Privacy notice guide: Global insights and template
A well-drafted privacy notice is your organization's most important transparency tool. It informs individuals about how you process their personal data and provides the legal notice required by global regulations.
What makes a good privacy notice
Clear and transparent
- Written in plain language, avoiding legal jargon
- Organized logically with clear headings
- Accessible through obvious links (not buried in pages)
- Available in multiple formats (web, PDF, plain text)
- Appropriate reading level for your audience
Complete
- Covers all applicable regulatory requirements
- Addresses all types of processing your organization conducts
- Explains purposes, legal bases, and retention periods
- Describes technical and organizational security measures
- Outlines individual rights and how to exercise them
Accurate and current
- Reflects actual data processing practices
- Updated when processing activities change
- Version controlled and dated
- Reviewed and certified annually by legal/compliance teams
Actionable
- Provides clear instructions for exercising rights
- Lists contact information for questions and complaints
- Explains how individuals can withdraw consent
- Directs people to how they can opt out of marketing communications
Layered
- Summary version for quick understanding
- Detailed version for those wanting comprehensive information
- Presented logically (what's collected, why, how long, rights, etc.)
Universal elements
Every privacy notice should include:
- Controller Identity: Full name, contact information, and role of the data controller
- DPO Contact: If applicable, how to contact the Data Protection Officer
- Purpose of Processing: Why you're collecting and using the data
- Legal Basis: What law or regulation allows the processing
- Categories of Data: Types of information collected (names, emails, payment info, etc.)
- Data Sources: Where the data originates (customer, employee, third party, public records, etc.)
- Categories of Recipients: Who has access to the data (internal staff, vendors, regulators, etc.)
- Retention Period: How long data is kept
- Data Subject Rights: Right to access, correct, delete, port, object, etc.
- Complaint Process: How to lodge a complaint with your organization and regulatory authority
- Automated Decision-Making: If used, explain how it works and how to opt out
- International Transfers: If data crosses borders, mechanisms used (if applicable)
- Withdrawal of Consent: How to revoke consent (if applicable)
- Version & Date: When the privacy notice was last updated
- Language: Available languages and how to access translations
Jurisdiction-specific requirements
EU GDPR
Required Elements (Articles 13-14):
- Identity and contact details of the controller
- Purposes of processing
- Legal basis for processing
- Recipients of personal data
- Retention period or the criteria used to determine it
- Rights (access, rectification, erasure, restriction, portability, objection, etc.)
- Right to lodge a complaint with a supervisory authority
- Source of the data (if collected indirectly)
- Automated decision-making information (if applicable)
- Information about automated decisions with legal effects
Special Requirements:
- Must be provided "in a concise, transparent, intelligible and easily accessible form"
- Use "clear and plain language"
- Modular/layered approach acceptable
- Must be provided before data collection or at the time of collection
- Can be electronic (website, app, etc.)
Translation: Not legally required under GDPR, but best practice if targeting non-English speakers
California CCPA/CPRA
Required Elements (Business Disclosures):
- Categories of personal information collected
- Sources of personal information
- Business or commercial purposes for collection/use
- Categories of third parties with whom information is shared
- Consumer rights available (access, delete, opt-out, correction, limit use)
- Non-discrimination statement for exercising rights
- Link to privacy policy and contact information
- Categories of sensitive personal information (CPRA)
- Automated decision-making disclosures (CPRA)
- Correction rights information (CPRA)
Special Requirements:
- Simple, plain English language
- Prominent "Your Privacy Choices" link on the homepage (CPRA)
- Must be available in plain language and a readable format
- Consumer right to request the notice in alternative formats
- Updated as business practices change
Online: Must provide a privacy notice on the homepage with a link to the full privacy policy
Mobile Apps: Must provide a privacy notice at download and before collection
UK GDPR
Requirements:
- Largely aligned with EU GDPR
- Additional emphasis on transparency
- Special considerations for UK national security exemptions
- ICO guidance and standards expected
- Some broader exemptions than EU GDPR
Special Elements:
- Reference to the ICO (Information Commissioner's Office)
- UK GDPR legal basis explanations
- UK-specific data transfer mechanisms
Required Elements:
- Purposes for which personal data is collected
- Types of personal data collected
- Statement that the individual can request access/correction
- Statement about how to file complaints
- Contact information for access/correction requests
- Any other disclosures mandated by the Act
Special Requirements:
- Must be given at or before collection
- Exception: may be withheld where disclosure would prejudice interests
- Plain language required
- Contact information prominent
Japan APPI
Required Elements:
- Purpose of use of personal information
- Contact information of the organization (business operator)
- Description of how complaints/inquiries are handled
- Statement about third-party provision (if applicable)
- Other legally required information
Special Requirements (Post-Reform 2022):
- Disclosure at the point of collection where reasonably possible
- Sensitive information handling disclosures
- International transfer information
- Automated decision-making disclosures
- Plain language, clear presentation
Brazil LGPD
Required Elements:
- Identity of the controller
- Purposes of processing
- Legal basis for processing
- Recipients of data
- Retention period
- How to exercise data subject rights
- How to lodge complaints
- Information about automated decision-making
Special Requirements:
- Must be provided in Portuguese (unless serving a Portuguese-speaking audience internationally)
- Clear, intelligible language
- At the point of collection or made available via electronic means
- Specific requirements for sensitive data processing
Key content sections
Controller information
Always include your organization's full name, address, email, and phone number. If you have a Data Protection Officer, include their contact information prominently.
Legal basis
Different jurisdictions require different legal bases. Be specific about which legal basis applies to each processing activity. Users must understand the lawful ground for your processing.
Retention periods
Be concrete about how long you keep data. "As long as necessary" is too vague. Provide specific timeframes (e.g., "2 years after account closure" or "90 days for marketing emails after opt-out").
Rights explanation
Explain each data subject right in language non-lawyers can understand. Provide clear instructions on how to exercise rights and where to submit requests.
Common mistakes to avoid
- Wall of Legal Text: Overwhelming users with dense legal language instead of plain language
- Buried Information: Hiding privacy notice deep in website footer or behind links
- Generic Boilerplate: Using template language that doesn't match actual practices
- Incomplete Disclosure: Omitting information about certain processing activities or recipients
- Outdated Content: Not updating when processes change (especially vendors/recipients)
- Vague Purposes: "Legitimate interests" without explaining what that means
- No Contact Information: Making it difficult for people to contact you or exercise rights
- Consent Theater: Asking for consent without meaningful choice or ability to withdraw
- Missing Rights Information: Not explaining how to access, correct, delete, or object
- No Breach Notification Details: Failing to explain what you'll do if a breach occurs
- Unclear International Transfers: Not explaining if/how data crosses borders
- No Complaint Information: Not providing information about contacting regulatory authorities
Best practices
- Test Readability: Have someone unfamiliar with privacy review your notice. Can they understand it?
- Provide Summary + Detailed: Use layered approach with quick summary and comprehensive details
- Use Clear Formatting: Headings, white space, and organization aid understanding
- Plain Language Checklist:
  - Sentences under 15 words where possible
  - Avoid jargon (or define it)
  - Use active voice
  - Use "we" and "you" instead of "the company" and "the user"
- Organize Logically: Follow information lifecycle (collect, use, share, retain, rights)
- Keep Current: Review and update annually or when practices change
- Version Control: Include date, version number, and what changed
- Test Accessibility: Ensure available for people with disabilities (screen readers, etc.)
- Provide Multiple Formats: Website, PDF, plain text, print
- Translate: Make available in languages spoken by your audience
- Mobile-Friendly: Ensure readable and accessible on mobile devices
- Get Approval: Have legal and compliance review before publishing
Using Dxtra for privacy notices
Dxtra privacy notice generator
Dxtra provides an AI-powered privacy notice generator that:
- Creates jurisdiction-specific notices based on your business profile
- Includes all required elements for GDPR, CCPA, PDPA, APPI, LGPD, and more
- Allows customization of content and branding
- Generates versions for web, PDF, and email
- Maintains version history and audit trails
- Can be published as a hosted page or embedded on your website
What to read next
- Global privacy laws overview: Understand regulatory requirements for each jurisdiction
- Practical compliance guidance: Steps for implementing your privacy program
- Compliance checklist: Track your privacy notice compliance
Note: Privacy notices should empower individuals to understand and control their data. They're not just legal requirements—they're trust-building documents that demonstrate your organization's commitment to privacy.
Not legal advice
AI-generated content does not constitute legal advice. Consult a qualified legal professional for advice specific to your jurisdiction and business context.