What Makes a Good Privacy Policy

Global and local laws require a Privacy Policy when collecting a user's personal data. This article details what makes a good Privacy Policy.

What Is a Privacy Policy?

A Privacy Policy describes the personal data you collect, how you use it, who has access to it, and how you protect it. You must publish the policy, and users must agree to it before using your website, app, or product.

What Are Personal Details?

Personal details are personally identifiable information (PII): data that is unique to, and identifies, a specific individual. Personal details include:

  • Full name, maiden name, mother's maiden name
  • Social Security Number
  • Driver's License, passport, or other ID number
  • Credit card numbers
  • Personal bank information
  • Personal or business phone numbers
  • Personal or business postal and email addresses

Note that other data, such as place and date of birth, is not identifying on its own, since many people share the same birthplace or birth date. Combined with other personal information, however, it can single out a specific person, so treat it as personal data when you store it alongside other details.

What Makes a Good Privacy Policy

A good privacy policy must be legally compliant and easy to understand to establish user trust and mitigate legal risks.

Legally Compliant

Your Privacy Policy must include the following:

  • What type of information you will collect from users
  • How you will use that information
  • How you will share that information
  • The security measures used to protect the information
  • Any age restrictions on using your product or service
  • How you will notify users about any changes

Easy to Read

Here are some considerations to make your Privacy Policy easy to read and understand:

  • Keep your policy free from complex language and legalese
  • Use short sentences and paragraphs
  • Keep the policy easy to access
  • Have your Privacy Policy available in multiple languages

Creating a Privacy Policy

Privacy policies keep you compliant with the law and provide transparency for your readers and customers. Your Privacy Policy will have specific wording depending on what data you collect and how you use it.

However, all Privacy Policies should contain the following:

Essential Information

In the US, the baseline is the California Online Privacy Protection Act (CalOPPA). It applies to any commercial website or online service that collects personal information from California residents, which in practice means most US-facing sites.

The law requires two essential clauses: the type of data you collect and the reason why you collect it.

Narratize, a generative AI app, states what information they collect:

[Screenshot: Narratize Privacy Policy, "Information we collect" clause]

Narratize also states how they will use the information they collect:

[Screenshot: Narratize Privacy Policy, "How we use information" clause]

A Way To Accept or Opt Out

CalOPPA also requires that, if you offer users a way to review and request changes to the personal information you hold about them, the policy describes that process. You should also give users a way to opt out.

Here's an example, again from Narratize:

[Screenshot: Narratize Privacy Policy, "Additional rights" clause]

Effective Date

The law also requires your policy to state its effective date and to describe how you will notify users of material changes to it.

Narratize states how they will notify users of any updates:

[Screenshot: Narratize Privacy Policy, "Changes" clause]

What Additional Details Should Your Business Include In a Privacy Policy?

Consider adding the following to your Privacy Policy.

Include your business information

Add your business name, address, and contact information.

Be clear about who will have access to the personal data you collect

If you sell personal data to a third party, you will need to disclose that.

Who can potential users contact if they have questions about your policy

Include contact information for your legal team.

How you handle data safely, and how long you keep it

Users will want to know how you secure their data and how long you retain it before deleting it.

Explain how you get personal data

Detail how you gather a user's data by polls, surveys, tracking, or other means.

Inform users of risks and expectations

Users must know what privacy risks they may encounter while using your product, website, or app.

Disclose how you handle "Do Not Track"

State how you respond to Do Not Track (DNT) signals. DNT is a browser setting, not a clause: when a user turns it on, the browser sends a DNT: 1 request header with every request to your site. CalOPPA requires you to disclose whether you honor that signal; it does not require you to honor it. If your policy says you respect DNT, your servers and analytics scripts must actually check the header and skip tracking when it is set, or the policy itself becomes a misrepresentation.
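The following is an added example, not code from the original article or from any of the companies it mentions. It shows what "honoring DNT" looks like server-side: reading the request header, failing closed on values it does not understand, and only then minting an analytics cookie and loading a third-party tag. The cookie name, the tag URL, and the plain-dict request/response shape are assumptions made for illustration; a real framework would expose the same headers through its request object.

```python
"""Honouring a Do Not Track (DNT) request header server-side (added example)."""
from __future__ import annotations

import secrets
from typing import Mapping

# Hypothetical names used only in this example.
ANALYTICS_COOKIE = "analytics_id"
ANALYTICS_TAG = '<script src="https://analytics.example/tag.js"></script>'


def dnt_requested(headers: Mapping[str, str]) -> bool:
    """Interpret the browser's Do Not Track preference.

    The DNT request header carries one character: "1" asks not to be
    tracked, "0" signals consent to tracking, and no header at all means
    the user expressed no preference. Header names are case-insensitive,
    so the lookup normalises them. An unrecognised value fails closed:
    it is treated as a request not to be tracked rather than interpreted
    in the site's own favour.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if value is None or value == "0":
        return False
    return True


def render_page(headers: Mapping[str, str], body: str = "<p>Hello</p>") -> dict:
    """Build the response for one request while honouring DNT.

    Returns the HTML and the response headers that would be sent, so the
    behaviour can be checked without running a web server.
    """
    response_headers: dict[str, str] = {
        "Content-Type": "text/html; charset=utf-8",
        # A shared cache must never hand a tracked response to a DNT user
        # (or vice versa), so the response is declared to vary on DNT.
        "Vary": "DNT",
    }
    if dnt_requested(headers):
        # "Tk" is the tracking status response header from the W3C Tracking
        # Preference Expression spec; "N" means this response did not track.
        response_headers["Tk"] = "N"
        html = body
    else:
        response_headers["Tk"] = "T"
        # Only now is the analytics identifier minted and the tag loaded.
        analytics_id = secrets.token_hex(16)
        response_headers["Set-Cookie"] = (
            f"{ANALYTICS_COOKIE}={analytics_id}; Path=/; Secure; HttpOnly; SameSite=Lax"
        )
        html = body + ANALYTICS_TAG
    return {"headers": response_headers, "html": html}


if __name__ == "__main__":
    # Constructed sample requests: one DNT user, one with no stated preference.
    for sample in ({"DNT": "1", "User-Agent": "demo"}, {"User-Agent": "demo"}):
        out = render_page(sample)
        print(sample.get("DNT"), out["headers"]["Tk"], "Set-Cookie" in out["headers"])
```

The same pattern applies if your policy also claims to honor Global Privacy Control, which browsers send as a Sec-GPC: 1 header and which California treats as a valid opt-out signal: check the header in the same place, before any tracking identifier is created.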

What Laws Require Privacy Policies?

Here are details of a few laws that require Privacy Policies.

Children's Online Privacy Protection Act

The Children's Online Privacy Protection Act (COPPA) requires operators of online services directed at children under 13 to give notice of, and obtain verifiable parental consent before, collecting personal information from a child. It applies to US operators and to foreign operators whose services are directed at children in the US.

Your website must comply with COPPA if any of the following applies:

  • Children under 13 may use your product, and you collect personal data
  • Children under 13 may use your product, and you allow third parties to collect their data
  • Your website doesn't target children, but you know that children under 13 use your service, and you collect their data

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) gives consumers control over the personal details that businesses collect about them. The law grants consumers the following rights:

  • The right to know what personal information a business collects
  • The right to know how that personal data is shared
  • The right to delete most of the personal information collected
  • The right to opt out of the sale or sharing of their data
  • The right to non-discrimination or retaliation for exercising these rights
  • The right to correct inaccurate personal information
  • The right to limit the use and disclosure of sensitive personal information that businesses collect

California Privacy Rights

The California Privacy Rights Act of 2020 (CPRA) amends and expands the California Consumer Privacy Act (CCPA). It adds the right to correct inaccurate data and the right to limit the use of sensitive personal information, extends the opt-out from selling personal data to also cover sharing it for cross-context behavioral advertising, and created the California Privacy Protection Agency to enforce the law. Users can still request disclosure of what is collected, opt out of the sale of their personal data, or have it deleted.

Additional Laws That Require Privacy Policies:

  • The Americans with Disabilities Act (ADA)
  • The Cable Communications Policy Act of 1984
  • The Computer Fraud and Abuse Act of 1986
  • The Computer Security Act of 1987
  • The Consumer Credit Reporting Control Act
  • Maryland's Personal Information Protection Act (PIPA)
  • Virginia's Consumer Data Protection Act (VCDPA)
  • Louisiana's Database Security Breach Notification Law
  • New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD)

Global Privacy Policies

Specific laws have different requirements, depending on where people use your app or website.

The European Union's General Data Protection Regulation, GDPR, gives people greater control over how their personal data is collected and erased. It applies to any organization, wherever it is based, that processes the personal data of people in the EU, including by offering them goods or services or by monitoring their behavior.

Canada's Personal Information Protection and Electronic Documents Act, PIPEDA, governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. The Office of the Privacy Commissioner of Canada investigates complaints and enforces compliance under it.

In the United States, the California Online Privacy Protection Act, CalOPPA, protects California residents by requiring a conspicuously posted Privacy Policy from any commercial website or online service that collects their personal information.

Biometric Information in Privacy Policies

Biometric information is data derived from a person's physical characteristics, such as face geometry, fingerprints, iris patterns, or voice, of the kind that face and fingerprint recognition systems rely on. Biometric and genetic data are protected under specific laws. For example, Utah's Genetic Information Privacy Act (GIPA) details how direct-to-consumer (DTC) genetic testing companies must obtain users' consent to collect and use their genetic data.

Users have the right to access and remove their genetic data from DTC companies.

Additional Biometric Laws That Require Privacy Policies

  • Texas: Capture or Use of Biometric Identifier Act (CUBI)
  • Arizona: HB 2478
  • Oregon: Consumer Information Protection Act (OCIPA)
  • Washington State: HB 1493
  • Illinois: Biometric Information Privacy Act (BIPA)

Where To Display and Link Your Privacy Policy

According to CalOPPA, your policy must be easy to locate. Best practices are to include links anywhere you collect personal information, such as:

  • Account sign up
  • Email or SMS notification during sign-up
  • During checkout on e-commerce sites
  • Site footers
  • Terms and Conditions page or within other legal agreements

Western Union, a money-sending app, links its Privacy Policy in its footer:

[Screenshot: Western Union website footer with the Privacy Policy link highlighted]

Western Union also mentions their Privacy Policy in its Terms and Conditions page:

[Screenshot: Western Union Terms and Conditions, Privacy clause]

Options When Creating a Privacy Policy

There are a few ways to write your Privacy Policy. Here are a few examples.

Hire a lawyer

Hiring a lawyer may be the easiest way to ensure you have a legally compliant Privacy Policy. However, it is also the most expensive.

Write it yourself

Writing a Privacy Policy yourself can be difficult and time-consuming. You may also inadvertently leave out information required by law.

Use a template or generator

Using a template or generator is the most cost- and time-effective option. Answer a few questions, and get a template or complete policy you can download immediately.

What are the Consequences of Not Having a Privacy Policy?

The most considerable consequences of not including a Privacy Policy on your website are:

  • You would be breaking the law
  • You could be fined
  • Your customers can lose trust in your product

Updating Your Privacy Policy

You should include the following when updating your Privacy Policy:

  • A link to your updated Privacy Policy page
  • A brief description of what's changed
  • Why changes were made, and what they mean for users
  • When the changes come into effect

Notify users of changes as soon as possible, and within two weeks at most. The notice can state whether the changes are already in effect.

When creating your original Privacy Policy, decide how to send updates. Include the update method in that policy. You can update users using email, a website popup, or an on-site news release.

Here's an example of an updated Privacy Policy from Klarna, a Fintech company. It's easy to read and includes what's changed, the effective date, and a link to the update online:

[Screenshot: Klarna email notice of a Privacy Policy update]

The notification comes via email and outlines what's changed from the previous policy:

[Screenshot: Klarna Privacy Policy update notice, "Notable changes" excerpt]

What Happens if a Company Changes its Privacy Policy Without Notifying Users?

If you fail to notify users of changes to your Privacy Policy, you risk a lawsuit.

A Good Privacy Policy Key Takeaways

When creating a good Privacy Policy, it's helpful to remember the following:

  • The law requires a Privacy Policy. A good one is legally compliant and easy to understand.
  • Online Privacy Policies should be easy to find on your website or app and be available in multiple languages.
  • Your Privacy Policy should state how users' personal information is collected, used, stored, and shared.
  • When updating your Privacy Policy, outline the changes in an easily accessible notification.