Does My Business Website Really Need a Privacy Policy?

From picking the color scheme to writing SEO copy to integrating your payment platforms, building a website or app is a huge project. After you’ve tested all your links, worked out the UX bugs, and built an interactive chat function, the last thing you want to do is think about a privacy policy.

Putting a privacy policy on your website or mobile app is like finishing the trim when painting your house—it’s not fun. No one wants to do it. 

But the job isn’t done without it. 

Do I legally need a privacy policy?

Whether or not you legally need a privacy policy depends on a number of factors.

If you operate in or collect data from customers who are residents of the European Union, your business is subject to the General Data Protection Regulation (GDPR). The GDPR, passed in 2016 and enacted in 2018, strictly regulates how companies collect, use, and share personally identifiable information collected from customers online. 

If your company only operates and sells to customers in the United States, data privacy law gets more complicated. Other than the Children’s Online Privacy Protection Rule (COPPA), which governs the online collection of data from minors under the age of 13, the US does not have a federal data privacy law. 

Instead, states are driving the privacy conversation for people living in the US. California, always happy to set trends for the country, passed the California Online Privacy Protection Act (CalOPPA) requiring websites and online services to post privacy policies almost 20 years ago in 2004. Since then, others including Delaware and Nevada, have followed suit. 

In addition to individual state statutes, it’s important to be mindful of Section 5 of the Federal Trade Commission Act. If you’re gathering user information and you use it for a purpose you didn’t disclose to the site visitor, you’d be in violation of the Act’s prohibition on deceptive marketing practices. 

California was also the first state to follow the EU when they passed the GDPR-lookalike California Privacy Protection Act (CPPA) in 2018. Since then, California has passed a second consumer privacy law that closed CCPA loopholes, and Nevada, Virginia, and Colorado have also approved comprehensive privacy legislation.

So if you operate in or collect personal information from consumers in those states, yes, legal requirements for your business mean you must put a privacy policy on your website.

Every business needs a privacy policy. Full stop. 

BUT! (There is definitely a but.) Exactly what a business’s privacy policy contains or how in-depth it needs to go varies. 

The United Nations named online privacy a fundamental human right in 2019, and at least 30 states currently have privacy bills proposed, in committee, or being studied by a task force. Legislative bodies aren’t the only groups focusing on protecting consumer privacy. Thanks to years of serious advocacy by consumer rights organizations, transparent privacy practices have also become a standard best practice for many industries. 

Major companies like Apple, Google, Mozilla, Microsoft, Monday.com, Indeed, Netflix, and Fitbit have implemented privacy practices that extend beyond legal requirements for user data protection.

At this point, all businesses are required to have a privacy policy—it’s just a matter of how complex the policy needs to be in order to be compliant. And even if it takes a few years for your governor to sign a privacy bill, your customers already expect you to have a solid privacy program.

What needs to be in my privacy policy?

If you don’t know what happens to data after you collect it, you can’t write a good privacy policy. 

What you disclose about how you collect, use and share information in your privacy policy needs to exactly match the actual process and should align with your business activities. For example, do you include a customer’s email address in multiple databases? Do you share their phone number with third-party services or vendors? Do you ever sell personal data to partner companies?

The biggest mistake companies make with their privacy policies is using a cut-and-paste template from random internet websites or, even worse, a competitor’s site. Your privacy policy is a legal document. In the event of a data breach, you can be held liable if your practices don’t match your policy.

Privacy policy must-haves include but are not limited to (important note here: there are sometimes more requirements depending on which  law you have to adhere to):

  1. The types of information you’re collecting (names, addresses, phone numbers, email addresses, geolocation, etc.)
  2. Your reasons for collecting this information
  3. How the information is being collected (cookies, logs, surveys, forms, registrations, etc.)
  4. Who will have access to the information (vendors, marketing teams, partners, random people you plan on selling it to, etc.)
  5. Who you will share the information to (this can include third parties, legal requirements, a sale of the company, bankruptcy,)
  6. What type of digital identifiers or cookies may be on the site and the type of digital advertising or analytics the company engages in
  7.  What choices and individual rights users have
  8. What safeguards will be used to protect data (access limitations, cybersecurity programs, etc.)
  9. Other items may include if the company follows Do Not Track or Global Privacy Control, and International Transfer of Data
  10. Contact methods if users have concerns
  11. How users will be notified of changes to the privacy policy

What makes a good privacy policy?

You can include everything from our must-have list and still have a marginal privacy policy. If you really want to stand out, here are our top tips for a good privacy policy:

  • Complete a data inventory

A data inventory is required for GDPR compliance, but even if it isn’t mandated for your business, it’s definitely a best practice.

When you complete a data inventory, you track data records, from collection to deletion, on their entire journey through your system. This process helps you understand what you’re collecting and why, where you’re storing it and for how long, and who has access to it. Which, if you read over our privacy policy must-haves again, is information you need to know.

As a bonus, mapping your data also shows where your data is vulnerable to exposure, allowing you to strengthen your security measures and reduce your risk.

  • Keep it simple

It might make your lawyers cringe a little, but your privacy policy shouldn’t be pages of legal jargon no one can understand. Instead, use easy-to-understand language to give a straightforward explanation of the hows, whys, whos, and wheres of your data privacy program.

Another option to make it easy to understand: create a visual, easy-to-read summary section of the privacy policy. You should still have your typical long-form one, but think of this as the tl;dr for your privacy policy. 

  • Links/instructions for opting out or opting in

Depending on which privacy laws your company is subject to, you may have to allow consumers to opt-in (the most privacy-friendly option!) or opt-out (a good option) of having their data collected, processed, shared, or sold.  Most data privacy laws also give consumers the right to correct or delete certain categories of sensitive personal information from corporate databases.

Your privacy policy needs to spell out how consumers can take advantage of these rights. Many companies include a link to a webform to complete these or to a preference center

We’re masters with a privacy paintbrush

Red Clover Advisors believes passionately that privacy gives businesses a powerful way to connect with their customers and grow revenue.  Wherever you are on your site’s or app’s privacy journey, we can help you create everything from a simple privacy policy to a full-blown privacy program.

Give us a call to set up your consultation today.