Do I need a privacy policy on my website?

"Do I need a privacy policy on my website?" is one of the most common questions my clients ask. First, let me start with this: I am not a lawyer, and this is not meant to be legal advice. I'm writing from the perspective of a web designer, because a privacy policy is an important part of the information I present to my clients about having a professional website that also ranks well in search engines. This article is intended to be informative from a web designer's perspective. I ask all my customers to provide a privacy policy, and I want to explain why.


What is a Privacy Policy?

Privacy policies provide a safeguard for both you and your visitors. A privacy policy is a declaration to visitors and customers of what you're doing with their data, how you're doing it, and how that data is safeguarded.


A privacy policy lets your visitors know what type of personal information you are collecting and what you are doing with that data. Personal information is anything that can be used to identify an individual, including but not limited to a person's name, address, date of birth, marital status, contact information, ID issue, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. It also lets visitors know how you're collecting data, whether through a form, a mailing list sign-up, or cookies on your website.


Secondly, a privacy policy outlines how you store customer data and how long you plan to keep it. Are you planning to keep the information forever, or do you promise to delete it after 60 days? This part of the privacy policy tells visitors how long you plan to keep the data in your possession.


Privacy policies often include the security policy you use to protect the data you collect. This is typically an outline of the steps you, or the vendors you use, take to safeguard visitor data.


In a nutshell, a privacy policy builds trust with your audience by showing that you are a legitimate, trustworthy business.


Am I collecting private information on my website?

Absolutely, yes. You may not realize it, but every website collects information. Any tool or plugin that gathers information from your site is collecting personal information, for example:

  • contact forms
  • email lists
  • chat widgets
  • website analytics (such as Google Analytics)

You should be collecting information, because you need it to understand your audience and customer base. If you have a contact form, you are receiving personal information from a visitor. If you have an email list that visitors can sign up to, you are also collecting personal information. Additionally, if you use Google Analytics (which all of my customer websites are set up with), you collect demographic information on your visitors, and Google uses cookies to track this information. Analytics are essential for making sure your target market is viewing your website, and Google Analytics' terms of use require you to have a privacy policy before you can collect metric data at all.


Are Privacy Policies required?

No single, generally applicable law governs privacy policies. However, multiple federal and state laws govern privacy policies in specific circumstances, such as:


Children’s Online Privacy Protection Act (COPPA)

The Children's Online Privacy Protection Act (COPPA) affects websites that knowingly collect information about, or are targeted at, children under the age of 13.

The act took effect on April 21, 2000 and applies to the online collection of personal information, by persons or entities under U.S. jurisdiction, about children under 13 years of age. The Act details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on marketing to those under 13.

While children under 13 can legally give out personal information with their parents' permission, many websites, particularly social media sites but also other sites that collect a lot of personal information, disallow children under 13 from using their services altogether because of the cost and work involved in complying with the law.


Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act requires institutions engaged in financial activities to give clear, conspicuous, and accurate statements of their information-sharing practices.

It specifically requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and periodically thereafter. The privacy notice must explain what information is collected about the consumer, where that information is shared, how it is used, and how it is protected. The privacy notice must also identify the consumer's right to opt out of having the information shared with unaffiliated parties, meaning bulk emails must include an opt-out option.


Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) privacy rules require written notice of the privacy practices of health care services, and this requirement also applies when the health services are provided electronically. This act applies only to health-related fields, such as (but not limited to) doctors, pharmacists, and dentists.


California Online Privacy Protection Act of 2003

The California Online Privacy Protection Act of 2003 requires any commercial website or online service that collects personal information on California residents to post a privacy policy on its website. The privacy policy must:

  • List the categories of personally identifiable information the operator collects;
  • List the categories of third parties with whom the operator may share personally identifiable information;
  • Describe the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by the operator;
  • Describe the process by which the operator notifies consumers of material changes to the operator's privacy policy; and
  • State the effective date of the privacy policy.


State Specific Laws

Both Nebraska and Pennsylvania have laws treating misleading statements in privacy policies published on websites as deceptive or fraudulent business practices, punishable in those states' courts.


Federal Trade Commission (FTC)

The Federal Trade Commission (FTC) is the chief federal agency for privacy enforcement. The agency oversees the protection of consumers' personal information and works to ensure that consumers have the confidence to take advantage of the many benefits of the ever-changing marketplace.

Failing to keep your data secure and to abide by privacy regulations can have consequences. The FTC has enforced penalties against companies that violate consumer privacy, regardless of their size or stature. It has taken action against a long list of companies, including Facebook, Equifax, Google, and YouTube, for failing to disclose how they secured their customers' data.

European Union (EU) General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the European Union's privacy law. It obligates organizations anywhere in the world, so long as they target or collect data related to people in the EU, to adhere to its privacy and security standards. The regulation took effect on May 25, 2018. The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.


Privacy Shield

The European Union (EU) – United States (US) Privacy Shield Framework provides a method for companies to transfer personal data from the EU to the US in a way that is consistent with EU law. Privacy Shield allows US companies, or EU companies working with US companies, to meet this requirement of the GDPR. In practice, this means that US businesses need to follow the GDPR.


Facebook and Google

If you are planning or running a digital ad campaign, both Google and Facebook require privacy policies. Facebook Lead Ads require a privacy policy URL within each ad you create. Google is king of the search engines, with over 75% of internet searches done on Google. I've seen customers drastically improve their Google rankings once they add a privacy policy to their website. You cannot ignore Google's request for a privacy policy if you want to rank.


Do I also need a Terms and Conditions document?

Terms and Conditions set out the rights and responsibilities of anyone visiting the site; basically, they are the rules of your website. The exact contents vary depending on the type of site and the services it provides. They often include an explanation or definition of key words used in the terms, and outline the legal limits of the website owner's responsibility for any damages or harm incurred while using the site. Additionally, Terms and Conditions will typically include the following elements: limitation of liability, copyright, country of governance, a change clause, e-commerce terms, guests, and third-party links.


Terms and Conditions typically go hand-in-hand with a privacy policy. Some website owners like to separate the privacy policy from the terms and conditions, and some put both together. Either style is sufficient.



Where do I put a privacy policy?

The privacy policy is a page on your website. You should create it as a page rather than a post. The privacy policy should be linked in two places:

  1. Tell WordPress which page is your privacy policy in your WordPress settings. From your WordPress dashboard, go to Settings -> Privacy. Select the page name of your Privacy Policy, then click the blue Use This Page button to save the setting.

(Screenshot: WordPress privacy policy settings page)

  2. Also link your privacy policy and any other legal documents, such as terms and conditions and a disclosure policy (optional), in the footer bar of your website. This puts the privacy policy link on every page of your website.

(Screenshot: privacy policy link in the website footer)
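One way to put those footer links in place from code rather than a menu widget, as an added example that is not part of the original post: WordPress exposes the page chosen under Settings -> Privacy through get_privacy_policy_url(), so the footer link can follow that setting automatically. The function name citwd_legal_footer_links and the Terms page slug terms-and-conditions are assumptions for illustration; the WordPress functions used are real ones. Everything printed is escaped, so a page title or URL edited in the dashboard cannot inject markup into every page of the site.

```php
<?php
// Added example (not from the original post): print footer links to the
// Privacy Policy page selected under Settings -> Privacy, plus an optional
// Terms and Conditions page. Drop this into a child theme's functions.php.
// Assumption: the Terms page uses the slug 'terms-and-conditions' (placeholder).

function citwd_legal_footer_links() {
    $links = array();

    // get_privacy_policy_url() returns '' when no page has been chosen in
    // Settings -> Privacy, so the site never links to a missing policy.
    $privacy_url = get_privacy_policy_url();
    if ( $privacy_url !== '' ) {
        $links[] = sprintf(
            '<a href="%s">%s</a>',
            esc_url( $privacy_url ),
            esc_html__( 'Privacy Policy', 'citwd' )
        );
    }

    // Terms and Conditions is an ordinary page; look it up by slug and only
    // link it once it has actually been published.
    $terms = get_page_by_path( 'terms-and-conditions' );
    if ( $terms instanceof WP_Post && $terms->post_status === 'publish' ) {
        $links[] = sprintf(
            '<a href="%s">%s</a>',
            esc_url( get_permalink( $terms ) ),
            esc_html__( 'Terms and Conditions', 'citwd' )
        );
    }

    // Only emit the nav when there is at least one document to link to.
    if ( ! empty( $links ) ) {
        echo '<nav class="legal-links">' . implode( ' | ', $links ) . '</nav>';
    }
}

// wp_footer fires on every front-end page, which is what step 2 asks for.
add_action( 'wp_footer', 'citwd_legal_footer_links' );
```

Because the link is read from the same setting as step 1, changing the policy page later in Settings -> Privacy updates the footer everywhere without editing the theme.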

Where do I get Privacy Policy & Terms and Conditions documents?

Ultimately, it is up to you to determine what kind of privacy policy your business needs and what details it should contain. You should consult a legal professional, whether that means hiring a lawyer or working with a law firm that provides privacy policy templates.

If you are a creative business owner, or you need to get legal protection in place right away, contract templates may be perfect for you. Plus, they cost a fraction of what working with a lawyer on a custom legal document does. Contracts are available to purchase at the AWB Firm. I recommend the Website Documents bundle, which includes the Privacy Policy, Terms & Conditions, and Disclosure. If you only want the Privacy Policy, it is also available separately.


(Screenshots: AWB Firm website privacy policy; AWB Website Documents bundle of privacy policy, terms and conditions, and disclosure)


*As a heads up, the link for the AWB Firm is an affiliate link, so I earn a commission if you decide to purchase. I would have recommended this resource either way. I have purchased contracts from several different law firms and contract shops before deciding upon AWB Firm.

And Now, Some Legal Talk …

This blog post is informational about the laws surrounding website privacy policies. It is meant to help the reader understand the legal issues surrounding digital marketing. Legal information is NOT the same as legal advice, which is the application of the law to an individual's specific circumstances.

I have conducted research to ensure the information is accurate and helpful. I insist that you consult a lawyer if you want professional assurance that this information, and your interpretation of it, is accurate and complete. Please understand that I am not a lawyer and do not claim to be a legal expert.

You may not rely upon this blog article as legal advice, nor as a recommendation or endorsement of any particular legal understanding. You should regard this article as intended for entertainment purposes only.

Jessica Rhoades

Jessica Rhoades is the Owner and Designer at Create IT Web Designs. Among her greatest passions are web design, SEO, helping small businesses succeed, bicycling, traveling, and making lists.
