How to Write a Privacy Policy for Your Business Website
Your website collects personal information. Maybe it's a contact form asking for a name and email. Maybe Google Analytics is tracking which pages visitors view. Maybe you have a newsletter signup or accept online payments.
All of that triggers privacy law requirements, and the first one is straightforward: you need a privacy policy that explains what you collect and why. We covered the legal requirements in our guide to website privacy law in Canada. This post is the practical follow-up. Here's how to write a privacy policy that matches what your website actually does.
The Office of the Privacy Commissioner received 1,458 PIPEDA complaints in 2024-25, a 32% increase over the previous year. Privacy enforcement is accelerating. A clear, honest privacy policy is your first line of compliance.
What Your Privacy Policy Must Cover
PIPEDA's Principle 8 (Openness) requires organizations to make "specific information about its policies and practices relating to the management of personal information" publicly and readily available. The OPC's ten tips for better privacy policies translate that into concrete guidance: be specific, avoid boilerplate, and write in plain language.
[Figure: Privacy policy anatomy for Canadian business websites, showing the ten required sections: privacy officer contact, types of data collected, purposes, third-party sharing, cross-border transfers, retention periods, individual rights, cookies and tracking, security safeguards, and policy update process, organized by PIPEDA's openness principle.]
Your policy needs ten core sections. Here's how to write each one.
Section by Section
1. Who Is Responsible
PIPEDA requires you to designate someone accountable for your organization's privacy practices. For most small businesses, this is the owner. Your policy should include their name or title, an email address, a phone number, and a mailing address.
Don't skip the mailing address. The OPC recommends multiple contact options for privacy inquiries.
Example:
Matthew Kirkland is responsible for privacy practices at YLX. You can reach us at info@ylx.ca, by phone at (555) 123-4567, or by mail at 123 Main Street, Ailsa Craig, ON N0M 1A0.
2. What Personal Information You Collect
List the specific types of information you collect. The OPC explicitly warns against "vague terms" and "catch-all" language. Name what you actually collect, and separate what people give you voluntarily from what your site collects automatically.
Bad: "We may collect personal information from time to time."
Good: "We collect your name, email address, and phone number when you submit our contact form. Our website also collects your IP address, browser type, pages visited, and referring URL through analytics tools."
3. Why You Collect It
State the purpose for each type of data collection. This is where most template policies fail.
In PIPEDA Findings #2023-001, the Privacy Commissioner found that Home Depot's privacy policy used "generic and vague terms such as 'improve our products and services'" when the company was actually sharing customer purchase data with Meta for targeted advertising. The Commissioner ruled the policy was insufficient for meaningful consent.
If you collect email addresses for two reasons (responding to inquiries and sending marketing), list both separately.
Bad: "We use your information to improve our services and enhance your experience."
Good: "We use your email address to respond to your inquiry, typically within two business days. We use website analytics data to understand which pages are visited most and to identify technical problems."
4. Who Receives Your Data
Describe the types of third parties you share data with and explain why. You don't need to name every company, but you must describe the categories.
Common third parties for Ontario business websites:
- Analytics providers (Google Analytics) receive browsing behavior and device information to generate traffic reports
- Email marketing platforms (Mailchimp, ConvertKit) receive email addresses and subscriber preferences to send newsletters
- Payment processors (Stripe, Square, Moneris) receive payment card details to process transactions
- Hosting providers (Vercel, AWS, Cloudflare) process web requests that include IP addresses and browsing data
State whether each third party uses the data only on your behalf, or also for their own independent purposes.
5. Where Your Data Goes
This is the section most small business privacy policies miss entirely. If you use any US-based service, personal information crosses the border.
The OPC's guidelines on cross-border data transfers require you to tell users that their data may be processed outside Canada and warn that it may be subject to foreign law, including access by courts, law enforcement, and national security authorities.
Example:
Some of the services we use to operate this website, including our analytics platform and hosting provider, are based in the United States. Your personal information may be processed and stored on servers outside Canada, where it may be subject to US law, including lawful access by US courts or government agencies. We use contractual agreements with these providers to ensure a comparable level of protection for your data.
6. How Long You Keep It
PIPEDA doesn't set specific retention periods, but it requires you to keep data only as long as necessary for the stated purpose and to have a disposal process.
Be practical. Contact form submissions might be kept for one year. Analytics data might be anonymized after 14 months (GA4's default). Email subscriber data stays until the person unsubscribes. If a law requires longer retention (tax records, for instance), mention that.
7. Your Rights
PIPEDA gives individuals the right to know what personal information you hold about them, request corrections to inaccurate information, withdraw consent for future collection, and file a complaint.
Your policy must explain how to exercise these rights. Under section 8(3) of PIPEDA, you must respond to access requests within 30 days.
Include the OPC's complaint escalation path:
If you are not satisfied with our response, you can file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or by calling 1-800-282-1376.
8. Cookies and Tracking
Disclose every tracking technology your site uses, its purpose, and how to opt out.
Under PIPEDA, consent for tracking depends on context, sensitivity, and whether consent is meaningful. The OPC's policy position on online behavioural advertising says opt-out can be acceptable only under specific conditions, including clear notice, immediate/persistent opt-out, and use of non-sensitive data. For advertising trackers like Meta Pixel or Google Ads remarketing, many businesses choose explicit consent before scripts load to reduce risk.
If your Ontario website serves visitors from Quebec, apply a stricter consent setup for non-essential trackers (block them by default until the user opts in). Our privacy law guide covers the PIPEDA vs. Quebec differences in detail.
You don't need a separate cookie policy. A "Cookies and Tracking" section within your privacy policy is sufficient unless your tracking setup is complex enough to warrant its own page.
9. Security Safeguards
Describe your protective measures in general terms. You don't need to reveal your exact infrastructure, but users should understand that safeguards exist.
Example:
We protect personal information using encryption in transit (HTTPS/TLS), secure hosting infrastructure, access controls limiting who can view your data, and regular security reviews.
Our post on website security fundamentals covers what these measures look like in practice.
10. Policy Changes
Include the date the policy was last updated. Explain how you'll notify users of significant changes.
The OPC's meaningful consent guidelines state that consent is "dynamic and ongoing." For material changes like new third-party sharing, new data purposes, or changes to cross-border transfers, you need to notify users and may need to get renewed consent. For minor updates like a corrected phone number, updating the date is sufficient.
Common Scenarios for Ontario Businesses
What your privacy policy needs depends on what your website does. Here's what to address for the most common setups.
Contact form only. Disclose what fields you collect, that you use the data to respond, and how long you keep submissions. Implied consent is generally acceptable since the user is voluntarily reaching out. Include a brief notice near the submit button: "By submitting this form, you agree to our Privacy Policy."
Newsletter signup. Both PIPEDA and CASL apply. You need express opt-in consent (no pre-checked boxes), your business name and mailing address in every email, and a working unsubscribe mechanism processed within 10 business days. Keep consent records as long as you rely on that consent and according to your compliance program. The CRTC says CASL does not prescribe a fixed record-retention period. Our CASL compliance guide covers the full set of email marketing rules, including consent types and enforcement examples.
Google Analytics. Name it in your policy. Describe what it collects: pages visited, time on site, device information, and geographic region. Note that data is processed on Google's servers in the United States. Link to Google's opt-out browser add-on. If you serve Quebec visitors, treat GA4 as non-essential and gate it behind consent. Our guide to Google Analytics and privacy in Canada covers consent mode setup and what to disclose.
Social media pixels. Meta Pixel and LinkedIn Insight Tag are advertising trackers. The OPC expects clear, up-front notice and a simple way to opt out. If these tools are active for Quebec visitors, use explicit opt-in before the scripts fire. Disclose the purpose (ad targeting, campaign measurement) and link to each platform's ad preference settings.
Online payments. Financial data is considered sensitive under PIPEDA, so express consent is required. Name your payment processor and clarify whether you store card details directly or the processor handles everything. Most small businesses use hosted payment pages (like Stripe Checkout) where card numbers never touch your server. If that's your setup, say so.
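The consent gate described in section 8 and in the social media pixel scenario above, as an added JavaScript example that is not part of the original post: non-essential trackers are registered under a category, stay blocked in opt-in mode until the visitor agrees, and the choice is persisted so it survives a reload. The category names, tracker labels, the `storage` map standing in for localStorage, and the `load` callbacks are assumptions; on a real page `load` would append the vendor's script tag.

```javascript
// Added example (not from the original post): a minimal consent gate that keeps
// non-essential trackers from loading until the visitor's choice allows it.
// Assumed names: CATEGORIES, the tracker labels, the `storage` map standing in
// for localStorage, and the `load` callbacks that would inject vendor scripts.

const CATEGORIES = ["analytics", "advertising"]; // non-essential categories only

function createConsentGate({ mode = "opt-in", storage = new Map() } = {}) {
  // mode "opt-in": nothing fires until the visitor agrees (Quebec-style default).
  // mode "opt-out": categories fire until the visitor declines; only acceptable
  // with clear notice and an immediate, persistent opt-out.
  const trackers = []; // { name, category, load, loaded }
  const consent = {};  // category -> boolean, restored from storage if present

  for (const c of CATEGORIES) {
    const saved = storage.get(`consent:${c}`);
    consent[c] = saved !== undefined ? saved === "granted" : mode === "opt-out";
  }

  function fire(t) {
    if (!t.loaded) { t.loaded = true; t.load(); } // a script is injected at most once
  }

  // Register a tracker; it loads immediately only if its category is already allowed.
  function register(name, category, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const t = { name, category, load, loaded: false };
    trackers.push(t);
    if (consent[category]) fire(t);
    return t;
  }

  // Record the visitor's choice. Granting loads every pending tracker in that
  // category; declining is persisted so the category stays blocked on future
  // page loads (an already-injected script cannot be unloaded, which is why
  // opt-in carries less risk than opt-out).
  function setConsent(category, granted) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    consent[category] = granted;
    storage.set(`consent:${category}`, granted ? "granted" : "denied");
    if (granted) trackers.filter((t) => t.category === category).forEach(fire);
  }

  // Snapshot for auditing: which trackers are present and which actually fired.
  function status() {
    return trackers.map((t) => ({ name: t.name, category: t.category, loaded: t.loaded }));
  }

  return { register, setConsent, status, consent: () => ({ ...consent }) };
}
```

The `status()` snapshot is also a convenient way to check that what fires on the page matches what the policy's "Cookies and Tracking" section discloses.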
Why Template Privacy Policies Fall Short
The OPC's first tip is blunt: "Avoid templates and boiler-plate language."
[Figure: Side-by-side comparison of template privacy policy language versus customized language, showing three examples: data collection (vague versus specific types listed), third-party sharing (generic versus naming analytics and email platforms), and cross-border transfers (missing entirely versus disclosing US hosting with legal access risk), with red marks on template issues and green marks on customized versions.]
Template risks include generic language that doesn't mention your specific third-party tools, static documents that become inaccurate when you add new services, and wrong-jurisdiction references (many generators produce US or EU policies citing CCPA or GDPR instead of PIPEDA).
An inaccurate privacy policy can increase your liability. You're making written representations about your data practices. If your policy says you don't share data with third parties but you're running Meta Pixel, that's a compliance problem.
If you start with a template, customize every section to match your actual practices. Audit every third-party tool on your site. Then review at least once a year and update whenever you add new tools or change providers.
A one-time legal review can catch gaps that self-drafted policies miss, especially around consent flows, cross-border disclosures, and retention wording.
Make Your Privacy Policy Page Accessible
In Ontario, your privacy policy page is web content. Under AODA's Information and Communications Standard, website accessibility requirements apply to designated public sector organizations and to private/non-profit organizations that meet the employee threshold (commonly 50+ employees). Covered organizations must make public-facing websites and web content published after January 1, 2012 conform to WCAG 2.0 Level AA, with limited exceptions. We covered what that standard requires in our AODA compliance guide.
For your privacy policy page specifically:
- Use proper heading hierarchy (H2s for major sections, H3s for subsections)
- Keep paragraphs short and use lists for enumerated items
- Ensure sufficient color contrast and readable font sizes
- Make the page navigable by keyboard and compatible with screen readers
- Don't publish the policy as a PDF-only document without an HTML equivalent
- Be prepared to provide the policy in an accessible format on request
Plain language helps everyone, not just people using assistive technology. The OPC recommends writing at a grade 8 to 10 reading level. If a sentence sounds awkward when you read it aloud, rewrite it.
What We Include With Every Site
Privacy compliance is part of our build process. Every website we deliver includes:
A customized privacy policy based on what your site actually collects. We audit your contact forms, analytics setup, third-party integrations, and hosting configuration, then write a policy that matches your real data flows.
Consent mechanisms where needed. If your site uses tracking scripts, we configure them to respect consent preferences. Scripts don't fire until conditions are met.
Accessible policy pages that meet WCAG 2.0 Level AA, with proper heading structure and clean, readable formatting.
Cross-border disclosures for any US-based services in your stack. Most business websites use at least one.
If your site collects email addresses for marketing, our guide to SPF, DKIM, and DMARC explains how to protect those communications from spoofing and phishing.
The Bottom Line
A privacy policy is not a legal checkbox. It's a plain-language explanation of how your website handles personal information. Under PIPEDA, every Canadian business website that collects data needs one, and it needs to reflect what your site actually does.
The key points:
- Be specific about what you collect, why, and who gets it
- Disclose your third-party services and cross-border data transfers
- Give people a way to access, correct, or delete their information
- Write in plain language at a grade 8 to 10 reading level
- Make the policy easy to find and the page itself accessible
- Review annually and update whenever your data practices change
This post is educational information, not legal advice. Privacy requirements depend on your business, the data you collect, and the jurisdictions you serve. For legal interpretation of your specific obligations, consult a qualified privacy lawyer.
Need Help With Your Privacy Policy?
If you're not sure whether your privacy policy covers what it needs to, we can take a look. We'll review your current site, identify what data you're collecting and where it goes, and explain what we find in plain terms.
Get a free privacy policy review: Contact us at info@ylx.ca
FAQ
Do I need a lawyer to write my privacy policy?
Not necessarily, but a legal review is a smart investment. You can draft your own policy using OPC guidance and the structure in this post. Review costs vary by complexity, industry, and whether your site handles sensitive data. If you handle sensitive data or serve Quebec customers, professional review is strongly recommended.
Can I use a free privacy policy generator?
The OPC explicitly warns against templates and boilerplate. Generators can give you a useful starting structure, but you must customize every section to reflect your actual data practices, third-party tools, and cross-border transfers. A generic policy that does not match what your site does can increase your liability rather than reduce it.
How often should I update my privacy policy?
Review it at least once a year, plus whenever you add new third-party tools, start collecting new types of data, change hosting or payment providers, or begin serving new markets. Include a Last Updated date at the top and archive previous versions.
Does my privacy policy need to be bilingual?
PIPEDA does not itself require a bilingual privacy policy for most private-sector businesses. However, language obligations can apply based on where you operate and who you serve, including Quebec requirements and certain federal language rules. If you do business in Quebec or in a region with strong francophone presence, get legal advice on whether a French version is required for your situation.