What Makes a Good Privacy Policy?

When a founder has scarce resources to spare, developing a comprehensive privacy program may not rank the highest on a priority list. It’s tempting to sink a few hundred dollars into a template privacy policy, throw it on your website, and hope that’s sufficient. But that approach can be short-sighted. The data tells us that your customers care about their privacy. While people easily share photos, videos, and personal information through social media, the vast majority believe that more should be done to protect their personal information, and many believe that private companies are best placed to do this.


Remember, a good privacy program is proactive, rather than reactive, and assumes that personal information will remain private by default. A founder considers how to protect the data, realizing that there is no one-size-fits-all approach to data security. A good privacy program is transparent and holds people accountable for protecting the privacy of consumers. A founder should think about privacy from the very beginning of her business plan, not moments before a product launch. 


A privacy policy is a crucial element of a robust privacy program. And, for many companies, having a privacy policy is required by law. The European Union and the State of California, for example, require certain disclosures to users, which are typically made through privacy policies. Even if you’re not subject to those laws, popular third-party services often require their customers to have privacy policies. Google, for instance, requires companies that use Google Analytics to post and follow a privacy policy. And it’s just common practice to have a privacy policy if you collect personal information.

The following steps can help you create a policy that stands out and demonstrates your commitment to your users’ privacy:

1. Be Accurate

Your privacy policy should tell the truth and describe what you do with personal information. One of the biggest legal risks is using a templated policy that hasn’t been customized for your unique business. A founder should think about the data she collects, what she wants to do with it, and what she needs to do with it. For instance, maybe you only use the information to send your consumers your newest product. Or maybe you pass along the information to a trusted third party to process their payments. Maybe you analyze and aggregate it. Maybe you are positioning yourself for an acquisition and your valuable customer database will be sold with your company. Consider what you do and don’t do with your data and plan to be transparent with your users.


2. Use Plain Language

The privacy policy on your website is an opportunity to communicate with your consumers and to demonstrate your commitment to their privacy. If your language is overly legalistic or confusing, it’s hard to be transparent. Remember, the goal is to let your users know what you are doing and how your privacy program protects their information.


3. Include Essential Information

All privacy policies should include at least the following:

  • What information you collect
  • What you do with the information
  • With whom you share the information 
  • How you collect the information, including whether you use automated means
  • How you protect the information
  • Rights your users have under the law
  • How users can opt out of certain uses of their information
  • How you inform users if you change your practices
  • How your users can contact you

Certain laws require privacy policies to include certain things.  For instance, some laws require you to disclose that consumers have the right to access their information or to prohibit you from selling their personal information.  It’s important to know what laws apply to you so you can include that information in your document.


4. Follow Your Policy 

It should go without saying that you need to follow your policy. That means your people need to know what commitments you’ve made to your customers.  Teach employees to think about opportunities to protect sensitive information and make privacy a priority in your organization.


by Heidi Yernberg
Partner-In-Charge, Chicago