
A privacy policy (sometimes called a privacy statement or privacy notice) is a statement or legal document that explains some or all of the ways that a party handles the personal data it collects through its website and operations. Typically, a privacy policy outlines what personal data is gathered, how it’s used, stored, protected, and shared, as well as the rights of individuals in regard to their personal information. Businesses are required by law to have a privacy policy in the European Union, several US states, Canada, Australia and more than 20 other countries around the world.

What is personal data?

Personal data, also known as personal information or personally identifiable information (PII), is any information that can identify or be linked to a specific living person.


The purpose of a privacy policy

The purpose of a privacy policy is to protect the data privacy rights of individuals and keep companies accountable for any personal data they collect. To break it down further, a privacy policy’s purpose also depends on whether you’re a business providing a privacy policy or an individual being presented one.

  1. As a business, the purpose of your privacy policy is to provide your customers with transparency around your data handling practices.
  2. As an individual, the purpose of a privacy policy is to inform you about:
    • What personal data an organization will collect when you use their website or services
    • Your rights regarding your personal data
    • How to access your information, request corrections, or file complaints about data mishandling

Which businesses need to have a privacy policy?

Any business that collects personal data through its website or operations will need a privacy policy. In addition to being legally required in most countries, privacy policies are also required by many popular third-party services. Businesses using services like Google Analytics, Google AdSense, or Apple Business Manager must have a privacy policy regardless of legal requirements.

Still unsure? Check out our article – Does my website need a privacy policy?

What must be included in a standard privacy policy?

The contents of a privacy policy will largely depend on the applicable data privacy laws in your country and those of your users. To further complicate things, if you receive traffic from multiple jurisdictions, you’ll need to address the privacy laws of each jurisdiction. Don’t let this stress you! Many global privacy laws share common privacy policy requirements.

A standard privacy policy will need to include:

  • An introduction that states the company’s name and explains who the privacy policy applies to
  • An outline of the types of personal data a business collects and stores
  • How personal data is collected, including forms, cookies, or tracking tools
  • Legal basis for collecting personal data and how it will be used
  • Whether the business shares collected personal data with third parties
  • How the business protects personal data it collects from unauthorized access
  • How long personal data is kept and when it will be deleted
  • The privacy rights of people whose personal data the business collects
  • How individuals can view, correct, or delete any personal data the business collects about them
  • Contact details and steps for filing and handling privacy-related complaints
  • How changes to the privacy policy will be communicated
  • Whether personal data will be transferred internationally and the specific destination countries for such transfers

Examples of great privacy policies

We searched over 100 websites for examples of good privacy policies with all the necessary elements and mandatory information, e.g. legal basis, identity and contact information, categories of personal data collected, data subject rights, etc. There were a few standouts.

Privacy policy example #1: Information Commissioner’s Office (ICO)

With maybe the most comprehensive privacy policy on our list, the ICO has undoubtedly covered their bases when it comes to their data handling practices. Small businesses won’t need to go into such depth, though if they did, they could be sure their privacy compliance is in order.

What we like about the ICO approach is that they’ve tried to ensure their privacy policy is digestible, with different sections of the policy on separate pages. The ICO’s statement on data protection rights even offers further reading for those looking to better understand their rights. They also clearly explain how they share personal information, including when they have a legal basis to do so.

If you want to ensure your privacy policy is GDPR compliant, start by looking at the Information Commissioner’s Office Privacy Notice.

ICO Privacy Notice

Example privacy policy from the Information Commissioner's Office


Privacy policy example #2: Der Spiegel

Der Spiegel (The Mirror), a German weekly news magazine published in Hamburg, provides another stellar example of a privacy policy done right.

While not as extensive as the previous ICO example, Der Spiegel has prioritized all information regarding cookies in the very first paragraph and gone as far as to integrate their cookie consent mechanism into their privacy notice, allowing their readers to conveniently withdraw consent or update their consent preferences.

If it’s within scope, integrating similar functionality into your privacy policy will mean a great deal to your readers, whether they are privacy-sensitive or not.

Der Spiegel Privacy Policy (English Translation)

Example privacy policy from Der Spiegel's website


Privacy policy example #3: IBM

IBM, one of the world’s oldest and largest technology companies, collects vast amounts of personal and sensitive data daily. This scope makes the comprehensiveness of their privacy policy incredibly important. The reason we chose to include IBM’s Privacy Statement is due to its clear communication of the company’s legal basis for handling personal data.

IBM categorizes its legal bases for data collection into four sections: (1) data necessary for performing contracts with users, (2) data necessary for IBM’s or third parties’ legitimate interests, (3) data collected with user consent, and (4) data required by legal obligations. Each section explains its respective legal basis and provides examples of when IBM might collect information under that particular basis.

Explaining legal bases for collecting personal data is a cornerstone requirement of the GDPR. Following IBM’s approach to this requirement helps ensure your business’s privacy statement meets even the toughest compliance standards.

IBM Privacy Statement

Example privacy policy from IBM's website


The risks of not having a privacy policy

Trust us when we say you’ve got a lot to lose by not having a privacy policy, be it through fines or fleeing customers.

Heavy Fines

The primary risk that most businesses face by not displaying a privacy policy is being handed heavy fines and penalties. The consequences of not having a privacy policy can be financially devastating – up to $7,500 per intentional violation under CPRA and up to €20 million under GDPR.

Country-wide bans

Even if you operate in a country without data privacy laws, you’re still taking a risk by not having a privacy policy. While the enforcement of fines across jurisdictions is beyond the scope of this article, your service could be banned in regions where you ignore local laws. This risk isn’t worth taking, especially since compliance software typically costs just a few dollars per month, with some providers even offering lifetime licenses.

Yes, we mean us! – See our pricing

Loss of customers

Having a privacy policy isn’t just about meeting compliance requirements and avoiding fines. Today’s customers are well aware of threats to their data privacy. Companies like AT&T and Optus suffered irreparable damage to customer trust after devastating data breaches. In recent years, consumers have become increasingly savvy, and they will notice poor data handling practices. Following the 2022 data breach, Optus lost up to 10% of its mobile customers.


How to create your own privacy policy

If you want to create a privacy policy for your business, you have 4 options: hiring a lawyer, using a policy generator, following a template, or writing your own. The best solution depends on what’s most important to you. Do you want to spend as little time on it as possible? Do you want to spend as little money as possible? How important is the quality of the policy itself?

For small businesses, we suggest using a privacy policy generator to create your privacy policy. They’re affordable and get you compliance-ready for a fraction of the cost of hiring a lawyer to draft one for you. GetTerms has been used by over 500k customers, offers tailored policies starting at $49, and includes a money-back guarantee.
