How To Construct Your Privacy Policy | ANA

How To Construct Your Privacy Policy

Please note: This guidance on creating a privacy policy is not meant to replace legal counsel — ensure you have reviewed your privacy policy and your related information practices with your own legal counsel.


Constructing a privacy policy is essential.

Transparent consumer notification of your information collection, sharing and protection practices through a privacy policy is a basic element for responsible marketers and fundraisers. Your information practices should be clearly laid out in your online privacy policy and displayed in a prominent place on your website.


Privacy Policy Tips: Keep It Simple.

  • Involve all pertinent team members in crafting your policy: IT, legal, marketing, training, database, and lead channel teams (mail, digital, telemarketing) to ensure you're properly communicating your information practices.
  • Make the policy easy to read, understand and find on your website: Be as comprehensive as possible about the information policies you follow.
  • Promote your policy internally in employee communications: Consumers are concerned and may reach out to your staff, and your team should know how your company responds to those concerns and what the standard is – especially your IT, database, and marketing teams.
  • Promote your privacy policy with key stakeholders, including customers, investors, contributors, and policymakers: Privacy policies put consumers in charge of their information to stay current with changes in your business practices and legal requirements, and alert visitors to upcoming changes and current policies.
  • Make sure your policy is legally compliant but uses consumer-friendly language and not "legalese": Check with your legal counsel to ensure that your privacy policy complies with all applicable data protection, privacy and security laws at the state, federal, and global levels. Make sure your team writes the policy so that a visitor does not need to be a lawyer to understand it. For instance, here are some of the major regulations and laws to comply with:
  • Federal:
    • GLB — financial data
    • HIPAA — health data
    • COPPA — children data

Key Elements to Include in Your Privacy Policy Statement:

  1. Provide key contact information: Identify the organization's website administrator; be sure to include relevant email addresses and a physical address of the organization and contact information to assist those with an inquiry regarding your information privacy practices and to manage their marketing preferences.
  2. Identify the categories of Personally Identifiable Information (PII) collected and information uses: Identify the types of data that your organization collects through your website or online service, including information your web server automatically retrieves from visitors, and information provided by consumers.
  3. Identify if cookies or other non-cookie based technologies are being used that may track visitors for online or interest-based advertising purposes: If so, note their purpose and how consumers can manage their online ad experience — see the industry-supported Digital Advertising Alliance (DAA) YourAdChoices — so that you're properly alerting your visitors to these policies and your practices. If third parties are collecting for interest-based advertising purposes on your website, there are additional compliance requirements, including an enhanced privacy policy.
  4. Identify the types of information that may be shared with third parties, which third parties, and sharing options for consumers: If you share consumer information with third parties, identify what information you're sharing, to whom (categories of third-parties or which entities) and how consumers can limit or opt-out of the sharing of information.
  5. Describe how consumers can let you know their marketing preferences: Provide options for consumers (both prospects and customers) to let you know their marketing preferences for receiving marketing communications from you.
  6. Describe how consumers can review and make changes to their information: If allowed and/or applicable, describe the process for reviewing and requesting changes to the data collected through your website or mobile app. Note: If dealing with data under the Privacy Shield from EU or Switzerland, this is a requirement.
  7. Notify visitors if you have information-sharing relationships with any third party ad servers or third party network advertisers: List the URLs or other contact information for your partners and list the types of information, if any, that is shared with them.
  8. Describe your security measures: Provide a general description of the security measures you employ to protect and safeguard PII and sensitive data.
  9. Describe your enforcement measures: Provide information on how you ensure adherence to your privacy practices both internally and, if an independent organization like the ANA is utilized, externally. You may refer consumers to ANA's Ethics Team for further complaint resolution in addition to your own internal process for resolving complaints.
  10. Describe how visitors can learn of changes to your privacy policy practices.
  11. List the current effective date of the privacy policy.


Contact the ANA’s Center for Ethical Marketing Team at