Do I Need A Privacy Policy on My Website?

February 7, 2018 | Business, Website Design and Redesign


Privacy Policy

When we work on websites for our clients, I always ask them to provide content with a privacy policy. Many of our clients are surprised that we ask for this as they may not have a written policy, even if they already have a website live for their business.

The next questions from our clients are, “Do I need a privacy policy?” and then, “How can I write one?” First of all, you should have a policy, and secondly, you should not just take one from another website and change the details.

Did you know that every site running Google Analytics requires a privacy policy?

To help you understand why you need a privacy policy and the essential details you should consider, I asked Adam Nyhan to provide some insight. Adam Nyhan is an attorney affiliated with Opticliff Law, LLC and a former General Counsel at a New York software firm. He has assisted many of our clients and can work with most US-based businesses to write a privacy policy for you. If you need a privacy policy written for your website, I highly recommend Adam, and he can take care of this quickly and painlessly.

Here’s the Q&A between Adam and me, all about privacy policies.

Q: Do I need to have a privacy policy on my website?

Adam Nyhan: For 99% of websites, yes. Partly because you need a privacy policy to use all the most common marketing tools. And partly because it’s legally required for most websites (and it’s a good practice to assume yours is one of them). Either way, it’s one of the easiest, least expensive things you can ever do to advance your business.

Q: Is it a law or just a good idea?

AN: Both. A California consumer privacy law applies to all types of websites in all industries, even those outside California. It says that if your site collects “personally identifiable information” (PII) from your visitors, you need to publish a policy that tells people how you do that and how you use the information they give you. Of course, PII includes obvious things like your visitors’ names and emails. But it also provides information that your website is probably collecting from visitors, perhaps without your knowledge or theirs. So it would be best if you assumed you needed a policy. Also, if your business is in any regulated industry like health care, education, or financial services, there are much more complex privacy laws that you’ll need to navigate.

But the more pressing issue is your access to Facebook, Google, and other indispensable online marketing tools. Many companies require you to have a privacy policy to use them. Facebook Lead Ads requires you to paste a link to your online policy to create an account. Google Analytics requires one too. And these rules have teeth. For example, Google recently announced that it would boot app developers from the Google Play Store if they don’t have privacy policies. These companies will continue to enforce their policies just as state and federal law enforcement take increasingly aggressive approaches to enforce these privacy laws.

Bottom line: don’t build your online marketing strategy on a foundation that violates the rules of Facebook and Google and the law.

Q: I only have a brochure-style website. Do I still need a privacy policy?

AN: Yes. These laws (and the Facebook and Google rules) apply to all websites, from a simple one-page site to the world’s most sophisticated e-commerce sites.

Q: Do I need a link to the privacy policy on every page?

AN: No, but I recommend it because it’s the easiest. The law says the policy must be posted “conspicuously” and lists a few examples of ways you can do that. But the simplest way is to place a persistent link on each page’s footer pointing to the policy page.

Q: Are there particular elements that must be included in my privacy policy?

AN: Yes, the California privacy law is particular about details you must disclose to website visitors. Most of them are pretty straightforward: tell people what types of PII you collect, what kinds of third parties you might share it with, and how you’ll let them know in the future if you update it. But there are some pretty technical details, too. For example, if you track visitors’ browsing habits after they leave your website, you need to state how your site responds to “do not track” tools.

And that’s just what the law requires. Some commercial advertising platforms might include additional details in your privacy policy, so make sure to read their Terms of Use.

Q: Do I need a lawyer for this, or can I write my own?

AN: Think of this as filing your income taxes each year. Sure, you can do it yourself, and if you spend enough hours researching the latest updates to the laws, you can do it yourself and probably get it right. Or you can hire somebody to do it for you, somebody who does this for a living and is constantly researching the latest changes in the laws. Of all the things you’ll ever hire a lawyer to do for you, a privacy policy is one of the least expensive, and you’ll be happy to have it done right.

Q: Can I use a privacy policy I found on someone else’s website and update it with my information?

AN: No, that’s worse than having no privacy policy! Remember, one thing that a privacy policy does is tell people how you use their information. You have no idea whether Company X uses personal data the same way you do, so copying its policy means you may end up making false statements about your practices.

Q: When do I need to update my policy?

AN: Update it whenever you make changes to the types of PII that you collect from people or how you use that information. For example, in its first two years, one of my clients was adamant that it would never, ever share visitor information with third parties. And its privacy policy said that. But as it grew, it decided to hire a marketing firm, so we updated the policy to say, “we’re going to share your email address with our friends at the marketing firm, but you can just opt out at any time, and we’ll honor that.” That’s fine. Your customers generally will understand that as long as your policy lets them know what you plan to do with the information.

Q: What else do I need to know?

AN: People often ask whether a privacy policy is the same as a website’s Terms of Use. No, they’re different things. A privacy policy is legally required, but a Terms of Use is not, and many websites don’t need Terms of Use. A Terms of Use is a binding agreement between the website’s visitors and its owner. If a website lists your contact information and a few photos of you, you probably don’t need a Terms of Use. It’s much more important if the website allows users to do more complex things like making purchases, uploading photos for other visitors to see, or communicating with others. In those cases, you’ll use a Terms of Use to manage your liability and deal with intellectual property issues.

I hope you’re convinced that it’s worth it to get a professionally written privacy policy. Every website that Visible Logic designs and builds needs a privacy policy, and it’s most likely that yours does too. And don’t forget, if you’re working internationally or with data covered by HIPAA or other policies, you may need even more than a basic privacy policy. If that is the case, make sure you work with a lawyer experienced in the details of the type of website you’re building.
