Creating a GDPR-compliant privacy policy

People have the right to control their personal data. This is the main principle of the EU General Data Protection Regulation (GDPR). As a company that is involved in processing that personal data, you must disclose everything that you do with it. This is why having a Privacy Policy is so important.

What is personal data?

Any data that can be used to identify an individual is called personal data. There’s a lot that can fall into that category:

  • Email address
  • First and last names
  • City or town plus country
  • Shipping or billing addresses
  • Social security number

Anonymous data can also be classified as “personally identifiable information” if it can be used in connection with another type of data to identify an individual.

The definition of “personal data” under GDPR is very broad. Everything from IP addresses to cookie data constitutes personal data, so your website might process personal data from people who will never even contact your company. In your Privacy Policy, you must be absolutely clear about every type of personal data you deal with, and why you need to process it.

Many companies break this part of their Privacy Policy down into sub-sections, such as “data you provide to us” and “data collected by our website.” Visit this tutorial to learn how to opt out of non-essential data collection.

Why do I need a new Privacy Policy?

Your company may have already produced a Privacy Policy to comply with one of the many other laws that require one, for example:

  • The California Online Privacy Protection Act (CalOPPA)
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Australia’s Privacy Act
  • United Kingdom's Data Protection Act 1998 (or DPA)
  • EU's Data Protection Directive
  • Singapore's Personal Data Protection Act 2012 (PDPA)

The GDPR is different. Its requirements are more demanding than any of the above laws. Even if your existing Privacy Policy complies with these laws, it is unlikely to be sufficient under the GDPR.

Is a Privacy Policy mandatory?

Under the GDPR, the Privacy Policy, also known as a Privacy Statement or Privacy Notice, is one of the most important company documents. It is mandatory not only under the GDPR but also under a number of other countries' laws. The benefits of having a GDPR-compliant Privacy Policy are manifold:

  • You show your customers that you can be trusted with their personal data.
  • You provide customers with clarity on how much personal data your company controls.
  • You verify whether your data protection practices are legally compliant.

An important thing to bear in mind is that the Privacy Policy is aimed at anyone whose personal data you might process, including visitors to your website.

Tips for creating a Privacy Policy

Important: this article does not offer legal advice and is for your information only. Make sure to seek legal advice before publishing your Privacy Policy on your website.

  • You should start your Privacy Policy with a brief explanation of who your company is, and what your Privacy Policy is.
  • You should include the date from which the Privacy Policy takes effect (the “effective date“).
  • You should include the legal name and business address of your company.
  • You should include the contact details of your Data Protection Officer (DPO).

Note: GDPR requires you to write your Privacy Policy in a clear human voice and avoid legal jargon at all costs. You may find more requirements from the European Union in the document attached to this article. A sample Privacy Policy can guide you in the right direction.

Where to display your Privacy Policy

The mandatory place to encourage visitors to read your Privacy Policy is any block with a form that collects visitors' names and email addresses. Here's how to place a link to your Privacy Policy page:

1. Hover over the Privacy Policy link and click on the "chain" Edit link icon.

2. In the next menu, choose Open to a page from the Click action drop-down menu and choose Privacy Policy from the list of your website pages.

3. Click Submit to confirm your changes.

Congratulations! You have added your GDPR-compliant Privacy Policy to your forms.

In the same way, you should place links to your Privacy Policy page in the website footer so that it shows on every page.

A cookie consent banner is another good place where you should encourage visitors to read and acknowledge your Privacy Policy. Here's how to do it:

1. Go to the Website settings menu and scroll to the Cookie & User data section. Click the field to enable the Cookie consent banner.

2. Scroll to the top of your website and edit the copy of your cookie banner. For example, you can add "Please review our Privacy Policy for more information." (Note: this information cannot serve as legal advice.)

3. Hover over the Privacy Policy link to edit it. For more information on how to edit links, visit this tutorial.

4. Click Publish to make your changes live. Your visitors will now see a cookie banner that also contains a link to your Privacy Policy.


Other helpful articles

Adding new items to the navigation

GDPR regulation and your Online Store

Sample GDPR-compliant Terms and Conditions

Requesting user consent for GDPR compliance
