

So, you need a privacy policy. Maybe it’s for your website, maybe it’s for your app, either way, it probably sounds near impossible to create one on your own! Well, what if we told you, it’s actually quite straightforward? We’ll walk you through the different ways you can create one, including the steps on how to write one yourself.

Disclaimer:

Nothing in this guide is legal advice. We're simply providing the tools you need to create a compliant policy; it's up to you to do the research required to ensure legal compliance.

Jump straight to the action

It's likely that everyone reading this is at a different stage of acquiring a privacy policy. Pick whichever of the following statements describes your situation and head straight to the information you're after.

  1. If you know what a privacy policy is, but haven’t the first clue how to make one, we recommend reading from the next section.
  2. If you know about all the helpful tools that write a privacy policy for you and are still certain you want to write your own, head straight to our guide.

Good luck!


Should you be writing your own privacy policy?

Is it okay to write your own privacy policy, or should you hire a lawyer to do it? Great question! Let us start by saying that hiring a lawyer isn't the only alternative. You actually have four options: hiring a lawyer, using a policy generator, following a template, or writing your own. The best choice depends on what matters most to you: spending as little time as possible, spending as little money as possible, or the quality of the policy itself.

When you should hire a lawyer

Time: 3/5, Cost: 1/5, Quality: 5/5

Hiring a lawyer is always going to be the best way to create a privacy policy: it gives you the strongest assurance of compliance, and your policy will be tailor-made to your business. On the flip side, it's also expensive and, in most cases, complete overkill. If you're running a small business, there are better options for you right now.

That said, even for small businesses, we would suggest that you consult a lawyer to write your privacy policy if any of the following applies to your business’s operation.

  • You handle highly sensitive personal information such as health information or medical records, extensive financial data, or specifically handle children’s personal information.
  • You run a large-scale operation, collecting very large amounts of personal information across multiple jurisdictions
  • You trade in personal information as part of your core business

If none of the above apply to you, one of the next three options is probably a better fit.

When you should use a privacy policy generator

Time: 5/5, Cost: 4/5, Quality: 4/5

Privacy policy generators are specifically designed to make writing a privacy policy a 5-minute task. A trustworthy privacy policy generator like GetTerms gets you ready for compliance with global privacy laws in the time it takes to make a cup of coffee.

By asking carefully constructed questions about your business, document generators are able to tailor your policy to your operations. They also keep your policy up to date with changing privacy laws, which means you won't need to pay for extra legal advice each time the laws change.

When it comes to cost, they’re also extremely affordable, with both free and paid options available online. Some paid options also come with a range of documents like terms and conditions, return policies, and EULAs. Ours even includes a cookie banner and cookie consent management platform!

When it comes to free options, just know that not all of them are truly compliant with privacy laws like the GDPR and CCPA, and some lack features like support for affiliate links and Google Analytics. Check this before relying on one, or just play it safe and try GetTerms (we also have a free tier for personal use).


When you should use a template

Time: 4/5, Cost: 5/5, Quality: 1/5

Privacy policy templates are great for personal use; the main downside is that they still require a lot of work.

With a template, you'll just need to replace some placeholder text with information about your business. The hard part is understanding which clauses apply to your business and knowing when to remove the ones that don't.

A template is always a one-size-fits-all approach, which is usually fine for personal use, but we don't recommend templates for businesses. Businesses put themselves at far greater risk of fines if their policy isn't compliant.


When you should write it yourself

Time: 1/5, Cost: 5/5, Quality: 3/5

If none of the above work for you, all that’s left is writing your own. As with templates, we only recommend this for personal use.

The upside of writing your own policy is that once you’re done, you’ll have a policy tailored to your business and it won’t have cost you a dime.

The downsides are 1) the amount of time involved and 2) the risk that you miss something critical and open yourself up to legal issues. Remember, you don’t just need to create the document, you’ll also need to spend time understanding which laws apply to you, making sure your policy meets their requirements.

If you're up for it, we're here to make your life easier by showing you the ropes. Just remember who helped you out if you ever decide you're ready to try a more professional option ;).

How to write your own privacy policy

If you've decided to write your own privacy policy, let's get started. Make sure you follow each step carefully!

1. Prioritize transparency above all else

The purpose of a privacy policy is to provide a window through which your website’s users can look to see how your business handles their personal information. Some data privacy laws have some extra requirements, but we’ll get to that part later. For now, just remember that the goal is to be open about how you handle personal data, covering all aspects relevant to your operations and data collection practices.

2. Keep it simple

When it comes to writing an important legal document such as a privacy policy, you might think you need to be extremely dry and technical. This is absolutely not the case; just take a look at the BBC's privacy policy.

Here at GetTerms, we’ve written over 500,000 privacy policies. In our opinion, the most important thing is that your policy is in plain language that people can understand. We recommend avoiding legal jargon or complex terms – just use clear, simple language that explains how your business handles personal information. Your aim is just as much to build trust as it is to meet all legal requirements.


The BBC’s hilarious explanation of personal data

3. Gather the information you’ll need

Before you start writing, you’ll need to gather some information.

There are several privacy laws around the world, and each has its own requirements, which we'll cover later. For now, take a look at your analytics and identify which regions your users live in. Most modern privacy laws apply based on where your users are, so you'll generally need to comply with the laws of their countries as well as your own.

If you don’t have analytics, you might need to take an educated guess here or just take into account global privacy laws.

Define which privacy laws apply to you

More than 20 countries require you to have a privacy policy, and many of them have additional requirements you'll need to consider. We've included the biggest privacy laws around the world below. Do some research to identify which laws apply to you, and take a look at our guide to global privacy laws!

United States (federal and state laws)

  • Children’s Online Privacy Protection Act (COPPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)

European Union

  • General Data Protection Regulation (GDPR)

Canada

  • Personal Information Protection and Electronic Documents Act (PIPEDA)

Australia

  • Privacy Act 1988

India

  • Information Technology Rules 2011

Identify what personal data your website collects from visitors

Next, you’ll need to make a list of all the types of personal data your website is collecting. Personal data is any information that can be used to identify a person. This includes things like name, phone number, location, or email address.

If you work with a marketing agency, ask them whether they use any of the following services. At a minimum, they're probably using Google Analytics.

  • Tracking and/or analytics services
  • Opt-in email services, e.g. for newsletters
  • Advertising display services

If you manage your website on your own, just know that your site is collecting personal data if you have a contact form, collect emails for a newsletter or use third-party services like Google Analytics, Google Ads, Meta Ads etc.

4. Write the essential clauses in your privacy policy

With all of the above covered, please open your document editor of choice and grab a coffee. We’re going to show you how to write the essential clauses your privacy policy will need to include.

What is a clause?

A clause is a specific section within a legal document that explains the rights, responsibilities, and rules that parties must follow. In the context of a privacy policy these are the specific sections or statements that explain one particular aspect of how an organization handles personal information.

Opening Statement

Your opening section prefaces the rest of your policy, it’s where you introduce your business and provide some information that helps readers understand the rest of the document.

  1. Begin with a simple welcome. State your business name, list your website address, and mention that you follow privacy laws.
  2. Define personal information. Explain what counts as personal data in simple terms with examples like names and addresses. Feel free to use our definition if you like: “Personal information is any information about you which can be used to identify you. This includes information about you as a person (such as name, address, and date of birth), your devices, payment details, and even information about how you use a website or online service.”
  3. Finally, we recommend that you include a bit of a disclaimer around third-party links. You’ll likely be linking to other websites from yours, and you don’t want to be responsible for their negligence. Explain that your policy only covers your website, tell your users that you’re not responsible for other websites, and remind them to check other sites’ policies if it concerns them.

The BBC’s privacy policy introduction

Ways that you collect personal data

Here you’re defining the different ways you collect data. This falls under two categories: “voluntarily provided” information and “automatically collected” information.

“Voluntarily provided” information refers to any information your users knowingly and actively provide to you, be it through a contact form or when using or participating in any of your services and promotions. If your website collects data that is provided voluntarily, you’ll need to state that your website may collect data when it is “Voluntarily provided” in your policy.

“Automatically collected” information refers to any information automatically sent to you by your users’ devices in the course of accessing your products and services. If your site uses cookies, or tracking services, this applies to you. If your website collects data automatically, you’ll need to state that data is “Automatically collected” in your policy.

You can use our privacy policy’s ‘information we collect‘ section as a guide, just make sure to tailor it to your business.


An example of an ‘information we collect’ clause from our own privacy policy

What personal data you collect

This section forms the most important part of your whole privacy policy. This is where you list the types of personal data your website collects, a requirement of most privacy laws and regulations around the world.

A practical way to organise this list is to split it into device data, personal data and sensitive data, and to list the types of personal data you collect under each. Take a look at our privacy policy to see how we handle it.

Device data

Does your website collect any device data? If so, list it in your privacy policy.

This might include:

  • Device Type
  • Operating System
  • Unique device identifiers
  • Device settings
  • Geo-location data

Note: If you use Google Analytics 4, by default you’re collecting the following device data:

  • Approximate geolocation (Geo-location data)
  • Browser and device information (device type, device settings, operating system, unique device identifiers)

Personal data

Does your website collect any personal data via forms or account signups? If so, list it in your policy.

This might include:

  • Name
  • Email
  • Social media profiles
  • Date of birth
  • Phone/mobile number
  • Home/mailing address

Sensitive Information

Does your website collect any sensitive information? It is imperative that you add this to your privacy policy as sensitive information often requires additional data protection measures.

This might include:

  • Racial or ethnic origin
  • Political opinions
  • Religion
  • Trade union or other professional associations/memberships
  • Philosophical beliefs
  • Sexual orientation
  • Sexual practices or sex life
  • Criminal records
  • Health information
  • Biometric information

When you collect personal information

Here you’ll need to inform your users about situations when you might collect their personal information. Try to think hard about this. To get you started, here are some of the common collection events.

You might collect personal information from your users when they:

  • Contact you via contact form, email, social media, or on any similar technologies
  • Register for an account
  • Enter any of your competitions, contests, sweepstakes, and surveys
  • Sign up to receive updates from you via email or social media channels
  • Use a mobile device or web browser to access your content
  • Mention you on social media

What you use personal data for

Here you’ll need to inform your users when and how you might use the personal data you collect. If you’re sure that you’ve listed everything, it’s worth stating that you don’t use personal data to do anything outside of the purposes you’ve stated.

Typically, most businesses use the personal data they collect to:

  1. Provide and improve their services
  2. Communicate with their users
  3. Manage their business operations
  4. Meet any legal obligations

Security of personal information

This section explains how your business protects customer data and clearly states your security responsibilities, as well as your users’ own responsibilities for securing their personal data. Take a look at our privacy policy’s section on ‘storing and protecting your personal information‘ as an example.

  1. Start with a clear statement about your security commitment – use plain language to explain how you protect data
  2. Add a realistic disclaimer about security limitations – be honest, no system is perfect
  3. If your customers can create accounts on your platform, you'll want to explain that your customers have security responsibilities as well. After all, you have no control over how strong their passwords are or how they store them (although you can still enforce a minimum length, reject passwords known from breaches, and offer multi-factor authentication on your side).

Keeping information secure clause from Youtube’s privacy policy

Here’s an example:

“We protect your personal information within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification. However, while we use appropriate security tools, no storage system is 100% secure, so we cannot guarantee absolute security of your data. You also play a role in keeping your account safe by choosing strong passwords and keeping them private.”

How long you keep your personal information

This section tells your users how long you keep their information and why.

  1. Start with your basic data retention rule – e.g. you only keep data while you need it.
  2. Provide a clear data retention period, e.g. “while you have an account with us”
  3. Explain what happens when you no longer need the data – use simple terms like “delete” or “remove” that your users will understand
  4. Include a disclaimer for exceptions to your normal data retention practices, e.g. you might retain information for longer than expected if the law requires you to do so.

Here’s an example:

“We only keep your information while we need it for our services. After that, we delete it or make it anonymous by removing your name and any details that could be used to identify you. The only time we may retain your personal information for longer is if we are required to do so for compliance with our legal, accounting, or reporting obligations.”

Children’s Privacy

If your business specifically and intentionally collects personal data from children under the age of 13, then you skipped over our recommendations on when to speak with a lawyer, and it's time to hit the pause button. Laws like the Children's Online Privacy Protection Act (COPPA) have very specific requirements around the handling of children's personal data. We cannot provide guidance on this.

However, if your business does not specifically and intentionally collect personal data from children under the age of 13, you’ll still need to disclose this.

State that you do not aim any of your products or services directly at children under the age of 13 and that you do not knowingly collect personal information about children under 13. (13 is COPPA's threshold; the GDPR's default age of consent is 16, which member states may lower to 13, so match the age you state to the laws that apply to you.)

Disclosure of Personal Information to Third Parties

If you share any personal information with third parties, you’ll need to disclose who in this section.

Here are some examples of typical third parties you might be sharing information with.

  • A parent or affiliated company
  • Third-party service providers like Google Analytics
  • Employees, contractors, and/or related entities
  • Agents or sub-contractors

Here’s how we handle this.


The data protection rights of your users

Laws like the GDPR, CCPA, PIPEDA and the Australian Privacy Act require you to clearly state the individual rights of your users and to provide instructions your users can follow if they wish to exercise those rights.

The below rights should cover most jurisdictions, adapt each of them to suit your needs and include them in your policy.

  1. The right to be informed: Your users have the right to know why their data is being gathered, who's in charge of it, and what rights they have over their own information.
  2. The right to access: Your users can ask you for details regarding the personal info you hold about them, and you must provide it.
  3. The right to rectification: If your users think any information you have on them is wrong or outdated, they can tell you, and you must fix it.
  4. The right to erasure: Your users can ask you to delete their personal info, and you must do so unless a legal exception applies (for example, a legal obligation to retain certain records).
  5. The right to restrict processing: Your users can ask you to limit how you use their data in certain situations, like if they're worried about its accuracy.
  6. The right to object to processing: Your users can tell you to stop using their info. For direct marketing you must stop, no exceptions; for other processing based on your legitimate interests you must stop unless you can show compelling legitimate grounds that override their interests.
  7. The right to data portability: Your users can request a copy of their data in a structured, machine-readable format. They can also ask you to send it directly to another organisation where that is technically feasible.

We can’t promise the above list covers your needs. To be safe, make sure you know the rights of your users, defined by their given country’s privacy law.

How you use cookies

Cookies and cookie consent are now heavily regulated in many countries. Most privacy laws and regulations require you to include the following cookie related information in your privacy policy:

  1. An explanation of what cookies are
  2. A list of the cookies your website uses
  3. The data you collect through cookies and how it is used
  4. Instructions for changing cookie choices or opting out of cookie data collection

If you’re not sure what cookies are active on your website, our compliance pro package comes with an automatic website cookie scanner that does this for you (and everything else for that matter).


An example ‘use of cookies’ section from Netflix’s privacy policy
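If you would rather build the cookie list (item 2 above) yourself, a HAR export of your own site from the browser's network panel is a good starting point. The following is an added example in JavaScript, written for this guide and not code from GetTerms or from any of the policies pictured: it parses the Set-Cookie headers in such an export into an inventory with domain, lifetime, first- or third-party status and security attributes, and it also lists cookie names that only ever appear in request Cookie headers, because cookies created by JavaScript (analytics cookies, typically) never show up in Set-Cookie. It assumes the standard HAR layout; `sampleHar`, the hostnames and the cookie values are constructed sample data, and the registrable-domain check is a simplification noted in the comments.

```javascript
// Added example (not code from the GetTerms page): build a cookie inventory
// for the "list of cookies your website uses" clause from a HAR export of
// your own site. Standard HAR shape assumed; sampleHar is constructed data.

// Approximate the registrable domain by the last two labels. Real tooling
// should use the Public Suffix List so that "shop.example.co.uk" is not
// collapsed to "co.uk".
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Parse one Set-Cookie header value. responseHost is the host that sent it,
// which is the cookie's domain when no Domain attribute is present.
function parseSetCookie(header, responseHost) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = { name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    domain: responseHost.toLowerCase(), path: '/', lifetime: 'session',
    secure: false, httpOnly: false, sameSite: null, source: 'Set-Cookie' };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age') {
      const n = parseInt(val, 10); // Max-Age takes precedence over Expires
      if (!Number.isNaN(n)) cookie.lifetime = n > 0 ? `${n} seconds` : 'deleted';
    } else if (key === 'expires' && cookie.lifetime === 'session') {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.lifetime = `until ${new Date(t).toISOString()}`;
    } else if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val || '/';
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val;
  }
  return cookie;
}

function headerValues(headers, name) {
  return (headers || []).filter((h) => h.name.toLowerCase() === name).map((h) => h.value);
}

// Set-Cookie headers give full records. Names that only ever appear in request
// Cookie headers were set by script (for example analytics cookies) or by an
// earlier visit; they are listed too so the policy does not omit them.
function cookieInventory(har, siteHost) {
  const site = registrableDomain(siteHost);
  const inventory = new Map();
  const requestOnly = new Map(); // cookie name -> host it was sent to
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    for (const value of headerValues(entry.response.headers, 'set-cookie')) {
      const c = parseSetCookie(value, host);
      c.thirdParty = registrableDomain(c.domain) !== site;
      c.warnings = [];
      if (!c.secure) c.warnings.push('missing Secure');
      if (!c.sameSite) c.warnings.push('no SameSite attribute');
      inventory.set(`${c.name}@${c.domain}${c.path}`, c);
    }
    for (const value of headerValues(entry.request.headers, 'cookie')) {
      for (const pair of value.split(';')) {
        const name = pair.split('=')[0].trim();
        if (name && !requestOnly.has(name)) requestOnly.set(name, host);
      }
    }
  }
  const known = new Set([...inventory.values()].map((c) => c.name));
  for (const [name, host] of requestOnly) {
    if (known.has(name)) continue;
    inventory.set(`${name}@${host}`, { name, domain: host, path: '?', lifetime: 'unknown',
      secure: null, httpOnly: null, sameSite: null, source: 'script or earlier visit',
      thirdParty: registrableDomain(host) !== site,
      warnings: ['attributes not visible in HAR; check document.cookie'] });
  }
  return [...inventory.values()];
}

function renderInventory(list) {
  return list.map((c) => `${c.name}\t${c.thirdParty ? 'third-party' : 'first-party'} (${c.domain})` +
    `\t${c.lifetime}\t${c.source}` + (c.warnings.length ? `\tWARN: ${c.warnings.join(', ')}` : '')).join('\n');
}

// Constructed sample capture: two first-party cookies, one third-party pixel
// cookie, and a script-set _ga cookie that only appears in a request header.
const sampleHar = { log: { entries: [
  { request: { url: 'https://www.example.com/', headers: [] },
    response: { headers: [
      { name: 'Set-Cookie', value: 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
      { name: 'Set-Cookie', value: 'prefs=dark; Max-Age=31536000; Path=/; Secure' } ] } },
  { request: { url: 'https://ads.example.net/pixel.gif', headers: [] },
    response: { headers: [{ name: 'set-cookie',
      value: 'uid=7f3a; Domain=.example.net; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure; SameSite=None' }] } },
  { request: { url: 'https://www.example.com/app.js',
      headers: [{ name: 'Cookie', value: 'session=abc123; prefs=dark; _ga=GA1.1.123.456' }] },
    response: { headers: [{ name: 'Content-Type', value: 'text/javascript' }] } },
] } };

console.log(renderInventory(cookieInventory(sampleHar, 'www.example.com')));
```

Run it with `node` as-is to see the sample output, or replace `sampleHar` with the parsed contents of your own export. The warnings it raises (a cookie without `Secure`, or without an explicit `SameSite` attribute) are worth fixing before your policy describes your cookies as protected, and because script-set cookies appear by name only, check `document.cookie` or the browser's storage panel for their lifetimes before you list them.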

The limits of your privacy policy

This section is where you disclose the extent of your privacy policy. This limits your exposure to potential legal issues. You’ll mainly want to explain that your privacy policy only applies to your business and that you have no say over any other business’s data processing practices, even if you mention or link to them on your website.

For example, we know that not everyone cares about privacy as much as we do, but, on occasion we need to link to external sites. Some of these sites might not take good care of our users’ data. To protect ourselves, and inform our readers, we state in our privacy statement that “Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices”.

What happens when you make changes to your privacy policy

Here, you’ll need to clearly state that you will notify your users if you update your privacy policy, and how you will do so. This is a requirement of the GDPR, CCPA, CalOPPA, and PIPEDA.

Your chosen notification method can be as simple as a clause in your privacy policy, stating the date your policy was last updated. You might also use an email announcement, or a pop-up notice on your website. Whatever your choice, just let your users know in your privacy policy.

How your users can contact you in regard to privacy

In this section, you'll need to provide contact details for the person you've made responsible for responding to inquiries about personal data. If the GDPR requires you to appoint a Data Protection Officer (DPO), for example because you monitor individuals on a large scale or process special categories of data at scale, this is where you give the DPO's contact details; otherwise a named privacy contact is enough. You'll also need to provide instructions on how your users can contact you if they have any queries regarding the use of their personal data.

5. Tailor your privacy policy to the relevant privacy laws

Depending on which privacy laws apply to you, you’ll need to add a few disclosures to your privacy policy for compliance with the relevant data privacy laws.

U.S. State Privacy Laws

For businesses operating in, or collecting personal data from residents of, California, Colorado, Delaware, Florida, Virginia, Utah and the growing number of other states with comprehensive privacy laws, you'll need to add a few clauses to your privacy policy.

Do Not Track

Some browsers have a “Do Not Track” feature that lets users tell websites that they do not want their online activity tracked.

Websites are not legally required to honour the DNT signal and most don't, but you'll still need to state whether or not your website stops tracking when it sees one. If not, you can say something along the lines of “At this time, we do not respond to browser ‘Do Not Track’ signals.” Note that the newer Global Privacy Control (GPC) signal is different: California's CCPA regulations require businesses to treat it as a valid request to opt out of the sale or sharing of personal information, so if you sell or share data you need to honour GPC and say so.
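Whatever you decide to state, the statement has to match what the site actually does. As an added example written for this guide (not code from the page or from GetTerms), here is the server-side check that makes a “we honour these signals” statement true: it reads the `DNT` header and the `Sec-GPC` header that carries the Global Privacy Control signal, and withholds the analytics tag when either is set. It assumes Node-style request headers (an object keyed by header name, values strings or arrays); the analytics script path is a placeholder.

```javascript
// Added example (not code from the GetTerms page): honour browser opt-out
// signals server-side so that whatever your policy says about "Do Not Track"
// is actually true. Assumes Node-style request headers (an object keyed by
// header name, values strings or arrays); the analytics script path is a
// placeholder, not a real tag.

// True when no opt-out signal is present. DNT is the legacy header; Sec-GPC
// carries the Global Privacy Control signal, which California's CCPA
// regulations require businesses to treat as an opt-out of sale/sharing.
function trackingAllowed(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers || {})) {
    lower[k.toLowerCase()] = String(Array.isArray(v) ? v[0] : v).trim();
  }
  return lower['dnt'] !== '1' && lower['sec-gpc'] !== '1';
}

// The same decision in the browser from a navigator-like object. Legacy IE and
// Edge exposed msDoNotTrack and used "yes" rather than "1"; GPC is a boolean.
function clientOptedOut(nav) {
  const dnt = String(nav.doNotTrack || nav.msDoNotTrack || '');
  return dnt === '1' || dnt === 'yes' || nav.globalPrivacyControl === true;
}

// Emit the analytics loader only when tracking is allowed, so the decision is
// made before any tracking script reaches the browser.
function analyticsSnippet(headers) {
  if (!trackingAllowed(headers)) {
    return '<!-- analytics suppressed: DNT or GPC opt-out received -->';
  }
  return '<script async src="/static/analytics.js"></script>';
}

// Constructed sample requests to show the decision for each case.
const sampleRequests = [
  { label: 'no signal', headers: { 'user-agent': 'Mozilla/5.0' } },
  { label: 'DNT: 1', headers: { DNT: '1' } },
  { label: 'Sec-GPC: 1', headers: { 'Sec-GPC': '1' } },
  { label: 'DNT: 0', headers: { dnt: '0' } },
];
for (const r of sampleRequests) {
  console.log(`${r.label.padEnd(12)} -> ${trackingAllowed(r.headers) ? 'load analytics' : 'suppress'}`);
}
```

Wire `analyticsSnippet(req.headers)` into whatever renders your page head. If you choose not to honour DNT, leave the tag in place but say so in the policy; what you must not do is claim to respond to the signal while shipping the tracking script unconditionally.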

California Privacy Laws – CCPA/CPRA

California residents have specific privacy rights under CCPA/CPRA, including the right to know about data sharing for marketing and the possibility of financial incentives in exchange for personal information. You’ll need to include a few points addressing this.

  1. A statement about California residents’ rights regarding marketing information sharing
  2. An explanation of any financial incentives you offer in exchange for personal data
  3. Instructions on how to ask about the information you release to other organizations for marketing purposes.

California Notice of Collection

You’ll need to include a list of the different categories of personal information you’ve collected in the past 12 months as per the CCPA/CPRA requirements.

  1. List the specific data categories you collect
  2. Provide a time period of collection (past 12 months)
  3. Purpose of collection and use

Right to Know and Delete

You’ll need to disclose all California residents’ rights to request information about how their data is collected, used, and shared, as well as their right to request deletion of personal information as per the CCPA/CPRA’s transparency requirements.

  1. List the specific rights of your users regarding personal information
  2. Explain how they may exercise these rights
  3. Provide a realistic timeframe within which you will respond to requests (the CCPA requires a response within 45 days, extendable once by a further 45 days where reasonably necessary)

Shine the Light

This section addresses the California Civil Code requirement for businesses to disclose how they share personal information with third parties for direct marketing purposes.

  1. State your users right to request marketing information sharing details
  2. Explain how your users can submit requests for marketing information collected about them
  3. State any required information your users need to provide in their requests

An example ‘shine the light’ clause from The Walt Disney Company

General Data Protection Regulation (GDPR) Compliance (EU)

For businesses operating in, or collecting personal data from people in, the European Union (the GDPR protects anyone in the EU, not only citizens), you'll need to include a few disclosures in your privacy policy.

Data Controller / Data Processor

The GDPR distinguishes between organizations that process personal information for their own purposes (known as “data controllers”) and organizations that process personal information on behalf of other organizations (known as “data processors”).

You’ll need to provide a definition for a data controller and data processor and state which of these your organization falls under.

Legal Bases for Processing Your Personal Information

You'll need to explain which of the GDPR's six lawful bases you rely on for collecting and processing personal information: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. For a typical website, consent, contract, legal obligation and legitimate interests are the ones that matter.

  1. Provide a clear explanation of each legal basis you rely on and what you use it for
  2. Your process for obtaining parental consent for users under the age of 16 (or the lower age, not below 13, that the relevant member state has set)
  3. Instructions for users who wish to withdraw consent

Example Legal bases for processing from Atlassian

International Transfers

You'll need to outline how you protect any personal data when it is moved outside the European Economic Area.

  1. List the safeguards you rely on for transfers, for example an EU adequacy decision for the destination country or Standard Contractual Clauses agreed with the recipient
  2. List any countries where data might be transferred

‘International data transfer’ clause from Nvidia’s privacy policy


Rights and Control

Here you’ll need to detail what rights and control your users have over their personal information, under the GDPR this includes the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.

  1. Provide an explanation of each right
  2. Provide instructions for making a request regarding personal data
  3. Provide a realistic timeframe within which you will respond to requests (the GDPR allows one month, extendable by up to two further months for complex or numerous requests)
  4. List any exceptions or limitations to these rights

UK General Data Protection Regulation (UK GDPR)

For businesses operating in, or collecting data from people in, the United Kingdom, you'll need to include the following disclosures to comply with the UK GDPR.


Data Controller / Data Processor

As with the EU GDPR, you’ll need to state whether your business is a data controller or a data processor

Third-Party Provided Content

Explain how your business collects information about its users from other sources, like partner businesses or public social media profiles

Additional Disclosure

Outline how your business uses personal information for marketing research and improving your website’s experience

Information No Longer Required

Describe what happens to your user’s data when it’s no longer needed – whether it is deleted or anonymized. You’ll also need to provide exceptions to the rule, for example when you’re legally required to keep it.

Legal Bases for Processing

As with the EU GDPR here you’ll need to outline the reasons that provide a business with “lawful basis” for collecting personal information: consent, contractual obligation, legitimate business needs, and legal obligation.

Data Subject Rights

List the rights of your users over their personal information. Under the UK GDPR, users have the right to:

  1. Restrict Processing
  2. Object
  3. Be Informed
  4. Access
  5. Erasure
  6. Portability
  7. Rectification
  8. Data breach notification
  9. Complain

Australian Privacy Act 1988 (Australian Privacy Principles)

For businesses operating in Australia or collecting personal data from individuals in Australia, you'll need to include the following disclosure.

International Transfers of Personal Information

Warn users that when their data is shared with organizations outside Australia, these organizations might not follow Australian privacy laws, limiting users’ legal protections.

Personal Information Protection and Electronic Documents Act (PIPEDA)

For businesses operating in Canada or collecting data from individuals in Canada, you'll need to include the following disclosures.

Additional Scope of Personal Information

You’ll need to explain that personal information includes more than just identifying details – it covers your financial data, opinions, appearance, and any communications with you.

Valid Consent

Here you'll need to describe how and when you can use your users' personal information, emphasizing that your users must understand what they're agreeing to and can withdraw permission at any time.

International Transfers of Information

Here you'll need to state that while you prefer keeping data in Canada, you might sometimes use services in other countries, noting that privacy laws in the countries where those services are located may differ from Canada's.

Customer Data Rights

In this section you'll need to outline the basic rights of your users. Under PIPEDA, these rights are:

  1. The right to withdraw consent
  2. The right of access
  3. The right of rectification

Compliance with PIPEDA’s Ten Principles

Next, you’ll need to state your commitment to following Canada’s privacy law framework, PIPEDA and its 10 principles of privacy.

PIPEDA's ten privacy principles are:

  1. Accountability
  2. Identifying purposes
  3. Consent
  4. Limiting collection
  5. Limiting use, disclosure and retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual access
  10. Challenging compliance

Email Marketing Compliance

Finally, you’ll need to state your commitment to responsible email marketing, promising no spam, no selling of email addresses, and proper handling of your user’s personal data.

And with that, you’re good to go!

Hopefully, the above helps you write a privacy policy you’re confident with. It’s not an easy feat, so give yourself a pat on the back once you’re done! If you’re left feeling less confident that you’re ready to write your own, try our privacy policy generator, we even have a free tier to give you an idea of how it works.