Laws such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA/CPRA) in the U.S. require your business to have a Privacy Policy. A Privacy Policy explains how you deal with the personal data of customers.
The Federal Trade Commission (FTC) issued a warning to several companies in 2023 that the misleading collection of confidential or sensitive data could result in hefty fines. If your Privacy Policy is inaccurate or misleading about how you use customer data, you could be at risk as well.
This article will look at what a Privacy Policy is, what privacy practices your business may be engaging in (or may need to), and why it's so important that the policy mirrors your business actions. We'll also look at how you can keep your Privacy Policy accurate and up to date.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What is a Privacy Policy?
- 2. What are Privacy Practices?
- 2.1. Use Guidelines from Official Bodies
- 3. Why Does Your Privacy Policy Need to Mirror Your Privacy Practices?
- 3.1. To Ensure Legal Compliance
- 3.1.1. To Comply With the GDPR
- 3.1.2. To Comply With the CCPA
- 3.2. You Might Face Compliance Penalties
- 3.3. You Risk Losing a Trusting Relationship With Customers
- 3.4. Relationships with Suppliers and Partners are at Risk
- 4. How Can You Keep Your Privacy Policy Accurate?
- 4.1. Carry Out Internal Privacy Audits
- 4.2. Update Your Privacy Policy Regularly
- 4.3. Use Simple Language in Your Privacy Policy
- 4.4. Get Consent
- 5. Summary
What is a Privacy Policy?
A Privacy Policy is a legal document that explains to users and customers how you collect, process, share, sell, transfer, or otherwise use their personal data. Personal data is sometimes called personal information or personally identifiable information (PII).
Personal data can be data that identifies a person on its own, or data that can be combined with other data to identify a person. It includes information such as:
- Email address
- Physical address
- Name or birthdate
- Online identifiers
- IP address
- Location data
- Shopping preferences
- Sensitive information like religious affiliation, genetic data, criminal record, or sexuality
Global privacy laws require you to have a Privacy Policy that explains how you will use this PII. Many laws require you to get consent from your users or customers before you collect their data, and usually you may only process this data for specific, disclosed purposes. Transparency, accuracy, and clarity are important principles that govern data privacy laws around the world.
When you explain your data handling approach in your Privacy Policy, you'll need to make sure that this reflects your privacy practices.
Let's take a look at what those privacy practices can include.
What are Privacy Practices?
Privacy practices are the specific ways in which you deal with data collection, processing, sharing, security, and protection of personal data within your business.
A privacy practice may be that you follow the principle of data minimization, which means collecting only necessary data and nothing more. Other examples of privacy practices could be that you encrypt or pseudonymize all information that you collect from customers, or that you don't share or sell customer data to any third parties.
Privacy and security practices go hand in hand. Privacy practices usually relate to following important principles such as:
- Collecting data lawfully and with consent when required
- Data minimization (using as little data as possible)
- Purpose limitation (being clear about your purpose for using data, and sticking to it)
- Keeping data accurate and up to date
- Deleting data when requested
- Storing data only as long as you need it
Your website and business will need to have organizational practices that support these principles in actual, practical behavior when you deal with data.
Security measures such as encryption, physical hardware security, access management, and internal processes support these privacy practices. All of these things combined protect your users from the risk of a breach or misuse of data, and protect you from legal action.
Use Guidelines from Official Bodies
To better understand which privacy practices keep personal data private and secure, consult the guidelines from official bodies such as the UK Information Commissioner's Office (ICO), which explain good practices for privacy and data protection.
This ICO FAQ, for instance, answers a lot of common questions that businesses might have about how to handle data safely.
Some examples of the questions it answers include:
- We need to share personal data with another organization. Is this allowed?
- What types of data need more protection?
- How long should I store data?
- Can I share data with the police or other law enforcement authorities?
The Commission nationale de l'informatique et des libertés (CNIL), the Data Protection Authority in France, also provides an extensive document in English about good data protection and security practices. This includes information on workstation security, access management, securing websites, managing incidents, and estimating risks.
Your Privacy Policy should match whatever practices you actually carry out, not practices that you plan to do later or feel you should do.
Every time you change your privacy practices or ways of handling data, you'll need to update your policy.
Let's go through why this matters so much.
Why Does Your Privacy Policy Need to Mirror Your Privacy Practices?
Your Privacy Policy needs to match your privacy practices so that you can comply with legal and compliance obligations, avoid penalties, build trust with your customers, and maintain good relationships with suppliers and partners.
Having a misleading or inaccurate Privacy Policy leaves you open to both legal and reputational risks.
Let's take a look at legal compliance issues first.
To Ensure Legal Compliance
Complying with relevant laws such as the GDPR or CCPA (or other laws, depending on the jurisdiction), will mean that you need to transparently and accurately tell your users how you deal with their personal data.
For instance, if your Privacy Policy says you don't share data with third parties, but you actually do, this can be seen as misleading or deceptive conduct by the FTC in the U.S., and is also a violation of the GDPR and CCPA.
To Comply With the GDPR
The GDPR states in Article 5, which you can see below, that you must be transparent about what personal data you collect and process. It must also only be collected for specified and explicit purposes. Having a misleading Privacy Policy would not be transparent, and would not accurately specify the correct or explicit purposes of data collection either:
Compliance with the GDPR is one key reason why your Privacy Policy needs to be aligned with your actual practices.
To Comply With the CCPA
The CCPA also states that businesses must disclose how they collect, process and share personal data, and must tell consumers about their privacy rights. If your Privacy Policy disclosures are incorrect, you risk being in breach of this section of the CCPA:
The CCPA also highlights misleading and unfair conduct specifically in a section discussing situations in which data has been transferred to third parties. This section explains that if a third party you have shared data with changes its own policies about data processing, customers have to be notified. You can't use this process to retroactively update your policy in a way that would be unfair or deceptive.
Basically, unfair and deceptive conduct is not allowed in your Privacy Policy, even if circumstances have changed and you have to make updates that could be difficult to carry out, e.g. contacting all customers who have been affected by a change relating to a third party's practices:
You Might Face Compliance Penalties
If you don't comply with the GDPR or CCPA, you can be fined large amounts.
For example, the penalties in the CCPA include injunctions (meaning you have to stop what you are doing), as well as thousands of dollars in fines per violation, as you can see in the section below. If you have many customers or users, each one of these can be a violation, and you could be facing very high penalty amounts.
The penalties in the GDPR are even larger, up to 20,000,000 Euros, or 4% of worldwide annual turnover, whichever is higher.
The penalties that come from legal non-compliance are not the only consequence you could be facing if your privacy practices don't match your Privacy Policy.
Let's take a look at some of the additional consequences now.
You Risk Losing a Trusting Relationship With Customers
If your Privacy Policy doesn't match your privacy practices, customers may lose trust in your website or company, and may even withdraw their business.
Privacy is also becoming an increasingly important issue in the minds of consumers: Forbes reports that one study found "86% of Americans are more concerned about their data security and privacy than they are about the state of the economy."
Relationships with Suppliers and Partners are at Risk
In many cases, a disconnect between the Privacy Policy and actual privacy practices can also cause problems between you and any suppliers, partners, or collaborators.
For example, Apple Safari requires that if you want to make an App for the App Store, you need to ensure that any third parties will provide "the same or equal protection of user data" as required by Apple in its Apple App Review Guidelines:
This means, for example, if your Privacy Policy and privacy practices don't match, partners and collaborators who have to comply with similar obligations (such as those for Safari above) may not want to work with you.
This is because they can't guarantee that your privacy protections are good, and that your Privacy Policy is not misleading.
How Can You Keep Your Privacy Policy Accurate?
There are a number of ways that you can make sure your Privacy Policy remains accurate and is not misleading for users.
These methods include:
- Carry out internal privacy audits to check your practices
- Update your Privacy Policy regularly
- Use simple language in your Privacy Policy
- Don't over-promise and under-deliver
Carry Out Internal Privacy Audits
An important first step is to carry out internal audits of your privacy and security processes. A privacy audit means that you check through how your business deals with privacy and data protection, making sure that it is compliant with legal obligations. You complete this process periodically, e.g. once a year.
Accounting firm KPMG provides some guidelines for what you would usually ask during this process, such as:
- What type of data is being processed? E.g. customer data, accounting data, employee data, marketing information
- Where is the personal data located?
- Who has access to the data?
- Who is it shared with?
- When must data be deleted to comply with legal requirements?
- Is data actually deleted in line with these periods?
- Through what processes is data deleted, and is it effective?
When you go through this process regularly, you are much more likely to have a clear idea of what your privacy practices currently are, and whether any improvements need to be made.
Update Your Privacy Policy Regularly
Once you know what your privacy practices are, and regularly conduct audits on this, you'll be able to update your Privacy Policy regularly.
Keeping your Privacy Policy updated regularly is a crucial step for making sure it reflects the current way that you deal with data in your company.
Data handling practices change. This is a normal and common occurrence for businesses globally. However, having good processes in place to regularly check your data handling processes is crucial.
You can see in this example from Upwork that its Privacy Policy was last updated in July 2024:
This email from Upwork from a previous update also explains that its Privacy Policy is being updated, and asks for users to take a look and consent to the new policy:
Once you've made sure your Privacy Policy is up to date, it's also good to check whether the language you are using is clear and simple.
Use Simple Language in Your Privacy Policy
When your Privacy Policy is hard to read, or full of complex legalese, it may be hard to understand what your own policy is saying.
Using simple language can help to make it clear, both for the user, and for your own business. This makes it less likely to be misleading, and less likely that you will say things that are inaccurate or untrue.
Here's a good example from Google's Privacy Policy, using simple language and bullet points to provide a clear picture of what data Google collects from users through its services:
Making sure the language in your Privacy Policy is simple can help you to check more easily whether your policy and practices align.
Get Consent
It's better to tell your customers directly what you are doing, and offer them a clear opportunity to decide whether they consent to it or not, rather than hide it and hope for the best.
Providing a clear consent mechanism with a simply-worded and clear Privacy Policy protects you from legal issues.
Here's an example of a Privacy Policy from Undercover Germany, in which it discloses that it shares data with third parties:
It also uses a clear consent mechanism on its website in the form of a pop-up, with equal-sized and same-colored "Accept" and "Deny" buttons, with links to its Privacy Policy and Legal notice:
It is clear that data will be shared with third parties, and it is not hidden from the sight of users. Users also have a clear opportunity to read the Privacy Policy before they begin using the website and agree to data collection. It's better to be upfront and direct about how you will handle data, and not to over-promise higher privacy standards than you actually employ.
Summary
Aligning your Privacy Policy with your privacy practices is a crucial but sometimes overlooked step. The Privacy Policy is not just a document that you can create without paying attention to the details. Rather, it must always mirror how you actually treat data.
With the TermsFeed Privacy Policy Generator, you can create tailored and customized Privacy Policies that match what you actually do. Through the generator, you're able to select options for how you deal with data, which will then be reflected in the wording of the policy.
Whichever Privacy Policy you create or use, make sure it's regularly updated, and that you regularly check on your business privacy practices through privacy audits as well. Without taking these important steps, you may be at risk of legal penalties, lost customer trust, and lost relationships with partners or suppliers.