DMA: Data and Marketing Association

How To Construct Your Privacy Policy

Please Note: This guidance on creating a privacy policy is not meant to replace legal counsel. Review your privacy policy and your related information practices with your own legal counsel.

Constructing a privacy policy should be a simple process.

Transparently notifying consumers of your online and mobile information practices through a privacy policy is a basic element of responsible information practices. Operators of commercial websites should describe their marketing and information practices in a prominent place on their websites.

Privacy Policy Tips: Keep It Simple.

  • Make the policy easy to read, easy to understand and easy to find on your website. Be as comprehensive as possible about the information practices you follow.
  • Promote your policy internally in employee communications. Consumers with privacy concerns may contact your staff directly, so your team should know how your company responds to those concerns and what the standard is, especially your IT, database and marketing teams.
  • Promote your privacy policy with key stakeholders, including customers, investors, contributors, and policymakers. Privacy policies put consumers in charge of their information.
  • Update your privacy policy as needed to stay current with changes in your business practices and legal requirements, and alert visitors both to upcoming changes and to the policy currently in force.
  • Make sure your policy is legally compliant but written in consumer-friendly language, not "legalese". Check with your legal counsel to ensure that your privacy policy complies with all applicable data protection, privacy and security laws at the state, federal and global levels. Have your team write the policy so that a visitor does not need to be a lawyer to understand it. For instance, here are some of the major regulations and laws to comply with:

GLB (Gramm-Leach-Bliley Act) – financial data
HIPAA (Health Insurance Portability and Accountability Act) – health data
COPPA (Children's Online Privacy Protection Act) – children's data

Privacy Shield – the EU-U.S. and Swiss-U.S. frameworks for transferring personal data to the United States, not a global data protection regulation (note: the EU-U.S. Privacy Shield was invalidated by the Court of Justice of the EU in July 2020; confirm the current transfer mechanism with counsel)
GDPR (EU General Data Protection Regulation) – applies from May 25, 2018, and reaches organizations outside the EU that offer goods or services to, or monitor the behavior of, people in the EU
ePrivacy Regulation – the EU's proposed replacement for the ePrivacy Directive (2002/58/EC), covering cookies and electronic marketing; it was intended to apply alongside GDPR on May 25, 2018 but had not been adopted by that date, so the existing Directive's cookie-consent and e-marketing rules continue to apply
CASL – Canada's Anti-Spam Legislation

Key Elements to Include in Your Privacy Policy Statement:

  1. Provide key contact information: identify the organization's website administrator, and include relevant email addresses, the organization's physical address, and contact details that let consumers ask about your information privacy practices and manage their marketing preferences;
  2. Identify the categories of Personally Identifiable Information (PII) collected and how the information is used: list the types of data your organization collects through its website or online service, including information your web server automatically retrieves from visitors (for example, IP address, browser type and pages visited) and information consumers provide themselves;
  3. Identify whether cookies or other non-cookie-based technologies are used that may track visitors for online or interest-based advertising: if so, state for what purpose and how consumers can manage their online ad experience. See the industry-supported Digital Advertising Alliance (DAA) site, Aboutads.info, for guidance on properly alerting your visitors to these practices. If third parties collect data on your website for interest-based advertising, this triggers additional compliance requirements and calls for an enhanced privacy policy;
  4. Identify which types of information may be shared with third parties, with whom, and the choices consumers have about such sharing: if you share consumer information with third parties, identify what information you share, to whom (categories of third parties or the specific entities), and how consumers can limit or opt out of the sharing;
  5. Describe how consumers can tell you their marketing preferences: provide options for consumers (both prospects and customers) to indicate their preferences for receiving marketing communications from you;
  6. Describe how consumers can review and make changes to their information: where allowed and applicable, describe the process by which visitors to your website or mobile application can review and request changes to the data collected about them. For data covered by the Privacy Shield from the EU or Switzerland, this is a requirement;
  7. Notify visitors if you have information-sharing relationships with any third-party ad servers or third-party network advertisers: list the URLs or other contact information for your partners and the types of information, if any, that is shared with them;
  8. Describe the security measures you employ to protect PII and sensitive data. Keep these statements accurate and consistent with what you actually do; a policy that promises protections you do not implement creates a liability of its own;
  9. Describe the enforcement measures you employ to adhere to your privacy practices, both internally and, if an independent organization such as the DMA is used, externally. You may provide contact information for the DMA's Accountability Department for consumer complaint resolution in addition to your own contacts;
  10. Describe how visitors can learn of future changes to your privacy policy practices; and
  11. List the current effective date of the privacy policy.


Contact the Data & Marketing Association’s Accountability Department at ethics@thedma.org or 225 Reinekers Lane, Suite 325, Alexandria, VA 22314
