Crafting a Privacy Notice



Increasingly, privacy is becoming a differentiator for consumers, and company privacy notices are a way to show potential customers how you handle consumer data. Beyond competitive advantage, privacy notices offer consumers and regulators an example of your corporate citizenship. In addition, laws in many regions require notices, and a notice can offer an organization legal protection from claims that a business did not provide notice of its consumer data usage. Writing a privacy notice can be daunting, but this topic page can take some of the guesswork out of it.

Featured Resources


Rethinking notice and consent

IAPP Editorial Director Jedidiah Bracy chats with Jen King, the Privacy and Data Policy Fellow at Stanford’s Institute for Human-Centered Artificial Intelligence, about what’s needed for an effective paradigm shift in this space.


Why Batman shouldn’t write your privacy notice

Ryan Chiavetta writes about how once you understand the weight data plays in our society, you really begin to notice how much it permeates the culture in which we consume and take part.


Program aims to help organizations design better privacy notices

Greater Than X Co-Founder and CEO Nathan Kinch believes privacy notices and other legal agreement documents are missing something important: a touch of humanity. Kinch spoke with Ryan Chiavetta about the program and why it would be appealing to chief privacy officers.


Sample CCPA Privacy Notices

This resource provides access to sample privacy notices and templates covering the California Consumer Privacy Act of 2018.


Privacy notices analyzed against the CCPA

This analysis applies the CCPA to the privacy notice of theScore — a sports news application — one of the 17 apps The New York Times recently identified for sharing precise location data. The analysis illustrates how the CCPA impacts privacy notices.


Operational Responses to the GDPR – Transparency and privacy notices

This article examines the GDPR’s requirements for “transparency” and how your organization should respond.

Additional News and Resources

The IAPP updates its privacy notice

According to research we conducted in late 2019, 80% of respondents have updated their organization’s privacy notice one or more times in the last 12 months. Well, it’s time for the IAPP to do it, too. We first conducted a major overhaul of our website’s privacy notice in anticipation of the May 25, 2018, effective date of the EU General Data Protection Regulation. Our goal was (and still is) to offer information to our members about what personal data we collect from them, under what circumst...

UX solution allows companies to create streamlined privacy notices

While conducting demos of their ConsentCheq solution, PrivacyCheq Co-Founders Roy Smith and Dale Smith, CIPT, were constantly running into a problem. Clients would tell them they liked ConsentCheq’s ability to develop privacy notices, but the solution would conflict with other systems already in place. At first, the co-founders thought they could sell companies on their solution by just featuring its privacy notice function, but they soon realized it was not a feasible outcome. This dilemma led...

How not to write your GDPR-'compliant' data protection notice

The mark of an organization’s commitment to data protection is shown through its data protection notice/statement. A robust DP notice is essential. One of the things that a data protection officer is required to monitor is compliance with the DP notice. Unfortunately, some organizations are issuing what can only be termed “Caspar Milquetoast” DP policies. Caspar Milquetoast was a cartoon character who was timid, bland and inoffensive. Obfuscating their data collection and processing activities o...

AI tool scans privacy notices to inform users on data collection

A 2008 study conducted by a pair of Carnegie Mellon University researchers found it would take the average person 201 hours to read every privacy notice they encountered in a calendar year. Since then, the number of websites, apps, and services has skyrocketed, and in Feb. 2016, a different pair of researchers took notice of the rise in popularity of "chatbots" and decided to create one to answer questions about organizations' privacy policies. That bot would eventually be called PriBot, and ...

Privacy notice change management

It might be the oldest topic in the IAPP canon: What makes a good privacy notice? In fact, while attendees of Privacy. Security. Risk. were mingling in San Jose, California, the U.S. Federal Trade Commission was discussing that very topic in Washington, DC, as part of their workshop series. Somehow, though, there remains grist for the mill. The panelists at P.S.R.’s “Making the Grade: Moving Beyond Compliance into Data Stewardship,” moderated by the IAPP’s Jedidiah Bracy, CIPP, even found somet...

On Building Consumer-Friendly Privacy Notices for the IoT

Snapchat made headlines once again late last month after the media latched on to its newest privacy policy update. The Independent reported, “Snapchat’s terms of service allow the company to look through your snaps and share them publicly.” That same report later added, “Very similar worrying phrases were found in Microsoft’s terms and conditions earlier this year, for instance, when a tool that could guess how old you were went viral—but also granted the company the option to use and publish th...

Need To Write a Solid Privacy Notice? A Few Tips

Start-ups and emerging businesses sprinting toward profit have a complex privacy landscape to navigate, but there are several helpful bits of insight that may help mitigate common mistakes, particularly in drafting privacy notices. That was only part of a detailed and in-depth preconference workshop at the IAPP Privacy Academy and CSA Congress, with insight from some of the privacy world’s top legal, operational and regulatory voices.

Best practices in drafting plain-language and layered privacy policies

Privacy policies have become long legal documents that most attorneys, let alone the average consumer, have difficulty understanding. They are meant to provide notice to individuals about data collection, use and disclosure policies. However, they are often complicated, long, unintelligible and, as a result, rarely read by the average consumer. It is important to change this reality. Below are a few best practices in drafting plain-language and multi-layered privacy policies that should help reverse this trend and help the average consumer read and understand your privacy policy.

Five considerations before publicizing privacy policy updates

Changes in the law, in practices of your industry or to your business’s or vendor’s data collection or use practices may trigger a need to update your privacy policy. We recommend that you think about the following five considerations when making changes to your privacy policy. These considerations should help you educate your users, be transparent and accurate in disclosing your practices, and steer clear of regulatory scrutiny.