Introduction
This checklist provides in-house counsel and professional advisors with a framework for drafting a consumer privacy policy. It can also be used as an audit checklist for organizations that already have a consumer privacy policy.
A consumer privacy policy is a legal document that outlines how an organization gathers, uses, and discloses an individual’s information. This guide addresses how to draft digital consumer privacy policies that govern a consumer’s use of a website or app. Virtually every US organization needs a consumer privacy policy.
To ensure compliance, consider the laws of each state in which the organization conducts business or targets consumers. Note that this checklist is drafted from a general US (rather than state-specific) perspective.
The checklist focuses on how to draft a privacy policy and covers the following steps:
- Draft introductory provisions
- Draft provisions related to information collection, use, and disclosure
- Draft provisions related to user rights, retention, and security
- Draft provisions related to specific compliance obligations
- Draft conclusory matters and finalize
Use this checklist in conjunction with How-to guide: How to determine and apply relevant US privacy laws to your organization and Checklist: Understanding privacy laws in the US.
Step 1 – Draft introductory provisions
| No. | Action |
| --- | --- |
| 1.1 | Identify business and website or app |
| 1.2 | Statement summarizing impact of privacy policy |
| 1.3 | Define key terms |
Step 2 – Draft provisions related to information collection, use, and disclosure
| No. | Action |
| --- | --- |
| 2.1 | Type and methods of information collected |
| 2.2 | Use of cookies and similar technologies |
| 2.3 | Use of personal information |
| 2.4 | Retargeting |
| 2.5 | Information sharing |
Step 3 – Draft provisions related to user rights, retention, and security
| No. | Action |
| --- | --- |
| 3.1 | Set out user rights |
| 3.2 | Disclose retention policies |
| 3.3 | Provide a statement regarding data security |
Step 4 – Draft provisions related to specific compliance obligations
| No. | Action |
| --- | --- |
| 4.1 | Children’s Online Privacy Protection Act (COPPA) |
| 4.2 | State and federal obligations |
| 4.3 | General Data Protection Regulation (GDPR) and other international obligations |
Step 5 – Draft conclusory matters and finalize
| No. | Action |
| --- | --- |
| 5.1 | Contact information |
| 5.2 | Changes to privacy policy |
| 5.3 | Add relevant links |
Scope and use of checklist
US privacy law in its current state is a medley of state and federal laws. Different organizations are subject to different privacy regulations that may impact what they must include in their digital privacy policy.
This checklist provides a generally applicable framework for drafting privacy policies in the United States. It is designed to cover the main topics that most, if not all, privacy policies must include. However, organizations must consider what their specific privacy risks and legal obligations are and tailor their privacy policies accordingly.
General notes
Overview of US legal framework
In general, US privacy laws are derived from different state and federal laws and regulations that tend to target specific categories of information and individuals in specific circumstances, for example, protected health information or personally identifiable information of children under 13.
The state of the law regarding digital privacy policies reflects this legal situation. There is no general requirement to have a privacy policy in the United States. Nor is there a singular format or set of requirements for privacy policies in the United States. Yet, because of the impact of various privacy and data security laws, virtually every organization in the United States should have a privacy policy. Additionally, although the exact language and details vary, a general framework has developed that covers many of the most generally applicable privacy policy topics. This checklist focuses on those generally applicable topics.
For more information, see How-to guide: How to determine and apply relevant US privacy laws to your organization and Checklist: Understanding privacy laws in the US.
Key considerations
Once an organization has published its privacy policy by including it on its website or by attaching it to correspondence or other documents, the failure to adhere to that policy could subject it to enforcement action, litigation, and possible criminal penalties. Therefore, give careful consideration to the guidelines and enforcement actions of the Federal Trade Commission (FTC) and other regulators. Also give consideration to the types of issues being raised in litigation in order to identify trends in enforcement and to improve an organization’s compliance.
FTC guidance generally recommends that organizations employ increased transparency, use privacy statements that are short and easy to understand, and adopt internal-facing binding processes that encourage building privacy into everyday business practices. Consider implementing ‘Privacy by Design’ principles so that privacy issues are evaluated at each stage when a product or service is designed, rather than after the fact when it may be difficult or impossible to implement adequate safeguards.
For further information, see How-to guide: How to implement privacy by design within your organization.
Step 1 – Draft introductory provisions
1.1 Identify business and website or app
The privacy policy should begin by identifying the business and website or app to which it applies.
1.2 Statement summarizing impact of privacy policy
Include a statement summarizing the scope of the privacy policy and stating that it is legally binding.
Example
This privacy policy describes how we collect, use, and share your information and your choices and rights under certain privacy laws.
1.3 Define key terms
Include definitions for key terms used multiple times in the privacy policy. This will help to eliminate ambiguity or uncertainty regarding those terms. Examples of common key terms may include personal information, data privacy, consent, and transparency.
Step 2 – Draft provisions related to information collection, use, and disclosure
2.1 Type and methods of information collected
Disclose the type of information collected and how it is collected (eg, forms, tracking).
Organizations often divide these disclosures into two sections: one that discloses the information the organization itself collects from the consumer, and another that lists the type of information collected through other sources, such as credit reporting agencies. For example, one section may be titled ‘Information we collect about you’ and the other may be titled ‘Information we collect about you from others’.
2.2 Use of cookies and similar technologies
Disclose cookies usage in the privacy policy. Provide a brief explanation of what cookies are, the information they provide, and why they are used.
Example
Information from cookies and similar technologies: cookies are text files with small amounts of information that are downloaded to your device by your browser when you visit a website to remember information about you. We use cookies or similar technologies to remember your preferences, understand better how you interact with our services or emails that we may send you, maintain the security of our services, and generally to administer, improve, and promote our services. While you can configure your browser to prevent cookies, or refuse to allow cookies, please note that disabling cookies may make some features or functionality unavailable to you.
Organizations with extensive cookies usage or that are subject to other laws may have to create and link to a separate cookies policy or may detail the types of cookies used and how each is used.
In addition to including a disclosure regarding cookies in your privacy policy, a pop-up notice that discloses the website’s use of cookies is also generally advisable.
2.3 Use of personal information
Provide a summary of how you collect and use personal information. The following are common examples of uses of personal information:
- fulfilment of orders or requests for services or products;
- personalization of the user experience;
- marketing;
- account management;
- record-keeping and administrative purposes;
- management of user requests; and
- contacting the user.
2.4 Retargeting
Retargeting, also called readvertising, remarketing, or re-engagement, is a method of online advertising that targets past website users with additional advertising or marketing. For example, a user who visits www.ABCbikes.com to search for a road bike may be targeted with ads for ABCbikes.com when they are on other websites.
Organizations that use remarketing should disclose this use in their privacy policies. This disclosure should include an explanation of what retargeting is and how the organization uses it. Retargeting providers such as Google Ads will often have requirements for what must be disclosed by organizations that use their services. The following are links to some of the standards from the major retargeting service providers:
2.5 Information sharing
Disclose how personal information may be shared with others. This is typically done with a brief explanation and by providing a list of situations in which the user’s information is shared.
Example
We share your personal information in the following situations:
With third-party providers. We disclose your information to service providers that help us run our business and provide you with goods and services. Third-party service providers include, without limitation: IT service providers, payment processors, task management tools, and scheduling tools. We only disclose your personal information to the extent necessary for the third-party providers to provide their services.
The list would then go on to cover other situations in which data is shared. In addition to sharing with third-party providers, it is also common for organizations to share data with others in the following situations:
- for legal purposes;
- upon request or additional consent of user;
- with other users where the sharing of information does not identify the user and it is shared for statistical or research purposes; and
- when the business structure changes.
Step 3 – Draft provisions related to user rights, retention, and security
3.1 Set out user rights
List the user’s rights over their personal information and how they may exercise those rights. A user’s rights are covered by the applicable state or federal law, and typically include the right to:
- access personal information;
- delete personal information;
- correct or update personal information;
- transfer personal information; and
- object to or restrict the processing of personal information.
3.2 Disclose retention policies
State the organization’s policy for retaining consumer information; for example, how long information is retained after a user closes their account. Best practice is to store information no longer than necessary to complete the task for which it was provided.
3.3 Provide a statement regarding data security
Include a statement indicating how user information is kept secure. Typically, it is appropriate to provide a general statement regarding the fact that the organization takes data security seriously, a summary of the types of efforts it takes, and a disclaimer that data security cannot be guaranteed.
Example
We take keeping your information safe seriously. We use various administrative, technical, and physical safeguards to protect your personal data from being lost or accessed without authorization. These safeguards are designed to take into account the nature of the personal data collected and its processing, and the threats posed.
We also have procedures in place to deal with any suspected breach of our data security. We will notify you and the applicable authorities of a suspected data security breach when and how we are legally required to do so.
Despite these efforts, it is impossible to make an absolute guarantee of the safety of data transfer over the internet.
Organizations with more comprehensive data security obligations or processes can provide a link to their data security policies.
Step 4 – Draft provisions related to specific compliance obligations
4.1 Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA), 15 USC section 6501, et seq, and the FTC regulations put in place to implement that Act, codified at 16 CFR sections 312.1 et seq, set out the requirements for an organization’s online operations to protect children under 13 years old.
Because of COPPA, privacy policies should address whether the website or app targets children under the age of 13. Those that do not target children should explicitly state as much and provide a mechanism for reporting violations.
Example
This website and any products and services offered herein are not intended for persons under the age of 13. ABC Company does not knowingly collect information from anyone under 13 years of age. If you are under the age of 13, you may not sign up for an account or use our site.
If you believe that someone under 13 or the applicable age of digital consent has provided us personal information in violation of this policy, please contact us. If we learn that we have personal information or content from anyone under 13, we take steps to delete that information.
Websites or apps that are directed to children under 13 must comply with the detailed requirements of COPPA. This includes a COPPA notice that is typically incorporated into the privacy policy, as well as direct notice to, and consent from, parents.
For guidance on complying with these requirements, consult Checklist: Understanding privacy laws in the US.
4.2 State and federal obligations
Review your organization’s state and federal privacy and data security obligations and ensure that your privacy policy addresses any requirements. For example, organizations that target customers in California or that meet certain revenue thresholds may need to include provisions related to the California Consumer Privacy Act and the California Privacy Rights Act. As another example, organizations in the health-care industry may need to include provisions related to the Health Insurance Portability and Accountability Act.
For more guidance on complying with these requirements, consult How-to guide: How to determine and apply relevant US privacy laws to your organization.
4.3 GDPR and international obligations
Organizations that have international operations or target international clients should consider whether international laws require provisions to be added to their privacy policy. Currently, the international privacy regulation with the broadest scope is the EU’s General Data Protection Regulation (GDPR). It includes requirements at articles 13 and 14 addressing the information that must be provided to data subjects. See also Practical Resources on EU data protection for further guidance.
Step 5 – Draft conclusory matters and finalize
5.1 Contact information
Provide contact information to allow users to get in touch with the organization regarding questions, concerns, or their rights under the privacy policy. This information could include a representative’s name or the title of the employee in charge of administering the policy, an email address, or a physical address. Review any applicable regulations to see if the organization must include specific types of contact information.
5.2 Changes to privacy policy
Specify that you may make changes to the privacy policy. Also state if and how you will provide users with notice of changes (typically by email).
5.3 Add relevant links
Include hyperlinks to relevant materials such as other related policies of the organization, prior versions of the privacy policy, and informational links.
Additional resources
Related Lexology Pro content
How-to guides:
How to determine and apply relevant US privacy laws to your organization
How to manage your organization’s data privacy and security risks
How to implement privacy by design within your organization
How to develop, implement, and maintain a US privacy law compliance program
How to develop, implement and maintain a US information and data security compliance program
How to evaluate the effectiveness of a data security or data privacy compliance program
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
How to draft a privacy policy, and privacy and data security provisions in contracts
How to manage third party supply chain data privacy, security risks, and liability
Incident response plan readiness and identification of a reportable data breach
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws
Checklists:
Understanding privacy laws in the US
Completing a data privacy risk assessment
Drafting internal privacy policies and procedures
Completing a data and information security risk assessment
Developing key privacy and data security contractual terms and provisions (B2C)
Privacy and data security law training
Completing a data incident response plan assessment
Responding to a data breach
Privacy and data security due diligence in M&A
Quick views:
Key data privacy and data security terms
Collection and use of non-consumer data
Regulation of data brokers