Lokker

Privacy Policy and Cookie Policy Content Guide

This guide helps you write clear, compliant privacy policies and cookie policies that meet regulatory requirements while being understandable to users. Whether you're subject to GDPR, CCPA, CPRA, or state privacy laws, this guide shows you what content to include and how to structure it effectively.


Overview: Why Privacy Policies Matter

Privacy policies are legally required under:

  • GDPR (Articles 13 & 14) - Must provide privacy notice before collecting data
  • CCPA/CPRA - Must disclose data collection and sharing practices
  • US State Laws - VCDPA, CTDPA, CPA, and others require privacy notices
  • Sector-Specific Laws - HIPAA, GLBA, COPPA have specific notice requirements

Business Benefits

Beyond legal compliance, privacy policies:

  • Build Trust: Transparent policies build customer confidence
  • Reduce Risk: Clear disclosures reduce legal liability
  • Improve UX: Users understand what data you collect and why
  • Support Marketing: Privacy-respecting brands differentiate themselves

Common Mistakes to Avoid

  • ❌ Using legal jargon that users can't understand
  • ❌ Hiding important information in long paragraphs
  • ❌ Not updating policies when practices change
  • ❌ Copying policies from other companies without customization
  • ❌ Missing required disclosures for your jurisdiction
  • ❌ Not linking policies where required (website footer, consent banners)

Privacy Policy Structure

A well-structured privacy policy should include:

  1. Introduction - Who you are and what this policy covers
  2. Information You Collect - What data you collect and how
  3. How You Use Information - Why you collect data and how you use it
  4. Data Sharing - Who you share data with and why
  5. Data Storage and Security - How you protect data
  6. Your Rights - User rights and how to exercise them
  7. Cookies and Tracking - Cookie usage (or link to cookie policy)
  8. Third-Party Services - Third-party tools and services used
  9. International Transfers - If data crosses borders
  10. Children's Privacy - COPPA compliance if applicable
  11. Policy Updates - How and when you update the policy
  12. Contact Information - How to reach you with privacy questions

Structure Comparison by Regulation

Section | GDPR Required | CCPA Required | State Laws Required
Data Controller Info
What Data Collected
Legal Basis (GDPR)
How Data Used
Data Sharing
Data Retention
User Rights
International Transfers ⚠️ ⚠️
Cookie Disclosure
Do Not Sell/Share
Contact Information

Required Disclosures by Regulation

GDPR Requirements (Articles 13 & 14)

Must Disclose:

  • Identity and contact details of data controller
  • Contact details of Data Protection Officer (if applicable)
  • Purpose and legal basis for processing
  • Legitimate interests (if using legitimate interest basis)
  • Recipients or categories of recipients
  • International transfers and safeguards
  • Retention period or criteria
  • User rights (access, rectification, erasure, etc.)
  • Right to withdraw consent
  • Right to lodge complaint with supervisory authority
  • Whether providing data is mandatory and consequences of not providing
  • Automated decision-making including profiling

When to Provide:

  • Article 13: When collecting data directly from user
  • Article 14: When collecting data from third parties

CCPA/CPRA Requirements

Must Disclose:

  • Categories of personal information collected
  • Categories of sources from which information is collected
  • Business or commercial purpose for collecting information
  • Categories of third parties with whom information is shared
  • Categories of personal information sold or shared
  • Right to opt-out of sale/sharing
  • Right to delete
  • Right to correct
  • Right to know
  • Right to limit use of sensitive personal information (CPRA)
  • Right to non-discrimination
  • How to exercise rights
  • Authorized agent process

Notice at Collection:

  • Must provide notice at or before point of collection
  • Must disclose categories collected and purpose
  • Must link to full privacy policy

State Privacy Laws (VCDPA, CTDPA, CPA)

Common Requirements:

  • Categories of personal data processed
  • Purpose of processing
  • Categories of data shared
  • User rights (access, delete, correct, opt-out)
  • How to exercise rights
  • Right to appeal (VCDPA, CTDPA)
  • Contact information

Differences:

  • VCDPA/CTDPA: Require appeal process disclosure
  • CPA: Requires disclosure of sensitive data processing
  • Each state: Slight variations in required disclosures

Writing Clear, User-Friendly Language

Principles of Clear Privacy Writing

1. Use Plain Language

  • ❌ "We process personal data pursuant to legitimate interests"
  • ✅ "We use your information to improve our services"

2. Avoid Legal Jargon

  • ❌ "Data subject rights under Article 15 of GDPR"
  • ✅ "You can request a copy of your personal information"

3. Be Specific, Not Vague

  • ❌ "We may share your data with partners"
  • ✅ "We share your email address with our email marketing provider, Mailchimp, to send you newsletters"

4. Use Headings and Bullet Points

  • Break up long paragraphs
  • Use clear section headings
  • Use bullet points for lists

5. Provide Examples

  • Instead of "personal information," say "personal information like your name, email address, and phone number"
  • Give concrete examples of how data is used

Language Examples

Example 1: Data Collection (Bad)

Bad Example: "We collect personal data from various sources including but not limited to direct interactions, automated technologies, and third-party sources in accordance with applicable data protection legislation."

Why It's Bad:

  • Vague ("various sources")
  • Legal jargon ("data protection legislation")
  • No examples
  • Doesn't tell user what data is collected

Example 1: Data Collection (Good)

Good Example: "We collect information you provide directly to us, such as:

  • Account Information: Name, email address, password when you create an account
  • Purchase Information: Billing address, payment information when you make a purchase
  • Communication: Messages you send us through contact forms or email

We also automatically collect some information when you visit our website:

  • Device Information: Browser type, device type, IP address
  • Usage Information: Pages you visit, links you click, time spent on pages"

Why It's Good:

  • Specific examples
  • Clear categories
  • Plain language
  • User understands what's collected

Example 2: Data Sharing (Bad)

Bad Example: "We may share your personal information with service providers and business partners as necessary to provide our services and comply with legal obligations."

Why It's Bad:

  • Vague ("may share")
  • Unclear who receives data
  • No specific purposes
  • "As necessary" is too broad

Example 2: Data Sharing (Good)

Good Example: "We share your information with the following types of companies:

Service Providers (to help us operate our business):

  • Payment Processors: We share billing information with Stripe to process payments
  • Email Services: We share your email address with Mailchimp to send you order confirmations
  • Analytics: We share website usage data with Google Analytics to understand how visitors use our site

Business Partners (only with your consent):

  • Marketing Partners: We may share your email address with marketing partners if you opt-in to receive offers from them"

Why It's Good:

  • Specific companies named
  • Clear purposes for each
  • Distinguishes between required sharing and optional sharing
  • User understands who gets their data

Privacy Policy Sections Explained

1. Introduction

What to Include:

  • Company name and contact information
  • What this policy covers (website, services, apps)
  • Effective date
  • Last updated date
  • Link to previous versions (if applicable)

Example:

This Privacy Policy explains how [Company Name] ("we," "our," or "us") collects, uses, and shares your personal information when you visit our website [website.com] or use our services.

**Effective Date**: January 1, 2025
**Last Updated**: January 1, 2025

**Contact Us:**
Email: privacy@company.com
Address: [Company Address]

2. Information You Collect

Structure:

  • Organize by collection method (directly from you, automatically, from third parties)
  • Or organize by data category (contact info, payment info, usage data)
  • Provide specific examples for each category

Required Details:

  • What information is collected
  • How it's collected (forms, cookies, etc.)
  • Whether collection is mandatory or optional
  • Consequences of not providing information

Example Structure:

## Information We Collect

### Information You Provide Directly
- Account registration information
- Purchase information
- Communication preferences

### Information Collected Automatically
- Device information
- Usage information
- Location information (if applicable)

### Information from Third Parties
- Social media information (if you connect accounts)
- Payment processors
- Marketing partners

3. How You Use Information

What to Include:

  • Specific purposes for each data category
  • Legal basis (for GDPR)
  • Business purposes (for CCPA)

Common Purposes:

  • Provide and improve services
  • Process transactions
  • Send communications
  • Personalize experience
  • Marketing and advertising
  • Legal compliance
  • Fraud prevention

Example:

## How We Use Your Information

We use your information to:
- **Provide Services**: Process your orders, manage your account, respond to your requests
- **Improve Services**: Analyze usage data to improve our website and services
- **Communicate**: Send you order confirmations, updates, and marketing emails (with your consent)
- **Legal Compliance**: Comply with legal obligations and respond to legal requests
- **Security**: Detect and prevent fraud, abuse, and security threats

4. Data Sharing

What to Include:

  • Categories of third parties you share with
  • Specific companies (if possible)
  • Purpose for each sharing
  • Whether data is "sold" or "shared" (CCPA)
  • Opt-out mechanisms

Required Disclosures:

  • GDPR: Categories of recipients
  • CCPA: Specific categories, whether sold/shared
  • State Laws: Categories of third parties

Example:

## How We Share Your Information

We share your information in the following ways:

**Service Providers**: We share information with companies that help us operate our business:
- Payment processors (Stripe, PayPal)
- Email service providers (Mailchimp)
- Analytics providers (Google Analytics)
- Cloud hosting providers (AWS)

**Business Partners**: With your consent, we may share your email address with marketing partners

**Legal Requirements**: We may share information when required by law or to protect our rights

**Business Transfers**: If we merge or are acquired, your information may be transferred

**We Do NOT Sell Your Personal Information**: We do not sell your personal information to third parties.

5. Data Storage and Security

What to Include:

  • Where data is stored (geographic locations)
  • Security measures implemented
  • Data retention periods
  • How data is deleted

Example:

## Data Storage and Security

**Where We Store Your Data**: Your data is stored on servers located in [location]. Some service providers may store data in other locations.

**Security Measures**: We implement technical and organizational measures to protect your data:
- Encryption in transit (SSL/TLS)
- Encryption at rest
- Access controls
- Regular security audits

**Data Retention**: We retain your data for as long as necessary to provide services and comply with legal obligations. Account data is retained until you delete your account or request deletion.

6. Your Rights

What to Include:

  • List of rights available to users
  • How to exercise each right
  • Response timelines
  • Contact information for requests

Rights to Include:

  • Right to access
  • Right to delete
  • Right to correct
  • Right to opt-out (CCPA)
  • Right to portability (GDPR)
  • Right to object (GDPR)
  • Right to restrict processing (GDPR)
  • Right to withdraw consent

Example:

## Your Privacy Rights

Depending on where you live, you may have the following rights:

- **Access**: Request a copy of your personal information
- **Delete**: Request deletion of your personal information
- **Correct**: Request correction of inaccurate information
- **Opt-Out**: Opt out of sale/sharing of your information (CCPA)
- **Portability**: Request your data in a portable format (GDPR)

**How to Exercise Your Rights**:
Email us at privacy@company.com or use our [Data Request Form](/privacy/request)

**Response Time**: We will respond within 30-45 days depending on your location.

7. Cookies and Tracking

What to Include:

  • What cookies are used
  • Types of cookies (essential, analytics, marketing)
  • Purpose of each cookie type
  • How to manage cookies
  • Link to detailed cookie policy

Example:

## Cookies and Tracking Technologies

We use cookies and similar technologies to:
- **Essential Cookies**: Required for website functionality (cannot be disabled)
- **Analytics Cookies**: Help us understand how visitors use our site
- **Marketing Cookies**: Used to deliver relevant advertisements

You can manage cookie preferences through our [Cookie Settings](/cookie-settings) or your browser settings.

For detailed information about our cookie usage, see our [Cookie Policy](/cookie-policy).

8. Third-Party Services

What to Include:

  • List of third-party services used
  • What data they collect
  • Links to their privacy policies
  • How to opt-out (if applicable)

Example:

## Third-Party Services

We use the following third-party services:

**Google Analytics**: Collects website usage data. [Privacy Policy](https://policies.google.com/privacy) | [Opt-Out](https://tools.google.com/dlpage/gaoptout)

**Stripe**: Processes payments. [Privacy Policy](https://stripe.com/privacy)

**Mailchimp**: Sends marketing emails. [Privacy Policy](https://mailchimp.com/legal/privacy/)

9. International Transfers

What to Include:

  • If data is transferred outside user's jurisdiction
  • Where data is transferred to
  • Safeguards in place (GDPR)
  • Legal basis for transfer

Example:

## International Data Transfers

If you are located in the European Economic Area (EEA), your data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable

10. Children's Privacy

What to Include:

  • Age restrictions (typically 13 or 16)
  • COPPA compliance if applicable
  • Parental consent requirements
  • How to request deletion of children's data

Example:

## Children's Privacy

Our services are not intended for children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. Policy Updates

What to Include:

  • How users will be notified of changes
  • How to review policy updates
  • Effective date of updates
  • Archive of previous versions (recommended)

Example:

## Policy Updates

We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last Updated" date
- Sending an email notification (for material changes)

We encourage you to review this policy periodically.

12. Contact Information

What to Include:

  • Privacy contact email
  • Mailing address
  • Data Protection Officer contact (if applicable, GDPR)
  • Phone number (optional but helpful)

Example:

## Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us:

**Email**: privacy@company.com
**Address**: [Company Address]
**Data Protection Officer**: dpo@company.com (EU users)

Cookie Policy Structure

A cookie policy is a detailed explanation of:

  • What cookies are used on your website
  • What each cookie does
  • How long cookies last
  • How users can manage cookies

Cookie Policy vs. Privacy Policy

Cookie Policy:

  • Detailed cookie information
  • Technical details about each cookie
  • Cookie management instructions

Privacy Policy:

  • Broader privacy practices
  • May include cookie overview
  • Links to detailed cookie policy

Best Practice: Have both a privacy policy (general) and cookie policy (detailed)

For Each Cookie, Disclose:

  • Cookie name
  • Purpose (what it does)
  • Type (essential, analytics, marketing, etc.)
  • Duration (session, persistent, expiration date)
  • First-party or third-party
  • Whether consent is required

Recommended Sections:

  1. What Are Cookies? - Simple explanation
  2. Types of Cookies We Use - Categories
  3. Cookie List - Detailed table of all cookies
  4. Third-Party Cookies - Cookies set by third parties
  5. How to Manage Cookies - Instructions
  6. Updates to Cookie Policy - How policy changes

Example Structure:

## Cookie Policy

### What Are Cookies?
[Simple explanation]

### Types of Cookies We Use

**Essential Cookies** (Required)
- Purpose: Website functionality
- Cannot be disabled

**Analytics Cookies** (Optional)
- Purpose: Understand website usage
- Can be disabled

**Marketing Cookies** (Optional)
- Purpose: Deliver relevant ads
- Can be disabled

### Detailed Cookie List

| Cookie Name | Purpose | Type | Duration | Consent Required |
|-------------|---------|------|----------|------------------|
| session_id | User session | Essential | Session | No |
| _ga | Analytics | Analytics | 2 years | Yes |
| _gid | Analytics | Analytics | 24 hours | Yes |

### How to Manage Cookies
[Instructions for browser settings and cookie preferences]
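The cookie table above is only accurate if it matches what the site really sets, and the update checklist later in this guide asks you to "compare practices to policy disclosures". The following script is an added illustration of that comparison, not Lokker's code: it parses `Set-Cookie` headers from a constructed capture, derives each cookie's lifetime from `Max-Age` or `Expires`, and checks the result against a declared inventory copied from the sample table. The `_fbp` cookie in the capture, the `DURATION_SECONDS` mapping, the `example.com` domain and the fixed audit timestamp are all assumptions made for the example.

```python
"""Audit the cookies a site actually sets against the cookie list declared in
its cookie policy.

Added illustration for this guide, not Lokker's code. The declared inventory
mirrors the sample cookie table; the Set-Cookie capture and the timestamp are
constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Declared inventory, copied from the sample cookie table (constructed).
DECLARED = {
    "session_id": {"type": "Essential", "duration": "Session", "consent_required": False},
    "_ga": {"type": "Analytics", "duration": "2 years", "consent_required": True},
    "_gid": {"type": "Analytics", "duration": "24 hours", "consent_required": True},
}

# Policy durations expressed in seconds; None marks a session cookie (assumed mapping).
DURATION_SECONDS = {"Session": None, "24 hours": 24 * 3600, "2 years": 2 * 365 * 24 * 3600}

# Constructed Set-Cookie headers captured on a first page load, before the
# visitor has answered the consent banner. The _fbp cookie is deliberately
# absent from DECLARED to show how an undisclosed cookie is reported.
CAPTURED_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.123456789.1700000000; Path=/; Max-Age=63072000; Domain=.example.com",
    "_gid=GA1.2.987654321.1700000000; Path=/; Max-Age=86400; Domain=.example.com",
    "_fbp=fb.1.1700000000000.1234567890; Path=/; Max-Age=7776000; Domain=.example.com",
]

# Fixed "now" so Expires-based lifetimes are reproducible (constructed).
AUDIT_TIME = datetime(2025, 10, 21, 7, 0, 0, tzinfo=timezone.utc)


def parse_set_cookie(header: str) -> Dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure or HttpOnly carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def lifetime_seconds(cookie: Dict, now: datetime) -> Optional[int]:
    """Lifetime in seconds, or None for a session cookie.
    Max-Age takes precedence over Expires when both are present (RFC 6265 section 5.3)."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return max(0, int((expires - now).total_seconds()))
    return None


def _matches(observed: Optional[int], expected: Optional[int], tolerance: float) -> bool:
    """True when the observed lifetime agrees with the declared one within tolerance."""
    if observed is None or expected is None:
        return observed == expected
    return abs(observed - expected) <= tolerance * expected


def audit(declared: Dict, headers: List[str], consent_given: bool,
          now: datetime = AUDIT_TIME, tolerance: float = 0.05) -> Dict[str, list]:
    """Compare observed cookies with the declared list and report three kinds of gap:
    cookies the policy never mentions, lifetimes that differ from the declared
    duration, and consent-gated cookies set before consent was given."""
    findings = {"undeclared": [], "duration_mismatch": [], "set_before_consent": []}
    for header in headers:
        cookie = parse_set_cookie(header)
        name = cookie["name"]
        entry = declared.get(name)
        if entry is None:
            findings["undeclared"].append(name)
            continue
        observed = lifetime_seconds(cookie, now)
        if not _matches(observed, DURATION_SECONDS[entry["duration"]], tolerance):
            findings["duration_mismatch"].append((name, entry["duration"], observed))
        if entry["consent_required"] and not consent_given:
            findings["set_before_consent"].append(name)
    return findings


if __name__ == "__main__":
    # On the constructed capture this reports _fbp as undeclared and
    # _ga and _gid as set before consent; the declared durations match.
    for kind, items in audit(DECLARED, CAPTURED_SET_COOKIE, consent_given=False).items():
        print(f"{kind}: {items or 'none'}")
```

Run it once against a capture taken before the banner is answered and once with `consent_given=True`; the first run should show which non-essential cookies fire too early, the second should leave only undeclared cookies and duration mismatches, which are the rows the cookie table needs to gain or correct.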

Third-Party Data Sharing Disclosures

What Must Be Disclosed

CCPA/CPRA Requirements:

  • Categories of personal information sold
  • Categories of personal information shared
  • Categories of third parties
  • Whether you "sell" or "share" data

"Sale" vs. "Share" Under CCPA

Sale:

  • Exchanging personal information for monetary or other valuable consideration
  • Includes data broker relationships
  • Includes advertising that involves data exchange

Share:

  • Sharing for cross-context behavioral advertising
  • Even if no money changes hands

Disclosure Requirements

Must Disclose:

  • Whether you sell or share personal information
  • Categories of information sold/shared
  • Categories of third parties
  • How to opt-out

Example Disclosure:

## Sale and Sharing of Personal Information

**We Do NOT Sell Personal Information**: We do not sell your personal information to third parties.

**We Share Personal Information**: We share the following categories of personal information for advertising purposes:
- Identifiers (email address, device ID)
- Internet activity (website usage)

**Categories of Third Parties**: We share with advertising networks and data analytics providers.

**Opt-Out**: You can opt-out of sharing by clicking [Do Not Sell/Share My Personal Information](/opt-out) or enabling Global Privacy Control in your browser.

International Considerations

Multi-Language Policies

When Needed:

  • Serving users in multiple countries
  • Legal requirement in some jurisdictions
  • Better user experience

Best Practices:

  • Provide policy in user's language
  • Keep translations updated
  • Use professional translation services
  • Link to language-specific versions

Regional Variations

Different Requirements:

  • GDPR (EU): More detailed requirements
  • CCPA (California): Specific opt-out requirements
  • State Laws: Varying requirements

Options:

  1. Single Comprehensive Policy: Include all requirements
  2. Regional Policies: Separate policies by region
  3. Hybrid: General policy with regional addendums

Recommendation: Single comprehensive policy that covers all requirements (easier to maintain)


Policy Update Procedures

When to Update

Update When:

  • Data collection practices change
  • New third parties are added
  • New data uses are introduced
  • Regulations change
  • Business practices change
  • Mergers or acquisitions occur

How to Notify Users

Notification Methods:

  1. Email Notification: For material changes
  2. Website Banner: Prominent notice on website
  3. In-App Notification: For mobile apps
  4. Updated Date: Always update "Last Updated" date

Update Checklist

Step 1: Review Current Policy

  • Review current data collection practices
  • Compare practices to policy disclosures
  • Identify gaps or inaccuracies
  • Note any new practices not disclosed

Step 2: Draft Updates

  • Update relevant sections
  • Add new disclosures if needed
  • Remove outdated information
  • Ensure language is clear
  • Review for regulatory compliance

Step 3: Legal Review

  • Have legal team review updates
  • Ensure compliance with all applicable laws
  • Verify accuracy of disclosures
  • Confirm required disclosures are included

Step 4: Publish and Notify

  • Update policy on website
  • Update "Last Updated" date
  • Send notification to users (if material changes)
  • Archive previous version
  • Update any links or references

Examples: Good vs. Bad Language

Example 1: Data Collection Disclosure

Bad Example

"We collect personal information from various sources including direct interactions, automated technologies, and third-party sources in accordance with applicable data protection legislation."

Problems:

  • Too vague
  • Legal jargon
  • No examples
  • Doesn't tell user what's collected

Good Example

"We collect the following types of information:

Information You Provide:

  • Name and email address when you create an account
  • Billing address and payment information when you make a purchase
  • Messages you send us through contact forms

Information Collected Automatically:

  • Device information (browser type, device type, IP address)
  • Usage information (pages visited, time spent on site)
  • Location information (general location based on IP address)"

Why It's Good:

  • Specific examples
  • Clear categories
  • Plain language
  • User understands what's collected

Example 2: Data Sharing Disclosure

Bad Example

"We may share your personal information with service providers and business partners as necessary to provide our services."

Problems:

  • Vague ("may share")
  • Unclear who receives data
  • "As necessary" is too broad
  • No opt-out information

Good Example

"We share your information with:

Service Providers (to operate our business):

  • Stripe: Processes your payments (receives billing information)
  • Mailchimp: Sends you emails (receives your email address)
  • Google Analytics: Analyzes website usage (receives usage data)

Marketing Partners (only with your consent):

  • We may share your email address with marketing partners if you opt-in to receive offers

We Do NOT Sell Your Personal Information

You can opt-out of sharing with marketing partners at any time by updating your preferences or emailing us at privacy@company.com."

Why It's Good:

  • Specific companies named
  • Clear purposes
  • Distinguishes required vs. optional sharing
  • Includes opt-out information

Example 3: User Rights Disclosure

Bad Example

"Data subjects have certain rights under applicable data protection legislation including but not limited to rights of access, rectification, erasure, and objection."

Problems:

  • Legal jargon ("data subjects")
  • Vague ("certain rights")
  • Doesn't explain how to exercise rights
  • No contact information

Good Example

"You have the following rights regarding your personal information:

  • Access: Request a copy of your personal information
  • Delete: Request deletion of your personal information
  • Correct: Request correction of inaccurate information
  • Opt-Out: Opt out of sharing your information for advertising

How to Exercise Your Rights: Email us at privacy@company.com or use our online form at [website.com/privacy/request]

Response Time: We will respond within 30-45 days."

Why It's Good:

  • Plain language
  • Clear rights listed
  • Specific instructions
  • Includes response timeline

Privacy Policy Checklist

Content Requirements

Basic Information

  • Company name and contact information
  • Effective date and last updated date
  • What the policy covers (website, services, apps)
  • Contact information for privacy questions

Data Collection

  • What information is collected
  • How information is collected
  • Categories of information (CCPA)
  • Sources of information
  • Whether collection is mandatory or optional

Data Use

  • How information is used
  • Purposes for each use
  • Legal basis for processing (GDPR)
  • Business purposes (CCPA)

Data Sharing

  • Who information is shared with
  • Categories of third parties
  • Purpose for each sharing
  • Whether data is "sold" or "shared" (CCPA)
  • Opt-out mechanisms

User Rights

  • List of available rights
  • How to exercise each right
  • Response timelines
  • Contact information for requests
  • Appeal process (if required by state law)

Security and Retention

  • Security measures implemented
  • Where data is stored
  • Data retention periods
  • How data is deleted

Cookies and Tracking

  • Cookie disclosure or link to cookie policy
  • Types of cookies used
  • How to manage cookies
  • Third-party tracking disclosure

International Considerations

  • International data transfers (if applicable)
  • Safeguards for transfers (GDPR)
  • Children's privacy (if applicable)
  • Multi-language versions (if applicable)

Policy Management

  • How users are notified of updates
  • Archive of previous versions (recommended)
  • Clear, user-friendly language
  • Proper formatting and structure

Cookie Policy Checklist

Cookie Information

  • Explanation of what cookies are
  • Types of cookies used
  • Purpose of each cookie type
  • Detailed cookie list with:
    • Cookie name
    • Purpose
    • Type (essential, analytics, marketing)
    • Duration
    • First-party or third-party
    • Consent required

Third-Party Cookies

  • List of third-party cookies
  • What third parties set cookies
  • Links to third-party privacy policies
  • How to opt-out of third-party cookies

Cookie Management

  • Instructions for managing cookies
  • Browser settings instructions
  • Cookie preference center link
  • How to opt-out of non-essential cookies

Updates

  • How cookie policy is updated
  • Last updated date
  • Notification of changes

Last Updated: 2025-01-17