
You may have asked yourself at some point, “Do I really need a privacy policy for my website?” The answer is yes, you really do. Not having one is asking for trouble.

In most countries a privacy policy is a legal requirement. While that alone may not deter some folks, it’s worth noting that the FTC here in the US isn’t afraid to take action. It has done so against many companies for failing to properly disclose how they used their customers’ information. But it doesn’t stop with the FTC. Individual consumers whose privacy has been violated can also take action against the company in the form of a lawsuit. Yuck.

Considering how easy it can be to comply with privacy laws and regulations, it’s far simpler to get a policy written up and added to your website than to deal with the hassle of government fines and consumer lawsuits. In this post you’ll learn a little bit about what a privacy policy is, how to get one, and what it should include.

But first, a disclaimer:

I’m not a lawyer. This blog post/article aims to provide general information to website owners about the necessity of a privacy policy. But providing information, even legal information, is not the same as giving legal advice. As such, this information may not (and shouldn’t) be relied on as legal advice, nor as a recommendation or endorsement of any particular legal interpretation. This blog post/article is intended for informational and/or entertainment purposes only.

What is a privacy policy and what regulations are there?

Put simply, a privacy policy is a legal document that clearly explains what kind(s) of personal information you gather from website visitors, how you use that information, and how you keep it safe. It also generally explains how you collect the information, whether it’s via a form, cookies, or some other method.

As noted in a May 2021 update, the FTC enforces over a dozen rules that protect consumers’ personal information. At the state level, California was the first state to require commercial websites to post a privacy policy, in the form of the California Online Privacy Protection Act (CalOPPA). CalOPPA requires “operators of commercial web sites or online services that collect personal information on California consumers through a web site to conspicuously post a privacy policy on the site and to comply with its policy.” Obviously there’s more to it than that, as it is one of the strictest privacy laws in the US, but complying with it is not very complicated. Note that the trigger is collecting data from California consumers, not where your business is located, so a website based anywhere can fall under it.

There are three other regulations that you might want to be aware of:

  • Privacy Shield – created by the US Department of Commerce, the European Commission and the Swiss Administration to provide “a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.” Be aware that the Court of Justice of the EU invalidated the EU-US Privacy Shield in July 2020 (the Schrems II decision), so it can no longer be relied on by itself as a legal basis for EU-to-US transfers.
  • GDPR – the General Data Protection Regulation, the European Union’s data protection law. It gives people in the EU rights over their personal data, and it applies to websites outside the EU that collect data from those people.
  • The Children’s Online Privacy Protection Act (COPPA) – a US law created to protect the privacy of children under 13; it restricts collecting personal information from them online without verifiable parental consent.

This is definitely not an exhaustive list. For regulations in other countries, take a gander at this blog post over at PrivacyPolicies.com.

How to create a privacy policy

Consult with a legal professional! But you knew I was going to say that, right? Honestly, that’s the best thing you could do. That said, there are some other resources you can look into as an intermediate step.

For starters, the FTC provides a lot of information to help guide US businesses. There are also online generators such as GetTerms, iubenda, and TermsFeed. While these are a great starting point, nothing can really match or replace having a privacy policy specific to your business written up by a legal professional.

What to include

How a website collects and manages consumer/visitor data, and how it interacts with third-party services (such as Google Analytics), is unique to every business. So it’s not a big leap to see that privacy policies will vary from one business to another. Plus, where a website’s users live can affect the privacy policy, because international and state laws protecting consumers apply based on the user’s location rather than yours.

Most privacy policies include details about what information a website collects and how it’s used. They may also cover how long the data is retained: is it kept in perpetuity, or deleted after a certain period of time? Further, they might state where the data is stored. And sometimes a privacy policy includes the security practices you use to protect the data you’re collecting.

With all that in mind, at a minimum your privacy policy should include the following:

  • Your business name and contact details.
  • The types of personal data you collect (e.g. name, email address).
  • Why you collect personal data (is it for marketing purposes or something else?).
  • How the data is used.
  • How you share data with third parties, if at all.
  • How your visitors can opt out of data collection.

Conclusion

As with any sort of regulation or legal requirement, there’s a fair amount to understand about privacy policies and compliance. But the bottom line is that if you run a website pretty much anywhere in the world, you’re going to need a privacy policy that complies with the regulations and laws where your website visitors reside.

And while I didn’t really cover it here, you also need to be aware of third-party services you use on your website, such as Google Analytics, ad services, and yes, even payment processing tools. Each of them collects visitor data through your site, and that sharing belongs in your policy.

By having a thorough but easy to read privacy policy, you’ll be headed in the right direction for complying with existing and future privacy laws.