The internet creates countless opportunities for companies to collect and use personally identifiable information (Personal Data), including creating personalized and highly relevant user experiences and identifying likely users of future products and services. The collection and storage of Personal Data also creates opportunities for other parties to steal or misuse data. In response, governmental agencies around the globe are increasingly regulating the manner in which such data can be collected, used and disclosed. A privacy policy accurately describing a company’s practices regarding Personal Data is the first step in complying with applicable privacy laws and regulations.

What is Personal Data?

From a legal standpoint, many key jurisdictions define Personal Data as any information that can be used on its own or in combination with other information to identify, contact, or locate an individual. Data that can be used on its own to identify or locate an individual includes information such as a person’s full name, credit card number, social security number, or driver’s license number. Data that can be used in combination with other information to identify or locate an individual is not as obvious. For example, a person’s gender, location at a given date and time, IP address, alma mater, favorite sports team or ethnicity may all qualify as Personal Data. Used in isolation, this type of data cannot identify a person, but when taken in combination with other information, the data may be sufficient to identify an individual.

What is a Privacy Policy?

A company’s privacy policy informs users which types of Personal Data a company collects, and how a company uses and discloses (or plans to use and disclose) that data. For example, a privacy policy should specify:

  • The type of Personal Data a company collects upon registration or at other points during a user’s use of a website or app (e.g., name, email address)
  • How a company uses that Personal Data(e.g., to target ads to the user, fulfill user requests, provide support)
  • To which third parties companies may disclose such data (e.g., hosting service providers, third-party marketers)

A privacy policy should also describe the collection methods used, such as cookies, and where any Personal Data will be stored.

Why is a Privacy Policy Important?

Although the specific requirements regarding privacy policies differ based on industry, state and country, at a minimum, every website owner or app developer collecting personally identifiable information must implement and post to the website/app a privacy policy in order to comply with relevant laws and regulations.[i] Failure to comply with the requirement to post a privacy policy can result in fines by governmental agencies, enforcement actions (often highly publicized), and in some cases lawsuits by private individuals whose data companies collected and used/disclosed incorrectly.

Implementing a good privacy policy is not just about complying with laws and regulations. It also makes good business sense. Users are increasingly cautious with, and protective of, their personally identifiable information and they increasingly appreciate and value transparency. Thinking through, implementing and posting to a company’s website/app a comprehensive privacy policy tailored to the company’s business shows users that the company takes privacy matters seriously and will be an honest and trustworthy custodian of their information.

Some businesses make the mistake of using a generic or form privacy policy that does not reflect how the company actually collects, uses, and discloses Personal Data. Although sample policies may be a useful starting point, in order to comply with the law and merit the trust of  any users, a company needs a privacy policy that accurately reflects how their business uses customer data and complies with the current laws of the jurisdictions in which that company operates. An outdated or inaccurate policy could result in significant liability for a business.


[i]A few examples of the various data privacy and protection laws and regulations that may apply to a business:

HIPPA (Health Insurance Portability and Accountability Act): Imposes strict privacy requirements regarding a patient’s medically related information within the United States.

COPPA (Children’s Online Privacy Protection Rule): The FTC imposed requirements on website or online services operators regarding the collection of data from children under 13 years old within the United States.

California Online Privacy Laws: California has enacted 14 individual laws relating to online privacy in addition to the federal regulations. See

EU Data Protection Directive: the European Union views the protection of personal data as a fundamental human right and has enacted strict data privacy laws as a result. Websites and apps with users in the EU must take note of EU specific data protection regulations.

Back to All Resources