How to Write a Legally Compliant Privacy Policy for Your Website

Osman Husain 5/11/23 12:00 AM

A privacy policy is a critical piece of information that every commercial operation needs if you’re leveraging a website as part of your customer outreach or sales strategy. 

Whether you’re aware or not, if you own or operate a website for the purposes of commercial enterprise, you don’t just need a privacy policy — you’re required to have it. It doesn’t matter whether you’re selling physical goods, marketing your plumbing business, or acting as an email list manager. 

Failing to create a privacy policy can come with hefty fines. However, something equally important is having a basic privacy policy for your website that covers all the required details. 

This includes an in-depth overview of how you’re using customer data, what data is being collected, who you’ll potentially share that information with, and how website visitors can opt-out of sharing their information or request that you delete it. If you’ve never given any thought to how to create a privacy policy for a website, then consider this a crash course in best practices for a company privacy policy.


Who Needs a Privacy Policy?

The simple answer here is, anyone operating a website for commercial purposes needs to write a privacy policy. It doesn’t matter whether you’re simply collecting emails for leads, have an ecommerce portal, or allow people to book services that must be paid offline in person. 

Likewise, you can be a massive multi-national corporation like General Motors, or a tiny corner pizza shop with a website that accepts online orders. If you’re using a website for any commercial purpose, your activities are regulated by the FTC and they expect you to explicitly outline to your audience how you’re collecting, using, or sharing their data. As such, you need a dedicated place for website privacy statements.


Why Are Privacy Policies Important?

To answer this question, we need to back up and first define “personally identifiable information.” This is a phrase you’ll see frequently used both in a business privacy policy template and in regulations governing its usage. 

Simply put, this refers to any information that can be used to directly identify a person. In more severe cases, this could be a person’s social security number, name, passport number, or banking information. More loosely, it can refer to someone’s zip code, IP address, or even their gender or date of birth. 

Whichever version you’re collecting, visitors that arrive on your site have the right to know exactly what you’re gathering from them, how you’re using it, and if you’re going to share it with “trusted third parties.” 

To piggyback on this idea, consider that there are more comprehensive privacy laws now. More importantly, major laws like the General Data Protection Regulation (GDPR) from the European Union, or the California Consumer Privacy Act (CCPA) here in the U.S. are quite explicit regarding how they expect commercial businesses to treat consumer data. 

As a caveat, even if you’re not located in these state or national jurisdictions, you’re not absolved from following the expectations that these policies outline. There’s a laundry list of multinational corporations that found themselves paying millions of euros or dollars to respective agencies for flouting privacy regulations. Giant conglomerates can afford expensive litigation and settlements over violations. But more than likely the average small business can’t weather that storm. 


What Should Be In Your Privacy Policy?

Here’s a step-by-step guide to building your own privacy policy:


Step 1: Understand privacy laws. Verify what data privacy legislation applies to your business and get acquainted with all legal obligations.

Step 2: Engage in a privacy audit. A thorough privacy audit will determine every piece of personal information you collect from users.

Step 3: Explain your reason for collecting data. 

Step 4: Answer how you collect data - whether it’s via capturing email addresses, tracking cookies, or more.  

Step 5: Explain how you use the personal data. Laws like GDPR & CCPA require you to state how you use personal data, including if it’s shared or sold to any third parties.

Step 6: Highlight your safety practices, including how you handle data securely. Data privacy laws make this mandatory for businesses, too. 

Step 7: Inform about updates and changes to your privacy policy including how this correspondence will be delivered. 

Step 8: Add other relevant clauses like the rights of users and how you treat the data of minors (if collected). 


Privacy Policy Sections

We’re not going to lie, privacy policies can be heavy on jargon. However, they all tend to follow a similar formula. If you have the fortitude to read through a few policy templates for small business or major national competitors, you’ll probably see that they all follow a strikingly identical format. This is by design. 

Including the same boilerplate headers ensures that any information mandated by various governing bodies, both domestic and foreign, is included. 



As the header implies, this is your introduction. You’re going to list your business name — as well as if you’re operating under a different corporate entity. More importantly, this is where you confirm that your business is compliant with various privacy laws. 

Keep in mind that even if your business isn’t located in the same jurisdiction as a privacy law, you’re not exempt from legal action if you’re found to be non-compliant. This is because you can still get web traffic from those jurisdictions. So, unless you preemptively refuse to accept traffic from consumers in those areas, you’re still liable and held responsible for how you handle data collected from those jurisdictions. 

Additionally, you’ll need to clarify any terms that will be used in your privacy policy. This isn’t limited to including what is inferred under the term “personal data”. Definitions will also include who is being referred to when you use basic pronouns such as “you” or “we”. Finally, you’ll need to define whether your compact privacy policy also covers data shared with third parties (think advertisers). 


Personal Data Collection and Use

Every part of a policy template for small businesses is important. But this section is probably one of the most crucial ones — and is a key section that governing bodies use to determine the accuracy of your privacy handling claims. Simply put, be sure that whatever data you’re collecting from consumers is clearly defined here. Common options can include: 

  • Phone number
  • Address
  • Name
  • Email address
  • Age 
  • Sex, gender, or orientation
  • Race, nationality, or ethnicity
  • Religious beliefs
  • Financial information such as credit card or banking details
  • Login and account information
  • IP address
  • Web browser and/or device, device software, etc.

Don’t forget that part of this collection will also include any plug-ins or applets you’ve leveraged that are designed to process information in the background. This can include pixel and analytical services like Google Analytics, Facebook Pixel, or even other social platforms like Pinterest or TikTok that connect into your backend to serve data to their proprietary business services dashboards. All of these types of services can fall under the general term “trusted third parties”. 


How and Why the Data is Being Used

Your ecommerce website privacy policy template also needs to explicitly state why the data is being used. Normally, there are boilerplate phrases that can be inserted here that reference actions such as 

  • Providing a more personalized experience
  • Verifying identity
  • Providing optimized customer service support
  • For marketing communications purposes 

Whichever of these actions is applicable to how you plan to use consumer data, be sure to clarify it here. Remember that you also need to include how you’ll share data if necessary, to which parties, and for which purposes. Likewise, be mindful of data sales. Most jurisdictions don’t support data sales — with California ironically being the exception. 

However, the state requires that you provide proper notice of your intent to do so. Alternatively, if you have no plans to attempt to sell user data, then you should explicitly state it here. 


Cookie Policy

Cookies are essentially digital tracking devices that allow you to observe a web visitor’s browsing habits during a single session. Many jurisdictions have very strict expectations for how commercial businesses can use cookies, how long the data can be stored, and the rights that citizens within their borders have over that data. 

Err on the side of caution and be sure to include a section on cookie usage in your privacy policy. Along with explicitly stating why the information is being collected, don’t forget to include verbiage regarding how web visitors can access, control the usage of, and/or delete that information if they so desire. 

This section can be a minefield if you’re not careful as California’s CCPA and the EU’s GDPR require businesses to inform users that cookies are present. More importantly, there needs to be an easy-to-find option to adjust cookie settings to stay compliant with both of those state and international regulations. 


Retention and Deletion

Consumers need to know how long you plan on storing their private information. For ease, it’s best to stick to the jurisdictionally mandated maximum time frame for storing data. Just remember, whatever you commit to here needs to be enforced. Don’t forget to tell users how you plan on removing that data. Typically this includes deleting or anonymizing that information. 


Children’s Data

Most websites avoid collecting data from children, as regulations are even stricter for gathering and managing the personally identifiable information of minors. However, if you’re so inclined, you need to at least follow the guidelines outlined by the FTC’s Children’s Online Privacy Protection Rule (COPPA).  

In most cases, jurisdictions view “children” as legally referring to people under the age of 16. As a precaution, be explicit here and let users know if you won’t be collecting data from minors. 


Personal Data Rights

The actual rights a user has regarding their personal data can vary widely based on the jurisdiction in which they reside. The Enzuzo privacy policy generator explicitly outlines a user’s rights based on the major international privacy laws like the EU’s GDPR, Brazil’s LGPD, Canada’s PIPEDA, or the CCPA in California. 

There are so many different privacy and data rights regulations worldwide, with varying degrees of user control. So, this is one area where using a generator is smarter than trying to go it alone. Don’t forget to outline how users can withdraw consent, or request access to their information here. The goal is to provide transparency. Ideally, users shouldn’t have to jump through unnecessary hoops to access and adjust how you’re using their data — unless you want to be fined. 



Simply put, this section gives notice that your policy may periodically be updated. However, you do need to identify how you’ll notify users of privacy policy changes. The easiest option is to simply say that as the policy is updated, users will be notified and will need to re-accept the policy before continuing with using your website. 



Complaints are inevitable, but you need to have a reliable method for receiving not-so-positive feedback from your website users. In most cases, this should be a dedicated email, phone number or submission form where people can file their grievances. If a person wishes to escalate their complaint, be sure to provide clear direction of which oversight authority is within their jurisdiction. 


Contact Information

A privacy policy without real contact information for a business is a policy that’s in violation. You need to include important information that includes: 

  • Company name
  • Address
  • Phone number
  • Email address

It’s best to have one dedicated person or department that’s assigned to monitoring contacts for this purpose. 


Should You Use a Privacy Policy Generator?

As we’ve outlined above, there are a wide array of critical components that a viable privacy policy needs for it to be compliant. If you’re not a privacy policy wonk, trying to go it alone can be problematic.

Privacy policy generators are a cost-effective method of building legally-compliant privacy policies. Yes, you can use a trustworthy privacy policy generator without many concerns.  

Along with being overwhelmed by the sheer amount of information that needs to be included, it’s very easy to run afoul of the various international privacy regulations. Note that there are roughly 137 different regulations that are available worldwide. However, only a few tend to be viewed as the brand standard. These tend to be PIPEDA (Canada), GDPR (EU), CCPA (California), and LGPD (Brazil). 

But to throw more caveats into the mix, if you know for a fact that you’re receiving or intend to target consumers in another jurisdiction that’s not one of the big four, you’ll want a privacy policy that’s reflective of that jurisdiction’s expectations. 

Could you make a privacy policy independently that attempts to address all those caveats? Sure, it’s possible. But it’s equally likely that something will get overlooked and your policy won’t be compliant. Long story short, you could be legally liable. 

Opting for Enzuzo's privacy policy generator can give you peace of mind. We’ve incorporated the critical points that you need to be compliant — not just in the U.S. but abroad. Remember, as long as you receive web visitors from other jurisdictions, you’re held to the privacy and data usage standards of that location. 


What’s Required for Privacy Policy Compliance

Compliance should be any business’ goal when crafting a privacy policy. Yet, with the big four having slightly disparate views on what’s essential, this can be hard. At a glance, here’s what you need to include to be compliant: 


Creating a Privacy Policy with Enzuzo

Most experts won’t recommend trying to create a privacy policy from scratch — and we’re inclined to agree for all the reasons we’ve already outlined above. Thankfully, you can use our Privacy Policy Generator to quickly and efficiently create an effective and compliant policy that easily integrates with all the major web platforms. 

Our privacy policy generator defaults to include the major international policies: CCPA, GDPR, PIPEDA, LGPD, and POPIA (South Africa). However, you have the option to upgrade and opt for worldwide coverage as well as outline how data transfers are managed for EU customers. 

Additionally, you’ll appreciate that our generator includes a privacy policy template for ecommerce that updates in real time as you add your information into the prompts on each screen. 

The easiest way to get started is to head over to Enzuzo's privacy policy generator and sign up for a free account. Next, follow this step-by-step process: 


1. Complete a short questionnaire

We ask you some details about your business or website to generate a policy page personalized to your requirements.

You’ll need to share your:

  • Legal business name
  • Business address
  • Email address and/or phone number


2. Pick Your Business Type

First things first, determine what kind of business you’re running. Additionally, you can always preview the policy in both desktop and mobile format.

3. Add The Essential Details


Drop in your official business name as well as physical address. Meanwhile, your policy updates in real time so you can see exactly what’s being included as it’s being created. 


4. Add Contact Details


Choose how much or how little information you want to include. Just remember that you’re legally required to include at least one form of legitimate contact. Note here is where you can also include details if your company is a DBA (doing business as). 


5. Customize your privacy policy

The next step is to assist you with customization. We give you a handful of options that allow you to control how your privacy policy looks on your site. 

Stick with our standard title, or choose a new one for your privacy policy instead. Select a border style for your drop-down sections and get a preview for how this looks. You can choose from drop shadow, bordered, or no border for a more seamless look. 

You might notice we don’t get into colors and fonts here. That’s because Enzuzo pulls this styling directly from your website theme, so there’s no clashing of styles. 

In this step, you're also able to customize your policy to be compliant with privacy laws. Changes made here are reflected in the wording, so it’s important to choose wisely to cover all your bases. We recommend checking all the boxes here so you’re covered, no matter where your next visitor or customer comes from.


6. Customizing Cookies, Privacy Laws, and Applicable Communications

After you’ve established the essentials for your business details, it’s time to specify cookie usage. Note that the generator is preset to usage for web applications, to remember preferences, and to personalize content. But you also have options for analyzing traffic and third party data sharing. 

Likewise, Enzuzo defaults to the five major privacy laws (CCPA, GDPR, PIPEDA, LGPD, and POPIA), but you can also opt for worldwide coverage. Specifically for GDPR compliance, you can clarify whether you process and/or transfer personal data — and if so, where this activity occurs. If you have multiple company locations, you can also specify that. 

The generator defaults to stating that your business doesn’t collect personal or sensitive data — as well as usage information — but you can adjust this if needed. If you use analytics or remarketing solutions, the Generator can be edited to reflect this. 

You can also let your web visitors know if your business is certified under the EU-US Privacy Shield Framework, and if you want your privacy policy to also apply to any form of communication you use to connect with your audience. Finally, you can also specify if there is a minimum age requirement to use your website. 


7. Save and publish your new privacy policy

Your privacy policy is almost ready. Next up, you’ll need to save your policy and share a few details with us so you can edit and publish your privacy policy. 

Tell us which website builder you’re using from our drop-down menu.

And that's it! When you've selected your privacy policy builder, we'll generate a JavaScript link that you can add to the footer of your website. Just follow our simple instructions, and the privacy policy will be live.


Don’t Do It Alone with Your Privacy Policy

Privacy policies might not be the most exciting thing you’ll create for your business, but it’s one of the most important from a compliance standpoint. As tempting as it might be to try to find a shortcut, don’t. With services like our privacy policy generator, there’s no excuse to take the risk of expensive litigation and settlement fees because you failed to properly disclose how you’re collecting, using, sharing, or disposing of user data. Don’t take a chance with your business, let Enzuzo keep you compliant. 

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.