Does Your Business Website Need a Privacy Policy?

If you are wondering whether your business website needs a privacy policy, the short answer is probably that it does. The following basic overview of privacy policies will get you started.

WHAT IS A PRIVACY POLICY?

A privacy policy discloses which kinds of personal information you collect from website visitors, how you use that information, and how you keep it safe.

WHICH TYPES OF WEBSITES SHOULD HAVE A PRIVACY POLICY?

Any website that allows users to interact or collects any information from its users should have a privacy policy.  That includes (but is not limited to):

  • Websites that allow interaction (like posting comments) with or without an account,

  • Websites that allow visitors to create accounts,

  • Websites that allow users to sign up for e-mail lists,

  • Websites that use cookies or other tracking mechanisms (such as Google Analytics), and

  • Websites that allow visitors to spend money (buying goods, buying services, or donating money).

ARE PRIVACY POLICIES REQUIRED BY LAW?

Although there is no federal law in the United States that requires a business website to have a privacy policy in all circumstances, there are several US laws that require a privacy policy in some circumstances, and many international laws that may require that your website have a privacy policy if it reaches users in those countries.

It is advisable to consult with a data privacy or internet law attorney regarding the specific facts of your business website to determine which laws apply to your business.

In the United States, there are federal laws that require a website to have a privacy policy if:

  • The website knowingly collects information about or targets its content to children under the age of thirteen (the Children’s Online Privacy Protection Act or COPPA)

  • The business is significantly engaged in financial activities, such as banks (Gramm-Leach-Bliley Act or GLBA)

  • The business is engaged in health care services (Health Insurance Portability and Accountability Act or HIPAA)

In addition, the California Online Privacy Protection Act (“CalOPPA”) requires a website to have a clearly visible and accessible privacy policy if it collects personal data from residents of the State of California. Even if your business is not physically located in California, it is still likely that CalOPPA applies to your website because of the chance that your website will attract visitors from California. The California Consumer Privacy Act (“CCPA”), which takes effect January 1, 2020, will create additional requirements for certain business websites that collect personal information from users in California.

Outside of the United States, the General Data Protection Regulation (“GDPR”) requires all companies operating in the European Union (EU), as well as foreign companies that handle personal data of people located in the EU, to have a privacy policy. As with CalOPPA, even if your business is not physically located in the EU, the GDPR may apply if your website attracts users from the EU.

Other countries such as Canada, Australia, and the UK also have laws that require websites to have a privacy policy.

WHAT SHOULD BE INCLUDED IN MY WEBSITE’S PRIVACY POLICY?

It is advisable to consult with a data privacy or internet law attorney regarding the specific facts of your business website to determine what should be included in your website’s privacy policy. However, some general guidelines are:

  • Your policy should be written in easy-to-understand English (not “legalese”).

  • Generally, your privacy policy should disclose:

    • what information you are gathering (including personal information, usage and analytics data, cookies, text message or chat data, etc.),

    • what you will do with the information gathered (including customer service, general announcements, sharing with third-party service providers or affiliates),

    • how you are gathering that information, and

    • how the information will be stored and secured.
