The Ultimate Privacy Policy Checklist

Maybe you’re just starting a new business and have recently launched a website or application. Maybe you’ve recently expanded into new markets and territories. Maybe recent data privacy news has made you reconsider how you’re managing users’ data. Whatever the cause, you’ve decided it’s time to draft or revise your privacy policy.

Okay — maybe this isn’t the most thrilling part of your work. But a well-crafted privacy policy can bring with it a whole host of benefits. You’ll:

• Stay in compliance with major data privacy regulations like the CCPA/CPRA and GDPR
• Demonstrate to your users that you respect their privacy and will treat their data responsibly
• Reduce your risk exposure in the event of a data breach or lawsuit
• Demonstrate to third parties that you meet their data privacy standards and are therefore a reliable partner
  
  

Unfortunately, it’s hard to get a sense for what you need to incorporate into your own privacy policy by looking at other organizations’ policies. Don’t worry; we’ve got you covered. Use this privacy policy checklist to become compliant.

Here’s what to know first

Don’t just copy-paste

Since your business, your industry, your vendor relationships, your data processes, and governing jurisdiction are all unique to you, you can’t just copy-paste somebody else’s privacy policy. Some of the basic information common to all privacy policies can be lifted and shifted, but realistically, it’s best to just draft your own policy with the pertinent details of your business based on this privacy policy checklist.

You know that building trust with current and potential clients is paramount to building your business. You also understand that collecting data is imperative while building relationships. Privacy policies can help you build trust while achieving compliance with the authorities. 

Privacy policies are mandatory and enforceable

If you operate within or have users within a jurisdiction with a data privacy regulation, you’re legally required to include a privacy policy or an equivalent disclosure on your website or application. Article 13 of the General Data Protection Regulation (GDPR), for instance, doesn’t explicitly mention a privacy policy, but does assert that “the controller” — that’s you — “shall, at the time when personal data are obtained, provide the data subject with all of the [relevant privacy] information.” You don’t have to communicate this info in a privacy policy per se, but it really is much more convenient to keep a dedicated page or channel covering all the required privacy information — i.e., a privacy policy.

Section 7 1798.130.(5) of the California Consumer Privacy Act (CCPA), on the other hand, does explicitly require a privacy policy.

Other states and countries have similar stipulations, either implicitly (like the GDPR) or explicitly (like the CCPA). What’s more, privacy policies aren’t just guidelines — you have to do what you say you do in your privacy policy. If not, you’re liable to face enforcement actions from the Federal Trade Commission, EU data governance authorities, and other organizations depending on your users’ geography.

Think broadly

Say you’re a small business that only sells products in California. Obviously, you’ll want to craft a privacy policy that complies with the CCPA (and the soon-to-be-effective CPRA), but you may think that it’s not necessary to comply with regulations like the Virginia Consumer Data Protection Act (VCDPA), let alone South Africa’s Protection of Personal Information Act or the EU’s GDPR.

This approach, however, could be short-sighted. Once you have customers, users, or data subjects in any of those jurisdictions and meet the applicability requirements — even if your business isn’t located within them — then you are still beholden to those regulations. So, it makes sense for you to plan ahead.

Fortunately, most regulations have significant overlap. When in doubt, adhere to the GDPR and the CCPA/CPRA, as these are broadly considered to be the gold standard of data privacy regulations.

Double-check with legal counsel

If you follow this privacy policy checklist, you’ll be in a fairly strong position. We’ve made sure to include information required by most major data privacy regulations. However, the best way to minimize risk is to consult with legal experts who understand the relevant laws and regulations that apply to your business.

Privacy Policy Checklist: What to include in your policy

1. Your business and contact information

First and foremost, your privacy policy should include your organization’s full name, address, and any other contact information you can provide. If you have a data protection officer (DPO) or an equivalent individual at your organization, you should provide their information as well.

Under the GDPR, a DPO is required if you process sensitive data on a large scale or monitor individuals on a large scale. Hospitals, security companies, and the like are good examples of organizations that need a DPO. For more specifics on the GDPR DPO requirement, see Article 37 of GDPR. Even if you don’t meet those requirements, keeping a dedicated privacy professional on staff isn’t a bad idea.

2. The categories of data you collect

You’ll want to describe the categories of personal information collected, sold, shared, and disclosed within the preceding 12 months as well as details on what types of personal information you collect from users. This could include, for example:

• Personal identifiers, such as names, email addresses, identification numbers, and the like
• Geolocation data
• Demographic data, such as race, gender identity, age, and the like
• Internet activity data
• And more

Different regulations have different categories of data that you should disclose. When in doubt, try to follow the CPRA’s guidance, which requires that categories of collected data must be “described in a manner that provides consumers a meaningful understanding of the information being collected.”

Additionally, it’s a good idea to disclose that you do not collect the personal information of minors, if that’s the case. If you do collect the personal information of minors, you should seek legal counsel’s help in making sure you are handling that data and the disclosure properly.

3. The sources of the data or how you collect data

You will need to describe how you collect or source data, including a description of the categories of sources. While you likely collect some information from the user directly, it’s possible you collected information from a third party, such as a government database, internet service providers, advertising networks, and so on.

4. The purpose of data collection

What do you intend to do with your users’ data? It could be for fraud prevention, a better customer experience, marketing purposes, or any other reasonable use case for user data. Furthermore, it’s a good idea to delineate the purpose behind each category of personal information that you listed in item two of this list. If you don’t have a good reason to collect a given category of data, then most data privacy regulations require you to not collect it at all.

Note that if you intend to use personal information for targeted advertising, many regulations require you to clearly and conspicuously disclose that fact, as well as the fact that the consumer can opt out of this processing.

In addition, most major privacy laws require that you disclose whether consumer data will be used in automated decision-making processes, how consumer data impacts this decision-making, the associated results and consequences, and the users’ right to opt out of that decision-making. Often, these automated processes can include an element of bias, a reality that these laws try to mitigate with this requirement.

5. The legal basis of data collection

You’ll also want to take note of your legal basis behind data collection. The GDPR, for instance, lists out the following as acceptable legal bases for collection:

• User consent (which is the most common basis used today)
• A contractual obligation
• A legal obligation requiring your organization to process user data (e.g., a lawsuit or subpoena issued by a governmental entity.)
• Vital interest; that is, that processing the user’s data is necessary to preserve life, safeguard fundamental rights, support humanitarian emergencies, and other select circumstances.
• Public interest
• A legitimate interest in processing the user’s data (another commonly used basis, though you’ll need to disclose the nature of your legitimate interest)

6. The consumer’s rights

Make sure you clearly describe the rights the user (or data subject) you are collecting data from possesses and how they can exercise these rights.

These can vary from regulation to regulation, but generally, data subjects have:

• The right to access personal information
• The right to rectify incorrect personal information
• The right to object to the processing of personal information
• The right to withdraw consent to the processing of personal information
• The right to lodge a complaint with a supervisory authority (which varies depending on where the data collection occurs)
• The right to appeal a business’s decision with regard to a data subject’s request
• And more depending on your and your users’ location

7. Who you share personal information with

Your privacy policy should disclose whether or not you sell personal information, whether you have sold personal information in the last 12 months, and which categories of personal information you have sold. Under the CCPA, you only had to disclose if you sold data — that’s changed under the CPRA, which stipulates that you disclose both shared and sold data.

If possible, provide the specific details of the recipient. Under the CCPA/CPRA, you also have to inform your users about which categories of recipients you sell their data to or share their data with (e.g., suppliers, credit reference agencies, government departments).

8. Whether the data will be transferred across borders and how

Transferring data into another country or state can expose your users’ data to greater risk. If you operate out of California or the EU, for instance, and transfer data to a jurisdiction with less robust data protection laws, the recipient may treat your users’ data with less than the respect it deserves.

However, it’s possible to establish safeguards to enable a compliant data transfer. Typically, this takes the form of a contractual agreement (specifically, the GDPR’s Standard Contractual Clauses) between your organization and the receiving party affirming that they will treat your users’ data to the same standards as yourself.

9. Whether data collection is voluntary or mandatory

Indicate what categories of data that you collect are required or are optional. If your users decline to share data that would be useful for marketing and analytics purposes, they can still use your website, make a purchase, use your app, or engage in whatever other activity serves as the focal point of your relationship. On the other hand, if you operate an e-commerce business and they refuse to share their address with you, you won’t be able to ship them the products they order. Depending on the nature of your organization, the type of data that needs to be collected in order to serve your users will vary.

10. Your data retention policies

How long do you intend to retain the different categories of your users’ data? If you’re uncertain about the exact answer, under what circumstances will you no longer need a user’s data? Explain what criteria you will use to determine when you’ll delete that data.

11. Your security measures

Certain regulations require that you state your security measures in a privacy policy, while others merely require that you maintain them — in any case, it’s still a good idea to include them in your privacy policy. This builds trust with your users and signals that you take their privacy seriously. You might indicate whether you pseudonymize and/or encrypt personal data, whether you can back up and restore data in the event of an emergency, whether you comply with security standards like SOC 2, and more.

12. Your financial incentive programs

If you provide a financial incentive, a price difference, or a service level difference based on a user’s data choices, you have to include what’s called a “Notice of Financial Incentive” under the CCPA/CPRA. This disclosure needs to contain:

• A brief summary of the program
• A detailed description of the program
• Info on how the consumer can opt in
• A right of withdrawal
• An explanation of the value provided by the program

13. How you will communicate changes to your policy

As your organization evolves and laws change, your policies will too. Tell consumers how you’ll let them know about future changes to your data management plan.

14. Effective date

Was your data protection strategy updated a week ago or a decade ago? Show full transparency by including the effective date of your current privacy policy.

Pro tip: Make your privacy policy easy to understand

Unfortunately, the majority of policies on the web present their readers with a confusing mishmash of legalese and technical jargon. In fact, according to one analysis based on readability metrics like sentence length and complexity, Facebook’s privacy policy was only slightly easier to read than Immanual Kant’s infamously dense Critique of Pure Reason.

Do your users a favor and spend time crafting a privacy policy that anybody can understand. It’s not just a nice thing to do: when users understand what you’re doing with their data, they’re more likely to do business with you and less likely to make complaints or leave negative reviews should they make an unexpected discovery.

What’s more, spending time to write a clear privacy policy is actually an activity that brings you closer to compliance. In fact, article 12 of the GDPR stipulates that privacy policies must be delivered “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”

If you follow the guidance in this privacy policy checklist, you’ll be on the right track when it comes to clarity, but there’s always room for improvement. If you’re looking for inspiration, here are some notable privacy policies that we think do a great job of including all the requisite information and presenting it in an easy-to-understand way:
Snap Inc.
Twitter
Google

The kicker?

More important than having a comprehensive privacy policy is actually doing all the things you promise within it. Adhering to your privacy policy will help you keep your organization secure, improve your data governance practices, and keep you in compliance.

But this can be a daunting task. Implementing a data privacy policy is a multifaceted and far-reaching endeavor, one that requires significant technical expertise. And when the consequences of failure are crippling fines and a major loss of user trust, doing what you promise to do in your privacy policy can feel a little nerve-wracking.

That’s why the team at Osano focused on developing a solution that makes achieving compliance simple, reliable, and trustworthy. Using the Osano consent management platform, you can execute on a number of their privacy policy concerns, including:

• Gathering and managing consent for data collection in compliance with the data privacy laws of over 50 countries — and doing it with just one additional line of JavaScript on your website
• Providing data subjects an easy way to make access requests and exercise their rights
• Discovering the personal data relevant to a data subject, ensuring you can quickly respond to their requests and respect their rights
• Assessing the data practices of over 14,000 vendors, enabling you to partner and share user data with only those vendors that meet your standards

Sign up for a demo or a free trial and enjoy the peace of mind that comes with knowing you’re delivering on what you promise in your privacy policy.