How to write a great privacy policy

    We've put together our top tips to help you write a stellar privacy notice, suitable for all organisations.

    By Klara Lee

    Tue 22 Sep 2020

    4 min read


    When you’re collecting, storing or using personal data, it’s essential that you tell individuals exactly how you’re doing this and what it means for them.

    The best way to do this is in a clear and plainly written privacy policy. Unfortunately, many companies still have lengthy and opaque policies that don't earn consumer trust.

    We've put together the below to help you write a stellar privacy notice, suitable for all organisations.

    Remember: you have to comply with both GDPR and the ePrivacy directive

    This is because when a data privacy issue is raised, especially if it relates to communications, regulators will go straight to the ePrivacy directive.

    The ePrivacy directive has been in effect since 2002 and was updated in 2009, and its rules supplement GDPR; the two go hand in hand.

    The ePrivacy directive requires 'transparency' and 'affirmative consent' to tackle problems like spam, excessive profiling and behavioural advertising. It also addresses the confidentiality of electronic communications (for example, Facebook Messenger or WhatsApp) in more detail, and the monitoring of internet users through tracking technologies such as cookies.

    Your privacy policy template

    Below is the structure of a great privacy policy, and we’ve made sure to add what you need to do to comply with the ePrivacy directive as well.

    Remember, you need to notify the data subject of your privacy policy as soon as data is being collected.

    1. Your contact details: For example, your business' postal address, phone number, and email address.
    2. What type of information you have: For example, name, location, or search history.
    3. How you get the information and what you do with it: For example, 'you provide us with most of the information we process because we need it to do X. We also gather information from third-party Y to do Z.'
    4. The legal bases we rely on: You need at least one legal basis for why you're processing personal data. There are 6 legal bases: consent, contractual obligation, legal obligation, vital interest, public task, and legitimate interests. If you rely on 'consent' you need to display it clearly and prominently and include a separate unticked opt-in box for direct marketing. If the legal basis is 'legitimate interests' you need to provide details of this, for example, 'we advertise XYZ's products to you based on your order history on our site'. You can combine points 3 and 4 and display them in a table to make them easier to understand!
    5. How we store your information: For example, 'your information is securely stored [location]. We keep [type of personal information] for [time period]. We will then dispose of your information by doing X'.
    6. Your data protection rights: Remember that the right to object should be presented in an isolated form, not hidden in the bulk of the text. For example, 'your rights are the right of access, rectification, erasure, restriction of processing, objection to processing and data portability. Here's how you can object to processing...'
    7. How to complain: For example, 'if you have any concerns about our use of your personal information, you can make a complaint to us at [contact details for data protection queries]. You can also complain to the ICO if you are unhappy with how we have used your data. The ICO's address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF'.

    Our top tips

    These are the areas we see a lot of privacy policies fall short in, so make sure you do the following:

    Be transparent and precise

    For example, 'we will retain your browsing history for advertising purposes.' Avoid phrases such as 'we may...' (either you do something or you don't) or 'we keep your personal data for as long as necessary' (your organisation needs a specific data retention policy in place, so please share it). If you only do something in specific circumstances, be specific about what those circumstances are.

    Consider a layered approach

    Rather than pages of information that most people do not read, you can use pop-up boxes on the website to display your privacy notice so that the information is easier to follow, or use just-in-time notices, videos, icons and symbols, and privacy dashboards.

    Write in a style your audience would understand

    As an example of this, compare ASOS’s privacy policy to Microsoft's. The former is written in a much more casual but clear style.

    Name your recipients

    You need to identify, ideally by name or at least by category, any recipients of the personal data you're collecting.

    Please avoid saying 'we share your personal data with trusted third parties'. This is classed as ambiguous language under GDPR, so be clear about exactly who you share your users' data with.

    Examples

    For a general idea, this is what the ICO has on its website to demonstrate what a good and a bad privacy policy look like side by side:
