If you're trying to improve your Privacy Policy, or need to create a new one, you need to know how to make it high quality. A good Privacy Policy should always be compliant with privacy laws, clear, up-to-date, and easy to find on your website or app.

In this article we'll explain what a Privacy Policy is, and what laws require you to have one. Then, we'll go into detail about what your Privacy Policy should have in it, how to create and display it, and how to get proper consent from your customers or users. All of these factors combined are what can make a Privacy Policy good or bad.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is a Privacy Policy?

A Privacy Policy is a legal document that explains to your customers or users how you will:

  • Collect personal data
  • Use personal data
  • Manage, store and protect data
  • Share their data
  • Update them about changes to your policy
  • Uphold their privacy rights, such as the right to erasure
  • Notify them of data breaches

Privacy Policies must be used whenever you are collecting personal data from someone. This includes through your business operations, websites and online services, or mobile apps.

In many jurisdictions a Privacy Policy is required by law. Your users or customers must agree to this Privacy Policy before you collect their personal data.

Personal data includes information such as:

  • Name or email address
  • Address
  • Credit card number
  • Birthdate
  • Social security number
  • Location data
  • IP address

In addition, many third parties require you to have a Privacy Policy if you want to use their services. This includes, for instance, selling things on platforms like Facebook, services such as Google Analytics, or the Apple App Store.

What Laws Require Privacy Policies?

Laws that require Privacy Policies include, among many others:

  • The General Data Protection Regulation (GDPR) in Europe
  • The Data Protection Act (DPA) in the United Kingdom
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
  • The California Online Privacy Protection Act of 2003 (CalOPPA) in California

Each of these laws has a different approach to how privacy should be protected.

For example, the GDPR applies to organizations with a presence in the EU, or those who are collecting or processing the data of EU residents. The GDPR is guided by a number of principles, such as transparency, accountability, and data minimization. It also contains specific provisions, such as Article 13, which explain what your Privacy Policy (known in the GDPR as a "Privacy Notice") should contain.

It also contains a set of rights that data subjects have. This includes the right to erasure of their data when consent is withdrawn (known as the "right to be forgotten"), the right to find out what data an organization has about them (known as the "right of access"), and the right to rectification (i.e. correcting inaccuracies). These rights must be covered by your Privacy Policy if the GDPR applies to you.

Another example of a law that might apply to you is PIPEDA. In contrast to the wide reach of the GDPR, PIPEDA only applies within Canada.

Like the GDPR, it requires you to have a Privacy Policy if the law applies to you. It states, for example in Principle 8 - Openness, that an organization "shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."

Canada's PIPEDA has principles and requirements similar to the GDPR's in terms of data minimization and accountability. PIPEDA contains no right to erasure for data subjects, although data must be deleted or anonymised when it is no longer being used. These are just some of the differences between the two laws, although both require you to have a Privacy Policy.

As you can see, privacy laws vary depending on the jurisdiction, and you may need to follow different legal rules depending on where your users come from, not just where you are based. Consider carefully which of these laws apply to you, and seek legal advice if you aren't sure. Many of these laws have penalties for non-compliance.

Regardless of which law applies to you, the clarity, honesty, and readability of your policy is important wherever you are.

In addition, as laws change, or if your business expands into new markets, you need to change your policy to reflect this.

Let's look in more detail at what goes into a good Privacy Policy. After that, we'll address how to display the policy, and how to get consent.

What are the Components of a Good Privacy Policy?

A Privacy Policy should always contain the sections required by laws that apply to your business, and should also be accurate and honest, kept up to date, and easy to understand.

Let's look at the components of a good-quality Privacy Policy, and how it should be written.

It's Accurate and Honest

Privacy Policies must be accurate and honest about what data your business is collecting, and how you will use it. If you are, for example, going to share data with third parties, you must specify this in your policy and not hide it from your users.

For example, Apple clearly outlines in its Privacy Policy several ways in which the company will share customer data, and the details of how that sharing will take place.

Apple increases clarity by highlighting particular words in bold, to make it obvious how data will be shared, and with whom. It also uses bullet points to increase readability. This is a good way of providing accurate and honest information about your data sharing practices:

Apple Privacy Policy: Sharing of Personal Data clause

It's Updated Regularly

Privacy Policies must be updated regularly to reflect any changes in your business or organization's internal policies about data collection. A Privacy Policy should also be updated when there are changes to the relevant laws, or if there was a mistake or oversight in the previous policy.

You must notify your users when you make an update to your policy.

Here's an example of an email from Pinterest, explaining that its Privacy Policy has been updated:

Pinterest Privacy Policy update notice for April 2024

In this example you can see that Pinterest has given a date at which the new Privacy Policy and Terms of Service take effect. This gives people an opportunity to stop using the services if they don't like the new Privacy Policy or no longer agree to it.

Pinterest has also explained why the policies have changed, including specifically that laws have changed in Europe and that it wanted to describe more clearly how data is collected and used. This also helps users to understand what changes have taken place, and which parts of the new policy they might need to pay close attention to.

It's Written in Language that is Easy to Understand

A good Privacy Policy also uses language that is clear and easy to understand.

This means that the policy should not be written with confusing legal terms or jargon. Avoid legalese. Instead, it should be understandable by the average person who might be reading the Privacy Policy as a user.

Here's an example from Google that shows how a Privacy Policy can be written using clear language. Google explains in simple terms that it collects information about user activity, and gives an example of what it uses this data for.

You can also see that the list of bullet points is clear and uncomplicated. The section also contains links so that a person reading the policy can easily find more information about each of these details:

Google Privacy Policy: Collect information clause excerpt

Writing a Privacy Policy in this way makes sure that your users know what they are agreeing to when they consent to it in order to use your services.

Now that we've looked at the content of the Privacy Policy, it's also important to remember that you must display the policy in a place your users can find it.

In addition, you must get proper consent from your users or customers before they use your services. Each of these is also an important factor in making your Privacy Policy a good one.

How Should You Display a Privacy Policy?

A Privacy Policy should always be displayed in a place that is easy to find, and clearly visible.

There is no specific legal requirement for where the Privacy Policy must go on your website or app, but many laws have requirements that it should be conspicuous to users. Under the GDPR, for example, a Privacy Policy should be "easily accessible." It should not be hidden or concealed.

A Privacy Policy should be displayed:

  • On web forms where users can submit data
  • In the email footer of any emails you send
  • In the website footer
  • In the app menu
  • On checkout and payment screens if you are selling goods or services

For example, the screenshot below shows how CNN displays a link to its Privacy Policy on the web form in which users can sign up for newsletters.

It also provides some additional information in this notice, explaining a little bit about what the email address will be used for if it is entered into this web form to receive newsletters. Links are also provided to the Terms of Use, Privacy Policy, and a list of affiliates, so that users can get all the information they need, before they sign up:

CNN email sign-up form

Here's another example from NPR, showing how it displays its Privacy Policy in the footer of the website.

This is a good example of how you can make the text relatively conspicuous. Some websites display the link to the Privacy Policy in very small writing, or obscured against a background. NPR's links are clear and obvious:

NPR website footer with privacy links highlighted

For a good Privacy Policy you need to make sure that you get consent from your users. This consent should be both meaningful and informed. This means that your users should know what they are agreeing to, and their consent should be active and clear (i.e. unambiguous).

If your Privacy Policy is very hard to understand, or is hidden away somewhere where nobody can find it, any consent to it is unlikely to be meaningful and informed. This can lead to compliance issues or legal penalties if a dispute ever arises in relation to your policy or practices.

As discussed in the section above, when your Privacy Policy is honest, up to date, and written in clear language, your users can be properly informed about what they are agreeing to. They also need to show that their consent is active in some way. This can be done through:

  • Including a checkbox where the user can click "I agree"
  • Having a clear statement next to a button or web form explaining that the Privacy Policy applies
  • Using banners or pop-ups

Here is an example from Everbowl that shows the first approach, including a checkbox within the newsletter sign-up form to obtain active consent:

Everbowl sign-up form

This example also shows the good practice of including a link to the Privacy Policy itself, with the checkbox on the web form.

Summary

A good Privacy Policy is one that complies with relevant laws, is easily accessible, easy to understand, and one that has been actively consented to by your users. Checking which laws apply to you is an important first step.

Once you know which laws apply to you, we suggest that you use a Privacy Policy Generator like ours to generate a compliant policy.

Next, always make sure that the content of your policy is clear, honest, and up to date. Finally, make the link to your Privacy Policy easily accessible and visible, and obtain proper consent from your users.

With all of these components, you can be sure that your Privacy Policy is a good one. This will enable you to meet the legal requirements for any privacy laws you must comply with, while helping your user base understand your privacy practices.
