Do I Need A Privacy Policy on My Website?

February 7, 2018 | Business, Web Design


When we work on web sites for our clients, one of the things I always ask is for them to provide content for a privacy policy. Many of our clients are surprised that we are asking for this, as they may not have a policy written up, even if they already have a web site live for their business.

Frequently, the next questions from our clients are, “Do I really need a privacy policy?” and then, “How can I write one?” First of all, you should definitely have a policy, and secondly, you should not just take one from another web site and change out the details.

Did you know that every site running Google Analytics requires a privacy policy?

To help you understand why you need a privacy policy and the important details you should consider, I asked Adam Nyhan to provide some insight. Adam Nyhan is an attorney affiliated with Opticliff Law, LLC and a former General Counsel at a New York software firm. If you need a privacy policy written for your website, I highly recommend Adam and he can take care of this quickly and painlessly. He has assisted many of our clients and can work with most US-based businesses to write a privacy policy for you.

Here’s the Q&A between Adam and me, all about privacy policies.


Q: Do I need to have a privacy policy on my web site?

Adam Nyhan: For 99% of websites, yes. Partly because you need a privacy policy to use all the most common marketing tools on the market. And partly because it’s legally required for most websites (and it’s a good practice to assume yours is one of them). Either way, it’s one of the easiest, least-expensive things you can ever do to advance your business.

Q: Is it a law or just a good idea?

AN: Both. There’s a California consumer privacy law that applies to all types of websites, in all industries, even those based outside of California. It says that if your site collects “personally identifiable information” (PII) from your visitors, you need to publish a policy that tells people how you do that and how you use the information they give you. PII includes obvious things like your visitors’ names and emails, of course. But it also includes information that your website is probably collecting from visitors perhaps without your knowledge or theirs. So you should assume you need a policy. Also, if your business is any sort of regulated industry like health care, education or financial services, there are much more complex privacy laws that you’ll need to navigate.

But the more pressing issue is your access to Facebook, Google and other indispensable online marketing tools. A lot of companies require you to have a privacy policy in order to use them. Facebook Lead Ads requires you to paste a link to your online policy just to create an account. Google Analytics requires one too. And these rules have teeth. For example, Google recently announced that it will boot app developers from the Google Play Store if they don’t have privacy policies. These companies will continue to enforce their policies just as state and federal law enforcement take increasingly aggressive approaches to enforcing these privacy laws.

Bottom line: don’t build your online marketing strategy on a foundation that violates the rules of Facebook and Google as well as the law.

Q: I only have a brochure-style website, do I still need a privacy policy?

AN: Yes. These laws (and the Facebook and Google rules) apply to all websites, from a simple one-page site to the world’s most sophisticated e-commerce sites.

Q: Do I need a link to the privacy policy on every page?

AN: No, but that’s what I recommend because it’s easiest. The law says the policy must be posted “conspicuously” and lists a few examples of ways you can do that. But the simplest way is to place a persistent link on each page’s footer pointing to the policy page.

Q: Are there certain elements that must be included in my privacy policy?

AN: Yes, the California privacy law is very specific about details you must disclose to website visitors. Most of them are pretty straightforward: tell people what types of PII you collect, what kinds of third parties you might share it with, and how you’ll let them know in the future if you update it. But there are some pretty technical details, too. For example, if you track visitors’ browsing habits after they leave your website, you need to state how your site responds to “do not track” tools that some visitors use.

And that’s just what the law requires. Some commercial advertising platforms might include additional details in your privacy policy, too, so make sure to read their Terms of Use.
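Adam’s point about stating how your site responds to “do not track” tools only works if the site’s actual behaviour matches the statement. The snippet below is an added example, not code from the original post or from Visible Logic: it reads the browser’s Do Not Track signal and, assuming the site has chosen to honor it by not loading tracking scripts (the post does not prescribe a particular response), decides which scripts to inject. The script catalog and its URLs are constructed placeholders; the helper names `dntEnabled`, `scriptsToLoad` and `injectScripts` are this example’s own.

```javascript
// Added example (not from the original post): gate third-party tracking
// scripts on the browser's "Do Not Track" signal so the privacy policy's
// DNT statement describes what the site really does.
// Assumption: the site honors DNT by not loading trackers when it is set.

// Read the DNT signal from navigator/window-like objects. Browsers have
// exposed it under several property names and value encodings over the
// years, so check all of them rather than trusting a single property.
function dntEnabled(nav, win) {
  const raw = (nav && (nav.doNotTrack ?? nav.msDoNotTrack)) ?? (win && win.doNotTrack);
  if (raw === undefined || raw === null) return false; // no signal sent
  const v = String(raw).toLowerCase();
  // "1" is the standard value; "yes" was used by older Firefox builds
  return v === '1' || v === 'yes';
}

// Return the script URLs the page will actually inject. Entries flagged
// as tracking are dropped when DNT is set; everything else always loads.
function scriptsToLoad(catalog, nav, win) {
  const honorDnt = dntEnabled(nav, win);
  return catalog
    .filter((s) => !(s.tracking && honorDnt))
    .map((s) => s.src);
}

// Constructed sample catalog with placeholder URLs (not real endpoints).
const SCRIPT_CATALOG = [
  { src: 'https://example.invalid/site.js', tracking: false },
  { src: 'https://example.invalid/analytics.js', tracking: true },
];

// Inject the chosen scripts into the DOM; only meaningful in a browser.
function injectScripts(doc, urls) {
  for (const src of urls) {
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
}

// In a browser, apply the decision; under Node there is no document, so
// the functions can simply be called and inspected.
if (typeof document !== 'undefined') {
  injectScripts(document, scriptsToLoad(SCRIPT_CATALOG, navigator, window));
}
```

Keeping the load decision in one function makes it easy to confirm that the sentence in the policy (“we do not load analytics when your browser sends Do Not Track”) is true, and to update both the code and the policy together if that choice ever changes.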

Q: Do I really need a lawyer for this, or can I write my own?

AN: Think of this like filing your income taxes each year. Sure, you can do it yourself, and if you spend enough hours researching the latest updates to the laws, you can do it yourself and probably get it right. Or you can hire somebody to do it for you, somebody who does this for a living and is always researching the latest changes in the laws. Of all the things you’ll ever hire a lawyer to do for you, a privacy policy is one of the least expensive, and you’ll be happy to have it done right.

Q: Can I use a privacy policy I found on someone else’s website and just update it with my information?

AN: No, that’s worse than having no privacy policy at all! Remember, one thing that a privacy policy does is tell people how you use their information. You have no idea whether Company X uses personal information the same way you do, so copying its policy means you may end up making false statements about your own practices.

Q: When do I need to update my policy?

AN: Update it whenever you make changes to the types of PII that you collect from people or to the ways you use that information. For example, one of my clients in its first two years was adamant that it would never, ever share visitor information with third parties. And its privacy policy said that. But as it grew, it decided to hire a marketing firm, so we updated the policy to say “we’re going to share your email address with our friends at the marketing firm, but you can just opt out at any time and we’ll honor that.” That’s fine. Your customers generally will be understanding about that as long as your policy lets them know what you plan to do with the information.

Q: What else do I need to know?

AN: People often ask whether a privacy policy is the same as a website Terms of Use. No, they’re different things. A privacy policy is legally required, but a Terms of Use is not, and many websites don’t need Terms of Use at all. A Terms of Use is a binding agreement between the website’s visitors and its owner. If a website just lists your contact information and a few photos of you, you probably don’t need a Terms of Use. It’s much more important if the website allows users to do more complex things like make purchases, upload photos for other visitors to see, or communicate with other people. In those cases, you’ll use a Terms of Use to manage your liability and deal with intellectual property issues.


I hope you’re convinced now that it’s worth it to get a professionally written privacy policy. Definitely every web site that Visible Logic designs and builds needs a privacy policy, and it’s most likely that yours does too. And don’t forget if you’re working internationally, or with data that’s covered by HIPAA or other policies, you may need even more than a basic privacy policy. If that is the case, make sure you work with a lawyer experienced in the details of the type of web site you’re building.
