Editor's note: We've partnered with technology company Atticus AI to provide insights on complex legal topics such as brand rights, contracts, and policies to benefit the Polywork community.
A privacy policy is a legal document explaining how a company handles user data. This may include personal details like names and addresses, as well as browsing patterns and purchase history.
Here, we outline how to create your very own privacy policy. Throughout this post, we’ll use 1Password’s privacy policy, which is clear, concise, and among the highest scorers against our Privacy Scout rubric, as a model throughout this article (you can view our analysis of 1Password’s privacy policy here).
Privacy policies: An introduction
Privacy policies are consumer-facing documents. They are typically written in plain language and free of legal jargon. It is important for privacy policies to be made easily accessible, for instance, in a website’s footer.
A privacy policy is required by law for almost every company that handles user data. In the EU, this is notably governed by GDPR (General Data Protection Regulation). In the U.S., this is notably governed by CCPA (California Consumer Privacy Act), COPPA (Children’s Online Privacy Protection Act), among others.
A privacy policy typically begins with a short introduction. It explains who the company or service provider is and the general philosophy encapsulated in their privacy policy. Your introduction should include a description of your company or service, your company’s stance towards user data, and a high-level description of how your company uses user data.
Here’s what 1Password’s Introduction looks like:
We use your data solely to provide you with Services in which you enroll and to provide you an enhanced user experience when you visit our Website. Our business is providing 1Password products and Services to you, the customer. We have no desire or interest to use or transfer the limited data we acquire for any other purposes.
Data collection & usage
After the introduction comes the real content of the privacy policy, beginning with a list of all data that your company collects (or plans to collect) from users and how it uses that data.
Transparency and detail is key here. Your policy should detail all the types of personal data you gather, such as names, email addresses, browsing habits, IP addresses, and any other user-specific information. You should also explain how the different data is used by your company or service.
Darlin Alberto
For example, if you use Rollbar for error monitoring, you might explain how the user’s IP address, operating system, and device make and model are collected, and how that information may be used to debug errors in the system to provide a better user experience.
Here’s an excerpt of 1Password’s description of the data it collects:
Secure Data are the data that we are not capable of decrypting under any circumstance. It includes all information stored within vaults in 1Password accounts. These data are encrypted using secure cryptographic keys that exist only in the possession and under the control of our customers. We have no way of accessing or providing decrypted Secure Data, and we never receive copies of unencrypted Secure Data.
We inevitably acquire Service Data about your usage of 1Password, your account, and your payments through operating our services. Service Data are kept confidential. It is visible to our staff and includes, but is not limited to, server logs, billing information, client IP addresses, number of vaults and number of items in vaults, company or family name, and email addresses.
As long as you are using our services, we retain the right to hold and use Service Data to provide our services, troubleshoot problems, analyze the performance and demands on our services, and to provide our payment processors with the information they need to process payments.
Data sharing
These days, it is not uncommon for user data to be shared with third parties. This may be to offer a critical service like credit card information to a payment processor. But this may also be for non-critical functionality, like serving targeted advertisements.
Users in California and the EU have the right to not have their data shared for purposes non-critical to the core offering of a company or service. Depending on the size of your company and where your users are located, failure to comply with this may grant the consumer the right to sue your company for user data violations.
Here’s an excerpt from 1Password’s policy:
Unless We tell you otherwise, or unless otherwise stated in this Privacy Policy or required by law, We do NOT sell or rent your personal information to any third parties. However, We might share your personal information with Our service providers, such as Our hosting services providers.
User rights
Next, your policy should clearly explain what rights your users have over any personal data collected by your systems. With the passing of GDPR, companies with users in the EU have little room for negotiation. GDPR makes it very clear– EU citizens have the right to access, update, delete, and download all data a company has collected about themselves.
Here’s an excerpt from 1Password:
You may export your 1Password data at any time you wish during the life of your account. If you discontinue payment, your account will enter a frozen (read-only) state for a period not less than six months during which you may still retrieve and export your data.
Your Right to Know What We Know
You have the right to know what we know about you and to see how that data is handled. You may request a screenshot of what we can see about you in our back office systems. However, to protect customer privacy, such requests must be carefully authenticated beyond demonstrating control of the customer’s email address.
Your Right to Have Your Data Erased
As we are merely custodians of your data, account owners have the right to instruct us to remove data permanently from our systems. To ensure that no one’s data is deleted without their consent, you must first delete your account through an authenticated session. After your account has been deleted, the account owner may contact us and ask for the data to be expunged. Once the request is authenticated, the data will be removed from our active systems within 72 hours.
Data security
Your policy should detail any data security practices you implement to secure user data. For example, sensitive user information may be encrypted before being stored. Or user information may have strict access controls, limiting the number of company employees who can access user data.
1Password’s data security practices are described throughout their policy; here are some excerpts:
We understand and accept our responsibility to protect Service Data and Secure Data. We use strict access control mechanisms, network isolation, and encryption to ensure that Secure and Service Data is only available to authorized personnel. Additionally, Secure Data cannot be decrypted even by those who do have access to it.
Child data policy
Your policy should describe the minimum age required to access your services. For services intended for users below the age of 16, you must provide a method for verifiable parental consent to be obtained. For example, this can be by requiring a credit card number to be provided on account creation.
Usually, the easiest way to comply with this requirement is by stating an age restriction for using your service, as 1Password has done:
Data breach notification
In the event of a data breach, EU citizens have the right to be notified within 72 hours. Your policy should describe what your planned response will be in the event of such a breach.
This is 1Password’s policy:
Privacy Policy changes
Your privacy policy should outline how and when the policy might be updated and the method of informing users about these changes. Your privacy policy must be updated if you change what data you collect or how it’s used, if new laws in any relevant jurisdictions are passed, or if you enter new markets with different privacy laws.
Any changes to your privacy policy should also be made available, either through a changelog or through a public archive.
1Password keeps a detailed change log of their privacy policy changes, along with this excerpt:
Contact information
Lastly, your privacy policy should include contact information for users with any questions or concerns about how their data is handled. If your company collects particularly sensitive information (like health data, or racial data), GDPR may necessitate that you appoint a Data Protection Officer, responsible for informing and advising the organization and its employees in their compliance with GDPR.
1Password provides their company address and an email address for inquiries.
Darlin Alberto
Drafting a privacy policy: Final thoughts
Creating a privacy policy can be confusing and intimidating, but we hope that after reading this article, you have a clearer idea of the fairly sensible aims behind a privacy policy. Users have the right to know how companies collect and utilize their personal information, who that information is shared with, and how it is secured. Writing a thoughtful privacy policy is the first step in building a long-lasting and trusting relationship with your users.
We built Privacy Scout, a privacy policy analyzer, to help both consumers and companies understand and navigate privacy policies. Privacy Scout analyzes any privacy policy on the web in plain English, tells you what may be missing, and finally assigns a score, so you can easily compare it with others.
Once you’ve created your own privacy policy, you can upload it to our platform to see how it compares with others.
Disclaimer: The information in this article is for general informational purposes only and is not legal advice. Consult with a qualified attorney for advice regarding your individual situation.