
08 October 2025

How to write a privacy notice that people might actually read

Most privacy notices are unreadable by design. Here's how to write one that's both legally sound and genuinely useful to the people it's meant to inform.


Catenary Ltd


The average privacy notice is several thousand words long, written in dense legal prose, buried in a footer, and read by almost nobody. This is not an accident. Privacy notices evolved primarily as a legal shield, a way for organisations to say "we told them". GDPR tried to solve this problem by requiring privacy information to be provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language" (Article 12). In practice, most privacy notices still read as though they were written by a solicitor for an audience of solicitors.

You can do better. And doing better is actually in your interest! A privacy notice that people understand builds trust, reduces complaints, and demonstrates to the ICO that you take transparency seriously.

What a privacy notice has to include

Before thinking about how to write it, let's be clear on what it has to cover. Articles 13 and 14 of the GDPR specify that your privacy notice must include:

Who you are, with contact details (and those of your Data Protection Officer, if you have one).
What you use the data for, and the lawful basis for each purpose.
If you rely on legitimate interests, what those interests are.
Who receives the data (recipients, or categories of recipient).
Whether you transfer data outside the UK or EU, and what safeguards apply.
How long you keep the data, or the criteria you use to decide.
The rights people have: access, rectification, erasure, restriction, portability and objection.
The right to withdraw consent, where consent is the lawful basis.
The right to complain to the ICO.
Whether providing the data is a legal or contractual requirement, and what happens if someone doesn't.
Whether you make automated decisions, including profiling, and with what logic and consequences.
Where you didn't collect the data from the person directly, where it came from.

That's a lot. But most of it can be stated briefly, and not all of it applies to every organisation.

The structure that works

The most readable privacy notices use a layered approach. They start with a short summary, a few sentences that cover the essentials, with a link to the fuller detail for people who want it. Think of it like a newspaper article: the important information is at the top, and you go deeper only if you need to.

A short summary might look like this:

We collect your name and email address when you contact us. We use this to respond to your enquiry and, if you agree, to send you our newsletter. We don't sell your data or share it with third parties except where necessary to deliver our services. You can ask us to delete your information at any time by emailing [address].

That covers the essentials in four sentences. The full notice beneath it can go into the legal detail for those who want it. One caveat: "necessary to deliver our services" has to be honoured in the full notice. If your newsletter goes out through a third-party email provider, or your enquiries land in a hosted helpdesk, those providers are recipients of the data, and the full notice should name the category of provider and why it sees the data.

Plain language in practice

The most common failures in privacy notices are:

Passive constructions that obscure who is doing what. "Personal data may be processed for the purposes of service improvement" tells you nothing about who processes it or how. "We use your usage data to improve the service" is clearer and more honest.

Lawful basis stated without explanation. Many notices list "legitimate interests" as a lawful basis without explaining what those interests are. If you're relying on legitimate interests, the GDPR requires you to say what they are (Article 13(1)(d)), so do it briefly and specifically: "we keep a record of past enquiries so we can handle repeat contact without asking you to start again", not "for our legitimate business interests". That explanation lets people judge whether the balance you've struck is reasonable.

Vague retention periods. "We keep your data for as long as necessary" means nothing. "We keep your contact details for two years after your last interaction with us" is meaningful and shows you've actually thought about it.

Long lists of third parties without context. "We may share your data with our partners, suppliers, agents, and service providers" is meaningless. Name the categories of third party and explain why the sharing happens.

Boilerplate rights sections. Most privacy notices list data subject rights in the same generic language. It's more useful to explain, in plain terms, how someone actually exercises those rights with your organisation specifically.

Tone

Privacy notices don't have to be cold and legalistic. Some of the best ones are written in first and second person, in a conversational style, as though a real person sat down to explain how their organisation handles data.

This isn't just a style choice. The ICO has published guidance encouraging plain language, and a notice that reads as though a human wrote it for humans is more likely to be treated as genuine transparency than one that reads as a legal disclaimer.

Keeping it current

A privacy notice is not a one-time document. Every time you start using a new tool, share data with a new partner, or change what you collect, your notice needs updating. Many organisations write a privacy notice once and never revisit it, which means it gradually becomes inaccurate and potentially misleading.

Build a habit of reviewing your privacy notice whenever you make significant changes to how you operate. If you keep a Record of Processing Activities (which you should; step 5 of our GDPR audit guide explains how), your privacy notice should reflect what's in it. A quick check is to go through the record line by line and confirm that every purpose, recipient and retention period appears somewhere in the notice.

One practical thing to do today

Take your current privacy notice and read it as though you're a customer seeing it for the first time. Ask yourself: does this actually tell me what this organisation does with my data? Could I act on this information if I wanted to?

If the answer is no, it's worth an afternoon to rewrite it in plain language. It's one of those compliance tasks that also genuinely improves your relationship with the people you serve.

If you'd like a second pair of eyes on your privacy notice, or help writing one from scratch, get in touch.