How To Write A Privacy Policy For Your Website

Creating a privacy policy for your website can sometimes get backburnered because figuring out how to write a privacy policy isn’t exactly why you decided to become a business owner. ...

Image of an iPad showing the legal guide.


Get a quick crash course in the laws that affect your business and other ways you can protect yourself from legal headaches.

How To Write A Privacy Policy For Your Website

Creating a privacy policy for your website can sometimes get backburnered because figuring out how to write a privacy policy isn’t exactly why you decided to become a business owner. ...

Image of an iPad showing the legal guide.


Get a quick crash course in the laws that affect your business and other ways you can protect yourself from legal headaches.

Creating a privacy policy for your website can sometimes get backburnered because figuring out how to write a privacy policy isn’t exactly why you decided to become a business owner. 

The legal stuff is pretty stinking boring, and writing a privacy policy probably sounds like the ultimate snooze-fest… or worse, the kind of thing that has you waking up in a cold sweat. 

But here’s the thing…

You are legally required to have a privacy policy for your website, so skipping it could land you in legal hot water. 

The good news is that writing a privacy policy doesn’t have to be a daunting task. 

Whether you’re using a template generator or decide to write your privacy policy yourself, you should really know what’s in there… and why! 

That’s what we’ll cover in this post. 

Let’s dive in…

What We'll Cover...

Your Privacy Policy Needs To Include Provisions To Cover All The Privacy Policy Laws

Man with squinting eyes looking over the eyeglasses on his face. Both hands are holding the side of the eyeglass frame. Topic: how to write a privacy policy

A privacy policy is a legal document designed to outline what type of information you collect from your visitors and subscribers, how you use that information, and how you share it with third parties. 

Unfortunately, figuring out what to include in a privacy policy isn’t as simple as looking at a single law… because there isn’t one! 

Multiple countries and states have rules and regulations that set out who is required to have a privacy policy and what information has to be included in that policy. That can make it a pain in the rear to figure out how to write your website privacy policy (or to figure out what you need to make sure is included in a privacy policy template you use!).

While you could spend time trying to figure out which laws apply to you and which don’t, that’s probably not the best use of your time. As long as the rules don’t impose too much of a burden, your best bet is to craft a privacy policy that complies with all of the different rules. 

When it comes to most businesses, you need to make sure you write your privacy policy to include all the provisions set out in three sources: the Children’s Online Privacy Protection Act (COPPA), the California Online Privacy Protection Act (CalOPPA), and the General Data Protection Regulation (GDPR). 

Before we go through HOW to write your privacy policy, let’s take a quick look at the laws that your privacy policy is meant to satisfy. 

Children’s Online Privacy Protection Act (COPPA)

Child sitting on sofa with ipad device in hand looking at device as the light from screen lights up her face. Has overlay image of "lock" icon to the side of child's face. Teddy bear placed next to child on the sofa. Topic: how to write a privacy policy

The Children’s Online Privacy Protection Act (COPPA) is the only federal law that governs online privacy in the United States, and it is one of the oldest online privacy laws on the books (it was passed in 1998). 

But COPPA is fairly limited. Its primary goal is to ensure that parents have control over the information collected about their young children by websites. Specifically, COPPA provides that websites are not allowed to collect personal information from individuals younger than 13 years old without first obtaining direct, verified consent from their parents to collect that information. 

If you’ve ever wondered why sites like Roblox ask if the user is younger than 13… COPPA is the reason! Under COPPA, a parent needs to be the one who initially signs the child up and who consents to the collection of information. 

If you are building a website or other online platform that is directed to children younger than 13, you should consult with a privacy law expert to craft the right policies and procedures to ensure you’re complying with COPPA. That’s beyond the scope of this post. 

Later in this post, we’ll be talking about how websites that are NOT specifically intended for young children need to address COPPA compliance. 

The California Privacy Policy Law (CalOPPA)

Logo-type image in circle shape. On border of circle it reads "California Consumer Privacy Act" with dark blue background. Inside the circle shows an image of the state of California in dark blue with a lock icon in gold. It reads "CCPA". Topic: how to write a privacy policy

The only other law in the United States that is relevant to your website privacy policy is the California Online Privacy Protection Act (CalOPPA), which has been around since 2004. 

Under the law, every website that serves California residents and collects personally identifiable information from them is required to provide a privacy policy on their website. This policy must disclose what information is collected, who the information is shared with, the effective date of the policy, how the site informs visitors of changes to the policy, and information about how the site will respond to “do not track” settings on your browser. 

You may have heard of a more recent law called the California Consumer Privacy Act (CCPA), but that law only applies to you if your revenue is more than $25 million, you’re collecting information from more than 50,000 California residents a year, or you are a data broker who collects and then sells information. So… I’m guessing it doesn’t apply to YOU!

The General Data Protection Regulation

Image of man's torso, head not visible. Has dark suit and tie on while holding a device with one hand. Other hand is scrolling in device. Above device shows images of faceless, basic person silhouette and reads "GDPR" in the middle. Topic:  how to write a privacy policy

Finally, let’s talk about the General Data Protection Regulation (GDPR), which is the EU’s privacy law that went into effect on May 25, 2018, and explaining its complexities is actually one of the things that first brought me to prominence in the online world. 

While the GDPR isn’t specifically about privacy policies, it does have specific requirements for privacy policies that your website needs to follow. If you are collecting personal information from people in the EU (hint: you are), you’re required to disclose certain things at the time of collection. You accomplish this with your privacy policy. 

The GDPR provides that the disclosure should use plain language so readers can easily understand what is happening with their data. 

Among other things, the GDPR requires us to tell people what information we’re collecting, how we’re collecting it, our legal basis for collecting it, what we’ll do with it once it’s collected, and who we share it with. 

The GDPR also requires you to inform visitors of certain rights that they have when it comes to their data. Think of it as something like the Miranda warnings that police officers are required to give… only you’re the one who has to provide the warnings. 

What To Include When Writing Your Privacy Policy

Image of right hand with black marker writing "privacy policy" on white background with black underline.  Topic: how to write a privacy policy

Now that we’ve covered the legal requirements, let’s take a closer look at the different pieces you’ll need to include when you go to create your privacy policy. 

I know that examples are always better than just a description, so the discussion of how to write each section of your privacy policy will involve both a description and sample language from my privacy policy.

Start With An Introductory Section

Pretty much every privacy policy should start with an introduction setting out the name of your company, the name of your website, and the fact that agreeing to the terms of the privacy policy is a condition for using the site. 

After this introduction, you’re ready to write the meat of your privacy policy. 

Address Children Under 13 Using Your Site

Assuming that your site isn’t intended for children under 13, you’ll want to include a provision saying as much… but also including a way for parents to contact you to request deletion of any information their children might share. 

For inspiration, this is the clause we have in our privacy policy: 

Image of snippet from Privacy Policy reads" Children Under The Age of 13 -- Our Website is not intended for children under 13 years of age. No one under the age of 13 may provide any information to or on the Website. We do not knowingly collect personal information from children under 13. If You are under 13, do not use or provide any information on this Website or on or through any of its features/register on the Website, make any purchases through the Website, use any of the interactive or public comment features of this Website or provide any information about Yourself to us, including Your name, address, telephone number, email address, or any screen name or user name You may use. If we learn we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If You believe we might have any information from or about a child under 13, please contact us at

Remember from the discussion of COPPA, that you have to provide a route for parents to seek deletion… so don’t skip this part of your privacy policy. 

Outline The Information You Collect

Next up, you’ll want to write sections in your privacy policy to comply with the requirements of CalOPPA and the GDPR that you disclose what you collect and how you are collecting it. 

You’ll want to craft multiple sections that fall under this general definition, starting with a broad explanation like this:

Image of snippet from Privacy Policy reads: TYPES OF INFORMATION WE COLLECT ABOUT YOU -- When You access the Website, the Company will learn certain information about You during Your visit.

Information You Provide To Us. The Website provides various places for users to provide information. We collect information that users provide by filling out forms on the Website, communicating with us via contact forms, responding to surveys, running queries on our search feature, providing comments or other feedback, and providing information when ordering a product or service via the Website.

We use the information You provide to communicate with You, deliver the requested product and/or service, improve our overall site performance, and provide You with offers, promotions, and information.

Information We Collect Through Automatic Data Collection Technology. As You navigate our Website, we use automatic data collection technologies such as cookies, pixels, server logs, and analytics software to collect certain information about Your equipment, browsing actions, and patterns. This will generally include information about Your location, traffic patterns through our website, and any communications between Your computer and our Website. Among other things, we will collect data about the type of computer You use, Your Internet connection, Your IP address, Your operating system, and Your browser type.

The information we collect automatically is used for statistical data, to target messages to particular users, and to improve our Website and service offerings. To the extent that You voluntarily provide personal information to us, our systems will associate the automatically collected information with Your personal information.

You can also get more specific in the first section and lay out the particular types of information you collect (e.g., names, emails, addresses, etc.).

Beyond the general statement, you’ll want to include a cookie disclosure so that people understand you are using cookies and tracking pixels. Here’s an example:

Image of snippet from privacy policy that reads: USE OF COOKIES
Like other commercial websites, our website utilizes a standard technology called “cookies” and server logs to collect information about our site’s use. Information gathered through cookies and server logs may include the date and time of visits, the pages viewed, time spent at our site, the websites visited just before and after our own, and Your IP address.

A cookie is a very small text document, often including an anonymous unique identifier. When You visit a website, that site’s computer asks Your computer for permission to store this file in a part of Your hard drive specifically designated for cookies. Each website can send its cookie to Your browser if Your browser’s preferences allow it, but (to protect Your privacy) Your browser only permits a website to access the cookies it has already sent to You, not the cookies sent to You by other sites.

The Company uses various tracking pixels, including without limitations those provided by Google, Meta, TikTok, and HubSpot. These pixels track visitors to our websites to tailor advertising messages users see while visiting our site and other websites. The Company reserves the right to use these pixels in compliance with the policies of the various social media site.

The last paragraph in that section addresses CalOPPA’s requirement that you inform visitors how you’ll respond to do not track requests set on visitors’ web browser. The default is to not respond to them. 

Finally, you should include a section that covers how you handle information that people send you via email (or through any forms on the website): 

Image of snippet from Privacy Policy that reads: EMAIL INFORMATION & POLICIES
If You choose to correspond with us through email, we may retain the content of Your email messages, Your email address, and our responses. We provide the same protections for these electronic communications we employ to maintain information received online, by mail, and by telephone. This also applies when You register for our website, sign up through any of our forms using Your email address, or make a purchase on this site.

We are committed to keeping Your email address confidential. We do not sell, rent, or lease our subscription lists to third parties and will not disclose Your email address to any third parties except as allowed in the Disclosure of Your Information section.

We will maintain the information You send via email in accordance with applicable federal law.

In compliance with the CAN-SPAM Act, all emails sent from our organization will clearly state who the email is from and provide clear information on contacting the sender. In addition, all email messages will also contain concise information on removing Yourself from our mailing list so that You receive no further email communication from us.

Our emails allow users to opt out of receiving communications from our partners and us by following the unsubscribe instructions at the bottom of any email they receive from us at any time.

Users who no longer wish to receive our newsletter or promotional materials may opt out of receiving these communications by clicking on the unsubscribe link in the email.

Taken together, these clauses will cover your bases when it comes to describing the information you collect from people. 

Explain Why You Collect The Information And How You’ll Use It

Once you’ve explained what information you’ll collect, it’s time to explain why the heck you’re collecting it. Both CalOPPA and the GDPR have provisions that are implicated here. 

To meet the requirements, you need to explain the purpose for collecting and using the information (the why), how you’ll use it, and a legitimate reason for you to be collecting it in the first place.

There are multiple reasons you might be collecting the information, including:

  • To deliver a good or service
  • To track preferences so you can deliver a better experience later
  • Fulfilling contractual duties
  • To send further marketing information to the user

The key here is to describe all the ways you’ll use the information collected. In my privacy policy, we start with a section titled Why We Collect Information:

Image of snippet from Privacy Policy that reads: WHY WE COLLECT INFORMATION
The Company collects Your information to record and support Your participation in Your selected activities. We collect Your information if You register to download a book or resource, sign up for our newsletter, and/or purchase a product from us. We use this information to track Your preferences and to keep You informed about the products and services You have selected to receive and any related products and/or services. As a visitor to this Website, You can engage in most activities without providing any personal information.

If You opt to receive any free resources, participate in any free training programs, register for a webinar, register for a live event, register for a seminar, or purchase any products sold by the Company on this Website, we will automatically enroll you to receive our free email newsletter. You can unsubscribe anytime if You do not wish to receive this newsletter. We include an “unsubscribe” link at the bottom of every email. If You ever have trouble unsubscribing, You can email requesting to unsubscribe from future emails.

That section is largely about explaining the motivation for collecting information… but you also need a section explaining how you use it once it has been collected. Here’s how we handle that:

Image of snippet from privacy policy that reads: HOW WE USE THE INFORMATION THAT YOU PROVIDE TO US
We use the personal information you provide to us differently on our Website and within the Software.

On Our Website. We use personal information for purposes of presenting our Website and its contents to You, providing You with information, providing You with offers for products and services, providing You with information about Your subscriptions and products, carrying out any contract between You and the Company, administering our business activities, providing customer service, and making available other items and services to our customers and prospective customers.

From time to time, we may use the information You provide to make You offers to purchase products and services provided by third parties in exchange for a commission to be paid to us by such third parties. If You opt to participate in such promotions, the third parties will receive Your information. From time to time, we may use the information You provide to us to display advertisements to You that are tailored to Your personal characteristics, interests, and activities.

In Our Software. We use the personal information you provide to us and that our system automatically collects to deliver the services provided by the Software. Among other things, we use the information you provide to compile the legal documents and agreements you request and to provide guidance in the Software’s other core functionalities.

When writing this section of your privacy policy, broadly describe the ways you might use the information. 

Alongside how we use your information is how long we retain your information. The next section includes this:

Image of snippet from privacy policy that reads: RETENTION OF DATA AND PERSONAL INFORMATION
We retain your data and personal information so long as reasonably necessary for its intended uses.

The personal information that you choose to provide by interacting with our website (e.g., your name and email address provided on an opt-in form) is maintained until either you ask us to delete it or we decide to delete that information from our marketing automation provider.

The personal information collected automatically by outside tracking pixels is stored consistent with the privacy policies and data retention policies of the companies that provide that data.

So long as you remain a subscriber of the Plainly Legal™ Software, our system will retain the data and personal information you provide within the Software until you choose to delete that information or the results created using that information (e.g., agreements generated by our system using your inputs). When a user deletes information, our system will retain it in an archived state for a period of six months so that it can be retrieved upon request of the user.

When users unsubscribe from the Plainly Legal™ Software, our system will archive all of their data for a period of six months after their subscription ends. If You resubscribe within those six months, You will be able to retrieve that data. After six months, we will permanently delete the data and it will not be retrievable.

If You are a subscriber who wishes your data to be deleted immediately without an archive period, you may request for your data to be deleted consistent with the process outlined in the Users’ Rights section below.

Explain Who You Will Share The Information With

Next up, you need to explain who (outside your company) may have access to the information people share with you. 

Many people default to saying that they won’t share the information with anyone… but that is not true. You will almost certainly be sharing information with third-party service providers who are helping you in your business. 

Moreover, you’ll want to leave room to share the information in certain legal contexts (e.g., a lawsuit against a customer, if you sell the company, or if you are required by law to do so). 

Here’s how we have addressed this disclosure requirement:

Image of snippet from privacy policy that reads: DISCLOSURE OF YOUR INFORMATION
As a general rule, we do not sell, rent, lease, or otherwise transfer any information collected from You. We may disclose Your personal information to our subsidiaries, affiliates, service providers, and technology partners to provide our services to You. The following

We may disclose Your personal information to a third party, including a lawyer, our payment processor, or collection agency, to enforce our terms of service or any other agreement between You and the Company.

We may provide Your information to any successor in interest in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the Company’s assets and/or business.

We may disclose information when legally compelled to do so, in other words, when we, in good faith, believe that the law requires it or for the protection of our legal rights or when compelled by a court or other governmental entity to do so.

We crafted this section very carefully to simultaneously give people confidence that we aren’t going to be sharing their information willy-nilly while also protecting our backside if we need to share it for a legitimate reason. 

Explain EU Visitors’ Rights Under The GDPR

The last major component you’ll need to create when you’re writing your privacy policy is a section setting out certain rights that people in the EU have under the GDPR. 

This is one of the quirks of the GDPR. Your privacy policy has to include a section informing visitors of their rights. This section isn’t so much about your business practices; it is a recitation of rights. 

Here’s how we handle this in our privacy policy:

Image of snippet from privacy policy that reads: GDPR Rights
If you are within the European Union, you are entitled to certain information and have certain rights under the General Data Protection Regulation. Those rights include:

We will retain the any information you choose to provide to us until the earlier of: (a) you asking us to delete the information, (b) our decision to cease using our existing data providers, or (c) the Company decides that the value in retaining the data is outweighed by the costs of retaining it.

You have the right to request access to your data that the Company stores and the rights to either rectify or erase your personal data.

You have the right to seek restrictions on the processing of your data.

You have the right to object to the processing of your data and the right to the portability of your data.

To the extent that you provided consent to the Company’s processing of your personal data, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based upon consent that occurred prior to your withdrawal of consent.

You have the right to lodge a complaint with a supervisory authority that has jurisdiction over issues related to the General Data Protection Regulation.

We require only the information that is reasonably required to enter into a contract with you. We will not require you to provide consent for any unnecessary processing as a condition of entering into a contract with us.

Don’t Forget These Odds-And-Ends

Your privacy policy also needs to include: (1) its effective date, (2) how you’ll notify visitors of changes to the policy, and (3) your contact information. 

These sections aren’t hard to write… but don’t forget them. 

How Should You Create Your Privacy Policy?

Image of top of typewriter that shows typed paper that reads "Privacy Policy".

Now that we’ve covered the legal requirements and addressed the key sections you’ll need to create for your website privacy policy, the only question is how you should go about creating the darn thing. 

You could certainly write your privacy policy from scratch. 

But, I wouldn’t recommend it. That is NOT a good use of your time. 

Instead, we recommend using Plainly Legal™’s smart Legal Doc Generator, where you can draft a rock-solid website privacy policy in minutes!

Click here to learn more about how Plainly Legal™ can help you protect your online business!

Get the guide right in your inbox now!

    We respect your privacy. That’s why we never sell your information to anyone and only send you emails you’ve expressed interest in. Read our entire privacy policy.

    Get the guide right in your inbox now!

      We respect your privacy. That’s why we never sell your information to anyone and only send you emails you’ve expressed interest in. Read our entire privacy policy.

      Access the replay before it expires in...

      This replay has expired!

      Get Instant Access to the tutorial now!

      Get the guide right in your inbox now!

        We respect your privacy. That’s why we never sell your information to anyone and only send you emails you’ve expressed interest in. Read our entire privacy policy.

        See Plainly Legal™ In Action

        Get notified when the
        Plainly Legal™ Affiliate Program

        Fill out the form below to be notified as soon as the Plainly Legal™ affiliate program opens for registration!