Privacy Policies – What Should They Say?

It can be difficult to know where to start when preparing a privacy policy. There is a temptation to cull wording from policies which you have seen on other websites. The danger in doing this is that the contents of the policy may well not reflect how you use ("process" in data protection speak) personal data. If that happens, the privacy policy will not serve its purpose.

If you are hoping that the policy helps you to comply with the Data Protection Act by giving data subjects (individuals whose personal data are being processed) information which you are obliged to give under the First Data Protection Principle, or helps you to obtain consent for your processing of personal data, you will not achieve either of those objectives if the privacy policy is misleading. (Please refer to our article Privacy Policies – Do I Need One? if you want to know why you might need a privacy policy.)


A privacy policy should inform data subjects about who you (the data controller) are and how you will use their data. It should:

  • Give data subjects useful, accurate and up to date information;
  • Draw data subjects' attention to any use or disclosure of their personal data which they might not otherwise expect;
  • Not confuse or mislead data subjects;
  • Be expressed in language which data subjects can understand, keeping the language as unlegalistic and as clear as possible, and free from jargon;
  • Be easily readable, having regard to things like font size, colour and the amount of white space; and
  • Be drawn to the attention of data subjects, especially whenever you are collecting their personal data.


Circumstances may change over time; for instance the purposes for which you use personal data may change or you may start to transfer personal data outside the EEA.  It is important to review your policy regularly to make sure that it reflects your current practices.


But changing your policy will not automatically give you the right to process personal data for new purposes; in order to be able to do that, you may have to go back to the data subjects to obtain their consent.




As a general rule a privacy policy should cover the following:

  • The identity of the data controller. A logo or trading name is not sufficient. The information should be sufficient to be able to identify the data controller properly.  If the data controller is a company, the privacy policy should give its full corporate title, registered number and registered office. The e-Commerce Regulations oblige website owners to provide this sort of information on their site. And bear in mind that there may be more than one data controller;
  • A description of the sort of personal data which the data controller collects and processes;
  • The purposes for which the data controller will use personal data, making specific mention of direct marketing;
  • Details of any circumstances which may have escaped the notice of data subjects – for instance it may not occur to young users of a blog that any personal details which they post will be available to other bloggers;
  • Whether the website uses cookies, what a cookie is and how to disable them;
  • The sorts of people to whom you may disclose personal data, mentioning that the personal data may be transferred outside the European Economic Area, if that is the case;
  • Contact details so that the data subject knows where to send requests, complaints and enquiries;
  • A warning about links to other sites – their practices may be different; and
  • Any steps taken to protect the personal data.  This should be in broad terms to avoid helping anyone to breach that security.


Contact Details


If you would like further advice about any of the issues considered above, please contact Christine Reid on 01865 864195 or email her at christine.reid@northwoodreid.com.


Terms of Use


This article is not intended to be, and should not be taken as being, legal advice. The law often changes and it varies from jurisdiction to jurisdiction; the information in this article is generic in nature and specific legal advice should be taken before acting on any of it.


© Northwood Reid 2009. The use, copying and dissemination of this article are subject to our Terms of Use.