You Need a Privacy Policy: Here's Why (and How to Write One)
A privacy policy is one of those things most of us ignore day-to-day. We breeze past them to log into websites and to download something we need. But moving forward, we're all going to need a privacy policy. If your app or service doesn't already have one, it will likely require one soon.

Apple recently changed its developer policy to require that every iOS app have a privacy policy, along with a page on the web where that policy is hosted. Apple hasn't stated its motivation, but the decision arrives in the wake of many scandals involving the brokering of personal data to outside parties, often without users' knowledge or consent.

But how can you, the tech pro who (probably) hasn't gone to law school, craft a privacy policy? It takes some work, but it's simpler than you think. The first thing to know is that a privacy policy doesn't have to be full of legalese; you can write a readable policy that anyone will be able to grasp.

What to Know About Your Privacy Policy

According to KJ Dearie, Product Specialist and Privacy Consultant for Termly, everyone should follow GDPR guidelines. “As of May 25, 2018, the standards to meet when crafting a privacy policy are those established by the GDPR. While this legislation applies to companies that collect data from EU citizens, it has also set a new global precedent for the transparency and thoroughness expected from a privacy policy.” You also have to detail what a user’s rights are. From Dearie:
Legally, if you have users in the EU or California, you need to include a section (or sections) that specify the privacy rights that they are granted under those jurisdictions. For example, EU citizens should be informed that they have the right to request to transfer, edit, or delete their personal data, while California citizens should be informed of their right to request that their personal data not be sold.
David Reischer, Attorney & COO for legaladvice.com, notes that a privacy policy can grant you permission to do just about anything. “A good privacy policy should spell out how customer information is used. It is not illegal to track customer behavior or even sell that data to a third party, so long as it is disclosed to a user in advance.”

Dearie points out that, while Reischer is right that disclosure limits your liability, GDPR goes further: it outlines six specific lawful bases under which the collection and processing of personal data is permitted: user consent, legitimate interests, public interest, contractual necessity, vital interests and legal obligation. To remain GDPR compliant, you must state which of these bases you rely on for each processing activity, not merely that the processing happens.

You'll also have to list the partners you sell user data to or who process it on your behalf, but Dearie suggests going a step further: “For the sake of both legal protection and consumer appeasement, add a section to your privacy policy that states where user data may travel to and from. List all your server locations, as well as locations where data may be transferred.”

How to Create a Privacy Policy

You could craft your own policy, so long as you're open about what information the app gathers, which partners you work with, and what you do with user data. Writing your own makes the most sense when your app or service collects no information at all, or stores login credentials and nothing more. Before you write it, inventory what the app actually sends and to whom: third-party SDKs such as analytics, advertising and crash-reporting libraries collect data on your behalf, and the policy has to cover them too.

Hiring a lawyer to craft a privacy policy is probably the most thorough option. It's best suited to apps that are taking VC funding or are the product of a larger company. It's also an option you can revisit later should your app become a hit; a privacy policy can be a living document, so long as you inform users when it changes.

The easiest method for most tech pros is a template. We really like Termly's GDPR-friendly option, which can be customized and hosted at a public URL (which, as we've noted, Apple now requires). It's free to use if you get fewer than 25,000 page views a month and don't need to embed the policy on your own site; Termly hosts the policy and gives you a link to it, which satisfies Apple's rules. If you want to embed the policy on your own page or have a lot of traffic to your site, the $10/month paid option is probably the better choice.

Why You Need a Privacy Policy

Apple is likely a canary in the privacy coal mine. We fully expect Google to follow suit, especially as its recent Google Plus data exposure showed that it is as vulnerable as any other company. Expect web-hosting services to follow at some point as well.

If we're being blunt, a privacy policy is also a CYA policy. Once you've disclosed your terms in plain language, it's the user's responsibility to read and accept them. Explaining clearly what your app does, what data it collects, who has access to that data, and how you (or others) may use it is a preventative measure as much as an act of good faith and taste.

A privacy policy is no longer a suggestion; it's mandatory. Even if you're not publishing to a major native ecosystem, users are starting to care about how their data is handled and who has access to it. One of the more alarming aspects of the recent data scandals is how platforms such as Facebook haven't been clear about who has access to data, and haven't required their own partners to be clear about how data is handled. Yes, it will cost a bit of cash to craft and implement a policy, but a few dollars a month is far more cost-effective than the hit your business and reputation will take if you or your partners aren't clear about how data is handled. Even the best intentions can seem nefarious when you leave people in the dark.