
Any company aiming to comply with privacy laws and regulations has to start in one place: the privacy policy. That's where a privacy regulator will look if there's a concern about your data practices or you experience a data breach. 

While privacy policies have a reputation as verbose, multi-page documents full of legalese which the layman has neither the legal degree nor patience to digest, they're changing.  

In 2018, the EU enacted the General Data Protection Regulation (GDPR), which is seen as the gold standard in privacy law globally. And then the rest of the world started to follow suit. Since the EU GDPR passed, countries including Brazil, China, India, Canada, and others have passed or are in the process of passing similar privacy laws. Many U.S. states have passed their own data privacy laws too, like the California Privacy Rights Act (CPRA) and the Texas Data Privacy and Security Act (TDPSA). 

Those legislative changes, combined with a heightened consumer awareness of data privacy risks based on news-making breaches, have put the heat on companies to implement strong data privacy programs. Part of what makes for a robust data privacy program is a documented privacy policy. 

What Is a Privacy Policy? 

While the GDPR requires companies collecting data to publish privacy policies, in the U.S., they're mandated by state, local, and industry-specific regulations, given that the country still doesn't have a federal privacy law.  

It comes down to this: Do what you say, and say what you do. 

In essence, a privacy policy is just that—a means of formalizing your privacy practices and serves to inform others what those privacy practices are. 

Why Do I Need a Privacy Policy? 

There are a few benefits to developing a privacy policy. 

Obviously, there’s the benefit of meeting regulatory requirements. Without a privacy policy (and without an accurate privacy policy), you’ll be liable to be penalized under the data privacy laws we’ve already mentioned. 

However, there are additional benefits to developing a privacy policy. 

For one, it helps you define a framework for your privacy program. Having to sit down and explicitly state how you handle personal data at your organization forces you to think about what you actually do with that data and what you actually should be doing. 

And in a world where consumers are increasingly aware of data privacy concerns, keeping a clear and informative privacy policy serves as a signal that your organization cares about consumer rights. 

Privacy Policies: Dos and Don’ts 

First, don't copy and paste another company's privacy policy and then switch out their name for yours. It might seem like an obvious tip, but it's a rather persistent practice.  

That's according to Dennis Dayman, chief privacy officer at Maropost, a cloud-based marketing platform, who has been helping companies with their data privacy for 25 years. He's written his fair share of privacy policies and read far more of them.  

"That's probably the biggest thing I run into these days is people trying to try and copy and paste policies as their own," Dayman said. "They just say, 'I'm gonna grab this as a beginning template.' But it doesn't necessarily have the same data collection practices as the company they copied it from."

In some cases, the copied policy is simply more than the company needs. If you're a small company, for example, and you don't yet collect massive pools of data, you have much less to protect and disclose. A small company wouldn't need to use, say, Google's privacy policy as a template.

It's important to know your specific data collection practices before publishing a policy designed to articulate what you do with customer data.  

Catherine Dawson, a privacy attorney, said she often sees the same misstep.  

"Lawyers borrow language from other legal documents all the time, and often it makes sense," she said. "It's not necessarily a bad thing to look at someone else's privacy policy and reuse language that you like, but it's an easy temptation to cut and paste wholesale from another privacy policy. And that can be a dangerous practice, because if it's not tailored to your business, you may have inadvertently described a privacy practice that is not yours."

But potentially the greatest challenge companies face is telling users how their data is treated in a way that both makes sense to the user and still protects the company against potential litigation.  

That can be difficult, but Dayman thinks about it simply. 

"I always talk about applying the grandmother test," Dayman said. "I come from the digital marketing side of things when it comes to the use of data. Would you do this to your grandmother? Would you collect this data and use it the way you want to on your grandmother? Privacy has to be as hyper-transparent for your grandmother to use as well. You've got to be very careful in drafting that."

As a way to ensure the text is accessible to the average person, Dayman recommends recruiting people from your organization and asking them to read the policy. Does it make sense to them? Is it filled with legal and technical jargon that only a lawyer could understand?

"Writing in legalese has been one of the hallmarks of bad privacy policy," Dayman said. "A lot of these social media companies have had these privacy policies that were just pages and pages long. A lot of people are feeling like they've been tricked into giving their data."

Dayman recommends keeping it simple. If you're using words like "jurisdiction" or "precedence," you might be taking the wrong approach.  

"Those are really nice words to use from a legal perspective, but find other ways to say that if you can," he said.  

Dawson agreed but said there's a reason people fall back to legal jargon sometimes, especially if the company relies heavily on third-party data and vendors.  

"It can be hard for people to articulate clearly how their data is shared with third parties," Dawson said. "It's not that folks are trying to hide the ball, but more that the online advertising ecosystem is complex. It can be challenging to describe accurately and clearly how the data you collect flows through that ecosystem and how it is combined with other data." 

Okay, so, you won't copy and paste your policy directly from another company's website, and you'll use layman's terms. But who should be at the table when you sit down to write your privacy policy or notice?  

Dayman said it's best to have a top-down mentality. Aim to get buy-in from your CEO and the board, if possible. "Getting buy-in from executives and those who make decisions about the company is highly important," he said.

But it's also important to pull in various business groups who might not seem obvious. The IT, engineering, and sales teams all touch and use customer data at some point, so it makes sense that they should provide input on the policy or at least review a draft to ensure what's being conveyed about company practices matches how their department actually uses data.  

"You don't always know what the engineering team is doing with the data. Sometimes they have to use data to test systems, and you have to figure out whether you have to make a statement (about that in your policy)," Dayman said.  

The bottom line, said Dawson, is to roll up your sleeves and fully understand all of your company’s data practices. If you get the fundamentals wrong, your policy will fall short. Be as straightforward as you can in your descriptions of those practices and then ensure the rest of the organization doesn’t deviate from those descriptions.  

"Privacy enforcement agencies globally have said, 'Your privacy policy should convey what practices you have with respect to people's data,'" she said. "You need to say what you do and then do what you say."

How To Write a Privacy Policy: Information to Include 

Here’s what to include in your privacy policy. For more information on each of these steps, read our Ultimate Privacy Policy Checklist. 

  1. Your business and contact information. 
  2. The categories of data you collect.
  3. The sources of the data or how you collect data.
  4. The purpose of data collection.
  5. The legal basis of data collection. 
  6. The consumer’s rights.
  7. Who you share personal information with.
  8. Whether the data will be transferred across borders and how.
  9. Whether data collection is voluntary or mandatory.
  10. Your data retention policies.
  11. Your security measures.
  12. Your financial incentive programs.
  13. How you will communicate changes to your policy.
  14. Effective date.