How to write privacy policies and consent language for forms

Home / Everything About / Everything About Forms / How to write privacy policies and consent language for forms

Look at any privacy policy online and you will find dense walls of legal jargon, impossible sentence structures, and words no regular person uses in conversation. You scroll and scroll waiting for something in plain English. Most visitors give up and just accept the terms without reading a word because they cannot understand what they are reading.

But here is what actually matters. Your visitors need to understand what you are doing with their data. The law requires you to disclose it. Good writing (clear, straightforward writing) is what makes people actually read and understand instead of just clicking "I agree" without knowing what they just accepted.

Writing privacy policies and consent language is a balance between legal accuracy and real clarity. This article covers how to structure privacy information that meets legal requirements while remaining accessible to actual humans.

What you'll learn: How to organize a privacy policy, how to write consent checkboxes that satisfy legal requirements, how to make legal language clear without losing accuracy, and how to keep privacy information updated.

The anatomy of a privacy policy

A complete privacy policy should include these sections:

What data we collect

List the categories of information you collect from forms and other sources. Be specific.

Good: "We collect: names, email addresses, phone numbers, mailing addresses, company names, job titles, and account information from contact forms and account signups."

Vague: "We collect personal information."

Also mention non-obvious data you collect. Many privacy policies forget to mention analytics data (IP addresses, pages visited, time spent) or cookies. These count as personal data.

Why we collect it (the legal basis)

Explain the reason for each type of data collection. GDPR requires this; CCPA expects it.

  • "Email is collected so we can respond to your inquiry"
  • "Phone number is collected to contact you about your order"
  • "Marketing consent is collected so we can send you promotional emails if you choose to receive them"
  • "Analytics data is collected so we can see how visitors use our website"

Match each piece of data to a specific purpose. Do not collect data and have a vague reason for it.

How long we keep it

Specify retention periods. Different types of data may have different retention periods.

Example:

  • "Contact form submissions are kept for 6 months unless you ask us to delete them"
  • "If you purchase from us, we keep your order data for 7 years for tax and legal purposes, then delete it"
  • "If you unsubscribe from marketing emails, we keep your email on our do-not-contact list indefinitely so we do not email you again"
  • "Analytics data is kept for 14 months then automatically deleted"

Who has access to your data

Tell visitors who can see their information:

  • Your employees who need it to do their job
  • Third-party services (email provider, payment processor, analytics platform)
  • Whether you sell or share data with other businesses

If you use third-party services, name them and explain why.

Example: "We use [Email Service] to send marketing emails. Your email address is stored in their system, which is protected by their privacy policy."

Your visitors' rights

Explain what options people have:

  • They can unsubscribe from marketing emails
  • They can request a copy of their data
  • They can ask you to delete their data
  • They can correct inaccurate information

Provide the mechanism for each right. For unsubscribe, include a link or email address. For data deletion, explain how they request it.

Contact information

Include an email or address where visitors can contact you with privacy questions or requests.

Writing clear consent language

Consent checkboxes are where visitors make choices about how their data is used. The language must be clear enough that someone without a law degree understands what they are agreeing to.

Bad consent language (vague, legal jargon)

[ ] I consent to the terms and conditions of data processing

[ ] I acknowledge receipt of the privacy policy and opt-in to communications

These are vague. A visitor reading them does not know exactly what they are agreeing to.

Good consent language (specific, clear)

[ ] I agree that you may contact me about my inquiry

[ ] I would like to receive marketing emails about new products

These are specific and understandable. A visitor knows exactly what happens if they check the box.

Rules for consent language

Use second person ("you"): "I agree to receive emails" is clear. "Data subjects may consent to marketing communications" is not.

Be specific about frequency or purpose: "I would like to receive monthly product updates" is better than just "I agree to marketing emails." Give people an idea of what they are signing up for.

Separate concerns: Do not combine multiple purposes into one checkbox. "I agree to be contacted and added to your mailing list" should be two separate checkboxes:

  • [ ] You may contact me about my inquiry
  • [ ] I would like to be added to your mailing list

Start with unchecked boxes: Visitors should actively choose to consent, not have to uncheck a pre-selected box.

Do not use double negatives: WRONG: "I do not object to receiving emails." CORRECT: "I agree to receive emails." Double negatives confuse people.

Privacy information on the form itself

The full privacy policy is important, but visitors often do not read it before submitting a form. Include a short summary right on the form so people know what is happening.

Example form notice:

"We collect your name and email to respond to your inquiry. We will not add you to a mailing list unless you ask us to. Your data is stored securely and will not be shared with third parties. You can request access to or deletion of your data at any time. Read our full privacy policy."

This is short, specific, and covers the key points.

Different consent for different use cases

Contact forms

Minimal consent needed. You need their email and possibly phone to respond. One checkbox is usually sufficient:

[ ] I understand you will contact me to respond to this inquiry

This is not asking permission; it is confirming that they understand what will happen.

Newsletter signup forms

You need explicit consent for marketing. One or two checkboxes:

[ ] Yes, I would like to receive your weekly newsletter

[ ] Yes, I also want to receive promotional offers (optional)

E-commerce checkout

You need consent for billing, shipping, and order communication. Optional: consent for marketing.

[ ] I agree that my order information will be used to process and ship my order

[ ] I would like to receive shipping updates and order information (checked by default, they can uncheck)

[ ] I would like to receive promotional emails about sales and new products

Data collection for analytics

Some countries require consent for analytics tracking. Include this near your analytics notice or in the privacy policy:

[ ] I agree to analytics tracking so we can see how you use our site

Keeping your privacy policy updated

Your privacy policy is not a one-time document. Update it when:

  • You change how you collect or use data
  • You add new third-party services (like a new analytics tool or email provider)
  • New laws take effect that affect you
  • You have a data breach

When you update your policy, notify visitors. Some regulations require you to get re-consent if you make significant changes.

Legal review of privacy policies

A privacy policy is a legal document. Before publishing yours, have it reviewed by a lawyer who specializes in privacy law. The cost of a review is worth avoiding fines and legal problems later.

You do not need to write the policy from scratch. Templates exist (check your state attorney general website or consult with a lawyer), but they need to be customized for your specific business and reviewed for accuracy.

What WEMASY does for privacy policies

WEMASY forms include consent management and privacy documentation tools. You can add privacy notices directly to your forms, manage consent checkboxes for different purposes, and track which version of your consent terms each visitor accepted. WEMASY also provides resources and templates to help you write compliant privacy documentation.

Learn more about privacy and compliance tools in your plan on the pricing page.

Frequently asked questions

Can I use a template privacy policy without customizing it?

With WEMASY's <a href="/website-builder" target="_blank">website builder</a>, you can set this up directly on your website.

How often should I update my privacy policy?

Should the privacy policy be in the footer or on the form?

What is the difference between a privacy policy and terms of service?

Is a privacy policy required by law?