How to Write a Privacy Policy

Any app or website that collects personal data from its users is required by law to have a Privacy Policy. The policy must disclose the data being collected from site users, and the reasons it is collected.

Internet privacy laws apply to companies operating out of the legal jurisdiction, but also to any website or app that collects data from users who reside within their jurisdiction.

Some of the main laws you may need to comply with are:

  • The California Online Privacy Protection Act of 2003 (CalOPPA)
  • The Children's Online Privacy Protection Act (COPPA) in the US
  • The Children's Internet Protection Act of 2001 (CIPA) in the US
  • The Computer Fraud and Abuse Act of 1986 (CFAA) in the US
  • The Data Protection Act 1998 (DPA) in the UK
  • The Privacy Act 1988 in Australia
  • The Data Protection Directive (Directive 95/46/EC) in the EU which will be replaced by the General Data Protection Regulation (GDPR) in May, 2018

These laws all require websites to disclose information about the data they collect from users. Some aspects vary among them, so be sure you are compliant with all regulations that apply to you and your users.

CalOPPA is a good standard to follow as its guidelines have been a model for other internet privacy laws and there is a good chance that your app or website will serve users who reside in California.

Second to this, you should comply with GDPR regulations if you currently serve users in the EU or plan to in the future.

How to Structure a Privacy Policy

How to Structure a Privacy Policy

The laws requiring your app or website to post a Privacy Policy also dictate what needs to be included in your policy. Below is an easy-to-follow guide for what should be included in a Privacy Policy and how to organize it.

Part 1: What personal data are you collecting?

The first section of a Privacy Policy usually declares that the app or website collects personal data from its users. It should specify what data is collected and how that data is collected.

For example, there is a big difference between a website that has a sign-up form requesting first name and email address compared to a website that stores information about a user's IP address, location, search habits, or purchase history.

If your app or website does not collect personal data from your users, it is still a good idea to let them know that in your Privacy Policy.

Here is an example from Disconnect.me:

Screenshot of Disconnect.me Privacy Policy: Information We Don't Collect Clause

By being transparent with this information you are not only complying with the law but also building trust with your customers or clients.

Part 2: How is the data used?

The second part of a Privacy Policy usually explains how the data is used. This may be as simple as sending receipts to the provided email address, or as in-depth as sharing information with third-parties to enhance the functionality of the app or website.

For example, if in part 1 you declared that you collect location data, some users may be uncomfortable with this.

If, however, you explain in part 2 that you simply collect location data in order to provide them with correct pricing ($ vs £, for example), this may reduce the concerns they have about the data you are collecting.

By letting your users know how you are using the data you collect, you have an opportunity to teach them about the functionality of your website or app and use that as a selling point.

Below is an excerpt from LukieGames.com explaining why they collect user data:

LukieGames.com: Privacy Policy -  Why We Collect Personal Data Clause

It is also important to let users know if you are sharing or selling their data to a third-party. Once again, this is about transparency and the rights of the user to know how their personal data is being used.

Part 3: How is that data protected?

At the core of a Privacy Policy, the objective is to protect the user's personal data. Letting your users know what information you are collecting and how you are using it is important, but so is letting them know that their data is being used responsibly and protected so they have nothing to worry about.

For example, a customer may not be comfortable storing their credit card information on most websites.

If, however, you explain how their personal data is kept safe using cutting-edge security with virtually no chance of being compromised, you may be able to alleviate concerns and allow them to utilize the full functionality of your website.

Below is an example from LukieGames.com:

LukieGames.com: Privacy Policy - Protection of Information Clause

Again, this section of your Privacy Policy is not only about compliance with the law, but also an opportunity to highlight your trustworthiness and authority.

Part 4: What rights do your users have?

This section of your Privacy Policy should inform users of the choices and rights that they have regarding their personal data on your app or website.

It may be as simple as "if you don't agree to our policies, do not use our website," or as in-depth as showing them how to opt-out of certain services, cancel a mailing list, delete their account, or block cookies and location data in their browser.

Below is an example from Zappos.com:

Zappos.com: Privacy Policy - How We Collect and Use Data Clause

Different users have different opinions on the collection and usage of their personal data. It is your responsibility to let them know what choices they have when it comes to the collection and usage of their personal data on your website or within your app.

Once again, this can be a great opportunity to be helpful and build trust with your user-base.

Part 5: Other Privacy Considerations

Depending on the functionality of your app or website, there may be other factors you wish to discuss with your users.

This may include details about making an online purchase, not sharing personal information with other users on a social website, or getting a parent's permission before using a gaming website for minors.

Consider who will use your app or website and how, and cater your Privacy Policy to cover those needs.

Below is an example of Amazon.com's policies regarding minors:

Screenshot of Amazon.com Privacy Policy: Minors Clause

Another important piece of information to include in your Privacy Policy is how you will notify users if things change.

For example, if you begin using a new analytics software that collects new data from users, you may send out an email to your clients notifying them of this change and/or post on your website that policies have changed and when the changes went into effect.

Screenshot of Amazon.com Privacy Policy: Last Updated August 29, 2017 - see changes pointed

Some special conditions may require you to comply with additional regulations regarding your Privacy Policy. If your website collects or processes any of these types of data from users, additional laws and regulations may apply:

  • Medical information
  • Financial information
  • Credit reports
  • Any personal information from minors

Be sure to comply with any additional legislation as these types of information are considered to go above and beyond standard website and business functions and require additional protection.

Other best practices include asking your users to accept the terms of your Privacy Policy and providing them with contact information in the event that they have any questions or concerns.

Sample Privacy Policy

Sample Privacy Policy

While there are many ways to write a Privacy Policy, the above samples cover the main aspects of a Privacy Policy.

The more complex an app or website is, the more complex its Privacy Policy will be in order to cover all aspects of data and privacy.

For example, the Privacy Policy on Amazon.com is several times larger than the above samples in order to cover all of the different kinds of data that they collect and the uses for that data. As a leading website, Amazon.com offers a thorough and helpful Privacy Policy to the benefit of their customers.

Sample Privacy Policy for a Simple Website

Here's how it looks:

Screenshot of a sample Privacy Policy for a simple website

Here's the full text:

This website collects location data and requests name and email address upon registration, and uses third-party tracking software.

This website collects user data regarding their location and upon registering you will be asked to fill out information such as your name and email address.

Location data is used to provide you with accurate information depending on your state or country of residence. Your name and email address will only be used in the profile you create and for our mailing list.

We take great care to secure our user information by implementing advanced encryption technology and firewall security measures. Your privacy and security are important to us!

This website uses cookies to personalize your experience. These cookies allow us to suggest topics that we believe you may be interested in based on your interest in other topics.

Users are able to turn off location services by choosing "Block" instead of "Allow" when prompted upon visiting our website. You may also turn off location services in your browser. Please note that by not allowing us to access your location services, the data provided may be less accurate or less specific than intended.

Users are able to block cookies via their browser settings. Please note that this may disrupt certain functionality on the website that could affect user experience. Blocking cookies will also disable the "recommended for you" features on the website.

If you disagree with any aspects of this Privacy Policy, you have the right to decide to not use this website. By using this website, you agree to and understand the Privacy Policies we have in place.

This website uses third-party tracking software that may collect data about your habits on our website. You can find more information about this functionality on our Terms & Conditions page.

If you have any questions or concerns, please visit our FAQ or contact us at the email address on our Contact page.

Sample Privacy Policy for an Ecommerce Website

Here's how it looks:

Sample Privacy Policy for an Ecommerce Store

Here's the full text:

Effective as of July 2017

We care about your privacy! We promise not to misuse, exploit, or sell any of the information that you provide on our website. All of the information you provide to us is used to complete purchase orders. The information needed to process purchases is secured in our records and kept safe and confidential. We do not share user data with any third-party entities.

The information required to place a purchase order at checkout is as follows:

Your name

Shipping address

Billing address

Email address

Phone number

All of our records are protected by Secure Sockets Layer (SSL) software that encrypts information to prevent unauthorized access to your personal data.

Other Things to Remember

Other Things to Remember

Be as detailed as possible when writing your Privacy Policy for your app or website. Consider all relevant functionality as well as all requirements to stay compliant with laws pertaining to you and your users.

Your Privacy Policy, although a legal requirement, is intended to be read and understood by the average user. You may want to think about your Privacy Policy in the same way that you would think about any content on your app or website. This information should be easy to understand and use simple language.

A Privacy Policy that is unnecessarily long, poorly organized, or full of legal jargon is useless to the average internet user. If your users cannot understand your Privacy Policy, then you are not complying with privacy laws.

Your Privacy Policy should be a helpful section of information that is carefully laid out and easily digestible so your users can fully understand the information provided. After all, this information is for the benefit of your users, not for the government or lawyers.