The art of simple privacy policy:
How to do it right!

Content of this article

How do I write a privacy policy? What must it contain?
What mistakes should I avoid?

A privacy policy has been part of every website since the introduction of the European General Data Protection Regulation in 2018. Its function is to inform users about the processing of personal data on a website. All website operators know this by now. For most, the privacy policy is simply an annoying obligation that is fulfilled poorly rather than well. Users usually cannot do much with the texts, because they are at the mercy of a confusing flood of information in the form of seemingly endless legal prose. The widespread assumption that “nobody reads through that anyway” is probably true in these cases. However, the problem lies not in the volume of information but in its presentation. Operators of such sites should also hope that no one reads this type of privacy statement very carefully, because if supervisory authorities take a closer look, some website operators can expect unpleasant mail.

But what is the right way to do it? This is how you write your privacy policy:

If you want to comply with data protection laws as a company, you should start with your privacy policy. Data protection regulators look first at a site’s privacy policy if they have concerns or receive complaints about your data processing.

1. No more technical jargon: how to inform in an understandable way!

Privacy statements are known as page-long legal texts that a normal consumer does not understand at all, and nobody has the time to read such documents on every website. With the introduction of the General Data Protection Regulation (GDPR), websites not only had to inform, but also had to do so in a user-friendly and understandable way. This means the privacy policy page must be reachable in less than two clicks and must explain the data processing on the website in simple language.


Article 12 EU GDPR:

“The controller shall take appropriate measures to provide the data subject with all information […] relating to the processing in a precise, transparent, intelligible and easily accessible form, using clear and plain language.”


This means that the privacy statement can only fulfill its actual function if the information is presented in an easily digestible way and formulated so that it is easy to understand.


The grandparent test for privacy statements:

Potentially the biggest challenge for companies is telling users in the privacy policy how their data will be treated in a way that is easy for users to understand, yet goes far enough to protect the company from potential litigation.


Therefore, to make privacy content user-friendly, do the “grandparent test”: would your grandparents understand the information in the privacy policy? If not, you should make it even simpler and more transparent. Nevertheless, data processing, especially via third-party providers, is sometimes very complex, and explaining it accordingly becomes a challenge. In this case, it is sometimes necessary to fall back on the legal wording of the providers themselves.

2. No more deluge: don't overwhelm the user with the content of the privacy policy

It is not uncommon for privacy statements to be copied from other websites and used on one’s own website – just exchange the name and that’s it. Unfortunately, it is not quite that simple. Every website is different and uses different services and technologies that store information from website visitors (first-party services) and may pass it on to third parties (third-party services). These must be accurately reflected in the privacy policy. So, logically, it makes no sense for a small business with little data processing to copy Google’s privacy policy, and especially not vice versa.


“Do what you say, and say what you do.”

It is important that you write a privacy policy that accurately reflects your data processing. However, this also means that you only provide information about data processing that you do. Nothing more, nothing less. More information than necessary would be misleading. The rule is: do what you say and say what you do.


Who should sign off on the privacy statement?

A company’s CEOs and board should have the final say. However, the content should be drafted in advance by a lawyer or data protection officer. The IT team and sales department will also come into contact with and use customer data at some point. Therefore, it is best practice for them to provide input on the policy or at least review a draft to ensure that what is communicated about company practices is consistent with their department’s data use.


Be as specific as possible in describing your data handling practices, and then make sure that the rest of the company’s practices do not deviate from those descriptions.



Present each section of the privacy policy in a clear and structured way, for example in a so-called accordion, which displays only the headings and expands the detailed text only when the user clicks on a heading.

3. Put an end to outdated content: how to keep your privacy policy up to date without investing a lot of time

If you have now presented all data processing procedures in your privacy policy according to the requirements, you are done and can sit back. But not for long: nowadays websites are no longer static like a business card, but are subject to a constant process of change and development. A new form here, a plug-in or embedded video there, and you already have to adapt your privacy policy. This is a big challenge even for small websites.

Copying privacy policy templates from the Internet is easy and tempting, as they are usually offered free of charge, but copying templates is not a sustainable practice when it comes to privacy. Don’t worry, this does not mean you have to check your website daily and update the privacy policy by hand. There are now software solutions that do just that for you. This way, you can be sure that the information presented will still be up to date tomorrow, and you can really sit back and tick off the privacy policy issue.


With the European GDPR, data protection law became an issue worldwide. Since the adoption of the EU GDPR, other countries such as Brazil, China, India and Canada have followed the European example with similar data protection laws. These changes in the law, combined with increased consumer awareness of data privacy risks due to data breach news, have increased pressure on companies to build strong data privacy programs. To properly craft a privacy policy, it is important to know your specific data collection practices before you publish a policy outlining what you do with customer data. For websites, there are scanners that show you which services you use on your site and therefore need to include in the privacy policy or in your consent management system. It is important to note that the GDPR requires you to obtain consent from your website visitors for some data processing (especially when it comes to third-party services).


Any questions?

Then feel free to call us. We will help you with questions about our product and features or generally about all data protection topics:

Want more information about the Privacy Hub or our consulting services?

Jörg ter Beek

Managing Director, Head of Sales & Partnerships