What is a Privacy Policy?
According to PrivacyTrust a privacy policy is “…one of the most important documents on any website. It details your company’s views and procedures on the information collected from visitors.”
In other words, a privacy policy is a page or document on your website or app that explains what, when, where, why, and how you collect personal information about the people visiting or using your site or app.
Who Needs a Privacy Policy?
Almost everyone! If you collect any “personally identifiable” information, then you need a privacy policy.
What is “Personally Identifiable” Information?
Personally Identifiable Information (PII) varies according to which privacy laws you are looking at.
Basically, any information that might identify an individual is PII. This includes, but is not limited to:
- Name
- Date of Birth
- Social Security Number
- Email Address
- Mailing Address
- Billing Address
- Credit Card Information
- Health Information
- Phone Number
Is a Privacy Policy Required?
A privacy policy is required by law if you collect any PII.
There are numerous laws and regulations covering privacy for citizens of various parts of the world. It can get very complicated to know which ones apply to you and which ones don’t.
A few of these regulations are:
- The Children’s Online Privacy Protection Act (COPPA) – this is a US law covering children’s privacy protection. If you collect information online, then this act applies to you, even if your website or app is not for children.
- The California Online Privacy Protection Act (CalOPPA) – this is California’s privacy protection act for its citizens. It contains clauses that affect people and businesses outside of California if the person visiting your site or app lives in California.
- The Personal Information Protection and Electronic Documents Act (PIPEDA) – this is a Canadian privacy protection act. Just like the California act above, if your website or app visitors are Canadian, then this act applies to you.
- The General Data Protection Regulation (GDPR) – this is the European Union’s (EU) privacy protection regulation for its citizens. You guessed it, this applies to you if you collect PII from someone living in the EU. This regulation also has one of the stiffest penalties for non-compliance. The fines start at 10 million Euro and go up from there.
There are more and more privacy regulations being added all the time. Most states are looking at adding a policy that will affect anyone collecting information about their citizens.
Now that you can see why you need a privacy policy...
What Should Your Privacy Policy Contain?
Your privacy policy should contain everything that any of the regulations say it needs to contain.
Currently, this means your policy needs to contain:
- What information you collect – do you collect their name, email, phone number, etc.
- How you collect it – how is it collected? Via form submission, contests, etc
- Why you collect it – what will you use their information for? To contact them, promote your services, etc
- What happens if the person does not want you to have that information anymore – if they request to have their information deleted, how does that affect them? Will they no longer have access to content, will they no longer receive your emails, etc.
- Do you use cookies – do you use cookies for any purpose, and if so what purpose
- Children’s privacy – how do you protect children’s privacy, and if your website is not meant for children, a statement saying so
- Do you use analytics programs – if you use any analytics programs, you need a statement about which ones you use. Google Analytics requires that you give the person information enabling them to opt out
- How you use the information – do you use it to market to them, send them emails, snail mail, etc
- Do you sell the information – self-explanatory hopefully
- Do you share the information – do you share this info with anyone? Third-party vendors, CRM, etc.
- How long you keep the information – do you keep it for a certain amount of time or until something happens
- Do you perform direct marketing – do you use the information to sell products and services directly to the individual
- Do you use automated decision making and/or profiling – do you use the information you collect to do anything that is automated, such as delivering an email based on a form they filled out
- Do you link to third party websites – does your site or app contain any links to other websites or apps
- Do you support Do Not Track – Do Not Track is a preference you can set in your web browser to tell sites you don’t want to be tracked; do you honor it?
- How can people opt-out – how can people not have their information stored or get it removed
- What rights do people have – what rights do they have based on current privacy acts and regulations
- Where is the data processed – in what location does the data processing occur
- Do you have a Data Protection Officer (DPO) – the DPO is a requirement of the GDPR for certain businesses
- How often do you update your privacy policy – when is it updated and how can individuals know when it was last updated
- Contact information – who can the individual get a hold of for questions
- Do you intend to transfer data to a third-world country or international organization – are you sending information outside your nation
- Do you offer health or fitness services – do you offer nutrition, fitness, or other health related advice
- Do you offer legal services – are you a lawyer, paralegal, or do you offer other legal advice
How to Create a Privacy Policy
Hopefully, you can see how important a privacy policy is for your business by now. So how do you go about creating one?
You can do it yourself. There are privacy policy generators on the web; a simple search will turn a few of them up. This is a great cheap solution for privacy policies. However, it means you need to check back and update the policy on a regular basis, since privacy laws are always changing. This could very easily turn into a full-time job.
You can hire a lawyer. First, you would need to find a lawyer who specializes in privacy policy and who understands, and keeps up to date on, changes as they happen. This is an excellent option, but also a costly one. An initial policy would be $1k plus. Reviews of the policy would be cheaper, but they may be needed as often as once a week.
Pay for a Service. Probably the easiest solution of the three. I personally use a service called Termageddon. Strange name, huh? They are a company that stays up to date on privacy acts and regulations, and has designed customizable privacy policies that will auto-update based on the changing regulations. That means you input your company information one time, answer some questions, and then you have a privacy policy created for you that is stored on their site. You add a little bit of code to your site, and the policy automatically updates anytime there is a change in privacy regulations.
Create Your Policy Now
No matter which option you choose, choose one of them. Having a privacy policy is a must for any business that collects information on individuals. Not only can it help limit your liability in certain situations, it is also the law.