How to Write a Privacy Policy

Written by Alison Page (FreePrivacyPolicy Legal writer) and last updated on 01 July 2022.

If you have a website or mobile app that collects personal data from its users, you will need a Privacy Policy. A Privacy Policy is required by law in many countries.

What is a Privacy Policy and what are the legal requirements governing Privacy Policies? How do you go about writing a Privacy Policy? Let's find out.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used.
  3. Answer a few questions about your business.
  4. Enter the country and click on the "Next Step" button.
  5. Continue building your Privacy Policy by answering the questions from our wizard.
  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

What is a Privacy Policy?

A Privacy Policy is defined as follows:

"Statement that declares a firm's or website's policy on collecting and releasing information about a visitor. It usually declares what specific information is collected and whether it is kept confidential or shared with or sold to other firms, researchers or sellers."

For online businesses that own or operate a mobile app or website, a Privacy Policy is required for you to operate within the law.

Your Privacy Policy is where you disclose, at minimum, what personal information you collect from your users, how you collect the information, how you use it, and whether you share it with any third parties.

Check almost any website footer and you'll surely find a link to one of these required agreements.

Laws governing Privacy Policies

Privacy Policies are mandatory in many countries for websites and apps that collect or use personal data from users. These laws are aimed at protecting consumers and their personal, private information.

If you plan to make your website or mobile app available to users who reside outside of your home country, which you surely do, you must be aware of what these laws require when it comes to your Privacy Policy.

Some of these laws include the EU's GDPR, Canada's PIPEDA and CalOPPA in the United States.

Planning a Privacy Policy

The first phase of writing your Privacy Policy should involve planning your Policy's content.

Careful planning and consideration of what you need to include in your Privacy Policy will ensure that nothing is overlooked and will also make writing the Policy far easier.

During the planning phase, consider the following points:

  • The less personal user data you request, store, and handle, the easier it will be to write your Privacy Policy.
  • Assess the user information that you want to collect through your site or app and consider whether it's necessary that you collect it. For example, if your website provides an email newsletter, would collecting a user's state of residence and birthdate really be necessary? In this example, all you really need is an email address so that your newsletter can be emailed to the user.
  • Get familiar with your data collection and processing habits. Remember, the point of your Privacy Policy is to disclose specific information to your users, so you'll need to be aware of what you're doing so you can communicate it in your Policy.

Note that it's important to avoid complex legalese in your Privacy Policy. You must use plain language that users can easily understand.

The Policy should also be laid out in a clear format that is easy to navigate and isn't too complicated or confusing.

Santander's Privacy Statement is divided into short paragraphs that are easy to read and understand, with bold text headings and lists:

Santander Privacy Statement: Excerpt of intro clauses

Clauses of a Privacy Policy

Here's a breakdown of some of the main clauses to include in your Privacy Policy.

Information Collection

You need to disclose the types of personal data that your site or app collects and how it is collected. Some companies combine this information into one clause, while others split it into two.

Most companies use a list format for this section to make the information clear and easy to read.

In addition, a list format can double as a checklist, helping to ensure that you do not omit anything.

LinkedIn has a very detailed Data We Collect clause within its Privacy Policy. The company collects a vast amount of personal data from its users, including their full names, employment history, qualifications and city of residence. Because of this extensive amount of data collection, it's very important that the company clearly explains all of this and the purpose of this data collection to their users.

In the example below, you can see the data collected is detailed and an explanation as to why it is needed is offered.

LinkedIn Privacy Policy: Data We Collect clause excerpt

Use of Information

This section should explain to your users how and why you use the information that you collect from them.

Explain to your users how the collection of data can benefit them and how it is used by your business. This also applies to data that is collected as part of your website metrics and is used to monitor customer satisfaction and purchasing patterns.

Here's how LogMeIn discloses this information in a clear, easy-to-follow way:

LogMeIn Privacy Policy: How We Use the Information We Collect and Receive clause

Third Party Disclosure

Most users are concerned about their personal information being shared with third parties. Let your users know whether you share their personal data with anyone else, and under what circumstances you do so.

In the following example, you can see that Amazon UK explains its policy on data sharing clearly and in detail, with each relevant section broken down separately.

Amazon Europe Privacy Notice: Sharing your personal information clause excerpt

Information Protection

Reassure your users that the personal information you store is stored securely. While you don't have to give specifics in this clause about exactly how you secure the data, make it clear that you do take steps and have protocols for security.

A short section is generally sufficient to address this requirement, as can be seen in this example from Vitality's Privacy Policy.

Vitality Privacy Policy: Internal Security Procedures Clause

Note that SSL encryption is mentioned, explaining to users that their data is kept confidential and secure. This is a good method of gaining users' trust and reassuring them, without giving away too much about your site's security provisions.

Note that Vitality has also included a disclaimer which states that no system can ever be regarded as 100% secure. You should include this in your clause as well.

Rights of Users

You must also include a section within your Privacy Policy that covers the rights of users. This is especially relevant if your Privacy Policy needs to be GDPR-compliant.

This section should explain that users have the right to make amendments to their data, to delete data, to review the information that you hold on them, and other rights. This is important because users must know that they can protect their privacy and remove personal information at any time.

Royal Mail includes a section in its Privacy Notice called Your Legal Rights where user rights are clearly set forth and described:

Royal Mail Privacy Notice: Your Legal Rights clause excerpt


The EU Cookies Directive applies to EU-based companies or companies that target individuals in the EU whose websites use cookies. If this is you, you must have a stand-alone Cookies Policy.

Companies that don't fall under the Cookies Directive can simply include a Cookies Clause within their Privacy Policy to disclose the use of cookies.

In the case of Santander's UK site, you can see in the example below that their Privacy Statement contains a Cookies Clause that includes a link to their stand-alone Cookies Policy.

Note that users are also offered the option to disable cookies if they want to.

Santander Privacy Statement: Cookies clause

Notification of Changes

A Notification of Changes clause is usually included under its own section in the Privacy Policy.

Informing users that you have made changes to your Privacy Policy helps to enhance your company image of transparency and openness. In addition, this clause grants you the right to make alterations to your Privacy Policy when needed.

This can be useful if you need to change the type of client data you collect and how you store it in the future.

Royal Mail keeps its Notification of Changes clause limited to just two sentences, including an indication of when the Privacy Policy was last updated:

Royal Mail Privacy Notice: Changes to Privacy Notice clause: 2018

Contact Information

Most Privacy Policies end with a Contact Information clause, allowing users to get in touch quickly and easily if they have any questions or concerns about your use of their personal data. This helps show that your company is open, honest, and happy to discuss the use and protection of users' personal data with them.

Provide as much contact information as you can, or at least the best ways that users can get in touch with you such as telephone numbers, email addresses, terrestrial mailing addresses, or links to online forms. The BBC's Contact Information clause provides separate contact details for overseas users:

BBC Privacy Policy: How can I contact the BBC clause


When writing your Privacy Policy, don't forget to:

  • Take the time to consider and review your information collection requirements and practices.
  • Establish a comprehensive list of all places on your site where you collect personal information from users, both directly and indirectly.
  • Identify all third parties that may be collecting information from your users.
  • Ensure you are compliant within the jurisdiction of your business.
  • Ensure you are compliant within the jurisdictions of your website and app users.
  • Ensure you are compliant with privacy requirements of third parties.
  • Give users the opportunity to update, remove or transfer their personal information from your database.
  • Use language in your Privacy Policy that is simple, user-friendly and conveys a corporate culture of transparency and security.