
How to Write an Effective Privacy Policy

We all want to know our personal information is in safe hands. 

Your customers are no different.

More personal data is being collected, stored and used by retailers every day. And an effective privacy policy can help show you’re taking people’s privacy seriously.  


What is a privacy policy?

A privacy policy is a document that explains how your brick-and-mortar and online stores collect, use and protect customers’ personal information. This policy should be easily accessible to customers, typically via a link in the footer of your store website.

Why omnichannel retailers need privacy policies

Omnichannel retailers need a privacy policy even more than retailers focused solely on ecommerce or brick-and-mortar retail. 

In ecommerce and brick-and-mortar retail, customer data collection can be more limited and focused. For example, small online retailers may only collect personal information through web forms and payment gateways. And small brick-and-mortar retailers may only collect personal information through in-store purchases.

But omnichannel retailers often collect personal information from customers through additional areas. You might be collecting data through mobile apps, social media, customer service calls, loyalty partnerships, and marketing and advertising campaigns. 

This means that omnichannel retailers have access to a glut of personal information from customers, going far beyond core information like names, addresses, email addresses and preferred payment methods.

  • A clear and transparent policy helps to build trust with customers. Customers want to know how their personal information will be used, and a well-written privacy policy can help to reassure them that their data will be protected. 
  • It’s also the law in many jurisdictions. For example, the California Consumer Privacy Act (CCPA) in the United States and the General Data Protection Regulation (GDPR) in the European Union both mandate that companies must have privacy policies.

Alexandra Vesalga is a privacy attorney and the founder of AV Privacy, a consulting firm focused on developing and operationalizing privacy programs for business growth. She said regulators have been highly active in privacy over the past few years, with more and more focus on privacy globally. “Lacking an adequate privacy policy is an easily enforceable issue because it is highly visible to regulators,” said Vesalga.

What should you include in your first privacy policy?

Vesalga suggests retailers provide “clear and accurate information” about data practices. “Different regulators around the world have different requirements for what’s included, and some require disclosures in specific languages or formats,” she added, “but clearly explaining your data practices will get you a long way.” 

For example, your privacy policy could cover the following topics.

1. Say what personal data you will collect

Your policy should specify exactly what information you collect from your customers. Usually, this includes contact details, such as your customers’ names and email addresses, and payment information.

2. Explain how you collect and store data

You also need to explain how you gather this information. This might be through online forms, transactions at your in-store point-of-sale, newsletter sign-ups, social media promotions or through third-party partners.

3. Clarify how you’ll communicate about future policy changes

You should also tell customers how you will inform them about any important changes to the privacy policy. “Most businesses take the view that the privacy policy can be updated at any time,” said Vesalga. But if you’re making a big change to how you collect, store or share data, then you need to inform data owners. “Email is a frequently used method, or in some cases, an in-product notification is acceptable,” she added.

4. Help people access, update or delete their data

You should make it clear how customers can access their data and update it or delete it. Your customers should have full control over their personal information so that they feel comfortable doing business with your company. Vesalga suggests retailers provide at least two channels of communication for customers to exercise their right to access, delete or correct personal data.

5. Be clear about how and why you use cookies 

Here, include information about the types of cookies your website uses, and whether they are used for essential purposes, such as maintaining a user’s login status, or for non-essential purposes, such as tracking user behavior for advertising purposes. This section should also mention how website visitors can manage their cookie preferences and opt out of non-essential cookies if they want to. 

6. Say if you share data with other parties

If you use third-party services such as analytics or advertising platforms, your policy should explain what those services do with user data and how they protect it. This includes any tracking technologies they may use.

7. Show how you protect personal data

What security measures will you put in place to protect the personal information of customers? This could include encryption, firewalls, regular data backups or access controls. Retailers should also explain here how customers can report any security incidents or concerns.

Retail privacy policy best practices

Intellectual property attorney Thomas Galvani frequently writes website terms and conditions as well as privacy policies for his clients, including garment and sporting goods retailers. “There are different schools of thought on how to generally write a privacy policy,” he said. “Some privacy policies are readable, short and highly understandable. The hope is that people will not immediately turn away from reading the policy—and that they will understand it if they do.”

The most important best practice in drafting is clarity, said Beth Fulkerson, a partner in the Chicago office of law firm Culhane Meadows. “However, clarity often competes with simplicity. You can make the policy shorter by linking off to more detailed explanations, and using industry opt-out sites, such as the National Advertising Initiative or the Digital Advertising Alliance.”

Here are some more best practices for omnichannel retailers to consider. 

  1. Be specific. Your policy should clearly explain what type of data is collected and why, and how it will be used. The more specific you can be, the better informed both you and your customers will be.  
  2. Use plain English. Stay away from jargon, unless unavoidable. You want everyone to understand what they are agreeing to when they buy your products, use your website or sign up for your marketing emails.   
  3. Update the policy. Reviewing and updating your retail privacy policy is important. Laws can change or become more stringent. What was acceptable one year may no longer be when regulations change.

Make sure that all of your opt-out links work, and that your ad tech providers are following through on the opt-outs directed to them, suggests Fulkerson. “Your contact for questions or concerns can have a generic email address but must go to people who actually respond.”

Find out more about privacy policies

You can also find plenty of resources online to help draft your first policy. You can find a list of state laws about digital privacy here. The following resources are worth a look too.

By having a clear and concise privacy policy, you can help build trust with your customers and show them that you value their information. 
