100 Overlook Center, 2nd floor, Princeton, New Jersey, 08540, USA

How to Draft a Privacy Policy: a Detailed Tutorial from Stalirov&Co IT lawyers

In August 2021, WhatsApp's Privacy Policy mistakes cost the company EUR 225 million. And in January 2022, Google had to pay 90 million EUR for violating the procedure consent for using cookies. The United States Federal Trade Commission (FTC) is threatening to fine Facebook more than $22.5 million for breaching its Privacy Policy and sharing personal data with Cambridge Analytica during a US election. In October 2018, Facebook was fined $644 million for leaking the user's data.

E-commerce received the highest number of GDPR and CCPA violation fines in 2021. The Social Networking industry takes second place for receiving fines; the Technology sphere is in third place on this list.

E-commerce received the highest number of GDPR and CCPA violation fines in 2021.

In the article IT lawyers explain how to avoid penalties and IT product blocking, how to draw up a Privacy Policy for the website or the mobile application to comply with the requirements of GDPR, CCPA and other acts and regulations in the sphere of privacy and data protection.


What is a Privacy Policy on a website or app? 

The Privacy Policy is a legal agreement that explains what personal data you collect for the website or app from the visitors/users, the purposes for this, and how you process and operate with and protect this data.


Why is it necessary to have the Privacy Policy?

Let's highlight 4 reasons to develop and publish a document.


To comply with the GDPR, CCPA and local data protection laws and regulations

There is a legal requirement to have the Privacy Policy on a website or mobile app. If an IT product targets audiences in different countries, then the Privacy Policy must comply with the requirements of the laws of such regions. In this case, the rule applies: if the user comes to you, then your law applies; if you go to the user, then users’ law applies.

California has the California Online Privacy Protection Act (CalOPPA) and the Consumer Privacy Act (CCPA). The acts apply to companies that collect personal data from California residents, meaning their laws go beyond the boundaries of one state. For example, your company is located in Seattle or Boston but processes users' personal data from California. Then the Seattle or Boston company must comply with CalOPPA and CCPA requirements.


These are some acts that regulate privacy:

  • The Children's Online Privacy Protection Act (COPPA) is in the US.
  • In Canada - Personal Information Protection and Electronic Documents Act (PIPEDA).
  • In the EU - General Data Protection Regulation (GDPR).


Your consumer's (user's) location influences the requirements you need to comply with in your Privacy Policy. For example, there are differences between CCPA and GDPR. The first applies to the protection of the B2C segment, but the second - applies to B2C and B2B. At the same time, US companies that work with European markets and consumers must adapt their policies to the requirements of the GDPR.


To publish mobile applications in the AppStore and Google Play

Since 2018, AppStore has required all apps to add and publish Privacy Policy. Now, iOS app developers must publish the Privacy Policy before a product can be submitted for review in the AppStore.

The Google Play Software Distribution Agreement, which you accept as a developer, states that the Privacy Policy is required for all Android applications. In addition, the Android Security and Privacy team provided the statistics that 1.2 million privacy-violating apps were blocked in 2021.


To use Google Analytics, Google Ads, Cookies and remarketing tools

Google Analytics included a requirement to have the Privacy Policy in its Terms of Service. The main goal of Google Analytics is to store cookies on the user's computer and collect data with their support, but for such actions, you need to get permission from the user.

Google Ads requires informing users that the IT solution uses remarketing to advertise a product or service, and the user has an opportunity to opt-out of it.

The Twitter Lead Generation Card requires you to enter your Policy URL to use the services. The same condition is for Facebook. When using the Facebook API, you request users' personal data. Therefore, Facebook requires you to provide the Privacy Policy and ensure that you comply with the data protection laws and regulations.

In 2020 activists discovered that Zoom for iOS was sending analytics data to Facebook even if users didn't have an account on the social network. But Zoom Privacy Policy didn’t mention this fact. After the publicity of such a violation, the video conferencing service stopped sharing information.


To use a payment system for online payments

Acquiring systems requires websites or mobile applications to notify users about transferring personal data to payment systems. Therefore, you need the Privacy Policy to connect PayPal, Stripe, Apple Pay, Google Pay, or other payment systems. To make payments in applications, online stores and other IT products, you need to notify users of what financial information you collect, where it goes and for what aims.


Now you know why Privacy Policy is needed on the website or mobile application. Next, we will tell you how to draw it up.


What should be included in the Privacy Policy?

Below are the main questions that should be addressed in the Privacy Policy.


What data do you collect and process?

First of all, define what personal data is.

For example, personal data can be defined as any information directly or indirectly relating to a specific user. Then the separate categories of personal data that are collected can be specified depending on the type of your IT product.

Stalirov&Co IT lawyers drafted the Privacy Policy for the Youwex freelance exchange and stated that the platform collects such data:

  • About customers: first name, last name, email address and password, transaction details (debit/credit card details).
  • About freelancers: first name, last name, email address, password, postal code, country, language skills, education, work experience. In addition, the freelancer provides supporting documents and adds photos, videos and presentations.


Another IT product that IT lawyers have cooperated with is SmartWatch Sync & Bluetooth notifier. There is an application for synchronizing smartwatches with android devices. The list of personal data the users provide to this IT solution differs from Youwex, and includes:

  • Google account data
  • DeviceID
  • Device model
  • Users' email address, first name, last name, location
  • Payment data


Stalirov&Co IT lawyers also drafted the Privacy Policy for the insurance search platform that targeted businesses in the US and EU  - InsuranceHunter. Therefore, it was necessary to cover the requirements of the GDPR and the CCPA in the document. Here is an approximate list of personal information compiled by IT lawyers that were collected by the platform and included to the Privacy Policy:

  • identification data: name, date of birth, age and any family information;
  • biographical data: marital status, gender and employment status;
  • contact details: home or other physical address, email address and telephone number;
  • driver data: car accident details and vehicle information;
  • financial data: credit information and annual income;
  • health data: biometric parameters (height, weight) and health information;
  • technical information such as IP address or identifier.


What are the purposes and grounds for personal data collection and processing?

Purposes should be specific, legitimate and transparent. The GDPR establishes 6 grounds for lawful personal data processing. The main one is the user`s (as a data subject) consent. Other grounds are:

  • Contractual necessity
  • Lawful processing based on legal obligations
  • Vital interests and lawful personal data processing
  • Public interest 

The CCPA's approach is fundamentally different and establishes a presumption of the lawfulness of personal data processing. The collection and processing of personal data is a priori legal and may be carried out by companies. At the same time, to protect the rights of data subjects, the CCPA establishes the right of an individual to send requests to the company to prohibit the selling and transferring of their personal data. The Privacy Policy should indicate this right; if such a request is received, the company should address it and does not have the right to act with the user's personal data in future.


For the Island 211 mobile game, IT lawyers set the following goals:

  • Registration in the game
  • Advertising content demonstration
  • Mutual settlements between players
  • Funds withdrawal
  • Customer support provision and other purposes


The goals for Youwex differ. The platform collects and processes data to:

  • Help the users to find a freelancers' profiles, to book and conduct online sessions;
  • Check the right to provide services in the selected section and direction to maintain services at the highest professional level;
  • Comply with the requirements of legislation in the field of finance and accounting, confirm transactions between the customer and the freelancer;
  • Prevent fraudulent activity on the platform and help to manage users' profiles.
It is prohibited to use personal data for purposes that are not described in the Privacy Policy. Twitter violated this rule and was obliged to pay $150 million under the decision of the US Federal Trade Commission. The case was that Twitter obtained users' phone numbers indicating the security purposes for such collection, but this data was used for the targeted ads.


Сan the collected data be shared?

An IT product owner may share information with different service providers: including sales, marketing, provision of content and features, advertising, analytics, research, data storage, security, fraud prevention, payment systems, delivery services and other services, social networks, data can be shared with partners, courts, law enforcement and government agencies and other persons (third parties) as well. The main requirement for disclosing information to third parties is that the amount of data that is disclosed must be adequate to the purpose and not exceed its implementation. Such third parties must comply with the rules of the Privacy Policy interacting with users' data. It is necessary to inform users in the Privacy Policy to whom (which categories of third parties) the data is transferred and the purposes of such sharing.


What third-party services does the IT product use?

It is obligatory to notify users that third-party services can get access to their personal data. For example, the SmartWatch app uses Flurry, a mobile app analytics platform. All user actions and clicks within the product are recorded and processed. In addition, SmartWatch uses AdMob to make it easier to generate revenue through advertising and Firebase -  for analytics.


Additionally, mobile applications need to obtain consent to access to the device's system settings (mobile phone, for example): location and vibration, background work, opening network links, shopping features, storing data in external storage. In addition to the list, you need to describe the purpose of access to the user's device. For example, the SmartWatch app needs location access to find Bluetooth devices in range.


Another case as an example from our IT lawyers’ experience is Hypelitix. This web service provides public Instagram profile data: posts metadata, IGTV and profile stories. The service uses Google Cloud Vision to recognize text in images and videos on Instagram.


Privacy Policy aims to inform the user about third-party services and, if possible, to fix links to their public documents. This rule also applies to payment systems.


Cookie files

First of all, define what such cookie files are.

The cookie files are the pieces of data that the server sends to the user's web browser. Cookie files are used for analytics, performance and advertising purposes.

IT lawyers prepared the Privacy Policy for the SnekerStudio online store. The document included a detailed description of the types of Cookies, the time and purpose for their storage. For example, basket_id is stored for 4 years for the Basket operation on the website. Google DoubleClick uses the IDE for advertising purposes and collects information about how users can cooperate with the website. Storage time - 1 year. Facebook uses _fbp and fr cookies to deliver relevant ads. Storage time - 2 months.

Violating the GDPR rules connected with cookies can cause penalties for websites or mobile application owners. In January 2022, French Data Protection Authority (CNIL) imposed a EUR 90 million fine on Google LLC. The reason - YouTube makes it easy to accept cookies, but it's harder to refuse them. CNIL noted that opting out of YouTube cookies requires the user to make a few clicks, while acceptance requires only one click. But opting out of cookies should be as simple as consenting, and YouTube has violated such GDPR requirements.

It is essential to obtain explicit (active) consent from the user to use cookies and provide the opportunity to withdraw such a decision at any time simply.


Advertising distribution 

It would help if you devoted a separate paragraph of the Privacy Policy to distributing marketing materials. Suppose you use the user's personal data for marketing and advertising purposes. In that case, it is necessary to indicate how you operate with the personal data for such purposes and specify if you can use it for internal marketing and email delivery, including through mailing lists, SMS and text messages. The user should be able to refuse - to unsubscribe, for example. There is a mandatory requirement of the GDPR and CCPA.

In July 2020, the Italian Data Protection Authority imposed a EUR 17 million fine on telecommunications company Wind for its illegal direct marketing activities. The company sent advertisements to Italian customers without their consent. But customers could not refuse it because the company indicated incorrect contact details.


The financial services giant BBVA had a similar case. The Spanish DPA imposed a €5 million fine on the company for sending SMS messages without consumer consent.


What security measures does the website or app take?

Websites and applications implement physical, electronic and procedural security measures to protect personal data. Article 32 of the GDPR offers to provide the following security measures:

  • Anonymization
  • Encryption
  • Integrity and continued confidentiality
  • Stability of processing systems and services
  • Ability to restore access in a timely manner
  • Efficiency testing


Let's take an example of violations. Zoom's audience has grown from 10 million daily users in December 2019 to 300 million in April 2020. At the same time, the program's security methods have been thoroughly tested. Experts found several violations.
🔸In March 2020, researcher Jonathan Leitshu discovered a trivial remote vulnerability in Zoom for Mac that allows any malware to turn on the camera without the user's permission.
🔸The New York Times later reported that Zoom used a data mining feature that matched Zoom users' names and email addresses with their LinkedIn profiles without the users' consent. Such actions violate the GDPR rules of anonymity. Not to violate the GDPR principles, Zoom has permanently removed the feature.
🔸And one example of violation - the Mac microphone could remain the listening function even after the end of the Zoom meeting.
Such situations demonstrate that Zoom is not taking sufficient security measures to comply with the requirements of Art. 32 GDPR.


Where and for how long is personal data stored?

Each IT product independently determines the place and time of the user's personal data storage. For example, freelance exchange Youwex undertakes to delete personal data within 180 days from the date of deletion of the profile by the user.

The Sneker Studio stores data throughout the existence of a personal account.

The retention period of the SmartWatch depends on the purpose of data collection. For example, account registration data is stored for marketing purposes while the application is installed on the user's device (mobile phone).


How to get access, update or delete data?

To make the Privacy Policy compliant with the GDPR and CCPA, describe how the user can access, view, update, correct and delete personal data. The algorithm of actions should be simple. For example, to send a request to an email address.

Here's how the Youwex developers did it. The user can enter his profile and change information about himself to the extent that the system allows it. The user also has the right to submit a request to change information about him by email: support@youwex.com. If he wants to submit a request for the deletion of personal data following the requirements of the GDPR, he needs to send an email to the address support@youwex.com. When submitting a request by email, the user will be asked to provide information for identification and verification.

The CCPA and GDPR requirements for user access to personal information differ. Therefore, when Stalirov&Co IT lawyers wrote the InsuranceHunter policy (a platform for users from the EU and the US, including California), they added special notices for California residents describing the rights to access or request for deletion of personal data.


2 additional recommendations for your Privacy Policy

Place the Privacy Policy in an accessible place

The Pew Research Center surveyed 4,272 Americans. Only 9% of them read Privacy Policy entirely before accepting it. About 36% said they never read the document. Despite the disappointing statistics, the document should be easily accessible. In addition, this is a requirement of the GDPR and CCPA. User experience demonstrates that the registration form or website/mobile application footer are the ideal places to place the Policy link and to obtain the user's consent to be bound by its terms.

Use plain language writing the Privacy Policy 

Kevin Litman-Navarro, the journalist, studied 150 privacy policies. Using the Lexile service, he tested how easily the documents were understood. According to service standards, doctors and lawyers must understand a material with a score of 1440. To the surprise of the journalist, many politicians exceed this standard. You may think that this is not the core issue. But even regulatory authorities pay attention to the accessibility criterion. Ireland's DPA in the WhatsApp case stated that the messenger did not comply with the policy's easily accessible requirements. The company must use language that is understandable to users. This kind of violation cost WhatsApp EUR 225 million.


We encourage you not to repeat the mistakes of the world giants and use our advice for writing your Privacy Policy understandable (user friendly), choosing convenient formatting and implementing functional navigation.


Article navigation
Follow the latest news
Latest articles

Latest cases

All cases
For the full operation of the website and the improvement of service provision, we use anonymous data provided by Сookies!
Call me back IT lawyer will contact you
to discuss details
Service order IT lawyer will contact you
to discuss details
Thanks for reaching out!

An IT lawyer will contact you with legal solutions

Thank you for your request!

An IT lawyer will call you back to discuss details

Thank you for your feedback!

We would love it if you tell your friends and colleagues about us

Thank you for your inquiry!

The IT legal team will contact you with options solutions

Thank you for your inquiry!

An IT lawyer will contact you with a few more questions

Thank you for your interest!

Await advice from IT lawyers

Thank you for your inquiry!

The IT legal team will prepare a solution for you

Thank you for contacting us!

An IT lawyer will analyze your situation and offer a solution