It's important to know how to draft a privacy policy that accurately reflects your data practices. Here are some tips on how to avoid common pitfalls. 


Any company aiming to comply with privacy laws and regulations has to start in one place: the privacy policy. That's where a privacy regulator will look if there's a concern about your data practices or you experience a data breach.

While privacy policies have a reputation as verbose multi-page documents crawling with legalese that the common user has neither the legal degree nor patience to digest, they're changing. 

A couple of years ago, the EU enacted the General Data Protection Regulation (GDPR), which is seen as the gold standard in privacy law globally. And then the rest of the world started to follow suit. Since the EU GDPR passed, countries including Brazil, China, India and Canada have passed or are in the process of passing similar privacy laws.

Those legislative changes, combined with heightened consumer awareness of data privacy risks driven by news-making breaches, have put the heat on companies to demonstrate strong data privacy programs.

While the GDPR requires companies collecting data to publish privacy policies, in the U.S., they're mandated by state and local regulations, sometimes industry-specific, given that the country still doesn't have a federal privacy law. 

It comes down to this: Do what you say, and say what you do.

But here's a little more detail on how to do that. 

First, don't copy and paste another company's privacy policy and then switch out their name for yours. It might seem like an obvious tip, but it's a rather persistent practice. That's according to Dennis Dayman, chief privacy officer at Maropost, a cloud-based marketing platform, who has been helping companies with their data privacy for 25 years. He's written his fair share of privacy policies and read far more of them.

"That's probably the biggest thing I run into these days: people trying to copy and paste policies as their own," Dayman said. "They just say, 'I'm gonna grab this as a beginning template.' But it doesn't necessarily have the same data collection practices as the company they copied it from."

It's especially dangerous when companies falsely claim within their privacy policies that they're certified under Privacy Shield, a data-transfer mechanism with strict requirements that is enforced by the Federal Trade Commission. This month, the FTC settled with five companies that falsely claimed self-certification under Privacy Shield. Some of these cases might have been the result of "borrowing" another company's policy language rather than an outright intent to falsify their certification status.

In some cases, the policy is simply overwritten for the business it describes. If you're a small company, for example, and you don't yet collect massive pools of data, you have much less data to protect and therefore much less to disclose about how you protect it. A small company need not use Google's privacy policy as a template.

It's important to know your specific data collection practices before publishing a policy designed to articulate what you do with customer data. 

Catherine Dawson, a privacy attorney who's (full disclosure) now Osano's general counsel, said she often sees the same misstep. 

"Lawyers borrow language from other legal documents all the time, and often it makes sense," she said. "It's not necessarily a bad thing to look at someone else's privacy policy and reuse language that you like, but it's an easy temptation to cut and paste wholesale from another privacy policy. And that can be a dangerous practice, because if it's not tailored to your business, you may have inadvertently described a privacy practice that is not yours."

But potentially the greatest challenge companies face is trying to tell users in the privacy policy how their data is treated in ways that both make simple sense to the user and still go far enough to protect the company against potential litigation. 

That can be difficult, but Dayman thinks about it simply.

"I always talk about applying the grandmother test," Dayman said. "I come from the digital marketing side of things when it comes to use of data. Would you do this to your grandmother? Would you collect this data and use it the way you want to on your grandmother? Privacy has to be as hyper-transparent for your grandmother to use as well. You've got to be very careful in drafting that."

As a way to ensure the text is accessible to the average person, Dayman recommends pulling people from inside your building — building being a metaphor in these times of COVID — and asking them to read the policy. Does it make sense to them? Is it filled with legal and technical jargon that only a lawyer could understand?

"Writing in legalese has been one of the hallmarks of bad privacy policy," Dayman said. "A lot of these social media companies have had these privacy policies that were just pages and pages long. A lot of people are feeling like they've been tricked into giving their data."

Dayman recommends keeping it simple. If you're using words like "jurisdiction" or "precedence," you might be taking the wrong approach. 

"Those are really nice words to use from a legal perspective, but find other ways to say that if you can," he said. 

Dawson agreed, but said there's a reason people fall back to legal jargon sometimes, especially if the company relies heavily on third-party data and vendors. 

"It can be hard for people to articulate clearly how their data is shared with third parties," Dawson said. "It's not that folks are trying to hide the ball, but more that the online advertising ecosystem is complex. It can be challenging to describe accurately and clearly how the data you collect flows through that ecosystem and how it is combined with other data."

Okay, so, you won't copy and paste your policy directly from another company's website, and you'll use layman's terms. But who should be at the table when you sit down to write your privacy policy or notice? 

Dayman said it's best to take a "top-down" mentality. Aim to get buy-in from your CEO and the board, if possible. "Getting buy-in from the executive and those who make decisions about the company is highly important," he said.

But it's also important to pull in various business groups who might not seem obvious. The IT team, the engineering team and even the sales team all touch and use customer data at some point, so it makes sense that they would at best provide input on the policy or at least review a draft to ensure what's being conveyed about company practices maps to how their department uses data. 

"You don't always know what the engineering team is doing with the data. Sometimes they have to use data to test systems, and you have to figure out whether you have to make a statement (about that in your policy)," Dayman said. 

The bottom line, said Dawson, is to roll up your sleeves and fully understand all of your company’s data practices. If you get the fundamentals wrong, your policy will fall short. Be as straightforward as you can in your descriptions of those practices and then ensure the rest of the organization doesn’t deviate from those descriptions. 

"Privacy enforcement agencies globally have said, 'Your privacy policy should convey what practices you have with respect to people's data,'" she said. "You need to say what you do and then do what you say."
