Privacy Policies – do you need one? And what should be in it?

What is a privacy policy?
A privacy policy is a legal statement of what you do with any personal information you obtain from your website. Personal information includes a person’s name, email, address, phone number, IP address, or any other personal information you might collect on your website or social media.
Do you need a privacy policy?
Yes, if you collect any personal information whatsoever, such as collecting email addresses for your newsletter or tracking visitors via Google Analytics, you need a privacy policy.
And certainly if you collect emails via an opt in form on your website, or, in the case of an e-commerce site, store a buyer’s name, address, and purchasing history on your website, you need a privacy policy.
In the interest of transparency and to promote confidence with users, you need a privacy policy to inform site visitors of how you use the data they give you. Also, some third-party applications, like Google Analytics, require you to have a privacy policy if you use their services. (More on privacy laws is below.)
You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies, identifiers for mobile devices (e.g., Android Advertising Identifier or Advertising Identifier for iOS) or similar technology used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data. This can be done by displaying a prominent link to the site “How Google uses data when you use our partners’ sites or apps”, (located at www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time).
https://marketingplatform.google.com/about/analytics/terms/us/
What should a privacy policy cover?
A privacy policy should cover:
- what personal information you collect
- why you collect it
- how you store it
- what you do with that personal information
- whether you sell that information to anyone
- whether you use cookies and how on your site
- your business name and contact information
- whether you comply when a browser is set to “Do Not Track”
Do you know what data you are collecting?
At this point, I bet I know what you’re thinking:
“I’m only vaguely aware of what data my site is collecting, and where it’s going, and how it’s stored. How on earth am I supposed to write this thing?”
Am I right? You are not alone.
Many of us are fuzzy, confused, or clueless about what and how much data our websites gather. If we’ve installed third party plugins on our sites for opt in forms, for visitor tracking, or form software for surveys or contact forms, we are probably gathering and storing more data than we realize.
And a lot of those plugins use cookies as well. So do WordPress, Joomla, and other Content Management Systems. It is very possible that soon you will be required to disclose what cookies you use and how a visitor can disable them. Cookie disclosure is already required if you follow the GDPR.
How to find out what your site is doing and where the data is going.
First, make a list of what data you are collecting on your website.
Do you have a contact form? Where does the form content go? Is it retained in the database on your website? Or if you use an external service like Wufoo forms or Survey Monkey, is the contact’s data stored there? How long do you keep it? What do you do with it? Is it secure?
Do you have opt in forms for downloads or lead magnets on your site? If so, what information are you collecting exactly? Where does the person’s email address and personal information go? Where is it stored?
Do you sell things on your site, via WooCommerce, a membership plugin or service, or some other kind of e-commerce plugin or extension? What information do you retain there? Probably at least a minimum of a user’s name, billing and shipping info, order history, and payment preferences.
Do you send data to a CRM, like Hubspot, Zoho, Infusionsoft, or MailChimp? What information is stored there? What do you do with it?
Does your website use cookies? If you’re not sure, you can use a free service like Cookiebot to check.
Cookiebot will send you a free report of what cookies are on your website and will try to identify what they are used for.
Make yourself a list or spreadsheet of what data you collect, where it’s stored, and what you do with it. Find out what cookies your website deploys.
Armed with all of this information, you’re now ready to write your privacy policy.
Where do you get a privacy policy?
WordPress now puts a simple draft of a privacy policy page on every new WordPress installation to use as the basis for a privacy policy. It contains starter text for a bare-bones privacy policy. At a minimum, you should use this after updating it with your company information.
Or you can use a privacy policy generator, such as the ones found on websites like this one:
https://www.privacypolicies.com/
Their privacy policy generators will walk you through a series of questions about your website and use of personal data, then create the privacy policy for you.
And if you have a large company the best plan may be to have an attorney or compliance officer create the privacy policy for you. But this is far more than what most small business owners, nonprofits, or entrepreneurs need.
What happens if you don’t have a privacy policy?
There are no United States federal laws currently that universally require a privacy policy, unless you sell financial services, market to children, or collect health information and are subject to HIPAA.
But the California Online Privacy Protection Act requires any commercial website that collects Personally Identifiable Information (PII) from a citizen of California, including just tracking them for Google Analytics, to have a privacy policy.
If reported and marked for non-compliance, a business owner must make amendments and comply with CalOPPA within thirty days or else face potential consequences. Although CalOPPA does not have an enforcement mechanism or provisions, its enforcement falls under the scope of California’s Unfair Competition Law. Under this law, the California AG’s office can file suit.
https://blog.rsisecurity.com/consequences-of-non-compliance-with-caloppa/
If you have website visitors or customers from the European Union, you need to follow the GDPR (more on the GDPR below).
Tim Cook, CEO of Apple, is advocating for federal privacy laws in the U.S.:
“That’s why I and others are calling on the U.S. Congress to pass comprehensive federal privacy legislation—a landmark package of reforms that protect and empower the consumer.”
https://time.com/collection/davos-2019/5502591/tim-cook-data-privacy/
What about the California privacy law? What is it? Do you need to comply?
The California Consumer Privacy Act is a bill that was signed into law in California in 2018 and will go into effect on January 1, 2020.
The purpose of the bill is to give California citizens knowledge and control of the information that is collected about them and sold to large corporations. Its purpose is to cover three main areas:
- To give citizens the right to know what data is collected and sold about them, including the categories of data collected and the categories of companies that their data is sold to. Citizens will have the right to request what information is collected about them, twice a year, free of charge.
- To give citizens the option to say no to having their data stored and sold, without fear of reprisal from the company.
- To give the citizens the right to sue if their data is breached and the company was negligent in safeguarding their personal data.
How do you comply with the California Consumer Privacy Act?
The new law only applies to for-profit companies that do business in California and meet any one of the following conditions:
- (A) has annual gross revenues in excess of $50,000,000
- (B) annually sells, alone or in combination, the personal information of 100,000 or more consumers or devices
- (C) derives 50 percent or more of its annual revenues from selling consumers’ personal information
Any person or business that intentionally violates this Act may be liable for a civil penalty of up to $7,500 for each violation.
So although many small businesses and nonprofits are not directly affected by this Act, it is worth noting that these regulations and laws are being considered across the country and are a harbinger of what is to come everywhere.
What is the GDPR, and why should you care?
GDPR is the European Union’s General Data Protection Regulation, which went into effect on May 25, 2018. You need to be compliant with the GDPR if you store the data of any European Union citizen on your website.
If an infringement of a customer’s information occurs on a US website or a breach of security is not reported correctly, organizations could risk steep financial and legal penalties. If you don’t do anything to comply, you’re looking at potential fines of up to 4% of annual global revenue or 20 million euros ($23,714,240 U.S. dollars), whichever is greater.
https://www.cmdsonline.com/blog/the-looking-glass/gdpr-us-websites/
The purpose of the GDPR is to give EU citizens more control over their personal data. The goal is to provide transparency in how a person’s personal data is stored and used online. For more information on the GDPR, read this article from Cookiebot.com.
The GDPR requires that a site visitor has to give express permission for you to collect or use their data. You can’t just assume that having usage information in your privacy policy is enough.
As an example, you probably have cookies on your site. Common uses of cookies for small companies are:
- for Google Analytics to track visitors
- to track if a person has already opted in to your lead magnet, so you don’t keep popping up an opt in box after they’ve already signed up
- to track what’s in a shopping cart
(Don’t know what a cookie is? Read this Wikipedia article on cookies.)
If you are using cookies, and most small business people are, in order to be compliant with the GDPR, you have to refrain from using most cookies until a site visitor agrees to them. You have to provide a way for visitors to opt out of cookies.
If you have a lead magnet on your site with an opt in form that collects an email address, you can’t just add that email to your newsletter list when they sign up for your lead magnet. To be GDPR compliant, you need to have a checkbox asking them specifically to opt in for the newsletter.
The idea is to pass the power to the consumer about when and how their personal information, including how they use your website, is used.
You can’t assume consent.
Do you need to have a ‘Cookies policy’ opt in on your website?
If you are trying to be compliant with the GDPR, then you need to follow its cookie law and ask permission before letting your website place cookies in a user’s browser. This is what cookiebot.com suggests for cookie compliance with EU laws and the GDPR:
“The main things to keep in mind as a website owner, are these:
- You must reveal all cookies and trackers operating on your website to the user, in plain language, so that he or she can make an informed choice of consent or revoking of consent.
- You must withhold all cookies and trackers on your website (besides those strictly necessary for the functioning of your website), until you have received clear and explicit user consent on each type of cookie and tracker.
- The consent must be freely given, and never e.g. as a condition for using a service.
- You are responsible for users’ data on your website. It is up to you to protect it from third-party harvest. Know which third-party trackers your website might harbor, e.g. via video plugins and social media implementations.”
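What the “withhold until consent” rule above looks like in practice: the snippet below is an added example (not code from the original post or from Cookiebot) of a small consent gate for a site’s own JavaScript. Trackers such as Google Analytics or an advertising pixel are registered under a category, and only the “necessary” category runs before the visitor has explicitly accepted; a Do Not Track signal is treated as a refusal of every optional category, and consent can be revoked. The class name, the category labels, the storage key and the in-memory storage shim are all assumptions made for the example.

```javascript
// Added example: a consent gate that withholds non-essential trackers until
// the visitor explicitly opts in to their category. The names, categories and
// storage key are assumptions; this is not Cookiebot's or the post's own code.

const CONSENT_KEY = "cookie_consent_v1"; // assumed storage key

class ConsentGate {
  // storage: anything with getItem/setItem/removeItem (window.localStorage in
  // a browser; the memoryStorage() shim below lets the example run offline).
  constructor(storage, { doNotTrack = false } = {}) {
    this.storage = storage;
    this.doNotTrack = doNotTrack;
    this.pending = { analytics: [], marketing: [], preferences: [] };
    this.loaded = [];
  }

  // The stored consent record, or null if the visitor has not chosen yet.
  consent() {
    const raw = this.storage.getItem(CONSENT_KEY);
    return raw ? JSON.parse(raw) : null;
  }

  // "necessary" cookies (session, cart) are always allowed. Everything else
  // needs a recorded "yes" for its own category; Do Not Track refuses them all.
  isAllowed(category) {
    if (category === "necessary") return true;
    if (this.doNotTrack) return false;
    const c = this.consent();
    return !!(c && c.categories[category] === true);
  }

  // Register a tracker loader under a category. It runs now if the category is
  // already consented, otherwise it waits in the queue until consent arrives.
  register(category, name, loader) {
    if (this.isAllowed(category)) {
      loader();
      this.loaded.push(name);
    } else {
      if (!this.pending[category]) this.pending[category] = [];
      this.pending[category].push({ name, loader });
    }
    return this;
  }

  // Record the visitor's explicit choice, e.g. { analytics: true, marketing: false },
  // with a timestamp, then release the queued loaders of the accepted categories.
  grant(categories) {
    const record = { categories: { ...categories }, at: new Date().toISOString() };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(record));
    for (const [category, queue] of Object.entries(this.pending)) {
      if (!this.isAllowed(category)) continue;
      for (const { name, loader } of queue.splice(0)) {
        loader();
        this.loaded.push(name);
      }
    }
    return record;
  }

  // Withdraw consent. Scripts already running cannot be unloaded from here, so
  // the caller should also expire the cookies those trackers have set.
  revoke() {
    this.storage.removeItem(CONSENT_KEY);
  }

  // Names of the trackers actually started, for a "what runs on this site" panel.
  loadedTrackers() {
    return [...this.loaded];
  }
}

// Offline stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Worked scenario (constructed): the page registers a cart session, Google
// Analytics and an ad pixel; only the cart runs, then the visitor accepts
// analytics but not marketing.
function demo() {
  const gate = new ConsentGate(memoryStorage());
  const events = [];
  gate
    .register("necessary", "cart-session", () => events.push("cart"))
    .register("analytics", "google-analytics", () => events.push("ga"))
    .register("marketing", "ad-pixel", () => events.push("pixel"));
  const before = gate.loadedTrackers(); // ["cart-session"]
  gate.grant({ analytics: true, marketing: false });
  const after = gate.loadedTrackers();  // ["cart-session", "google-analytics"]
  return { before, after, events,
           analyticsAllowed: gate.isAllowed("analytics"),
           marketingAllowed: gate.isAllowed("marketing") };
}
```

In a real page the loader callbacks would inject the analytics or pixel script tag, `grant()` would be wired to the “Accept” button of the banner, and `revoke()` to a “withdraw consent” link in the privacy policy; `loadedTrackers()` is what the plain-language disclosure that Cookiebot asks for can be built from.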
You need a plan to find and remove data.
Another issue site owners need to think about, both to comply with the GDPR and with the California privacy law, is knowing where the data on your website users is stored, how to access it if they request it, and how to delete it if they request it.
WordPress, for instance, has incorporated tools into the CMS to allow you to export all information a website has stored on a particular user, and to delete that user’s information as well.
Final thoughts on your privacy policy.
Although you may not have visitors to your website from the EU, you may want to consider becoming compliant with the GDPR anyway, as the GDPR provides good guidelines on data privacy and security that we all should be following in the interest of our users.
The U.S. lags way behind Europe in privacy laws, but they are coming, and many believe the GDPR is a good model to follow.
Sooner or later it’s likely the US will catch up on the federal level in the online privacy law department and pass something similar. In fact, it may be sooner according to iapp.org.
It is a good practice for all of us to consider:
- What information we collect from people who visit our websites and social media accounts
- How it is stored
- How we can delete it if requested
- How we can access it if requested by a client or site visitor
- Whether we effectively explain what we collect and why
- Whether we provide a way for a person to notify us that they want to opt out of having us store their information
For many of us, dealing with our privacy policy is tedious and confusing. It ranks right up there with setting up your business ledgers on the excitement level for many of us.
But it must be done. And we should all be starting to think this through. We are expecting big companies like Facebook and Google to step up to the plate and get a better grip on our personal information and privacy.
As small business owners, let’s make sure we do the same for our customers, clients, and site users.
DISCLAIMER
This article does not constitute legal advice. I am not an attorney or privacy law expert. If in doubt, consult your attorney about your privacy policy.
Photo by ev
Do you need help with your website?
I offer help with site design, redesign, web maintenance, and digital marketing.
Get in touch and let’s find out how Sparkem Studio can help you.