What Is a Privacy Policy? Everything Businesses Need to Know

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP, October 20, 2023


Knowing about privacy policies is essential for business owners in our digitally dominated world.

Nearly all of us operate online daily, giving websites, apps — and perhaps even household items — access to endless amounts of our personal information.

Privacy policies are no longer skippable walls of text we should expect our consumers to agree to without reading.

In this guide, I’ll cover what a privacy policy is, what goes into one, what laws affect it, and the possible consequences of not having one — and much more.

Table of Contents
  1. What Is a Privacy Policy?
  2. Why Are Privacy Policies Important?
  3. Do I Need a Privacy Policy?
  4. Which Laws Require a Privacy Policy?
  5. Which Platforms Require a Privacy Policy?
  6. What Are the Benefits of a Privacy Policy?
  7. What Do Privacy Policies Include and Cover?
  8. What Are the Penalties for Not Having a Privacy Policy?
  9. Where Do You Need To Display Your Privacy Policy?
  10. How Can You Enforce Your Privacy Policy?
  11. Options for Creating a Privacy Policy
  12. How To Maintain Your Privacy Policy
  13. Additional Legal Policies You May Need
  14. Summary

What Is a Privacy Policy?

Simply put, a privacy policy informs your website or app users how you collect and process their personal data.

It also tells them their rights over how their data gets processed and gives instructions for following through on those rights.

While the specific details included in your privacy policy depend on applicable data protection laws, it usually explains:

  • What personal information you collect
  • How you collect that information
  • Why you collect it, also known as your ‘legal basis’
  • Who you share the data with or sell it to

Whether you’re legally required to publish a compliant privacy policy most likely depends on:

  • Where your business is located
  • Where your customers come from
  • How much data you collect
  • Your gross annual revenue

It’s important to note that privacy policies are not the same as your terms and conditions, which protect your business by outlining your rules of use, dispute resolutions, and payment terms.

Furthermore, privacy policies are not like disclaimers, which usually go inside your terms and conditions and are used to remove liabilities from your plate.

If your company operates online in any capacity, you should have all of these necessary website policies posted to your platform. But this guide focuses on privacy policies, so let’s not get too off-topic here.

Legal Definition of a Privacy Policy

The legal definition of a privacy policy and what specifically must go into it depends on what laws apply to your business because they often require different things.

To help you out, the table below compares the legally necessary information you must include in your privacy policy based on 12 of the most significant data protection laws.

Data Privacy Law / Privacy Policy Obligations
🇪🇺 General Data Protection Regulation (GDPR)
  • What personal data you collect
  • How you collect it
  • Why you collect it (aka, your legal basis)
  • Who you share it with
  • How long you’ll store it for
  • Explain if and how you transfer it internationally
  • Explain how consumers can request rectification, data erasures, and objections
  • Explain your consumers’ right to lodge complaints
  • Explain when the data isn’t collected from the individual
  • Explain if you use automated decision-making
🇬🇧 The Data Protection Act (UK GDPR)
  • What personal data you collect
  • How you collect it
  • Why you collect it (aka, your legal basis)
  • Who you share it with
  • How long you’ll store it for
  • Explain if and how you transfer it internationally
  • Explain how consumers can request rectification, data erasures, and objections
  • Explain your consumers’ right to lodge complaints
  • Explain when the data isn’t collected from the individual
  • Explain if you use automated decision-making
🇺🇸 Amended California Consumer Privacy Rights Act (CCPA & CPRA)
  • A description of consumer rights
  • Two or more methods for submitting consumer requests to act on those rights
  • Categories of personal information collected
  • The sources where you collect the personal data
  • Your business or commercial purpose for collecting it
  • The categories of third parties with whom you share the data, if any
  • A list of the categories of personal information shared with or sold to any third parties
  • A separate list of the categories of data disclosed to others for business purposes
🇺🇸 California Online Privacy Protection Act (CalOPPA)
  • State the effective date
  • List the types of data you collect and how users can opt out of data collection
  • Say how users can request to review or delete their data
  • Explain how changes and updates to the privacy policy are communicated
  • Say if the data will be shared with third parties
  • Say whether Do Not Track or “DNT” requests are honored or not
🇺🇸 Virginia Consumer Data Privacy Act (VCDPA)
  • Your purpose for processing personal data
  • Categories of data processed
  • Categories of data shared with or sold to third parties
  • Disclose the categories of the third parties themselves
  • Explain how consumers can submit requests
  • Provide a mechanism for appeal of decisions related to consumer requests
  • Disclose the processing of personal data for targeted advertising
  • Provide the right to opt-out of data processing
🇺🇸 Connecticut Data Protection Act (CTDPA)
  • The categories of personal data processed
  • The purpose of processing it
  • How consumers can exercise their rights, including their right to appeal
  • The types of personal data shared with third parties
  • Information about the third parties
  • A way the consumer can contact you online
🇺🇸 Colorado Privacy Act (CPA)
  • What personal data you collect or process
  • Your purpose for collecting and processing it
  • An explanation of users’ rights and how they can act on them
  • Details about how a user can appeal your choice regarding their request
  • Your company contact information
  • Categories of data shared with third parties, if any
  • The categories of third parties the data gets shared with, if any
  • If the personal data is sold to third parties for targeted advertising
  • How users can opt out of the processing of their data for targeted advertising
🇺🇸 Children’s Online Privacy Protection Act (COPPA)
  • Name, address, and phone number of your company
  • The types of information collected
  • How the information is collected
  • How you use the collected information
  • If you disclose the information to third parties and how those parties use it
  • A description of a legal guardian’s option to consent to the data collection without agreeing to the disclosure of that information to third parties
  • An explanation of parental rights regarding the processing of children’s information
🇨🇦 Personal Information Protection and Electronic Documents Act (PIPEDA)
  • State your purposes for the data collection
  • Explain and implement security measures to protect it
  • Explain transparent, open details about your data handling practices
  • Say how you meet the 10 fair information principles outlined by the law
🇦🇺 Australia’s Privacy Act of 1988
  • Your company name and contact details
  • What personal information you collect and store
  • How you collect it and where you store it
  • Reasons why you need to collect it
  • How you use and disclose it
  • How users can access their personal information or ask for a correction
  • How users can lodge a complaint, and how you respond to these complaints
  • If you’re likely to disclose user data outside of Australia, and if so, to what countries
🇳🇿 New Zealand’s Privacy Act of 2020
  • Explain why the data is collected
  • State who receives the data
  • Say if giving the data is compulsory or voluntary
  • State what happens if users don’t share their data
  • Provide an explanation of users’ right to request to access or correct their data
🇿🇦 South Africa’s Protection of Personal Information Act (PoPIA)
  • Your company’s full name and address
  • The categories of data you collect or process
  • If data is not collected from the user, explain the source from which it’s collected
  • The purpose for why you collect and process the data
  • If giving the information is compulsory or voluntary
  • The consequences if a user does not share their data
  • A list of other relevant laws authorizing (or requiring) the collection of data
  • State if you plan to transfer the data outside of South Africa
  • Who you share the data with
  • Explain your users’ rights to access and rectify their personal data
  • Explain your users’ right to object to the processing of their data
  • Explain your users’ right to submit a complaint to the Information Regulator

Other Names for a Privacy Policy

You can use several names for your privacy policy, like privacy notice or privacy disclosure.

But for legal compliance reasons, try not to use a misleading or abstract title so it’s obvious to users what the document is.

Here are the most common names for a privacy policy (other than, of course, privacy policy):

  • Privacy Notice
  • Privacy Agreement
  • Privacy Disclosure
  • Privacy Statement

Why Are Privacy Policies Important?

Privacy policies are important because they help ensure you follow relevant data protection laws, keeping your business out of trouble and helping you avoid potentially massive fines.

Furthermore, a good privacy policy helps build and maintain trust with your users because it tells them what you’re doing with their personal information when they use your website or app.

Various consumer and data privacy statistics suggest that people will abandon their shopping carts or ditch your service if they think you’re dishonest about how you handle their information:

  • 60% of users say they would spend more money with a brand they trust to handle their personal data responsibly. (Global Consumer State of Mind Report 2021)
  • 84% of users are more loyal to companies with strong security controls. (Salesforce)
  • 48% of users have stopped buying from a company over privacy concerns. (Tableau)

So, put a privacy policy on your website or app to retain more customers, attract new shoppers, and prevent yourself from getting hit with legal penalties.

Do I Need a Privacy Policy?

Yes, if your business operates online in any capacity, you need a privacy policy. Posting one is a matter of legal compliance and a business best practice.

But you also may be required to have one if you:

  • Own a website: Websites often collect personal data from visitors, and therefore they need privacy policies, whether for an online clothing store, a basic photography website, or another ecommerce business.
  • Develop apps: Android, iOS, and Facebook app developers must have a privacy policy for the app to pass the final review process.
  • Run a small business: Size doesn’t matter much regarding privacy compliance, so even small businesses need privacy policies. Most fall under laws with broad thresholds, like the GDPR and CalOPPA.
  • Use third-party software or services: Many third-party services, including Google Analytics and Shopify, require you to post a privacy policy and follow any applicable data privacy laws as part of their terms of use agreements.
  • Collect information about your employees: You may need to provide your employees with details about the data you collect about them, for both in-person and work-from-home roles. This is sometimes called an ‘Employee Monitoring Policy.’
  • Own a basic blog: Even simple blogs should have a privacy policy because internet users expect to find one and may assume you’re dishonest or sneaky if they don’t see one on your site.
  • Own a marketing agency: Yes, even marketing agencies need privacy policies, as these groups typically work with large amounts of personal data and are subject to following all applicable data protection laws.
  • Have a dropshipping store: Dropshipping stores also need privacy policies, especially if they fall under any data privacy laws or take part in international data transfers, which are subject to specific legal guidelines.

Which Laws Require a Privacy Policy?

Several data protection laws from around the globe require a privacy policy either directly or indirectly, including the following:

  • General Data Protection Regulation (GDPR)
  • Data Protection Act (UK GDPR)
  • Amended California Consumer Privacy Act (CCPA/CPRA)
  • California Online Privacy Protection Act (CalOPPA)
  • Virginia Consumer Data Privacy Act (VCDPA)
  • Connecticut Data Protection Act (CTDPA)
  • Colorado Privacy Act (CPA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Australia’s Privacy Act of 1988
  • New Zealand’s Privacy Act of 2020
  • South Africa’s Protection of Personal Information Act (PoPIA)

Some of these laws, like the CTDPA and the VCDPA, clearly say you must give users a privacy notice. (This is just another name for a privacy policy, as we discussed above.)

Others provide guidelines you can quickly meet using a privacy policy, like the ten fair principles outlined by PIPEDA.

Which Platforms Require a Privacy Policy?

Besides legal compliance, several third-party platforms stipulate that you must publish a privacy policy to use their services. They usually specify this in their terms of service agreement.

In this next section, I’ll walk you through some obligations outlined by major third-party services relevant to websites and apps.

Websites

If you own a website, you may be required to post a privacy policy by the terms of use outlined by whatever content management system or service you use.

For example, you should plan to make a privacy policy if you:

Apps

Meta, Google, and Apple require developers to post a compliant privacy policy as part of the final app review process before they can get published on their various app stores.

For example, you should prepare a privacy policy if you:

What Are the Benefits of a Privacy Policy?

Privacy policies benefit both your business and consumers, making them a win-win for everyone involved. In particular, they help:

  • Protect your business from violating data privacy laws: I’ve mentioned this a few times, but privacy policies are necessary if you need to comply with any data privacy laws, and posting one can help prevent you from getting fined.
  • Build trust with your users: People want to know who has access to their personal data and what’s happening to it, so posting a privacy policy shows new and returning consumers that you’re honest and transparent about your data processing activities.
  • Create awareness and help educate your staff: Cybercrime is increasing rapidly, and personal data is often the subject of these attacks. By raising your privacy awareness and posting a comprehensive privacy policy on your website, it’ll be easier to educate your team about privacy issues and prevent your business (and consumers) from falling victim to a data breach or leak.
  • Foster a safer, more user-friendly internet: We all use the internet, business owners and consumers alike. Don’t you want to know what happens to your data when browsing shops or apps online? Posting a thoughtful privacy policy shows that you take data privacy seriously, which leads to a more user-friendly and safer internet for all of us.

What Do Privacy Policies Include and Cover?

Privacy policies include almost every detail about your data processing activities that you can imagine, and they also cover the rights your users have and explain how they can act on them.

In this next section, read about nearly every applicable clause that a privacy policy should have, and remember that not all of these may apply to your business.

Introductory Clause

Your privacy policy should have a clear, easy-to-read introductory clause that provides your company name, explains to whom the policy applies, and defines relevant terms to be used throughout the policy.

This section is also a good place to link to other relevant documents you want your users to have access to, like your terms and conditions or cookie policy.

I recommend you also put a ‘last updated’ date in this first section of your policy.

Below, see a great sample of an introductory clause from the language learning tool Duolingo’s privacy policy.

[Screenshot: Duolingo privacy policy, introductory clause]

What Personal Data You Collect

All privacy policies must disclose what personal data you collect from your users.

Keep it simple and clean by listing all categories of personal information you process, including sensitive personal data.

Below, see a good example of how to format this clause easily from the video streaming service Netflix’s privacy policy.

[Screenshot: Netflix privacy policy, personal data collected]

How You Use the Data

You must explain why you collect user data, also known as your legal basis, somewhere in your privacy policy.

Regulations like the GDPR, the VCDPA, and others require this, and your reasoning is subject to specific legal grounds.

See below how the social media video-sharing platform TikTok handles this clause in their privacy policy.

[Screenshot: TikTok privacy policy, how the data is used]

How You Collect Personal Data

For legal compliance reasons, you must disclose how you collect personal data from your users in a clause in your privacy policy.

Common methods for data collection include:

  • Voluntarily provided by the individual
  • Through payment screens or checkout pages
  • Filling out an online form
  • Placing cookies on users’ browsers
  • In-person or in-store recordings

Below, see how succinctly TikTok writes this in their privacy policy (they then expand upon this information further in their policy).

[Screenshot: TikTok privacy policy, how personal data is collected]

If You Share the Data With Third Parties

If you plan to share the personal data you collect with any third parties, you must say so in your privacy policy.

List what categories of third parties you share or sell personal information to, explain why you share or sell the data, and say how it gets shared with the other entities.

See a great example of how to write this clause in the screenshot below, which is from the video meeting platform Zoom’s privacy policy.

[Screenshot: Zoom privacy policy, sharing data with third parties]

An Explanation of Your Users’ Legal Rights

You must explain what rights your users have over their personal information somewhere in your privacy policy.

The rights provided by each law vary slightly, but most of them grant the right to:

  • Access their personal data
  • Request to amend or correct their data
  • Request to delete their data
  • Limit the use of their data
  • Obtain a portable copy of their data
  • Opt into or opt out of certain data processing activities

Below, see how TikTok writes this clause in their privacy policy.

[Screenshot: TikTok privacy policy, users’ legal rights]

A Method for Following Through on Data Privacy Rights

Most data privacy laws also require you to explain how your users can follow through on their applicable data privacy rights in your privacy policy.

You might achieve this by:

The screenshot below shows a sample of this clause from Zoom’s privacy policy.

[Screenshot: Zoom privacy policy, how to exercise data privacy rights]

Details About International Data Transfers

You must explain if you plan to transfer personal data internationally in a clause in your privacy policy and list what countries the data may get transferred to.

For example, under the GDPR, you must disclose if an adequacy decision exists regarding the data transfer or if you use another transfer mechanism.

Below, see how Duolingo handles this clause in their privacy policy.

[Screenshot: Duolingo privacy policy, international data transfers]

Data Retention Policy

Regulations like the GDPR require you to explain your data retention timeline and protocols within a clause in your privacy policy.

You must state how long you plan to store the data for or give the process you’ll use for determining when you’ve achieved your lawful goals for using the data.

To avoid legal issues, don’t keep data for longer than necessary.

Below, see how Zoom writes this clause in their privacy policy.

[Screenshot: Zoom privacy policy, data retention]

Safety and Security Measures

Laws like the GDPR and the CCPA hold businesses accountable for implementing safety and security measures to protect personal data from breaches, leaks, or other cybercrimes.

Taking the following precautions is recommended:

  • Pseudonymize the data
  • Encrypt the data
  • Ensure ongoing confidentiality, integrity, resilience, and availability of your processing system
  • Implement a way to restore the availability or access to personal data should a breach occur
  • Have a process for routinely testing, assessing, and evaluating the effectiveness of your security protocols

See a sample of this clause from TikTok’s privacy policy below.

[Screenshot: TikTok privacy policy, safety and security measures]

Updates to Your Privacy Policy

You should include a clause in your privacy policy explaining when you’ll make updates and how you’ll inform your consumers about those changes.

Under the CCPA, you must update it at least once every 12 months. Plus, some laws, like the GDPR, expect you to re-obtain user consent if you change what data you’re processing or your purposes and use of the information.

Below, see an example of this clause from Duolingo’s privacy policy.

[Screenshot: Duolingo privacy policy, updates to the policy]

The Right to Lodge a Complaint

Under laws like the GDPR and PoPIA, you must explain in your privacy policy that consumers can submit a complaint about you if they think you’re violating their privacy rights.

If possible, provide the correct contact information by region for the appropriate person or entity to submit those complaints.

See a sample of this clause in the privacy policy from Netflix below.

[Screenshot: Netflix privacy policy, right to lodge a complaint]

Children’s Data

If your website or app targets children, you must include specific information to comply with relevant laws like COPPA, which are meant to protect minors and young people.

For example, you must inform parents or legal guardians of their right to opt their children into data processing.

See how Duolingo writes this clause in their privacy policy below.

[Screenshot: Duolingo privacy policy, children’s data]

Company Contact Information

Many data protection laws require you to include your proper company contact information directly in your privacy policy. This ensures that users know who to contact if they have questions about the details of your policy.

Below, see an example of how Duolingo writes this clause in their privacy policy.

[Screenshot: Duolingo privacy policy, company contact information]

What Are the Penalties for Not Having a Privacy Policy?

The penalties for not having a privacy policy depend on which law you’ve violated.

The table below compares the non-compliance punishments for the 12 data protection laws covered throughout this guide.

Data Privacy Law / Penalties for Violating the Law
General Data Protection Regulation (GDPR)
  • Maximum penalty of €20 million ($21 million) or 4% of their annual global turnover of the preceding year (whichever is higher)
  • Less severe infractions top out at €10 million ($12 million) or 2% annual global turnover of the preceding year (whichever is higher)
The Data Protection Act (UK GDPR)
  • Up to £17.5 million or 4% of the global revenue of the preceding year, whichever is greater
  • Or up to £8.7 million or 2% of the worldwide turnover of the preceding year, whichever is greater
Amended California Consumer Privacy Act (CCPA/CPRA)
  • Up to $2,500 per non-intentional violation
  • Up to $7,500 per intentional violation or for offenses involving the personal information of minors under age 16
  • Consumers can pursue private action against a business for the following reasons:
    • Nonencrypted and non-redacted personal information is compromised
    • Email addresses in combination with a password or other details permitting access into an account are breached
California Online Privacy Protection Act (CalOPPA)
  • Up to $2,500 per violation
Virginia Consumer Data Privacy Act (VCDPA)
  • Up to $7,500 per violation
Connecticut Data Protection Act (CTDPA)
  • Up to $5,000 per willful violation
  • Plus equitable remedies, including restitution, disgorgement, and injunctive relief
Colorado Privacy Act (CPA)
  • A range from $2,000 to $20,000 per violation plus possible criminal liabilities
Children’s Online Privacy Protection Act (COPPA)
  • Up to $40,654 per violation
Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Up to $100,000 (CAD) per violation
Australia’s Privacy Act of 1988
  • $2,500 (AUD) per person, other than a corporate body
  • Up to $55,000 (AUD) for a corporate body
New Zealand’s Privacy Act of 2020
  • Up to $10,000 (NZD)
South Africa’s Protection of Personal Information Act (PoPIA)
  • Up to R10 million (about $549,000), up to 10 years in jail, or both.

As you can see, some of these laws, like the amended CCPA, give individual users the right to pursue private action against you.

Others, like PoPIA, could potentially lead to criminal charges.

You’d also face public backlash from your customers, which could cause you to lose sales.

Where Do You Need To Display Your Privacy Policy?

Where you display your privacy policy also depends on what data protection laws apply to your business, and you should plan to post it in multiple spots.

Regulations like the GDPR and CCPA require you to present your consumers with certain information at or before the points where data collection occurs.

So, I recommend putting your privacy policy in all of the following spots:

  • The footer of your website: This is where most people look for your policy, and since it always stays the same no matter where users end up on your site, it helps ensure they always have access to it.
  • A static menu of your app: If you own an app, link your privacy policy in a fixed menu so your users can always locate the information.
  • Payment screens or checkout pages: Payment screens usually collect personal information from users, so this is a legally necessary place to link to your privacy policy.
  • Profile or new user account creation pages: To set proper user expectations, give them a link to your privacy policy before they create a profile or user account. This is another area where data collection typically occurs.
  • Linked to your consent banner: Along with a cookie policy, consider also putting your privacy policy on your cookie banner and request that your users read it and choose if they agree. This proves they’re fully informed before they continue accessing your services.
  • App store listings: Put a link to your privacy policy on any app listing pages so users can read the agreement before downloading your platform. Many app stores require this before they’ll approve your app for publishing.
  • In your marketing emails: A link to your privacy policy within your marketing emails helps keep your users informed and allows them to access it as needed.

How Can You Enforce Your Privacy Policy?

Your privacy policy is not a document that you need to enforce. Instead, it explains your data processing activities to inform the people who may use your website or app.

In fact, your business is held accountable for following everything you write in your privacy policy, not your consumers. It’s also your responsibility to ensure that it meets all obligations outlined by any data privacy laws that may impact your company.

A better question to ask yourself is: Is your privacy policy compliant? 

Because if the answer is no, all liabilities fall on your business.

Options for Creating a Privacy Policy

When it comes to making a privacy policy for your website or app, you have a few options:

  • Use a managed solution like a generator
  • Use a free template
  • Write it yourself

Contrary to popular belief, unless you collect highly sensitive personal information or process massive amounts of data, you typically don’t need to rely on a lawyer for your privacy policy.

Let’s discuss these privacy policy solutions so you can choose the best method for your business needs.

Managed Solution

The easiest way to make a privacy policy for your platform that adequately follows data privacy laws is to use a managed solution like Termly’s free Privacy Policy Generator.

To use the generator, you answer simple questions about your business, and it creates a compliant policy based on your answers. If you need help, our legal team provides tips for most sections, and we have a great group of customer support staff ready to chat.

Our privacy policy generator features clauses that comply with several data privacy laws, and we update it regularly to keep up with any new or changing legislation.

See what it looks like in the screenshot below.

[Screenshot: Termly Privacy Policy Generator]

Free Template

Another good option is our free privacy policy template, which takes a little more work but is still relatively quick and easy.

With a template, you manually fill in the blank sections with details about your business. Ours features all the necessary clauses to comply with several of the data privacy laws mentioned in this guide.

Below, you can see an example of what it looks like.

[Screenshot: Termly free privacy policy template]

We have guides and templates for privacy policies, no matter your need.


Do-It-Yourself

You can also write your privacy policy, but I only recommend this if you have extensive data privacy and legal knowledge or access to a lawyer.

If you try this, use easy-to-read language, and don’t leave anything out. Violating these data privacy laws — even by mistake — still leads to fines.

You should also plan to regularly review and update your policy and develop a process for keeping up with new or changing data privacy laws.

How To Maintain Your Privacy Policy

Maintaining your privacy policy is an integral part of legal compliance. You should plan to review and update it regularly and have a process in place for informing your users whenever you make any changes.

Reasons to update your privacy policy include:

  • You made a general update or change regarding your data collection and processing activities.
  • You must comply with the CCPA, which states that you must update your policy at least once every 12 months.
  • You want to collect new types of personal information from users not previously outlined in your privacy policy.
  • You’re using a new third-party service or will share the data you collect with a new entity.
  • You changed how you want to use the personal data you collect to something not previously expressed in your privacy policy.

To inform users of your updated privacy policy, you can:

  • Send out an email with a link to the new policy and an explanation of what changed
  • Use a pop-up notification on your website or app so anyone who visits is informed about the changes
  • Publish a blog post that explains to users that you’ve changed your privacy policy
  • Put a ‘Last Updated’ date clearly on your privacy policy — in the introduction section is best

I recommend implementing all of the above solutions so that as many of your users as possible can see the changes you’ve made to the agreement.

It’s also a good idea to provide an archive of past versions of your policy somewhere on your app or website. This way, you can prove that you’ve kept up with the appropriate changes based on any laws that may impact your business.

Additional Legal Policies You May Need

A privacy policy is only one of several different legal documents you might need for your website, app, or platform.

Depending on the industry you’re in and what services you provide, you may need a:

  • Consent Management Platform (CMP): To set your website or app up for full compliance under most data privacy laws, you may need to use a Consent Management Platform and set up a cookie consent banner that allows your users to opt into or out of certain data collection practices, based on applicable laws.
  • Cookie Policy: Cookies qualify as personal information under most of the data privacy laws mentioned in this guide. You should create a compliant cookie policy that tells users what cookies your website leaves on their browsers and how they can control them.
  • Terms and Conditions Agreement: If you run a website, creating a terms and conditions agreement helps protect your business by explaining the rules of use and limiting some of your liabilities. You can include clauses to outline your dispute resolution and governing laws and explain processes like your payment terms.
  • Acceptable Use Policy (AUP): If your business allows users to interact with one another, post their own content, or fosters an interactive community, you should create an Acceptable Use Policy that explains all acceptable and prohibited uses, behaviors, and activities on your platform.
  • Return and Refund Policy: If you run an ecommerce store, create a return policy to help answer common customer questions about if you offer returns, refunds, or exchanges and how long customers have to request one.
  • Shipping Policy: If you send goods through the mail, create a shipping policy so consumers know all details about your shipping and handling practices, like where you ship to, how much it might cost, and a timeline for how long it usually takes for people to receive their packages.
  • End-user License Agreement (EULA): For apps or software developers, creating a EULA helps protect your technology that’s available for public use.
  • Disclaimers: Most businesses need to create at least one disclaimer on their site to help remove (aka, disclaim) liabilities from their plates.

Summary

You now know what a privacy policy is, why they’re so important, and if you need one (which, let’s be real, you do!).

No matter what kind of business you own, a privacy policy helps you comply with data privacy laws and shows consumers that you respect their personal information.

With tools and privacy compliance partners like Termly, there’s no need to stress about making a privacy policy for your website or app. Just use our Privacy Policy Generator and rest easy knowing you’ve created a policy that complies with several of the world’s most prevalent data protection laws.

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
