Demystifying Privacy Law: Drafting a Privacy Policy


If your business collects personally identifiable information (or PII) about your customers, you will need a privacy policy to let them know how you plan to collect, use, share and secure information about them. In an increasingly digitalized world, privacy policies command nearly the same level of respect as mission statements. Privacy policies set out an organization’s first principles of consumer protection and provide a roadmap of how sensitive issues such as PII are handled. This article describes some of the factors that go into a well-drafted privacy policy, and the factors that we advise our clients to think through.

Choosing Your Founding Principles

After laying out an approach with respect to PII, companies should identify and establish their convictions on the topic of information privacy and build a working policy around those principles. The Federal Trade Commission urges organizations to adopt the following three propositions as privacy pillars:

Privacy By Design

Privacy should be built in at every stage of product development.

Too often, consumer privacy issues are relegated to organizational back-burners. High-profile data breaches and widespread public concern over the security of personal information have made it perilous for companies to continue to ignore these matters. Institutional handling of such sensitive topics impacts vital metrics of trust, accountability, and transparency. You should include privacy protections as essential ingredients in any services offered.

Simplified Choice

When engaging in transactions, consumers should feel empowered to make informed decisions about how their personal information will be used. Companies should build simple processes that allow clients to choose the extent to which their information will play a role in organizational actions, whether it be third-party data exchange or PII storage. Offer consumers clear options, and let them make the decisions.

Greater Transparency

When it comes to collecting and using customer information, companies should err on the side of transparency. It’s a bad idea to bury information policies in hyperlinked asides concealed by an avalanche of legalese. The more opaque the process seems, the less likely you are to gain the trust of your clients. Share openly, and make sure your customers know what is happening to their sensitive information.

Constructing An Elegant Statement

Once you’ve laid the bedrock for your organization’s privacy policy, it is time to pen the policy itself. The best privacy statements are simple, readable documents that outline procedures and collection practices while allowing consumers to exercise their discretion by choosing how their information is shared. The following suggestions borrow heavily from the California Attorney General’s guidelines on “Making Your Privacy Practices Public.”


Avoid lengthy, unreadable privacy policies couched in technical jargon and obscure legal phrasing. Use plain language and intuitive formatting, such as “layered” statements that rank and explain issues in order of relevance. Where possible, standardize your use of terminology and strive for succinct declarations.

Online Tracking

Make sure your organization’s policies regarding cookies and other online tracking methods are clear and easy to find. Where possible, ensure your customers are informed of the various “Do Not Track” protections available in most Web browsers, and describe your site’s response to “Do Not Track” requests.

Data Use & Data Sharing

Explain your use of personally identifiable information in simple, clear terms. Note any relevant storage or sharing procedures, and detail with whom and under what circumstances you intend to share PII, including how you intend to share information with law enforcement.

Individual Choice & Access

Where possible, describe the choices your customers have in how their personal information is shared, accessed, used and stored. Create opt-outs for certain non-vital uses of PII, and be sure to pinpoint your organization’s policies relating to unauthorized information use and the length of time sensitive details are stored in company servers.


Provide company contact information for customers who have questions relating to privacy issues, and highlight avenues of redress in the case of data breaches or other informational malfeasance.


Broadcast your intention to conduct regular privacy reviews. These reviews will ensure your company is living up to its promises, and will provide your customers with some much-needed peace of mind.

Privacy Certification Programs

Consider adopting privacy certification programs such as TRUSTe to improve your institution’s handling of privacy-related matters and to promote consumer trust as well as corporate accountability.

For more information on how to construct a great privacy policy, contact us.

DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.