At this point, you might be asking yourself: Do I really need a privacy policy for my website?
If you’re starting any kind of company today, the answer is likely yes, you really do.
Starting a new business can be overwhelming -- there are a lot of moving parts to manage all at once, and it's easy for your privacy policy to get overlooked (or completely forgotten) in the shuffle. But with so many new data privacy regulations and lawsuits cropping up, skipping out on a privacy policy is just asking for trouble.
To give you an idea of what you're up against, here are a few examples of regulations that require a privacy policy:
- California Online Privacy Protection Act
- Privacy Shield
- EU General Data Protection Regulation (effective May 2018)
- Children's Online Privacy Protection Rule
Regulations around privacy policies don't just end at your website: any tool that collects information from your site -- such as website analytics, online forms, or chat widgets -- will require a policy too. Google Analytics, the most popular web analytics tool out there, even has a privacy policy requirement in its terms of use.
And if you’re planning on running any online ad campaigns, both Google and Facebook require you to have a privacy policy in place if you’re collecting any user information. This is especially important for Facebook Lead Ads, which require a privacy policy URL link within each ad you create.
The FTC isn’t afraid of penalizing companies that violate consumers' privacy, regardless of size or prominence. It has taken action against many companies -- even ones as big as Google and Facebook -- for failing to properly disclose how they used their customers’ data.
Okay okay, enough scary stuff. You're hopefully convinced by now that you should probably get one of these privacy policy things.
But what exactly is a privacy policy?
Basically, a privacy policy usually lets your customers know what type of data you’re collecting, and what you’re doing with that data. It also generally provides information about how you’re collecting data, whether it’s through a form, or cookies on your website.
Privacy policies also usually outline your policy for storing customer data. How long you’re planning to store data is a big deal -- are you storing someone’s info in perpetuity, or do you promise to delete it after 90 days? Privacy policies typically inform users how long their data will stay in your possession.
Depending on where your company is located, you might also have to include where the data is being stored. Even if you’re not storing it yourself, you’d need to disclose the physical data center (e.g. an AWS US-East server in northern Virginia).
Privacy policies may also include information on who has access to the customer’s data. This can mean giving customers the right to request data if they want, and a process to do so. And it usually involves providing contact info if they have a question about the privacy policy. You may also want to provide an opt-out notice for users that don’t agree with the policy.
Finally, privacy policies often include the security policy you use to protect the data you’re collecting. This usually means an outline of the security measures taken to safeguard customer data by you, or the vendors you use. Here’s HubSpot’s security policy for reference.
Ultimately, privacy policies provide a safeguard for both you and your visitors. If you’re collecting data from visitors or users, it’s recommended to tell them what you’re doing, how you’re doing it, and how it’s being safeguarded. The privacy policy serves as a declaration to visitors and customers of what you’re doing with their data.
When writing a policy, make it clear and explicit so any user can understand it.
So how do I get a privacy policy?
Ultimately it’s up to you to determine what kind of privacy policy your business needs, and you should consult with a legal professional.
However, here are some helpful links to get you started, like this privacy policy writing guide from the Better Business Bureau. Likewise, there are privacy policy generators that often offer basic privacy policies for free (here’s an example of one focused on the aforementioned Facebook Lead Ads use case: link). Additionally, the FTC’s website has a bunch of information to help guide US businesses in particular.
Again, we emphasize that you should consult with an attorney on what type of policy is best for your needs.
And Now, Some Legalese ...
This blog post has provided information about the law designed to help our readers better understand the legal issues surrounding internet marketing. But legal information is not the same as legal advice -- the application of law to an individual’s specific circumstances.
Although we have conducted research to better ensure that our information is accurate and useful, we insist that you consult a lawyer if you want professional assurance that our information, and your interpretation of it, is accurate.
To clarify further, you may not rely upon this information as legal advice, nor as a recommendation or endorsement of any particular legal understanding, and you should instead regard this article as intended for entertainment purposes only.