5 Privacy Trends for 2025: What to Watch For
Heraclitus said that “The only constant in life is change,” but...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: September 25, 2024
Published: June 1, 2022
Maybe you’re just starting a new business and have recently launched a website or application. Maybe you’ve recently expanded into new markets and territories. Maybe recent data privacy news has made you reconsider how you’re managing users’ data. Whatever the cause, you’ve decided it’s time to draft or revise your privacy policy.
Okay — maybe this isn’t the most thrilling part of your work. But a well-crafted privacy policy can bring with it a whole host of benefits. You’ll:
Unfortunately, it’s hard to get a sense for what you need to incorporate into your own privacy policy by looking at other organizations’ policies. Don’t worry; we’ve got you covered. Use this privacy policy checklist to become compliant.
Since your business, your industry, your vendor relationships, your data processes, and governing jurisdiction are all unique to you, you can’t just copy-paste somebody else’s privacy policy. Some of the basic information common to all privacy policies can be lifted and shifted, but realistically, it’s best to just draft your own policy with the pertinent details of your business based on this privacy policy checklist.
You know that building trust with current and potential clients is paramount to building your business. You also understand that collecting data is imperative while building relationships. Privacy policies can help you build trust while achieving compliance with the authorities.
If you operate within or have users within a jurisdiction with a data privacy regulation, you’re legally required to include a privacy policy or an equivalent disclosure on your website or application. Article 13 of the General Data Protection Regulation (GDPR), for instance, doesn’t explicitly mention a privacy policy, but does assert that “the controller” — that’s you — “shall, at the time when personal data are obtained, provide the data subject with all of the [relevant privacy] information.” You don’t have to communicate this info in a privacy policy per se, but it really is much more convenient to keep a dedicated page or channel covering all the required privacy information — i.e., a privacy policy.
Section 7 1798.130.(5) of the California Consumer Privacy Act (CCPA), on the other hand, does explicitly require a privacy policy.
Other states and countries have similar stipulations, either implicitly (like the GDPR) or explicitly (like the CCPA). What’s more, privacy policies aren’t just guidelines — you have to do what you say you do in your privacy policy. If not, you’re liable to face enforcement actions from the Federal Trade Commission, EU data governance authorities, and other organizations depending on your users’ geography.
Say you’re a small business that only sells products in California. Obviously, you’ll want to craft a privacy policy that complies with the CCPA (and the soon-to-be-effective CPRA), but you may think that it’s not necessary to comply with regulations like the Virginia Consumer Data Protection Act (VCDPA), let alone South Africa’s Protection of Personal Information Act or the EU’s GDPR.
This approach, however, could be short-sighted. Once you have customers, users, or data subjects in any of those jurisdictions and meet the applicability requirements — even if your business isn’t located within them — then you are still beholden to those regulations. So, it makes sense for you to plan ahead.
Fortunately, most regulations have significant overlap. When in doubt, adhere to the GDPR and the CCPA/CPRA, as these are broadly considered to be the gold standard of data privacy regulations.
If you follow this privacy policy checklist, you’ll be in a fairly strong position. We’ve made sure to include information required by most major data privacy regulations. However, the best way to minimize risk is to consult with legal experts who understand the relevant laws and regulations that apply to your business.
First and foremost, your privacy policy should include your organization’s full name, address, and any other contact information you can provide. If you have a data protection officer (DPO) or an equivalent individual at your organization, you should provide their information as well.
Under the GDPR, a DPO is required if you process sensitive data on a large scale or monitor individuals on a large scale. Hospitals, security companies, and the like are good examples of organizations that need a DPO. For more specifics on the GDPR DPO requirement, see Article 37 of GDPR. Even if you don’t meet those requirements, keeping a dedicated privacy professional on staff isn’t a bad idea.
You’ll want to describe the categories of personal information collected, sold, shared, and disclosed within the preceding 12 months as well as details on what types of personal information you collect from users. This could include, for example:
Different regulations have different categories of data that you should disclose. When in doubt, try to follow the CPRA’s guidance, which requires that categories of collected data must be “described in a manner that provides consumers a meaningful understanding of the information being collected.”
Additionally, it’s a good idea to disclose that you do not collect the personal information of minors, if that’s the case. If you do collect the personal information of minors, you should seek legal counsel’s help in making sure you are handling that data and the disclosure properly.
You will need to describe how you collect or source data, including a description of the categories of sources. While you likely collect some information from the user directly, it’s possible you collected information from a third party, such as a government database, internet service providers, advertising networks, and so on.
What do you intend to do with your users’ data? It could be for fraud prevention, a better customer experience, marketing purposes, or any other reasonable use case for user data. Furthermore, it’s a good idea to delineate the purpose behind each category of personal information that you listed in item two of this list. If you don’t have a good reason to collect a given category of data, then most data privacy regulations require you to not collect it at all.
Note that if you intend to use personal information for targeted advertising, many regulations require you to clearly and conspicuously disclose that fact, as well as the fact that the consumer can opt out of this processing.
In addition, most major privacy laws require that you disclose whether consumer data will be used in automated decision-making processes, how consumer data impacts this decision-making, the associated results and consequences, and the users’ right to opt out of that decision-making. Often, these automated processes can include an element of bias, a reality that these laws try to mitigate with this requirement.
You’ll also want to take note of your legal basis behind data collection. The GDPR, for instance, lists out the following as acceptable legal bases for collection:
Make sure you clearly describe the rights the user (or data subject) you are collecting data from possesses and how they can exercise these rights.
These can vary from regulation to regulation, but generally, data subjects have:
Your privacy policy should disclose whether or not you sell personal information, whether you have sold personal information in the last 12 months, and which categories of personal information you have sold. Under the CCPA, you only had to disclose if you sold data — that’s changed under the CPRA, which stipulates that you disclose both shared and sold data.
If possible, provide the specific details of the recipient. Under the CCPA/CPRA, you also have to inform your users about which categories of recipients you sell their data to or share their data with (e.g., suppliers, credit reference agencies, government departments).
Transferring data into another country or state can expose your users’ data to greater risk. If you operate out of California or the EU, for instance, and transfer data to a jurisdiction with less robust data protection laws, the recipient may treat your users’ data with less than the respect it deserves.
However, it’s possible to establish safeguards to enable a compliant data transfer. Typically, this takes the form of a contractual agreement (specifically, the GDPR’s Standard Contractual Clauses) between your organization and the receiving party affirming that they will treat your users’ data to the same standards as yourself.
Indicate what categories of data that you collect are required or are optional. If your users decline to share data that would be useful for marketing and analytics purposes, they can still use your website, make a purchase, use your app, or engage in whatever other activity serves as the focal point of your relationship. On the other hand, if you operate an e-commerce business and they refuse to share their address with you, you won’t be able to ship them the products they order. Depending on the nature of your organization, the type of data that needs to be collected in order to serve your users will vary.
How long do you intend to retain the different categories of your users’ data? If you’re uncertain about the exact answer, under what circumstances will you no longer need a user’s data? Explain what criteria you will use to determine when you’ll delete that data.
Certain regulations require that you state your security measures in a privacy policy, while others merely require that you maintain them — in any case, it’s still a good idea to include them in your privacy policy. This builds trust with your users and signals that you take their privacy seriously. You might indicate whether you pseudonymize and/or encrypt personal data, whether you can back up and restore data in the event of an emergency, whether you comply with security standards like SOC 2, and more.
If you provide a financial incentive, a price difference, or a service level difference based on a user’s data choices, you have to include what’s called a “Notice of Financial Incentive” under the CCPA/CPRA. This disclosure needs to contain:
As your organization evolves and laws change, your policies will too. Tell consumers how you’ll let them know about future changes to your data management plan.
Was your data protection strategy updated a week ago or a decade ago? Show full transparency by including the effective date of your current privacy policy.
Unfortunately, the majority of policies on the web present their readers with a confusing mishmash of legalese and technical jargon. In fact, according to one analysis based on readability metrics like sentence length and complexity, Facebook’s privacy policy was only slightly easier to read than Immanual Kant’s infamously dense Critique of Pure Reason.
Do your users a favor and spend time crafting a privacy policy that anybody can understand. It’s not just a nice thing to do: when users understand what you’re doing with their data, they’re more likely to do business with you and less likely to make complaints or leave negative reviews should they make an unexpected discovery.
What’s more, spending time to write a clear privacy policy is actually an activity that brings you closer to compliance. In fact, article 12 of the GDPR stipulates that privacy policies must be delivered “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
If you follow the guidance in this privacy policy checklist, you’ll be on the right track when it comes to clarity, but there’s always room for improvement. If you’re looking for inspiration, here are some notable privacy policies that we think do a great job of including all the requisite information and presenting it in an easy-to-understand way:
Snap Inc.
Twitter
Google
More important than having a comprehensive privacy policy is actually doing all the things you promise within it. Adhering to your privacy policy will help you keep your organization secure, improve your data governance practices, and keep you in compliance.
But this can be a daunting task. Implementing a data privacy policy is a multifaceted and far-reaching endeavor, one that requires significant technical expertise. And when the consequences of failure are crippling fines and a major loss of user trust, doing what you promise to do in your privacy policy can feel a little nerve-wracking.
That’s why the team at Osano focused on developing a solution that makes achieving compliance simple, reliable, and trustworthy. Using the Osano consent management platform, you can execute on a number of their privacy policy concerns, including:
Sign up for a demo or a free trial and enjoy the peace of mind that comes with knowing you’re delivering on what you promise in your privacy policy.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.