In today’s volatile digital environment, user data has become a commodity, and users are increasingly aware of how it is handled.

That greater awareness of privacy concerns has led to the tightening of privacy laws across the globe.

That’s why you need to think about how to write a privacy policy.

While different countries have their own regulatory bodies, data collection is regulated in broadly similar ways.

The misuse of user data in the past has led to tighter privacy practices, more regulatory oversight, and consequently, more fines.

It’s vital to bear these legal requirements in mind when creating a privacy policy.

What is a privacy policy?

A privacy policy on a website is a statement explaining how you collect and use your web visitors’ data.

It should lay out what type of information you collect from users or visitors, your reasons for doing so, and what use you put it to.

Your privacy policy should also explain the methods you use to collect data.

For instance, are you using cookies? The policy should also tell users what they can do to limit the data you collect from them.

Now you know what a privacy policy is, it’s time to think about whether your website needs one.


Why does my website require a privacy policy?

If you’re doing any type of online commercial activity, you must include a comprehensive privacy policy on your website, especially if your business operations are based in a heavily regulated area.

For example, the European Union has enacted the General Data Protection Regulation (GDPR), which regulates the processing of personal data and imposes strict penalties on companies that fall short of its requirements.

The GDPR applies within the EU and the European Economic Area (EEA), and also to organizations outside that region that offer goods or services to, or monitor the behavior of, people located there.

Canada has PIPEDA (Personal Information Protection and Electronic Documents Act), which governs how private-sector organizations collect, use, and disclose personal information.

The USA doesn’t have a dedicated federal data privacy law comparable to the GDPR, but it has a patchwork of federal and state laws that impose privacy obligations, such as:

  • COPPA — Children’s Online Privacy Protection Act, which controls how you can collect personal information online from children under 13 years of age; enforced by the Federal Trade Commission
  • CCPA — California Consumer Privacy Act, which grants California residents privacy rights and consumer protections over their personal information
  • CalOPPA — California Online Privacy Protection Act, which requires commercial websites and online services that collect personally identifiable information from California residents to post a privacy policy

So, why does your business require an online privacy policy?

Because in many jurisdictions it is a legal requirement.

If you operate in any of these jurisdictions, you face substantial monetary fines if you don’t comply with the applicable local, state, or federal rules.

Here’s one staggering example. After a 2018 data breach, the UK Information Commissioner’s Office announced its intention to fine British Airways £183 million (over $200 million) for failing to protect customer data.

The final penalty was reduced to £20 million (roughly $26 million at the time), but this still shows that the consequences of non-compliance can be serious. Note that the fine was for inadequate security measures that allowed the breach, not for the wording of a privacy policy; the same regulators can penalize both.

How to write a privacy policy for a website

There are three main ways to go about writing your company’s privacy policy.

Hiring a law firm

Reliable legal advice, but also the most expensive option out there.

Having your privacy statement drafted by lawyers can cost anywhere from $275 for simple policies to over $5,000 for complex policies.

Writing it yourself

The cheapest, but the most difficult and time-consuming.

If you’re not familiar with rules and regulations, you may fail to include important information and risk your business.

Using a privacy notice template

The quickest, cheapest, and easiest method when deciding how to write a privacy statement.

Issue solid privacy policies quickly

With a good template, you can issue solid privacy policies and finish them off with a legitimate signature in a matter of minutes.

Not only is this cost-effective but it saves you a lot of time in the long run.

Regardless of which option you decide to go for when writing a privacy policy, it’s important to ensure that you’ve dotted all the i’s and crossed all your t’s.

The only way to know that you have a good privacy policy is to be aware of what exactly you need to include.

The safest bet is to use a ready-made privacy policy template, but if you like to get your hands dirty, you can try doing it on your own.

Below, you’ll find more information on which types of data you must mention, along with other tips on how to draft your own privacy policy.

01. Include your business name and contact information

The first rule of writing your online privacy policy is to use plain language with correct legal terms, without overcomplicating it.

At the beginning of the document, list your company’s information: name, address, email address, and phone number. If you have appointed a data protection officer (the GDPR requires one for some organizations), include their contact details too.

We also recommend encouraging your website visitors to use the previously mentioned information to contact you in case they have any questions or concerns regarding the policy.

This shows that your company is transparent, has nothing to hide and encourages open communication, which is always a good look.

02. Mention what type of information you collect

The term “personal data” is broader and more complex than you might think.

It does include obvious items like credit card information, IP addresses, and phone numbers, but also less obvious information like location data, number plates, and other online identifiers.

Under the GDPR, personal data is any information relating to an identified or identifiable natural person, including anything “specific to the physical, physiological, genetic, mental, economic, cultural or social identity” of that person.

Make sure to use specific terms instead of broad ones.

For example, instead of saying “we collect contact information,” say “we collect your telephone number, email address, and physical address.” This ensures that there’s no confusion that can lead to issues down the road.

03. Explain how and why you collect data

The next important step is to mention why and how your website collects data.

There are many different ways to collect user information, such as:

  • contact forms
  • cookies
  • surveys
  • course registrations
  • email newsletter
  • website analytics (e.g. Google Analytics)

Do you plan to resell the data?

Do you plan to notify customers about news, updates, and promotions? Do you need this information for processing orders?

Regardless of the reason, your customers have the right to know what companies are doing with their information, so don’t forget to include this when writing a privacy policy.

04. Describe how users can opt out

One of the main goals of laws like GDPR and CCPA is to give users more control over the information websites collect about them.

When users allow you to collect their data, that doesn’t mean that they’ve allowed you to collect it indefinitely.

At some point, they might want to withdraw their permission, and you’re bound by law to let them do so.

Your privacy statement for the website should describe all the options users have in case they want to revise any previously-given permissions.

This includes:

  • Right to review the information you hold about them (access)
  • Right to request corrections to that information (rectification)
  • Right to request that you delete the acquired information (erasure)
  • Right to withdraw consent they gave earlier, where consent is your basis for processing

Describe the process for each of these in detail and provide users with helpful links and resources that will make the whole process easier and more convenient.

05. Mention if user data is shared with third parties

If you plan on sharing any user data with third parties, always include a clear disclosure in your privacy policy.

Third parties include service providers, marketing partners, consultants, credit card processors, etc.

Not disclosing this information puts you at legal risk, because most laws and regulations prioritize transparency.

For example, imagine you shared user information with your marketing agency and you forgot to add a third-party sharing disclosure on your website.

Then, the said marketing agency suffers a data breach, and all their data is stolen, including your clients’.

You would not only risk your company’s reputation, but you could also receive hefty fines for not being transparent with your customers.

06. Specify how long you will retain user data

Under the GDPR, you may keep collected user data no longer than is necessary for the purposes it was originally obtained for.

The GDPR doesn’t specify a particular timeframe, so you need to define retention periods yourself, purpose by purpose, and revisit this section regularly to ensure it still matches what you actually do.

For example, if you collect data to perform a contract, you may store it for as long as the contract is in force, and afterwards only where another obligation (such as tax or accounting record-keeping) requires it.

As long as the data is still needed for its purpose and you have a lawful basis, you may continue to process it.

Be very clear, and specify a timeframe within which you’ll delete the data once that purpose ends.

While it’s not required, you can also add a dedicated “Data Retention Policy” where you explain the different cases in more detail.

07. Explain how you’ll protect the personal data you collect

Preserving the integrity and security of collected user data is imperative.

Your customers are putting their trust in you by allowing you to gather their information.

Your responsibility is to implement appropriate technical and organizational measures so that the data isn’t leaked or misused.

Mention how you protect user information (e.g., encryption in transit with TLS, encryption at rest, access controls, regular security testing), but don’t be too specific in this section.

Name general categories of safeguard rather than products, versions, or configuration details. Specifics go stale quickly, and a policy that promises a control you no longer run can itself be treated as a misrepresentation; keeping the description general also avoids handing an attacker a map of your stack.

08. Describe the dispute resolution process

A standard website privacy policy should also describe how the dispute resolution process works. Some companies tend to add this section to their Terms and Conditions policy.

We recommend including it in your privacy policy as well, to cover all the bases.

Despite your best efforts to preserve harmony and keep a good relationship with your customers, legal disputes may occur at some point.

Add a sentence or two about dispute resolution and how you handle it (third-party dispute resolution service provider, contact form, customer service, legal firms, etc.).

09. Mention what happens if your online business transfers ownership

Business ownership transfers are a very common occurrence and you never know if and when your website will be subject to it.

Even if there are no plans to sell the company at this particular moment, it is still a possibility in the future.

Including this clause helps limit your liability if you eventually decide to sell your business.

This clause ensures that users are aware that their information might be handed over to a new entity in case of an acquisition.

We also recommend including a clause explaining that, while you’ll use your best efforts to secure your website, you cannot guarantee that it will never be compromised.

Nothing is foolproof, and you should protect yourself as much as possible in case a data breach happens. Bear in mind that such a clause does not remove your statutory duties: under the GDPR, for example, a personal data breach that poses a risk to individuals must still be reported to the supervisory authority within 72 hours of your becoming aware of it.

10. Put everything together in one template

Phew! Now that you know what to write in a privacy policy, collect all the sections and create a template. This is going to save you a lot of trouble and headaches in the long run.

For example, if you decide to create more websites in addition to your existing service, you’ll need a custom privacy policy for every one of them.

Instead of going through the arduous process of drafting it from scratch, you’ll be able to use templates and create privacy policies within minutes.

Legal documents are very complex, which is why having templates on hand will be a true lifesaver.

PandaDoc offers privacy policy templates designed to protect your business’s interests.

They’re drafted with major regulations such as the GDPR and CCPA in mind and will drastically shorten the policy-making process.

Quick privacy policy best practices checklist

We’ve already discussed the most important contents of every privacy policy.

What we didn’t discuss is how to approach the writing process itself.

Here are some tips and tricks on how to make your privacy policy accessible, clear, and understandable:

[Infographic: how to write a privacy policy]

What should a privacy policy include?

Here’s a quick rundown of the most important items to be found in your company’s privacy policy:

  1. Company information: Name, address, phone number, and email address.
  2. Type of collected data: Write this information in specific detail (credit card information, location, IP address, etc.) and note how and where you collected the said data.
  3. Mention the lawful basis for processing: Under the GDPR this means stating which of the recognized bases you rely on (consent, performance of a contract, a legal obligation, vital interests, a public task, or legitimate interests), not merely which law applies to you.
  4. How you protect collected data: Which safeguards are put in place to ensure maximum data security.
  5. How long you’ll retain the collected information: Specify the timeframe within which you plan to use and retain the collected information.
  6. How you’re using the collected data: Explain what exactly you’re doing with user data – marketing purposes, notifications, order processing, data analysis, etc.
  7. List data subject rights: The GDPR sets out eight data subject rights. List and explain them on your website as follows:
  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated decision-making and profiling


Privacy policy examples

Canva

The people behind the online graphic design tool Canva have created a thorough privacy policy that leaves no stone unturned in terms of why and how they collect and process user data.

Throughout this privacy policy example, Canva has not dipped into legalese but has chosen to break down complex terms into simple language that mirrors their website — reassuring users that their data is in safe hands.

Canva has included highlighted summary sections throughout the privacy policy that make for easy skimming instead of reading walls of text.

Canva’s privacy policy has some extra details, too.

Specifying their use of web beacons (also known as clear GIFs) and log files in a detailed way, Canva has gone the extra mile to ensure its users understand exactly what happens with their data when they use the website.

They even go so far as to explain what happens to user data if they sell the business further down the line.

This approach is great for delivering transparency to users and contrasts with competitors who tend to bury such details in a separate cookie policy.

Slack

The privacy policy you find on Slack’s site is clear, clean, and fresh.

Slack has taken steps to reassure users on how their data is transferred between different countries and how they adhere to privacy laws, such as GDPR.

The use of plenty of white space, together with useful subheadings, make it easier to read than most privacy policies.

Slack has implemented a handy table of contents so that you can skip ahead to sections of interest, making for an intuitive and simple user experience.

Airbnb

Airbnb’s privacy policy, like Slack’s, is a simple and clean approach to a privacy policy.

There are no colorful graphics to this comprehensive privacy policy. They keep it simple with helpful sections for skim reading purposes.

They’ve also included their other business policies in the sidebar so you can reference them with ease.

Airbnb has chosen to display the previous version of its privacy policy, so users can check what they’ve added, removed, or changed.

This transparent approach helps to build trusted relationships with Airbnb’s customers.

Nail your privacy policy now!

Privacy policies may seem like a formality to many people.

But if you want to run a serious business based on integrity and transparency, then you simply must include a proper privacy policy on your website.

If not for the sake of transparency, then do it for the sake of your business.

After all, you are legally obligated to notify your customers about how you handle their data.

If you don’t include this on your website, you’re risking serious consequences that can damage your operations.

PandaDoc makes it easy for you to generate any type of business or legal document within minutes.

We offer over 750 ready-made business templates that are expert-vetted and easily customizable.

That includes a ready-made privacy policy template. Expertly created to ensure it covers all the bases you need, you can simply tailor and customize the template to your site and business.

That way, you keep your website users and visitors happy and ensure your business stays on the right side of the law.

Sign up for our 14-day free trial to see why leading businesses across the globe chose PandaDoc as their main document creation tool.

Disclaimer

PandaDoc is not a law firm, nor a substitute for an attorney or law firm. This page is not intended to and does not provide legal advice. Should you have legal questions on the validity of e-signatures or digital signatures and the enforceability thereof, please consult with an attorney or law firm. Use of PandaDoc’s services is governed by our Terms of Use and Privacy Policy.

Originally published December 17, 2021, updated January 17, 2023

Frequently asked questions on how to write a privacy policy

  • If you cater to EU customers, you need a GDPR-compliant privacy policy for your website, which includes telling your users in simple terms why you’re processing their data and how long you will store it.

    Under GDPR regulations (and to adhere to most other legislation), you must tell your users about their eight rights.

    The right:

    • to be informed
    • of access
    • to rectification
    • to erasure
    • to restrict processing
    • to data portability
    • to object
    • in relation to automated decision-making and profiling
  • Child-friendly websites require a privacy policy that satisfies relevant legislation in their jurisdiction, for instance, the requirements of COPPA (Children’s Online Privacy Protection Act).

    If your site is directed to children under 13, or you know you are collecting personal information from them, your privacy policy must include, among other things:

    • The type of data collected
    • The contact details of all operators
    • How parents can view, edit, or delete any data
  • To write a privacy policy for an eCommerce website, you must clearly identify the types of data collected through your store, together with how and why it’s collected, recorded, stored, and deleted.

    There will also be some specific factors that relate only to your eCommerce store, such as how you advertise, your products, payment data, and how payment processors are involved with your site and your data.

  • Because bloggers collect personal reader information, a privacy policy is required.

    To get started, check out this free privacy policy template. You’ll need a list of the personal information you collect via your blog, such as registration and credit card details, and then go on to explain how and why you use this data.

    For example, you may use reader data to improve services, process payments, or personalize content.

  • If you’re wondering how to write a privacy policy for a small business, we’re happy to report that the process is pretty much the same as when dealing with larger companies but less comprehensive.

    It’s easier because your operations likely aren’t that complex just yet, so you’ll have less information to cover.

  • A privacy policy template is a pre-made privacy policy, created and approved by legal experts, which is customizable and lets you tailor it to your business needs.

  • Yes, you can use a privacy policy template on your website, as long as it’s customized to fit your business’s particulars. Don’t copy and paste a random template you found online without modifying it or checking that it reflects current legal requirements.

    There are many websites with the top priority of earning ad money over quality of service, meaning they don’t update their templates.

    PandaDoc offers expert-vetted customizable templates that are always up-to-date and very easy to use.

  • You can use free privacy policy generator tools that are available through a quick Google search – “how to write a privacy policy for free” should do the trick.

    The downside of using free tools is that they’re often unreliable and outdated.

    You’re better off paying a reasonable fee for expert-vetted customizable templates like the ones PandaDoc offers than risking your company’s integrity by trying to do it for free without proper oversight.