Privacy Policy Template

Download our free privacy policy template to create your own privacy policy notice, with tips on how to keep compliant with data protection laws.

June 30, 2021

As the number of data breaches has increased over the years, it's unsurprising to see that people are now more protective of their privacy than ever before. There's also a growing awareness of the importance of controlling your personal data, especially with the advent of GDPR (General Data Protection Regulation) and other data protection policies.

With all these extra risks and growing consumer awareness, it's vital that you have a robust privacy policy to protect your and your customers' data. First and foremost, it's a legal requirement. UK and EU data protection laws state that you need to tell individuals how you are gathering and using their personal data. Luckily, you can do this through a simple privacy policy, and write your own using a privacy policy template.

A well-thought-out website privacy policy does more than show that you're complying with the law. It also shows that you care about your customers, and any visitors to your website. It demonstrates transparency, showing your customers that there is nothing sinister behind your need to gather certain information about them, which can be vital to the day-to-day running of your business. If you're upfront about why you collect customer data, it can only improve your reputation as a business to be trusted.

In this article we talk you through what you need to include in a privacy policy, why your business needs one and guide you through creating your own. You can write your own from scratch, but we've also created a handy privacy policy template for you to download to make things easier and ensure you don't miss anything vital.

What is a privacy policy?

A privacy policy is a legal document that explains how you will collect, store and use personal information from people who visit your website. It should include the contact information for the company's data controller, as well as point visitors to the right person if they wish to make a complaint.

A privacy policy shouldn't be confusing or full of technical jargon. It should be written in clear language that is easy to understand, and freely accessible to anyone visiting your website.

Can I write my own privacy policy?

Yes, you can write your own privacy policy. It's important to remember that this document is for your customers to read. This means that it will need to be explicit, but easy to understand.

We've put together a simple guide to walk you through the steps and items you should include in your privacy policy. We've also created an easy template for you to download and use.

However, you should remember that this is your business, and that the data you collect is unique to you. Therefore you should edit and tweak this template to make sure you cover all the needs of your business, and ensure that any visitors to your website have all the information they need about how you collect, use, store and process any data you gather.

Can't I just copy another privacy policy?

No. In order to cover yourself legally, your privacy policy needs to be specific to the data your business collects, so this isn't something you can just copy-paste from somewhere else. 

However, you can save time by using this guide and free privacy policy template we've created for you.

Do I really need a privacy policy? 

If you collect personal data then yes, global privacy laws mean you need a privacy policy. Without one, you leave yourself vulnerable to huge fines that could ruin your company. It's probably one of the most important legal documents you will create for your business.

If you gather any information on your visitors then you need to specify this information in your privacy policy. This is more than just getting users to give you their information when signing up to a service. It's also about software working behind the scenes to track visitors to your website. 

Simply put, if you have a website that: 

  • Collects user data through a service like Google Analytics;
  • Uses contact forms to collect personal data;
  • Asks users to subscribe to email newsletters or other communications and updates, 

then you need a privacy policy. In fact, if you use Google Analytics, then you should already know that their Terms & Conditions specify that you have to have a privacy policy.

What is personal data?

Personal data is information that can be used to identify any living individual. Examples of personal data include:

  • Names
  • ID numbers (like your passport or National Insurance number)
  • Email address
  • Home address
  • IP address
  • Medical data
  • Location data (such as the GPS data on your mobile phone)
  • Cookie IDs (more on these later)

There are also other categories of personal data covered under the GDPR legislation such as political and religious beliefs, sexual orientation or racial and ethnic origin.

If you collect or process any of this sort of personally identifiable information then you'll need to explicitly state what you're collecting in your privacy policy. You'll also need to be clear on why you're gathering this data and what you intend to do with it.

Have a cookie

It seems that you can't go anywhere on the web without a website asking you if you're OK with cookies. Rather than the tasty treat, this refers to small pieces of data (cookies) that a website stores on a user's device.

These cookies help the website remember certain data about the user, making it easier and faster for them to log in when returning. They can also remember what items were in a user's shopping cart on an online marketplace or track browsing history.

You can choose to include a section about cookies in your privacy policy document, with a link to more detail in your cookie policy. This section should inform readers:

  • What cookies are and if they are active on your site
  • What user data your cookies track
  • The legitimate purpose for tracking this data
  • What happens to this data and where it gets sent

Legally, European GDPR and the California Consumer Privacy Act (CCPA) require you to have a cookie policy on your website, so this is a good prompt to add a link to it in your privacy policy and make sure it's up to date.

Should a lawyer write it?

There's no legal requirement that says you have to lawyer up to write your privacy policy. You can hire a lawyer to do it for you, but it can cost between £500 and £5000, so a DIY approach may be right for you.

If you're a small business, then following a set guide and sample template is a simple way to get your privacy policy up and running. After all, no one knows your business better than you! You'll know exactly what data your website gathers and why, and can communicate this to your visitors in language they can understand.

However, if your business is more complex, then it may be a good idea to get some outside legal help. The total cost of having a lawyer write a privacy policy for you may go up depending on the nature of your business. A specialist lawyer may cost more so don't forget to factor this into your budget.

There are privacy policy generators online that you can use if you need a bit of extra assistance, but these usually cost a one-off fee.

If you collect large amounts of personal user data or have users in a variety of different countries or locations, then getting legal advice may be a good idea. If your business is relatively simple and you only collect a few types of data, then writing your own privacy policy is more straightforward and something you can handle yourself.

How GDPR affects you

General Data Protection Regulation (GDPR) came into force in 2018. Widely considered to be the world's strongest data protection legislation, it is a privacy and security law that was drafted by the European Union, but applies to businesses around the world, as long as they deal with data related to people living in the EU.

This means that UK businesses are required to follow the regulations, even post-Brexit. After the launch of GDPR, the UK created the Data Protection Act (2018), replacing the Data Protection Act of 1998.

In the UK, the Information Commissioner's Office (ICO) can bring criminal proceedings where non-compliance with privacy laws has been found. Website owners can be fined up to £5000 in the Magistrates' Court, and this fine can be unlimited if the case is tried on indictment and heard by the Crown Court.

Any business that falls foul of GDPR legislation leaves themselves open to eye-watering fines. A company can be fined up to €20 million or 4% of global revenue (whichever is higher). Data subjects can also sue for damages, so it's vital that your privacy and data policies are up to scratch.

There are 99 articles in the GDPR, and Articles 12, 13 and 14 detail exactly how to create a privacy policy that is compliant with the regulations.

According to GDPR, businesses must provide a privacy policy which is:

  • Concise, easy to understand and transparent
  • Easy to access
  • Free to access (e.g. not behind a paywall)
  • Written in clear, easy-to-understand language

When writing your privacy policy, it's advised that you stay away from unclear language. Avoid phrases like "may" or "might" as these are vague, and now is the time to be explicit. The GDPR guidelines have some example phrases which are unclear, and better examples you can swap them out for. You can access these and find good practice examples here.

What to include in your privacy policy 

Now you're ready to start writing your privacy policy – but you may be unsure about exactly what you need to include. Fortunately, we've thought of that for you.

Here, we've included the key points that your privacy policy needs as well as a handy sample privacy policy template for you to download and use.

Clear copywriting

Before you even start, it's important to remember that the language should be kept clear and simple. It’s not just what you say but how you say it. Now isn’t the time to confuse people with technical, overly complicated language. They need to know what you’re doing with their data and have the right to be told simply and clearly.

Here's an example of unclear phrasing from the official EU GDPR guidelines:

  • “We may use your personal data to offer personalised services” (as it is unclear what the “personalisation” entails).

which the guide suggests you could improve by saying:

  • “We will keep a record of the articles on our website that you have clicked on and use that information to target advertising on this website to you that is relevant to your interests, which we have identified based on articles you have read” (it is clear what the personalisation entails and how the interests attributed to the data subject have been identified).

This document also needs to be concise. A Carnegie Mellon study found that the average length of a privacy policy is 2,500 words, so don't worry about writing a privacy encyclopaedia. If you want some inspiration, why not check out our own privacy policy.

One final thing to remember: you want your privacy policy to be brief, but don't use this as an excuse to skip a section.

Your nominated data controller

A data controller is the person who decides how and why personal data is processed. This is different to a data processor, who is responsible for processing personal data on the data controller's behalf, and a Data Protection Officer, who ensures that businesses apply the laws protecting people's personal data.

According to Article 13 (1)(a) of GDPR, you need to give information on "the identity and the contact details of the controller and, where applicable, of the controller's representative".

This means you need to give the name and contact information of your data controller. Their full name and email will do.

Legally, not every business has to have a Data Protection Officer, but if you do have one, make sure that you provide their contact details as well.

Who you are

It may seem obvious, but people need to know exactly who you are, and how to contact you and your company.

Even if you provide your contact details elsewhere on your website, give the information here in your privacy policy as well. Make sure to include:

  • The company name
  • Address
  • Phone number
  • Email address

If you're based outside of the EU and have a representative, add their contact details here as well.

The type of information you collect

The kind of information you collect and process will vary depending on the kind of business you have. Some will only need emails for newsletters, while e-commerce companies will need a range of financial data.

You must include all the data that your company collects, stores and processes, and be as specific as possible. For example, if you're an e-commerce company, telling your customers that you're collecting "financial information" is a little vague. Be clear about what you're using and why. For example, you could say that you're collecting credit card information for payment purposes at the checkout.

The legal basis of processing

Under GDPR, you legally have to have a legitimate reason for collecting and processing personal data. As such, your privacy policy needs to state the purpose for which you process the personal data you collect.

Be clear on the purpose behind using people's personal data. If you're using it for marketing or for processing orders, then say so.

You can also say how you will protect this personal data. This will reassure your customers and add an extra layer of transparency to your privacy policy, which will boost your credibility and trustworthiness.

How long data will be stored

You can't keep hold of customer data forever. Apart from clogging up your storage, GDPR legislation says that you can only keep personal data for as long as the legal basis for processing is applicable.

Let your customers know how long you intend to keep their personal information (if you can't be sure, just say that you won't keep it for longer than necessary) and let them know when it will be removed. You could also share the criteria that decides how long you keep this information for so that readers of your privacy policy understand you're not holding on to it for longer than strictly necessary.

Are you sharing personal data?

If you are, be explicit. If another company processes data on your behalf, then write it here. You don't have to name every company involved, but you can name the categories that these companies fall under.

If data is being processed by third-party services, or going outside of the EU, say so.

Data subject rights

There are eight data subject rights that you need to include in your privacy policy:

  1. The right to be informed. You need to keep people informed about what data you're collecting, what you intend to do with it and why. You also need to inform people about how long you will keep hold of their personal data and who it will be shared with.
  2. The right of access. Individuals have a right to receive a copy of any personal data your business holds on them. As well as including this in your privacy policy, you'll need to be prepared for any subject access request.
  3. The right of rectification. If a company holds inaccurate personal data on an individual, then they have the right to ask the company to correct that data.
  4. The right to be forgotten. People can ask that a company erases their personal data. This is usually under certain circumstances, for example if the personal data is no longer necessary for the purpose which the company originally collected or processed it for.
  5. The right of portability. People can ask that their personal data is transferred to another organisation or service. 
  6. The right to restrict processing. Individuals can restrict or limit how their personal data is used. 
  7. The right to object. If an individual is unhappy with how any of their personal data is being processed, they have the right to object.
  8. Rights in relation to automated decision making and profiling. Article 22 (1) of GDPR says that “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” If an individual believes that their data is being processed unlawfully, then they can ask businesses for a copy of their automated processing activities.

Cookies

If you use cookies, provide a brief explanation about what they are and why you use them. This need only be a short paragraph, and you can add a link to your more detailed cookie policy if readers want more information.

Do you link to external sites?

If you have a blog or newsletter, then you probably link to other websites, or you may link to other products and services on your own website. If so, then this is a good time to remind readers that your privacy policy only extends to your own site.

It's worth mentioning that you have no control over these other sites, reminding people to check their individual privacy policies for their own protection.

Business transfers

If you've only just launched your business, you're probably not thinking about what would happen if you should sell or lose your business. It's good to be prepared for the future and any eventuality, so use this section to tell people what will happen to their personal data if you should sell up or go bankrupt.

Right to complain

Hopefully no one will ever want to make a complaint about you and how you handle data, but none of us can predict the future. 

If an individual wants to complain, show that you're willing to help them. Give them the details to contact you and the ICO. Once again this shows that you care about your customers' data and want to abide by the rules.

Changes to policy

Remind people that you will make changes to your privacy policy over time. Show them how old your current privacy policy is by including a date saying when the document was last updated.

Summary

By writing a robust privacy policy, you can protect yourself and your business from potential lawsuits and ensure that you are following the latest privacy laws. It also shows your customers that you are a business that takes its data collection practices seriously, and can be trusted with users' personal information.

By following our guide and privacy policy template, you can create your own privacy policy using clear and plain language. As with any legal document, if you have any concerns or queries, it's important that you seek your own legal advice. We're sure that you'll find this guide and accompanying template useful, but we're not lawyers, so we'd recommend speaking to a legal expert to make sure that you have all the bases covered.

Daniel Hogan

Daniel is a Deloitte-trained, fully qualified Chartered Accountant with experience in the finance software space. It was during his tenure managing a finance system in the UK that he grew dissatisfied with the lack of synergy and automation in the space, compelling him to co-found Ember.