At a glance
Your privacy policy is required by GDPR Articles 13 and 14. It must cover:
- Who you are
- What personal information you collect
- Why you collect it
- On what legal basis
- Who you share it with
- How long you keep it
- Users’ rights
- How to complain
Your privacy policy is required by GDPR – not as a formality, but as the primary mechanism for being transparent with your users. Under the right to be informed, people must know what you’re doing with their data before you do it. Your privacy policy is how you tell them.
The bad news: most privacy policies are terrible. Walls of legal text in tiny font, buried in a footer, full of vague phrases like “we may collect certain information” and “trusted third parties.” These documents don’t just fail users – they fail GDPR’s transparency standard too.
The good news: writing a clear, compliant privacy policy isn’t that hard, once you know what goes in it.
The complete privacy policy checklist
- Your identity and contact details: company name, registered address, and a contact email address for privacy matters. If you have a Data Protection Officer, include their contact details separately.
- What personal data you collect: Be specific. “We collect your name, email address, IP address, and cookie identifiers” is compliant. “We may collect certain information about you” is not. List actual data types.
- Why you collect it: List each purpose clearly and link it to the data you collect for that purpose: “We use your email address to send order confirmations.” “We use cookies to measure website performance (with your consent).”
- Your legal basis for each purpose: Match every purpose to a legal basis. Vague descriptions like “for business purposes” don’t count.
- Who you share data with: Name specific companies, and say why you share data with them. “We share order data with our payment processor (Stripe).” “Trusted third parties” is not sufficient. Name them.
- International transfers: If data leaves the EU/EEA, say where it goes and what safeguards are in place. “We use Google Analytics, which transfers data to the US under the EU-US Data Privacy Framework.” Silence on this point is a compliance gap.
- How long you keep data: Give specific periods or the criteria you use to determine them. “We keep account data for 2 years after your last login.” “We retain order records for 7 years for tax purposes.” Never “as long as necessary” without defining what “necessary” means.
- Your users’ rights – all eight of them: List the 8 data subject rights and explain how to exercise them. An email address is the minimum. Make it easy to find and easy to use.
- Right to complain to a supervisory authority: Tell users they can complain to their local data protection authority. Include a link if possible. In the UK, that’s the ICO. In France, CNIL. In Germany, the BfDI or relevant state authority.
- Automated decision-making: If you use any algorithmic profiling that affects users – pricing algorithms, credit scoring, content filtering – explain it. If you don’t, say so briefly: “We do not make decisions about individuals using automated processing.”
- Cookie information: Either include a full cookie section within your privacy policy or link to a separate cookie policy. List the cookies you use, their categories, what they do, and how consent is managed.
How to write it well
- Use plain language: GDPR’s transparency standard requires that information be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” If someone needs a law degree to read your policy, it fails the test.
- Layer the information: GDPR encourages what regulators call a “layered approach”: a short summary at the top for quick scanning, with full detail below. Users can read as much or as little as they need.
- Use headings and structure: Walls of text are not transparent. Break your policy into clear sections with descriptive headings. Each section should have one main subject.
- Avoid weasel words and ambiguity: “We may collect…” “We might share…” “Certain information…” Be definitive. Tell users exactly what you collect, not what you theoretically might collect someday.
- Date it: Include a “Last Updated” date at the top. If you make significant changes, briefly describe what changed and why. “Updated 15 March 2026 – Added Mixpanel to analytics section.”
- Make it findable: A link in your footer on every page, near any form where data is collected, on your cookie banner, and on any registration or checkout page. It must be accessible before users submit data, not hidden away where nobody can find it.
Common mistakes to avoid
- Copy/pasting a template without customising it: We know this stuff is complicated and boring, but a template that describes generic processing simply won’t cut it. Your policy must describe YOUR processing, specifically.
- Avoid waffle: We know that you “take privacy seriously”; so does everybody else. It’s meaningless filler. Show, don’t tell. Your policy shows you take it seriously by being specific and complete.
- Not updating it when things change: Added a new tool? Changed a vendor? Started collecting a new type of data? Update the policy.