How to Create a Privacy Policy for your Small Business

Data privacy should be at the heart of how you operate as a conscious small business, but it’s an area that’s often shrouded in mystery or complicated by language. This means that putting together a privacy policy template feels hard — even if there are tools that make it easy. 

To help you navigate the world of privacy policy templates, we’ve put together this comprehensive guide. Below you’ll find out what a privacy policy is, why it’s essential, what it contains, and how to create your own version for free in minutes.  

 What is a Privacy Policy?

At its most simple, a privacy policy is a legal document that outlines how you capture, store, use, and share someone’s data. It’s a useful notice that lets your users know exactly how you operate and shows that you care about the privacy and security of the data they share with you.

While most companies refer to this document as a privacy policy, you might also see it referred to as a privacy notice — or simply linked to on their website as a page titled ‘privacy’. However you choose to display it on your website is up to you, but we recommend keeping the same language throughout so it’s easier for users to understand.

👉 Looking for inspiration? Check out our list of the best privacy policy examples! 

Does Your Small Business Need a Privacy Policy?

In most cases, yes. If your website collects personal information from users or customers, you’ll need to write, publish, and enforce a privacy policy. 

This means that if you operate any of the following you’re likely to need a compliant privacy policy: 

• Service-based website
• Ecommerce website
• A blog that runs advertising programs, for example, Google Adsense

Mobile apps and desktop apps should also have a privacy policy too if they collect personal data. This means if you publish an app in the App Store, Google Play Store, Facebook App store, or have created your own desktop software, you’ll need a compliant privacy policy. 

 Why You Need a Compliant Privacy Policy

The main reason to have a compliant privacy policy is that it’s often required by law. Most jurisdictions require you to have and publish one if you collect personal data. And with so much business being done internationally, you need to consider the privacy laws of any locations where your customers reside — as that’s what applies to their relationship with you. 

Let’s take a look at some of the most common privacy laws and their legal requirements when it comes to privacy practices for websites. 

GDPR

If your audience is based in Europe or the UK, the General Data Protection Regulation (GDPR) applies. It’s a privacy law that gives people a range of rights over their data, and gives you plenty of responsibilities to keep it safe and use it appropriately. 

In order to comply, your privacy policy should mention the types of personal information you process — for example, name, email address, or payment details. You also need to confirm your lawful basis for processing that data. You can’t just use someone’s email address to send them promotional offers if they haven’t opted into that. 

For GDPR privacy policy compliance, you also need to confirm you have safeguards in place when transferring data subjects’ data outside of the EU. If you work with third-party services outside the EU or you’re based outside the EU yourself, you’ll need to make sure this is covered. You also need to mention your data retention policy and let people know how to access and update their personal information. 

LGPD

Brazil’s data privacy law, Lei Geral de Protecao de Dados (LGPD), shares lots of similarities with the GDPR. This means it’s easy to draft a privacy policy that’s compliant with both. 

To comply with LGPD, your privacy policy needs to confirm the categories of data you collect, how it’s done, the purposes for processing it, and how you process it. It’s also essential to cover data sharing, international data transfers, and give users information about their data subject rights and how to access them. 

Unlike GDPR, the LGPD requires you to have an appointed Data Protection Officer. The identity of and contact details for this person should be shared within your privacy policy. 

CalOPPA and CCPA

Unlike the EU, the UK, and Brazil, the United States doesn’t have a federal level privacy law that requires you to have a privacy policy. What it does have though is two laws in the state of California that are likely to apply — the California Online Privacy Protection Act (CalOPPA) and California Consumer Privacy Act (CCPA). 

The CalOPPA states that you must have a clearly displayed privacy policy on your website that covers the personal data you collect, plus how it’s stored, used, and shared with others. Unlike GDPR, there’s also a requirement to cover whether or not you respect ‘do not track’ signals. You also need to include a notice about tracking cookies including how they’re used and what data they collect. 

Users should have access to your privacy policy before their personal data is captured and used, and this is a key mention within the CCPA. You should display a notice that features a link to your privacy policy, making it easy for people to understand how their data is used. 

PIPEDA

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies. It’s similar to other privacy laws, in that it’s designed to inform people about the collection and use of their personal data. 

As with other privacy legislation, to be compliant with PIPEDA you need to explain which types of personal information you collect and how it’s used — including whether or not it’s shared with others. You should also inform people how they can contact you to exercise their right of access. 

 9 Key Sections You’ll Find in An Effective Privacy Policy Template

Not every privacy policy will look the same, but the right privacy policy template will give you a strong foundation to help you build one that suits your business perfectly. 

Here’s what you’ll need to feature in your privacy policy document, broken down into user-friendly sections. 

1. Introduction

In this section, you’ll want to make a statement about who you are as a company and the purpose of this privacy notice. It’s common for you to include the following information here: 

• Company name
• Which privacy laws the privacy policy is compliant with
• An explanation of key terms used — like ‘personal data’ or who you mean when you say ‘we’ or ‘you’
• To what and when this privacy policy applies — for example, whether it covers third parties

Your introduction section doesn’t need to be long, but it should let any readers know what to expect from the rest of the document and give them a basic understanding of its purpose. 

2. Personal Data Collection and Use

One of the most important parts of your privacy policy template is where you lay out which data you collect, and how it’s stored, used, and transferred. This is often the part of your privacy approach that people are most interested in, as it directly relates to their personal information. 

Data Collection

In this section, you’ll want to confirm which personal data you collect. Personal data can include: 

• Name
• Phone number
• Address
• Email address
• Age 
• Sex or gender
• Race or nationality
• Religious beliefs
• Login or account information
• Credit card information 
• IP address
• Web browser or device type 

Think about not only the personal data you directly collect but the third-party services you use too. If you use tools like the Facebook Pixel or Google Analytics, these service providers will collect additional data. This is often covered by those tools’ own privacy policies, so you can direct users to review the third-party privacy documents to get a better understanding. 

Data Processing

Next, confirm the uses for this personal data. Some privacy laws, like the GDPR, require you to have a lawful basis for processing data. Setting out how you use data helps you show that you understand and care about your obligations. 

Some of the most common purposes for processing data include:

• To deliver products and services
• To make improvements to or develop those products or services
• To provide customer service and technical support
• To verify identity and enforce security
• To send relevant marketing communications
• To display more relevant or targeted social media advertising

Each business is different, so think about your own reasons for processing data and which of these may be applicable. 

Data Sharing

It’s also important to cover how you intend to or will share someone’s personal data with partners or third parties. If you do need to share data, set out here how it will be done, who it’s shared with, and for what purposes — similarly to how you cover data processing above. 

If you’ve already covered third parties in your policy, you can keep this section simple. For example, Enzuzo’s privacy policy template includes the following statement: “We will share your personal data with third parties only in the ways set out in this Policy or set out at the point when the personal data is collected.”

There will also be moments where you’re required to process or share information as a legal requirement. Let your users know that this may happen, and situations in which it may be applicable — for example at the request from a government authority. 

Data Sales

In most locations, you can’t sell a user’s personal information to another company or third party. In the State of California you can, so it’s wise to include a statement here to cover this. Under the CCPA, you need to legally inform people of any sale of data — including to whom it’s sold — and give users the right to opt-out of any sale. 

If you don’t sell user data and don’t intend to, include a disclaimer here to that effect. If it’s not present, users may be unsure whether their data may be sold in the future or not. 

3. Cookie Policy

While you can have a separate cookie policy document and web page, it makes sense to bundle it in with your other privacy notices. After all, cookies are one way that you collect personal data. 

Your cookie policy should explain what cookies are, and how your website uses them. Some of the most popular uses for cookies include: 

• Necessity: To actually provide your product or service
• Preference: To save useful information to make things easier or offer a more personalized service — like login details or your location
• Analytics: To better understand user behavior, to improve a product or service or tailor future campaigns
• Marketing: To provide a more personalized marketing or advertising experience — for example by displaying relevant product ads

If users can manage their cookie preferences, it’s helpful to include information here about how to do so. At a minimum, the CCPA requires you to inform users of which cookies are present, what type of data they collect, and how you intend to use that data. 

4. Retention & Deletion

While your users need to understand which personal data is collected, they also need to know how long you intend to keep it for and what the process for deletion looks like. 

You can keep it simple here and let people know that their user data will be kept for as long as it’s required to for the purposes of providing your products and services, and also in line with any legal requirements. You should also confirm what happens when you no longer need the data — in most cases it will be deleted or anonymized. 

5. Children’s Data

In most cases you won’t collect children’s data. For most jurisdictions, children are classed as people under the age of 16. If you do, make sure you follow the rules set out in the Children’s Online Privacy Protection Rule (COPPA).

Even if you don’t collect children’s data, you should display a statement here that confirms it. For example, our disclaimer on children’s data is: “We will not knowingly collect personal data from children under the age of 16 Years.”

6. Personal Data Rights

People’s personal data rights differ depending on where they’re located, and the privacy laws that apply. In some jurisdictions, data subjects have more rights than others.

In this section, you’ll want to acknowledge your obligations around complying with these rights. To make things really simple, our free privacy policy generator breaks this down into sections for each major privacy law. 

As well as outlining your users’ personal data rights here, you should share how they can action them. Give details on how someone can withdraw consent or view, update, or request the deletion of their data — whether that’s through an email address or a form. If you’re using Enzuzo, it’s really easy for customers to request or update personal information. 

7. Changes

This section can be short and sweet. Simply list when you’re likely to make changes to the policy, and how people will be kept informed. 

To keep things simple, say that the privacy policy may be updated at any time — and that if there are any changes users will be asked to review and re-accept your policy at the appropriate time. 

8. Complaints

Not everyone’s going to be satisfied all the time. To help everyone out, list a clear and easy way for people to reach you with a complaint. This may be through email, a contact form, a phone number, or a digital process. 

Often people have the right to take the complaint further if they’re not happy with the outcome. Make this clear to your users and direct them to their local data protection authority to continue the process. 

9. Contact Information

Lastly, finish your privacy policy or privacy notice by sharing your contact details. This makes it easy for people to get in touch with any questions or concerns they may have. 

In this section, feature your: 

• Company name
• Address 
• Phone number
• Email address

It may also be helpful to name the role or department that someone needs to contact — especially if you have more than one department that may be relevant. Signpost them to your data protection officer if you have one, or a more general mailbox if you don’t.

👉 Looking for more help? Check out our guide to email marketing compliance! 

 An Easy Way to Understand Your Requirements By Privacy Law

Still not sure which sections you need to feature to be compliant? It’s not always easy to know at a glance which privacy law requires which information to be made available, so here’s a table to help you figure things out: 

As you can see, there’s a huge variety in what’s required of you depending on the location of your users. With different privacy laws having different interpretations of what’s relevant for people to understand, it makes the most sense to create a privacy policy that caters to all. 

 Simple Online Privacy Policy Examples

You don’t need to look far to find great examples of online privacy policies. With most websites required to have them, it’s easy to take a look around and get a feel for how others structure and style theirs.

To give you some inspiration for how to format yours, here are a few privacy policy examples. 

Pinterest

Pinterest has a really unique take on the way they inform users about their different policies. They have a dedicated policy section, and within that sits their different documents — including their privacy policy. 

Pinterest’s privacy policy is really easy for users to navigate. It features a table of contents and clear headings, so people can just jump to the section they’re most interested in reading about. Another thing Pinterest does well is explain situations in which your data might be used, with examples that are relevant to the way people use it. 

While a privacy policy in this style may be overkill for your small business, it’s interesting to see how other companies tackle making data privacy a priority. It’s also a useful way to be able to understand different types of data, reasons for processing, and identify whether any of these might be relevant to your business. 

Shopify

Shopify is another big business, but their privacy policy is much shorter than Pinterest’s. This goes to show that it’s not always about how long or detailed your policy is — it’s the content within that counts. 

An interesting feature within Shopify’s privacy policy is their section on values. This does a great job at covering their stance on data security and reassures users that they’re willing to meet their obligations. 

Shopify also splits their privacy policy page by type, so users can find the most appropriate privacy policy for them. This is a small detail, but one that transforms the customer experience. Getting specific with the information you share with your audience is an impactful way to make sure it meets their needs. It also shows you appreciate the value of their time and attention, by only showing them what’s relevant. 

If you run a business that operates a lot of cookies, you could also look to Shopify’s cookie policy as a great example of how to be open and transparent with the data you collect. It lists out each cookie, along with a description on what it does or why it’s used. 

Enzuzo

Let’s take a look at our very own privacy policy. At Enzuzo, our privacy policy is streamlined, easy to understand, and simple for users to navigate. It features drop-down sections, so people can head straight to the section that matters most to them. This also means it’s not a daunting page for people when they first land on it.

With customers accessing our website from all over the world, being able to communicate in multiple languages and in the most personalized way is important. Users can toggle their location and language options to read the privacy policy in the language they know best. 

This kind of functionality doesn’t have to be complicated. Our own privacy policy was made using our privacy policy generator tool, so you can recreate your own and embed it on your website in no time at all. 

 Get Your Free Privacy Policy Template for Small eCommerce Businesses

We’ve covered all the sections you’ll need in a privacy policy and explored examples from other businesses. Now it’s time to take a look at how you can create your own privacy policy for free, in minutes. 

Privacy laws and what’s required of you can be confusing, but that’s what we’re here for. We’ve distilled our knowledge on everything data privacy to make it easier for you to create a compliant privacy policy, whether you’re an expert or not. 

You don’t need to spend thousands on drawing up a complex privacy policy to meet relevant laws. All you need is to understand the data you collect, how it’s used, and be able to communicate that to your users in a meaningful way. 

With our free privacy policy template generator, you can build a simple, effective privacy policy to embed on your website. It works on most services, including Squarespace, WordPress, Shopify, and Wix. And there’s no need to rely on a tech expert to do this — our useful walkthrough helps you make your website compliant in a few simple steps. 

Not only is our generator tool easy for you to use, but it provides your customers with a great user experience too. The simple design, user-friendly drop-down sections, and uncomplicated language means your customers can get the information they need without all the hassle. Plus, 

if you opt for our Starter plan, you can have your policy available in multiple languages and customize your template even further. 

Here’s an example of a compliant privacy notice created by our free privacy policy generator: 

If you’re ready to have a go at making your own, head to our privacy policy page generator now and get started on our free plan. 

Privacy Policy Templates FAQ

Looking for an answer to your burning question on data privacy or privacy policy templates? Here’s our take on some of the most popular questions on this topic. 

Is a Privacy Policy required by law?

Yes! A privacy policy is a requirement of various privacy laws across the world — if you operate a business that collects personal data.  

Locations such as Canada, Europe, Brazil, and parts of the USA all have different privacy laws that you need to consider. While each is unique, most agree on basic data privacy principles so it’s easy to create a privacy policy that’s compliant with their requirements. 

How do I create my own Privacy Policy?

There are several different ways you can create your own privacy policy. If you have the expertise, you can write your own that’s compliant with relevant legislation. You can also consult with a legal expert to help you understand how your business uses data, so you can create a valid policy. 

If you have a good idea of how your business collects, uses, and stores data, you can use our free privacy policy generator tool to build your own document. Add in the relevant information and you’ll be able to generate a simple, user-friendly privacy policy that meets your needs. 

How much does it cost to get a Privacy Policy?

Like most things in business, how much your privacy policy costs you will depend on what you need. If you need legal advice to better understand your position, that’ll add $$$ to your costs. The same applies if you instruct a legal or data privacy expert to come up with the wording for your privacy policy. 

The good news is that your privacy policy agreement doesn’t have to cost you anything. If you’re on a budget or want to invest your funds in another area, use our free privacy policy generator to build your own DIY policy. 

Can’t I just copy someone else’s Privacy Policy?

Copying someone else’s privacy statement is a bad idea. They’ve had it created based on their own unique business and requirements, which won’t be relevant to yours. 

Instead of giving into temptation to borrow someone else’s hard-earned work, use our free privacy policy generator to create your own in minutes. That way, you’ll have a document that’s tailored to your business and free from any potential copyright claim disputes. 

Where should my Privacy Policy be displayed?

Your privacy policy needs to be visible and easy for your users and customers to find, read, and agree to. It shouldn’t be hidden or provided in a format that’s hard for people to understand. 

Most companies create a dedicated privacy policy page and link to it somewhere obvious — typically in their website footer. This means it’s displayed on every page of the website and users can navigate to it from wherever they are. 

If you run an ecommerce store, you’ll also want to provide a clear link to your privacy policy at or before checkout. This gives people an easy way to read and agree to how you use and process their data before it happens. You should also provide a link to your policy when capturing data in other ways — for example if you have a pop-up to collect email addresses for a newsletter. 

What’s the difference between a  Cookie Policy and a Privacy Policy?

A privacy policy is a legal document that sets out how you capture, store, and process someone’s personal data. While a cookie policy also covers these points, it’s specific to one type of data collection — cookies. 

Some companies choose to have two separate documents for their cookie and privacy policies, while others bundle them into one document. With Enzuzo, you can easily add a cookie policy to your website privacy policy — without having to generate two pages. 

 Get a Compliant Privacy Policy Template the Easy Way

Data privacy shouldn’t be difficult for you to manage, and it shouldn’t be confusing for your customers either. Use this guide to help you build your own privacy policy template from scratch, or update an existing policy so that you’re happy it’s compliant. 

If you want to make the whole process even easier, use our free privacy policy page generator. It takes all the hard work out of building your own page manually and gives you the peace of mind that you’re covering all the basics to stay compliant.

Book a privacy audit today.