How to Write A Website Privacy Policy

Data privacy attorneys are often called upon to draft a privacy policy for a company to link to their landing page. You know, the little link that says either “Privacy” or “Legal” that nobody clicks on and nobody reads—at least until there is a data breach or a misuse of data. Then, every comma, semicolon or word choice is scrutinized to ensure that the company gave adequate notice to consumers of its privacy policies and practices. The difference between a well-drafted privacy policy and a poorly drafted one can mean the difference between millions of dollars of damages or regulatory actions.

A website privacy policy is a legally binding contract between the company that collects data and the consumer that provides that data which outlines how a website collects, uses and protects the personal information of its users. It is an essential aspect of any website, as it helps users understand how their data is being used and protected. However, inaccuracies or incompleteness in privacy policies can lead to legal or regulatory trouble for businesses. All too often, companies merely look up what they believe to be a “good” or “comparable” website privacy policy from a company engaged in similar activities and copy and paste (and global search and replace.) Alternatively, they may use either standard clauses or forms or companies that offer website policy drafting services to create their privacy policies. In many cases, this works out fine. The problem is not that the policy is good, bad or indifferent. It is that the policy does not accurately reflect what the company is doing now or what it does in the future. Thus, the first step in writing a website privacy policy is to not write. It is to gather information and listen.

Pitfalls to Avoid

One of the biggest pitfalls of an inaccurate or incomplete privacy policy is the potential for legal or regulatory trouble. If a website collects personal information from users and does not have a privacy policy—or has an inaccurate or incomplete one—it can lead to legal or regulatory trouble. Some of the pitfalls to avoid when writing a privacy policy include:

Inaccurate or incomplete information: A privacy policy that does not accurately reflect how personal information is collected, used, or shared can lead to legal or regulatory trouble.
Failure to comply with laws: If a website collects personal information from users, it is important to comply with all relevant laws and regulations. Failure to comply with these laws can result in legal or regulatory trouble.
Failure to update: As a website evolves, it is important to update the privacy policy to accurately reflect any changes in how personal information is collected, used or shared. Failure to update the privacy policy can result in legal or regulatory trouble.
Misleading statements: A privacy policy that contains misleading statements can also lead to legal or regulatory trouble.
Lack of clarity: A privacy policy that is not clear or easy to understand for users can also lead to legal or regulatory trouble.

Distinguishing between Website and Overall Privacy Policies

It is important to distinguish between website privacy policies and overall privacy policies. Website privacy policies are specific to data collected through a website, while overall privacy policies may include ordinary business communications, email, purchasing and shipping data, etc. Thus, if a company purchases sales leads, including names, addresses, contact information, demographics, etc., or uses an online CRM program like Salesforce, this data collection practice is typically not governed by a website privacy policy. If, on the other hand, the company integrates this data with data collected on or through the website, then this needs to be addressed in the website policy. A website privacy policy typically includes the following:

-An explanation of the types of personal information that are collected, such as name, email address, phone number and browsing history.
-How the personal information is collected, such as through cookies or online forms.
-An explanation of how the personal information is used, such as for marketing purposes or to improve website functionality.
-Information on how the personal information is protected, such as through encryption or other security measures.
-Information on how users can opt out of data collection or request that their personal information be deleted.

Overall privacy policies may include additional information, such as how personal information is collected through email or other forms of communication, how it is used for business purposes and how it is protected.

Put simply, the website privacy policy outlines (1) what data you are collecting, (2) why you are collecting the data, (3) how you are using the data, (4) with whom you are sharing the data, (5) how you are protecting the data and (6) what the consumer’s rights are with respect to the data (e.g., right of access, right of accuracy, right to be forgotten). Depending on the jurisdiction and the data, you may need to address issues of opting in and opting out of data collection, deletion of old or obsolete data, special issues with respect to data about race, gender identity, political affiliation, etc. and data about children.

Clear Language

A website privacy policy should be written in plain language that is easy to understand for the average user. While it may be tempting to use legal terms or jargon, doing so can make the privacy policy difficult for users to understand. This can lead to confusion, frustration and a lack of trust in the website. In addition, using legal terms or jargon may not be legally necessary. While there may be some legal terms that need to be included in a privacy policy, such as the terms of service, most of the privacy policy should be written in plain language.

The purpose of a website privacy policy is to inform users about how their personal information is being collected, used and protected on the website. To achieve this goal, the privacy policy should be written in a way that is clear and easy to understand for users of all ages and backgrounds. After writing the policy, it might be a good idea to run it through an online “readability” scoring program. Or you can do the “grandma” or “bubbie” test. Ask your grandmother (or borrow a grandmother) to read the policy and explain it back to you. If you get a blank stare, maybe reconsider your policy or lineage.

Keep it Accurate

The biggest problems for companies are that their website privacy policies are inaccurate, incomplete or incomprehensible or that they simply are not following their own policies. Thus, in both drafting and publicizing the policy, it is important to get buy in from all stakeholders—those who develop the IT behind it and those who use the data collected. After the policy is written, disseminate it internally to all relevant employees with the question, “Are we doing this?” Often, a company decides to use data in a way that is inconsistent with its privacy policy without ever informing those responsible for the policy. This typically comes under the broad rubric of “Wouldn’t it be cool if we just ….” Any time databases are linked, data is shared, transmitted or used, company personnel should be trained to ask, “Do consumers know we are doing this?” and then, “Do consumers really know we are doing this?” If there is any doubt about it, you can either not use the data in that way or update your privacy policy to reflect the new data collection or use practices (in some cases). Inaccuracies or incompleteness in privacy policies have led to legal or regulatory trouble for many companies. Some examples include:

Facebook: In 2018, Facebook faced scrutiny over its data privacy practices after it was revealed that political consulting firm Cambridge Analytica had gained access to the personal information of millions of Facebook users without their consent. Facebook’s privacy policy at the time did not accurately reflect how users’ data was being used, which led to a $5 billion settlement with the Federal Trade Commission.
Google: In 2012, Google was fined $22.5 million by the Federal Trade Commission for misrepresenting its privacy policy. Google’s privacy policy at the time stated that it would not combine data from different Google services, but in reality, it was combining data to create a more complete picture of users’ online behavior for advertising purposes.
Vizio: In 2017, TV manufacturer Vizio settled with the Federal Trade Commission for $2.2 million over allegations that it collected data from millions of its smart TVs without users’ consent. Vizio’s privacy policy did not accurately disclose how the company was collecting data from its TVs.
Uber: In 2017, ride-hailing company Uber agreed to pay a $20 million settlement to the Federal Trade Commission over allegations that it misled drivers about the amount of money they could earn and the cost of financing a vehicle through Uber’s Vehicle Solutions program. Uber’s privacy policy did not accurately disclose the terms of the program.
Delta Airlines: In 2018, Delta Airlines settled with the California Attorney General’s Office for $50,000 over allegations that its privacy policy did not accurately disclose its use of third-party analytics services. Delta’s privacy policy stated that it did not share personal information with third parties for marketing purposes, but it did share personal information with third-party analytics services.

Difference Between Truthful and Accurate

I would advise companies not to get “cutesy” in drafting these policies. As an example, the College Board—the entity responsible for administering the PSAT and SAT exams (among others)—had a privacy policy that the only data it would share with colleges, universities and funding sources like scholarship granting entities would be a student’s name and email address. It went on to collect a great deal of profile information about applicants, including high school, grades, interests, courses, family matters and the like. Why were they collecting this data if the only data they were sharing was a student’s name and email address?

What they didn’t tell applicants was that their customers—the colleges and scholarship programs—would make specific requests for lists of students who met certain criteria. If a college was looking to recruit female engineers with a 3.8 GPA or above who attended a rural high school and played lacrosse, the College Board would provide a list of names and email addresses. Technically, the privacy policy was accurate. The only information “shared” was the name and email address. But the College Board used the entire set of data collected to share that data. A reasonable reader of the privacy policy would not know that. In addition, while the College Board said that it was sharing the data with “funding entities” that offered scholarships, it did not require those entities to use that data only for reviewing scholarships. Some of these entities that offered scholarships included the Department of Defense, the CIA, the NSA and other government entities. It’s not clear that a ninth grader seeking to take the PSAT exam is consenting to give their algebra test results to the CIA. The same is true for companies like Meta’s Facebook. Rather than, for example, providing a distributor of insulin with a list of Facebook users with diabetes (or doctors who treat diabetes)—which would be “sharing” the data, Facebook will disseminate the insulin ad to those users on behalf of their customer—the advertizer. A Facebook user might not know that the company has collected information about their blood sugar levels and is using it to get paid for delivering ads related to insulin, and indeed the simple phrase “We don’t share your data with anyone,” might lead one to believe that the data is not being so used. A better approach might be to say, “While we don’t share your data with our advertisers, we use your data on behalf of the advertisers to deliver their ads to people they want to see based on the tons of personal information we have collected about you.” That’s probably why I am not in marketing.

Similarly, I would avoid generalities like “We use your data to provide you personalized services.” You want the language to be broad enough to allow for potential future uses of data that you may not have anticipated but accurate enough to give notice to users of what you intend to do with their data.

Local Rules

It goes without saying that the internet is everywhere—which is why I am saying it. As a result, even a mid-sized company in Euclid, Ohio might have to comply with the privacy laws of Singapore, the EU, Mexico, Canada or—god forbid—California. The degree to which they have to comply, and the specific language they need to have on their website may depend on the nature of their business operations and the data collected.

If You Say It, Do It

Writing the policy is the first step. Staying in compliance is just as important if not more so. Make sure you disseminate the policy internally and train everyone on what you have promised. For example, you might say that you don’t share PII with anyone outside your organization. But you may have to share it with auditors, privacy auditors, outside counsel or others. Your privacy compliance policies may be subject to review by third parties in a merger, acquisition or due diligence program. If you say it, mean it.

Don’t Forget Security

Various laws and regulations require companies not only to protect the privacy of data but in doing so, also provide a reasonable level of data security. That also may mean imposing a duty of security on any third-party vendor who can use or access that data or the computers or networks on which that data is stored or through which it is transmitted. Not only must you have a meaningful security program (and often a written information security policy (WISP)), but that program must be reasonably comprehensive and appropriately described in the privacy policy. Statements like “Securing your data is our highest priority,” or “We use state-of-the-art security” are not only not descriptive, they can be dangerous. Similarly, statements like “We use SSL to secure all of your data,” ignores that SSL is merely a means of securing data in transmission and says nothing about the security of data at rest. As such, it creates an inaccurate description of security and creates a false impression among consumers. Indeed, the FTC has, in some cases, found such expressions to be deceptive trade practices.

Update and Review

It is important to update and review your privacy policy at least once a year, and whenever there is (1) a change in ownership, (2) a major change in data collection or use practices, (3) major technological changes (e.g, migration to cloud, transfer of data centers, etc.) and (4) changes in the law or geography of the company or its customers. The four worst words a lawyer (or CISO) can hear are “Oh, by the way…” The problem is that someone in sales, marketing, product development, etc. gets some idea like “Hey, why don’t we train an AI model on our existing databases to promote more efficient use of our customer relations? Blah blah blah…” What they are proposing is to have a machine make some use of customer information for some purpose. Is this permitted under the privacy policy? Is it covered? Did anyone think to ask?

Privacy policies typically also include a method for consumers to contact the company about privacy complaints, to obtain access to their personal information or to correct incorrect data. This may be a website or an email address. Make sure that the contact information is correct, the email address operational and that it is monitored. Often, companies will have the email account set to [email protected] redirected to [email protected], the chief privacy officer or legal counsel or CISO, or whatever. When Joe Blow moves on to another job, make sure that the emails are directed to the right person or job description.

Reviewing and updating the privacy policy can be tricky—not just to keep the policy updated, but to ensure that users accept the terms of the new policy. Usually, the initial policy includes language (potentially unenforceable) that says something like “We change our policies all the time. By using this website you agree to all updates to our policy.” Alternatively, it might say, “Every time you visit the website, you agree to the most recent policy.” Note the substantial difference between the two. In the former, the consumer agrees in the past to changes in the policy in the future, about which they have no notice, have given no meaningful assent and for which they have been provided no compensation. It’s not clear that this is even a “contract.” In the latter case, those who at least visit the website (some act) are deemed to have accepted the new terms—but have they accepted the terms for data transferred in the past, or only for data given after the assent? And what is the “consideration” provided for the new terms? Remember, privacy policies are contracts and are governed by general principles of contract law. By updating their privacy policies, companies run the risk of creating pools of personal data—that collected in version one, revision two and and revision three, each with their own notice and consents. A person who gave their data under policy version one may not have consented to the use of the data under the terms of the policy in revision three. Your privacy policies should account for the potential future changes.

Other Website Contracts

Remember, the website privacy policy also has to be read in conjunction with other website contracts like the end user license agreements, software license agreements, software-as-a-service agreements or website terms of use or terms of service. These agreements are generally more extensive and define the rights and responsibilities of both parties. They may including things like limitations on damages, arbitration and choice of law provisions, notice and consent provisions and other terms. Whenever you draft or redraft any of these policies, it is important to make sure that the terms of these contracts remain consistent with each other.

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark