Why Your Business Website Must Have a Privacy Policy

  • by Maritza Nelson
  • 3 Years ago

Laws requiring websites to post privacy policies have been passed in several jurisdictions. And these laws typically apply even if your business isn’t located in that state or country. For example, California’s Online Privacy Protection Act requires websites and apps to post a privacy policy if they collect any personally identifiable information from California residents. Under California law, your privacy policy must let visitors know what information your site collects and who you share that information with.

Similarly, the European Union’s General Data Protection Regulation (GDPR) applies not only to businesses based in the EU, but also to businesses that offer goods or services to residents of the EU or that collect data from the EU. If your site passively collects data through the use of third-party services to track website visitors, then the GDPR is potentially applicable to your small business. The GDPR is a complex law with a lot of requirements. But most importantly for small businesses, it requires that you (i) be transparent about the data you collect, (ii) have a legitimate purpose for collecting that data, (iii) only collect as much data as is necessary for those purposes, and (iv) get specific, unambiguous consent for collecting and processing that data.

In addition to this patchwork of legal regulations, the services built into your website also typically require the use of a privacy policy. For example, most websites rely on Google Analytics to try to understand how visitors find and interact with their website. The Google Analytics terms of service (a legal contract between Google and your business) require the use of a privacy policy on your site. Other data analytics tools, third-party advertising services, your payment processor (if your business is involved in e-commerce), even the chat bot that interacts with your visitors, all typically require that your site post a privacy policy.

What to Include In Your Privacy Policy

Your website’s privacy policy should let visitors to your site know:

  • what information your website collects,
  • how that information is collected,
  • what you will do with that information once it’s in your possession,
  • how you will keep that information safe,
  • what information collection your visitors can opt out of (and how that might impact their use of your site or services), and
  • what third-party services you use to collect, process, or store information.

Best Practices for Drafting and Maintaining Your Website Privacy Policy

This is a messy area of the law that is only likely to get messier as the privacy debate continues. At this point, you might be thinking, “I’ll just copy a privacy policy from a website that seems similar to mine and call it a day.” But be careful! At a minimum, your business must comply with the terms of whatever privacy policy you set. Failing to do so or misrepresenting what you do with consumers’ personal information is an unfair or deceptive trade practice that can lead to significant legal liability.

As your business practices change, your privacy policy should also be updated to reflect those changes. Because this is an evolving area of the law, your privacy policy should also be reviewed periodically to ensure compliance with the changing regulatory landscape.
