a clear privacy policy increases transparency and has the potential to improve a business's reputation.

Frequently Asked Questions (FAQ)

1. Where should a privacy policy be placed (on a website or app)?

Karyna Pukaniuk, Head of Legal at Lawrina, is of the opinion that data protection laws, especially the GDPR, set requirements that a privacy policy has to be placed in a prominent, easily located place on a website or app.

This is down to personal preference - as long as it is obvious and prominent to users on the website. Generally, privacy policies tend to end up in the header menu, the footer, or the ‘about us’ section.

In addition to this, you might also have users tick a checkbox to acknowledge that they have read the privacy policy, accompanied by a link to the policy, for example on a checkout form.

2. Is a privacy policy a legal requirement?

Yes, a privacy policy is generally required by law. However, there is no single overarching law that governs this and stipulates what the policy should contain. Instead, the extent to which a privacy policy is required varies depending on the privacy laws applicable in your jurisdiction. In addition, Apple and Google require the apps listed on their platforms to have a privacy policy.[1]

In the US, for example, there are many laws at state and federal level, as well as specific requirements stipulated by the trade commission, that businesses should pay attention to. In the European Union, on the other hand, the GDPR is the presiding regulation which determines what businesses in the EU must follow.

3. Does every privacy policy need to be GDPR compliant?

The General Data Protection Regulation (GDPR) is a regulation in EU law, so if your company does business in the EU and collects any data from clients in the EU, your policy should reflect the disclosure and transparency requirements set out in the GDPR.[2]

Hence, any business that stores personal information from EU citizens or individuals in the EU must comply with the GDPR. This includes local businesses which operate in the EU, as well as foreign companies that collect the personal data of individuals located in the EU.

4. How soon must users be notified of any changes in the privacy policy, and how can the business make this clear?

As soon as any change is made, users should be notified promptly. Notification is crucial for your privacy policy to be legally valid. Further, transparency is essential when it comes to dealing with personal information. If your business is subject to the GDPR, then it is a legal requirement to notify users of any updates to the privacy policy.[3]

[1] Brian Heller, Partner, Outside GC LLC

[2] Laila Ghauri, Esq., Trademark and Business Attorney, Antares Law Firm

[3] Laila Ghauri, Esq., Trademark and Business Attorney, Antares Law Firm

Disclaimer: Please note that this is a general summary of the position under common law and does not constitute legal advice. As the laws of each jurisdiction may be different, you may wish to consult your lawyer. 

 

Christina Keough

Christina is a Legal Writer at DocPro. Christina manages the legal articles and blogs, identifies legal topics, and invites lawyers and legal experts to contribute. Christina holds a law degree from a leading university. If you would like to become a blog contributor to DocPro, please click the link below:

DocPro Legal Contributor
