Tech & Sourcing @ Morgan Lewis


In this month’s Contract Corner, we are highlighting considerations for drafting an up-to-date privacy policy. In Part 1 of this series, we provided background on the general legal landscape for privacy policies in the United States and general issues that need to be addressed for an up-to-date policy. In this Part 2, we will provide some specific pointers on drafting, updating, and disclosing such policies.

Additional Information to Include

In addition to the list of items that should generally be covered in every privacy policy we provided in Part 1, the following are additional items you may need to set out in your specific privacy policy:

  • Directions for customers to access and update data (e.g., password resets, contact information updates, and mechanisms for unsubscribing)
  • Contact details or other means of reaching persons in your organization who can address user queries or concerns
  • Information regarding notifications when the privacy policy is updated (see below for considerations when reviewing and updating your policy)
  • Mechanisms for users to agree to and accept the terms of the privacy policy, as well as means for users to opt out

Language Matters

When disclosing the foregoing information, you should be as specific as possible and avoid industry “jargon” as much as reasonably possible. As noted in the New York Times opinion piece cited in Part 1 of this Contract Corner, privacy policies of the past have been ineffective at communicating with the average user, as they can be incredibly difficult to understand. Especially if your site or application has any special requirements for collecting information from minors, you need to state them in an easy-to-read manner.

Customize the Privacy Policy for Your Business

As highlighted in Part 1, perhaps one of the most important guidelines to follow when preparing your privacy policy is to know your specific legal and regulatory obligations. Drafting a policy that is tailored specifically to your business practices, industry, and customers may take some homework. However, the time invested can offset risks faced in simply using an online form or “borrowing” a policy from another business (aside from not complying with privacy policy laws that are applicable to your business, or otherwise misleading your users about your business, use of the borrowed form could violate copyright law!). Beyond investing time, you may also want to consider seeking experts with demonstrated experience in your industry and jurisdictions to help reduce the risk of posting an insufficient privacy policy.

Reviewing and Updating the Policy/Flexibility

So long as your company continues to update the way data is collected and handled, or so long as requirements evolve, your work on your privacy policy is never truly finished. Your privacy policy should be subject to regular review and updated to reflect any market changes or to otherwise meet new legal requirements. To avoid the need for excessive review and updates, when drafting the original policy, you may choose to include any reasonably anticipated means of collecting customer data or other uses of it (e.g., “data collected may be used for affiliate marketing purposes…,” etc.). You should also avoid making statements about practices you will “never” adopt; given the difficulty of predicting technological advances and the shifts in the legal landscape that follow them, preserving flexibility is important.
Last but not least, be sure to make your privacy policy visible and quickly accessible on your site or application. The policy or links to the policy should be on the main entry site page and also accessible to anyone who deep-links to your site. Burying the policy in one secondary page of your site or app will negate all the efforts you make to draft a clear and accurate policy that consumers can understand. In certain instances, an automatic redirect to the policy may make sense (similar to pop-up license agreements or terms and conditions). Finally, a click-through acceptance process (including as part of acceptance of site registration or purchase terms and conditions) should be considered to enhance the enforceability of the policy terms. Beyond any legal or regulatory requirement, this can also be beneficial in building user trust.

In this Part 2 of our Contract Corner on Privacy Policies, we have provided some tips on drafting an effective policy. Please be on the lookout for future posts in Sourcing @ Morgan Lewis that update the legal landscape for privacy issues and provide drafting pointers for policies.