Do I Need a Lawyer for a Privacy Policy?
Practically every website and app needs a Privacy Policy, but most business owners do not need a lawyer to create one.
This article explains how to determine if you need a lawyer’s help when creating your Privacy Policy, and how drafting your own Privacy Policy is simpler than it may seem.
- 1. What is a Privacy Policy?
- 2. Are Privacy Policies Legally Required?
- 3. Do I Need a Lawyer to Create a Privacy Policy?
- 4. How Can I Write My Own Privacy Policy?
- 4.1. Use a Privacy Policy Generator
- 4.2. Use a Privacy Policy Template
- 4.3. Read Online Resources
- 4.4. Adapt Example Clauses
- 5. What Should You Include in Your Privacy Policy?
- 6. What are Some Tips for Writing a Privacy Policy?
- 7. When Might You Need a Lawyer for a Privacy Policy?
- 7.1. You are in a Highly Regulated Industry
- 7.2. You Handle Large Volumes of Sensitive Personal Data
- 7.3. You Have Complex/International Data Flows
- 7.4. Your Business is Aimed at Minors
- 8. Summary
What is a Privacy Policy?
A Privacy Policy is a legal document that outlines your data processing activities such as what types of personal data you collect, why you collect this data, and how it’s used.
Monday states this clearly in the first sentences of its Privacy Policy:
Are Privacy Policies Legally Required?
Yes, in most cases. Privacy laws in most jurisdictions require a Privacy Policy if you collect or process personal data, and since the majority of businesses collect at least some personal data, most if not all businesses need one.
Just a few of the privacy laws that require a Privacy Policy are the EU’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and, in the USA, the California Online Privacy Protection Act (CalOPPA).
The definition of “personal data” differs slightly around the world, depending on which privacy laws apply. However, the typical definition is any information that could identify, or be linked to, a specific person. This includes obvious identifiers such as names and home addresses, but also less obvious ones such as IP addresses, device identifiers and online account details.
Some categories of personal data are considered “sensitive” because there’s an increased risk of harm to the individual if the data falls into the wrong hands. Examples of sensitive data are health information, and religious or political affiliations.
Even if you do not collect or process personal data, you could have a privacy statement confirming this. For more information on this, check out our feature article: Why You Need a Privacy Policy Even if You Don’t Collect Personal Data
Do I Need a Lawyer to Create a Privacy Policy?
For most businesses, the answer is no. You do not need to hire a lawyer to write a Privacy Policy for your business, which is good news for small businesses with limited funds or cash flow, since privacy lawyers can be expensive.
Most businesses do not require overly complex Privacy Policies. There are various free or cost-effective resources you can use instead, so let’s explore them.
How Can I Write My Own Privacy Policy?
Many people find the idea of writing their own Privacy Policy overwhelming. This hesitancy is understandable. After all, a Privacy Policy is a legally required document with real legal consequences.
Luckily, you don’t need to do it alone. Instead, you have some options.
Use a Privacy Policy Generator
Privacy Policy generators are highly effective and convenient ways to create Privacy Policies. All you need to do is answer some simple questions and the generator will create a policy based on, for example, whether your Privacy Policy is for an app or website, and which country’s privacy laws will apply.
Our Privacy Policy generator is simple to use. It only takes a few minutes to answer the questions about your business and your commercial practices, and the result is a Privacy Policy you can rely on.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country.
- Answer the questions from our wizard relating to what type of information you collect from your users.
- Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
Use a Privacy Policy Template
A Privacy Policy template can help give you a great base to use when writing your own Privacy Policy. The template will include an outline of general clauses that you can fill in with specific information that’s relevant to your own business practices.
While not as comprehensive in scope or as simple to use as a generator, Privacy Policy templates are still very helpful. You will, however, need to remember to include clauses specific to your business practices, since these templates may be quite general.
Always use a trusted source which keeps Privacy Policy templates up-to-date. Otherwise, you risk publishing an outdated, unreliable, and unprofessional Privacy Policy on your website.
Read Online Resources
There are various guides available that walk you through how to write a Privacy Policy. They are usually free, so they’re accessible to all businesses.
Privacy Policy resources can help you comply with specific privacy laws and understand your wider compliance responsibilities. For example, this article on GDPR compliance for start-ups guides you through how new businesses can protect personal data, which includes creating a Privacy Policy. And this article guides you through how to check an existing Privacy Policy for compliance with the California Consumer Privacy Act (CCPA).
Adapt Example Clauses
Privacy Policy clauses often use similar wording. This actually helps users, because it allows them to become more familiar with Privacy Policies and quickly understand the content. For businesses, it’s also helpful because you can use existing clauses as a reference point.
For example, consider a clause like this one from another Privacy Policy, that outlines the types of personal data a company collects:
Instead of reusing the other company’s list verbatim, update the items to reflect your own practices. Even if your list happens to be identical, reword it so that the clause is your own rather than copied and pasted.
To avoid copyright issues, we do not recommend copying clauses from another Privacy Policy. Using them as inspiration and guidance to create your own, however, is a helpful approach.
What Should You Include in Your Privacy Policy?
At a minimum, your Privacy Policy should include the following clauses:
- Confirmation of whether you process personal data, and what types of data you process
- A summary of the user’s privacy rights and how they might exercise them
- Your purpose for collecting personal data
- How you collect and use personal data
- Who you might share personal data with, such as third parties
- How you store personal data and keep it safe
- How long you keep personal data and how it is erased
- Your contact information
What are Some Tips for Writing a Privacy Policy?
The simplest and fastest way to create a legally compliant Privacy Policy for your business is to use a generator, or template. However, if you do decide to write your own Privacy Policy, or you want to add extra clauses to a generated Privacy Policy, here are some tips.
- Know which privacy laws apply. This will depend on your business, your jurisdiction, and where your customers are based.
- Perform a privacy audit. Map how personal data enters your systems, where it is stored, who can access it, and where it flows, including to third parties. Your policy should describe what you actually do with that data and the safeguards you actually have in place; a policy that promises more protection than you deliver can itself become a legal liability.
- Determine what information you truly need to collect. You can do this by thinking of your purpose for collecting the data. If you don’t have a clear purpose, you probably don’t need all the data you process.
- Explain things in clear and simple terms. Use short paragraphs for readability, and use formatting such as bold or italics for emphasis. Above all else, make sure the content is easy for your target audience to understand.
When Might You Need a Lawyer for a Privacy Policy?
There are businesses which may benefit from a lawyer’s input before publishing a Privacy Policy. You might consider hiring an attorney to draft a Privacy Policy, or evaluate your existing Privacy Policy, if your company falls into one of the following categories.
You are in a Highly Regulated Industry
Some industries are subject to greater scrutiny and regulatory oversight than others. These industries include law, medicine, finance, and pharmaceuticals.
Businesses operating in these niches may be subject to more stringent privacy rules. They may also have more detailed disclosure requirements. It’s important that compliance with these rules is reflected in your Privacy Policy.
Cigna Healthcare, for example, has a Privacy Policy wholly dedicated to how users can access their healthcare data. It emphasizes how it’s a “Covered Entity” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA):
Bank of America emphasizes how employees can only access certain financial information on a need-to-know basis:
Mistakes in a Privacy Policy can damage your reputation, especially if you’re in a highly regulated industry.
For example, if your Privacy Policy omits required disclosures, it may not satisfy the applicable law, and you could face the same penalties as a business that has no Privacy Policy at all. A policy that is unclear or inaccurate can also expose you to lawsuits or regulatory action.
Large, multinational companies or those in regulated sectors could benefit from legal advice before drafting a Privacy Policy to avoid such concerns.
Even if you’re not strictly in a regulated sector, operating in a niche such as trade unions or religious organizations, where the data you hold is inherently sensitive, could make it worth getting a lawyer’s opinion on your Privacy Policy.
You Handle Large Volumes of Sensitive Personal Data
If you’re working with large volumes of sensitive information, having a lawyer draft or review your Privacy Policy may be beneficial. This type of information includes:
- Biometric data
- Health information
- Political affiliations
- Religious beliefs
- Sexual orientation
- Financial information
- Trade union membership
Everly Health, for example, processes home blood tests. It has a separate Privacy Policy solely to address how it handles sensitive health information in compliance with HIPAA:
You Have Complex/International Data Flows
When you have international users, your data processing activities are typically more complex. Personal data may cross borders, several jurisdictions’ laws may apply at once, and some of them impose their own rules on international transfers. You need to understand how your data flows fit together, and you’re also obliged to comply with privacy laws you may be less familiar with.
Gymshark, for example, has multiple Privacy Policies covering various territories and scenarios:
eBay has a series of corporate rules designed to protect data as it’s collected, processed, and transferred around the world:
When we consider these factors, it’s unsurprising that some Privacy Policies may be more nuanced or comprehensive than others. In these scenarios, you might benefit from legal advice to ensure that you’re complying with all applicable rules and regulations.
Your Business is Aimed at Minors
Children and minors under 18 years of age are often granted additional protections under privacy laws, although the age threshold varies by law. If you’re targeting underage users with your products, website or app, then you will likely need specific clauses and procedures in place to protect their data.
The requirements can vary considerably, depending on which privacy laws apply. For example, under the US federal Children’s Online Privacy Protection Act (COPPA), which covers children under 13, your policy must tell parents what information you collect from their children, how you use and disclose it, and how parents can review or delete that information and give or withdraw their consent.
Here’s an example of such a clause from Paramount:
Given the complexities, you might want a lawyer’s advice on Privacy Policies aimed at minors.
Summary
Do you need an attorney to write a Privacy Policy? In most cases, the answer is no. Most small and even medium-sized businesses can create their own Privacy Policy using an online generator or template, or they can write their own.
There’s no legal obligation to hire a lawyer to draft a Privacy Policy. However, some business owners may feel more comfortable hiring an attorney, particularly if their company falls into any of the following categories:
- You’re operating in a highly regulated industry where privacy concerns are particularly complex, such as health or finance.
- Your business processes large volumes of sensitive information, which could result in harm, or a loss of security, if it fell into the wrong hands.
- Your business is international and/or has complex and numerous inputs for data collection.
- You target minors, or users under the age of 18.
If you decide to write your own Privacy Policy, you can use online tools to generate legally compliant policies for your business. And if necessary, you can manually add extra clauses as required. Or you may write your own Privacy Policy from scratch.