A Privacy Policy for Every Website

Cheri D. Andrews, Esq.

I’m thrilled to feature this guest post from my colleague Cheri D. Andrews, Esq.

Cheri helps small business owners and solopreneurs just like you protect your livelihood. After all, you work hard to build your empire – Cheri has got your back!

What IS a Privacy Policy?

A Privacy Policy is a legal document posted on your website or mobile app that establishes your compliance with consumer privacy regulations. Think of it as an agreement between your company and your website visitors with respect to their personal information. It tells visitors to your website what information you collect, why you collect it, how you use and share it, and what they can do to get it removed from your database, make corrections to inaccurate data, or contact you with concerns.

Do I NEED a Privacy Policy?

Just because you have a website does that automatically mean you need a privacy policy?  The short answer is technically, NO, but realistically, YES.

If your website:

  • has ANY forms for collecting names, emails, or other personal information for email marketing, scheduling purposes, or to enable download of a lead magnet, OR
  • uses cookies, pixels, or other methods of collecting metrics such as clicks, views, and IP addresses,

then a privacy policy is a MUST have!

Some would argue that because privacy regulations require you to disclose what personal information you collect, you must have a policy even if it only discloses that you don’t collect ANY personal information.

And the data protection agencies EXPECT to see a privacy policy on every website. You may be drawing unwanted attention (and possibly data audits) to your website with the lack of one.

What are the benefits of a Privacy Policy?

A privacy policy is a fairly inexpensive way to mitigate potentially substantial legal risk.  The existence of a Privacy Policy on your website is the first indication that you are compliant with consumer privacy regulations. The actual language within the policy is designed to show HOW you are maintaining compliance.

The existence and terms of your Privacy Policy go a long way to establishing trust with your website visitors (your potential future clients). If your website visitor can’t find a Privacy Policy on your website, or the policy isn’t clear, they may question how seriously your company takes data protection. It is one piece of the “know, like, trust” puzzle.

What regulations govern Privacy Policy?

Now that we have established that you need a privacy policy and the reason is to be compliant with regulations, let’s dig into those regulations. The United States does not have a federal consumer privacy regulation – YET. California, Colorado, Utah, Virginia, and most recently Connecticut have enacted comprehensive privacy legislation. California was the first with the California Consumer Privacy Act (CCPA), which is currently the most stringent consumer privacy legislation in the U.S. But the European Union’s General Data Protection Regulation (GDPR) is still the most stringent overall and the gold standard to follow. Individual states may require specific language in the privacy policy which has to be added to any GDPR-compliant policy, but a GDPR-compliant policy covers the majority of the requirements in the United States.

You may rightfully be wondering “Why should I care about regulations in five states or the EU where I’m not located and don’t do business?”  Fair question.  The answer is simple. You can’t stop visitors from those states or the EU from visiting your website. And the minute they do, the regulations kick in.

GDPR is technology neutral – meaning it covers data you collect both online and offline, regardless of device – computers, phones, cash registers, paper.

GDPR covers both data privacy AND data security, so it’s not just what data you are collecting and how you use it, but also how you are protecting it, and how you will respond in the event of a data breach incident.

The GDPR applies to businesses of any size and location, and it protects people who are in the EU regardless of their citizenship, if:

  • You collect personal information from individuals in the EU (newsletter, lead magnet, contact form) OR
  • You sell goods or services to individuals in the EU OR
  • You use analytics on your website that can capture the behavior of individuals in the EU (clicks, views).

It doesn’t matter if you actually do business in the EU or you actively target EU consumers – if you are getting their personal information or analytics, GDPR applies.

How can I be compliant with these regulations?

  • Serve your website over HTTPS – a valid TLS certificate from a trusted certificate authority, with plain HTTP redirected to HTTPS – so that anything a visitor types into your forms is encrypted in transit. (HTTPS is not a “certification”; it is the encrypted version of the protocol, and the certificate is what lets the browser verify it is really talking to your site.)
  • Know what data you collect – Covered data includes:
    • Personal Data – Name, address, birth date, SSN, etc.
    • Web Data – geolocation, IP address, cookie data, clicks, views, etc.
    • Protected Data – health, biometrics, race/ethnicity, politics, sexual orientation, etc.
  • Do a data audit – know where your data comes from, where it is stored, how it is processed, how long it is kept, and how secure it is. Data audits should include your own computers, your paper files, any cloud-based storage, and all your vendors – such as Google Analytics, email marketing platforms, and payment processing platforms.
  • Maintain a “reasonable” level of data protection & privacy, ensuring storage of data is secure, only the data you really need is collected, and data is stored no longer than necessary to fulfill the purpose for which consent is given
  • Post a Privacy Policy on your website. Make sure the links to find it are easy to locate.
  • Obtain Clear Consent for all data collection – Switch from opt-out to opt-in procedures. Don’t pre-check consent boxes. Make sure each consent form includes a link to your privacy policy.
  • Have a breach response plan in place so that you know how to respond in the event of a data breach and can meet the GDPR’s requirement to notify the supervisory authority within 72 hours of becoming aware of it. Reporting requirements are state or nation specific, so your reporting will depend on where your data subjects reside.
  • Respond to requests from data subjects for access to, correction of, or deletion of their information within the applicable deadline (one month under the GDPR, 45 days under the CCPA).
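The first item in the list above is the only one a script can verify for you. The following is an added example, not code from the original post or from Wise Owl Academy: it checks that plain HTTP redirects to HTTPS, that the certificate validates against the system trust store and is not about to expire, and that a Strict-Transport-Security header with at least a one-year max-age is set (the one-year threshold and the 14-day expiry warning are assumptions, not requirements from any regulation). Run it with a host name to probe a live site; with no argument it runs against constructed sample observations so the checks can be exercised offline.

```python
"""Check that a website actually serves over HTTPS properly.

Added example (not part of the original post).  Host names are supplied by
the caller; the SAMPLE_* observations below are constructed, not captured
from any real site.
"""
import calendar
import http.client
import socket
import ssl
import sys
import time

REDIRECT_STATUSES = {301, 302, 307, 308}
MIN_HSTS_MAX_AGE = 31536000   # one year; a common baseline (assumption)
MIN_CERT_DAYS = 14            # warn when the certificate expires sooner (assumption)


def redirect_ok(status, location, host):
    """True if a plain-HTTP response sends the browser to https:// on the same host."""
    if status not in REDIRECT_STATUSES or not location:
        return False
    return location.lower().startswith(f"https://{host.lower()}")


def hsts_max_age(header):
    """Parse max-age out of a Strict-Transport-Security header; None if absent or malformed."""
    if not header:
        return None
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def cert_days_left(not_after, now_epoch):
    """Days until the certificate's notAfter, in the string format getpeercert() returns."""
    return (ssl.cert_time_to_seconds(not_after) - now_epoch) / 86400


def assess(probe, host, now_epoch):
    """Turn raw observations into a list of findings; an empty list means every check passed."""
    findings = []
    if not redirect_ok(probe.get("http_status"), probe.get("http_location"), host):
        findings.append("plain HTTP does not redirect to HTTPS")
    if probe.get("tls_error"):
        findings.append(f"certificate did not validate: {probe['tls_error']}")
    elif probe.get("not_after"):
        days = cert_days_left(probe["not_after"], now_epoch)
        if days < MIN_CERT_DAYS:
            findings.append(f"certificate expires in {days:.0f} days")
    max_age = hsts_max_age(probe.get("hsts"))
    if max_age is None:
        findings.append("no Strict-Transport-Security header")
    elif max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below one year")
    return findings


def probe_host(host, timeout=5.0):
    """Collect the observations assess() needs from a live host (needs network access)."""
    probe = {}
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        probe["http_status"] = resp.status
        probe["http_location"] = resp.getheader("Location")
        conn.close()
    except OSError as exc:
        probe["http_error"] = str(exc)
    # create_default_context() verifies the chain and host name against the system trust store.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                probe["not_after"] = tls.getpeercert()["notAfter"]
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        conn.request("GET", "/")
        probe["hsts"] = conn.getresponse().getheader("Strict-Transport-Security")
        conn.close()
    except OSError as exc:          # ssl.SSLError (including verification failures) is an OSError
        probe["tls_error"] = str(exc)
    return probe


# Constructed sample observations (not from a real site) so the checks can run offline.
SAMPLE_GOOD = {"http_status": 301, "http_location": "https://example.com/",
               "not_after": "Jun  1 12:00:00 2030 GMT",
               "hsts": "max-age=63072000; includeSubDomains"}
SAMPLE_BAD = {"http_status": 200, "http_location": None,
              "not_after": "Jun  1 12:00:00 2030 GMT", "hsts": None}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        findings = assess(probe_host(host), host, time.time())
    else:
        host = "example.com"
        findings = assess(SAMPLE_BAD, host, calendar.timegm((2030, 5, 1, 0, 0, 0)))
    print(f"{host}: " + ("OK" if not findings else "; ".join(findings)))
```

A verification failure from `wrap_socket` (expired, self-signed, or wrong-host certificate) surfaces as a `tls_error` finding rather than a crash, which is the case you most want to catch: a site that answers on port 443 but whose certificate browsers will refuse.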

Are you ready to get your business and your website protected, but don’t know where to start?  With the Privacy Policy Workshop, it’s so easy to avoid regulatory compliance issues and fines!  The Privacy Policy Workshop by Wise Owl Academy provides you with a GDPR compliant template and the guidance and knowledge to both customize the template for YOUR business and understand what is in the policy and why it is important to your business.
