How to write a privacy policy: 2022 regulations

In today’s volatile digital environment, user privacy has become a commodity. This uproar in privacy concerns has led to the tightening of many privacy laws across the globe.

While different countries have their respective regulatory bodies, data collection is controlled in a similar manner.

The misuse of user data in the past has led to stricter privacy practices, more regulatory oversight, and consequently, larger fines in case you don’t comply.

How to write a privacy policy

  1. Include your business name and contact information
  2. Mention what type of information you collect
  3. Explain how and why you collect data
  4. Describe how users can opt-out
  5. Mention if user data is shared with third parties
  6. Specify how long you will retain user data
  7. Explain how you’ll protect the personal data you collect
  8. Describe the dispute resolution process
  9. Mention what happens if your online business transfers ownership
  10. Put everything together in one template
  11. Quick privacy policy best practices checklist
  12. What should a privacy policy include?
  13. Nail your privacy policy now!

Why does my website require a privacy policy?

If you’re doing any type of online commercial activity, you must include a comprehensive privacy policy on your website, especially if your business operations are based in a heavily regulated area.

For example, Europe has enacted a General Data Protection Regulation (GDPR) law that regulates data privacy and imposes strict penalties for companies that fall short of meeting their requirements.

The GDPR applies only in Europe and the European Economic Area (EEA), as well as to foreign companies that do business within this region.

Canada has PIPEDA (Personal Information Protection and Electronic Documents Act), which controls how you collect, use and disclose information.

The USA doesn’t have a dedicated federal data privacy law similar to the GDPR, but it has a set of separate national and state laws and acts that have been put in place to ensure privacy compliance, such as:

  • COPPA (Children’s Online Privacy Protection Act), which controls how you can collect online information about children under 13 years of age, enforced by the Federal Trade Commission
  • CCPA (California Consumer Privacy Act), which deals with privacy rights and consumer protection in California
  • CalOPPA (California Online Privacy Protection Act), which requires online services and commercial websites to include a privacy policy on their website

So, why does your website require a privacy policy?

Because it is a legal requirement in most countries. If you’re operating in any of these countries, you’re going to face some harsh monetary fines if you don’t comply with the local rules and regulations or the federal law.

Here’s one staggering example — for not protecting their user privacy and falling victim to a data breach, British Airways was initially fined over $200 million.

While the fine was later reduced to around $30 million, this still goes to show that you can face some serious consequences if you don’t comply.

How to write a privacy policy for a website?

There are a couple of main ways to go about writing the company’s privacy policy legal document, namely:

  • Hiring a law firm: Reliable legal advice, but also the most expensive option out there. Having your privacy statement drafted by lawyers can cost anywhere from $275 for simple policies to over $5,000 for complex policies.
  • Writing it yourself: The cheapest, but the most difficult and time-consuming. If you’re not very familiar with rules and regulations, you may fail to include important information and risk your business.
  • Using a privacy notice template: The quickest, cheapest, and easiest way to go about handling your website privacy policy.

With a template, you can issue bulletproof privacy policies and finish them off with a legitimate signature in a matter of minutes. Not only is this cost-effective, but it also saves you a lot of time in the long run.

Regardless of which option you decide to go for, it’s important to ensure that you’ve dotted all the i’s and crossed all your t’s.

The only way to know that you have a good privacy policy is to be aware of exactly what you need to include. The safest bet is to use a ready-made privacy policy template, but if you like to get your hands dirty, you can try doing it on your own.

Below, you’ll find more information on which types of data you must mention in your own privacy policy.

01. Include your business name and contact information

The first rule of writing your online privacy policy is to use plain language with correct legal terms, without overcomplicating it.

At the beginning of the document, you should list your company’s information, namely its name, address, email address and phone number.

We also recommend encouraging your website visitors to use the previously mentioned information to contact you in case they have any questions or concerns regarding the policy.

This shows that your company is transparent, has nothing to hide and encourages open communication, which is always a good look.

02. Mention what type of information you collect

The term “personal data” is very broad and more complex than you might think. It does include the regular items like credit card information, IP address and phone number, but also less conspicuous ones like location, number plates and other online identifiers.

Personal data describes anything specific to “the physical, physiological, genetic, mental, commercial, cultural or social identity” of the data subject.

Make sure to use specific terms instead of broad ones.

For example, instead of saying “we collect contact information,” say “we collect your telephone number, email address and physical address.” This ensures that there’s no confusion that can lead to issues down the road.

03. Explain how and why you collect data

The next important thing is to mention why and how your website collects data.

There are many different ways to collect user information, such as:

  • contact forms
  • cookies
  • surveys
  • course registrations
  • email newsletter
  • website analytics (e.g. Google Analytics)

After explaining how you collect data, also mention why you’re collecting it. Is it for research purposes? Is it for marketing purposes?

Do you plan to resell the data? Do you plan to notify customers about news, updates and promotions? Do you need this information for processing orders?

Regardless of the reason, your customers have the right to know what companies are doing with their information, so don’t forget to include this in your policy.

04. Describe how users can opt-out

One of the main goals of laws like GDPR and CCPA is to give users more control over the information websites collect about them.

When users allow you to collect their data, that doesn’t mean they’ve allowed you to keep it indefinitely. At some point, they might want to withdraw their permission, and you’re bound by law to let them do so.

Your privacy statement for the website should describe which options users have in case they want to revise any previously-given permissions.

This includes:

  • Right to request data amendments
  • Right to request you to delete the acquired information
  • Right to review the collected information

Describe the process for all three instances in detail and provide users with helpful links and resources that will make the whole process easier and more convenient.

05. Mention if user data is shared with third parties

If you plan on sharing any user data with third parties, always include a disclaimer in your privacy policy. Third parties include service providers, marketing partners, consultants, credit card processors, etc.

Not disclosing this information puts you at legal risk, because most laws and regulations prioritize transparency.

For example, imagine you shared user information with your marketing agency and you forgot to add a third-party sharing disclosure on your website.

Then the marketing agency suffers a data breach and all their data is stolen, including your clients’. You would not only risk your company’s reputation, but you’d also receive some hefty fines for not being transparent with your customers.

06. Specify how long you will retain user data

According to the GDPR, you may keep collected user data only for as long as it is necessary for the purposes it was initially obtained for.

The GDPR doesn’t specify a particular timeframe, which is why you should revise this section regularly to ensure compliance.

For example, if you’re collecting data for a contract, you’re legally allowed to store this data for as long as the contract is valid. As long as the data is relevant, you have the right to process it.

Make sure to be very clear and specify a timeframe within which you’ll delete the data once its purpose expires.

While it’s not required, you can also add a dedicated “Data Retention Policy” section where you explain the different cases in more detail.

07. Explain how you’ll protect the personal data you collect

Preserving the integrity and security of collected user data is imperative. Your customers are putting their trust in you by allowing you to gather their information.

Your responsibility is to enforce strong security measures to ensure that there’s no data leakage.

Mention how you’re protecting user information (e.g. using SSL or other technical safeguards), but don’t be too specific in this section.

If you reveal too much, malicious actors will know how to bypass your security measures and compromise the integrity of your website. Instead, be broad and only mention general security practices.

08. Describe the dispute resolution process

A standard website privacy policy should also describe how the dispute resolution process works. Some companies tend to add this section to their Terms and Conditions policy.

We recommend including it into your privacy policy as well, to cover all the bases.

Despite your best efforts to preserve harmony and keep a good relationship with your customers, legal disputes are likely to occur at some point.

Add a sentence or two about dispute resolution and how you handle it (third-party dispute resolution service provider, contact form, customer service, legal firm, etc.).

09. Mention what happens if your online business transfers ownership

Business ownership transfers are a very common occurrence, and you never know if and when your website will be subject to one.

Even if you don’t have any plans to sell your company at this particular moment, it is still a viable possibility in the future.

Including this clause will save you from any possible liability in case you eventually decide to sell your business.

This clause ensures that users are aware that their information might be handed over to a new entity in case of an acquisition.

We also recommend including a clause explaining that, while you’ll use your best efforts to secure your website, you cannot guarantee that it won’t fall victim to malicious exploits.

Nothing is foolproof and you should protect yourself as much as possible in case a data breach happens.

10. Put everything together in one template

Phew! Now that you’ve included everything needed for your privacy policy, collect all the sections and create a template. This is going to save you a lot of trouble and headaches in the long run.

For example, if you decide to create more websites in addition to your existing service, you’ll need a custom privacy policy for every one of them. Instead of going through the strenuous process of drafting it from scratch, you’ll be able to use templates and create privacy policies within minutes.

Legal documents are very complex, which is why having templates on hand will be a true lifesaver. PandaDoc offers all-inclusive privacy policy templates that will protect your business’s interest.

They are compliant with most existing laws and regulations worldwide and will shorten the policy-making process tenfold.

Quick privacy policy best practices checklist

We’ve already discussed the most important contents of every privacy policy. What we didn’t discuss is how to approach the writing process itself.

Here are some tips and tricks on how to make your privacy policy accessible, clear, and understandable:

What should a privacy policy include?

Here’s a quick rundown of the most important items to be found in your company’s privacy policy:

  1. Company information: Name, address, phone number and email address.
  2. Type of collected data: Write this information in specific detail (credit card information, location, IP address, etc.) and note how and where you collected the said data.
  3. Mention the lawful basis for collecting data: Explain which law you’re relying on that gives you permission to collect the mentioned data.
  4. How you protect collected data: Which safeguards are put in place to ensure maximum data security.
  5. How long you’ll retain the collected information: Specify the timeframe within which you plan to use and retain the collected information.
  6. How you’re using the collected data: Explain what exactly you’re doing with user data – marketing purposes, notifications, order processing, data analysis, etc.
  7. List data subject rights: The GDPR notes eight different types of data subject rights. List and explain them on your website as follows:
     • Right of access
     • Right to be informed
     • Right to erasure
     • Right to object
     • Right of rectification
     • Right of portability
     • Right to restrict processing
     • Rights in relation to automated data processing and profiling

Nail your privacy policy now!

Privacy policies may seem redundant to many people. But if you want to run a serious business based on integrity and transparency, then you simply must include a proper privacy policy on your website.

If not for the sake of transparency, then do it for the sake of your business.

After all, you are legally obligated to notify your customers about how you handle their data. If you don’t include this on your website, you’re risking some serious consequences that can damage your operations.

PandaDoc makes it easy for you to generate any type of business or legal document within minutes. We also offer over 750 ready-made business templates that are expert-vetted and easily customizable.

Navigate to our business template library, choose your favorite type and customize it in less than 5 minutes.

Sign up for our 14-day free trial to see why leading businesses across the globe chose PandaDoc as their main document creation tool.

Frequently asked questions

  • If you’re wondering how to write a privacy policy for a small business, we’re happy to report that the process is pretty much the same as for larger companies, only less extensive. It’s easier because your operations likely aren’t that massive and complex just yet, which is why you’ll have less information to cover.

  • A privacy policy template is a pre-made privacy policy, created and approved by legal experts, which is customizable and lets you tailor it to your business needs.

  • Yes, you can use a privacy policy template on your website, as long as it’s customized to fit your business’s particularities. Don’t just copy and paste a random template you found online without any modification or assurance that the template follows all best legal practices.

    There are plenty of websites whose top priority is earning ad money over the quality of service, so they don’t bother to update their templates.

    PandaDoc offers expert-vetted customizable templates that are always up-to-date and very easy to use.

  • You can use free privacy policy generator tools that are available through a quick Google search. The downside of using free tools is that they’re often unreliable and outdated. You’re better off paying a reasonable fee for expert-vetted customizable templates like the ones PandaDoc offers than risking your company’s integrity and well-being by trying to do it for free without proper oversight.

Yauhen is the Director of Demand Generation at PandaDoc. He’s been a marketer for 10+ years, and for the last five years, he’s been entirely focused on the electronic signature, proposal, and document management markets. Yauhen has experience speaking at niche conferences where he enjoys sharing his expertise with other curious marketers. And in his spare time, he is an avid fisherman and takes nearly 20 fishing trips every year.
