What IS a Privacy Policy?
A Privacy Policy is a legal document posted on your website or mobile app. It establishes your compliance with consumer privacy regulations. Think of it as an agreement between your company and your website visitors with respect to their personal information. The privacy policy tells visitors to your website what information you collect, why you collect it, and how you use and share it. And it tells them how to get their information removed from your database, make corrections to inaccurate data, or contact you with concerns.
Do I NEED a Privacy Policy?
Does EVERY website need a privacy policy? The short answer is technically, NO, but realistically, YES.
If your website:
- has ANY forms for collecting names, emails, or other personal information for email marketing, scheduling purposes, or to enable download of a lead magnet, OR
- uses cookies, pixels, and other methods of collecting metrics such as clicks, views, and IP addresses
Then a privacy policy is a MUST have!
And the data protection agencies EXPECT to see a privacy policy on every website. You may draw unwanted attention (and possibly data audits) to your website with the lack of one.
What are the benefits of a Privacy Policy?
A privacy policy is an inexpensive way to mitigate potentially substantial legal risk. The existence of your Privacy Policy indicates your compliance with consumer privacy regulations. The actual language within the policy shows HOW you are maintaining compliance.
Your Privacy Policy establishes trust with your website visitors (your potential future clients). Because, if your website visitor can’t find a Privacy Policy on your website, or the policy isn’t clear, they may question how seriously your company takes data protection. This is one piece of the “know, like, trust” puzzle.
What regulations govern Privacy Policy?
Now that you know you need a privacy policy and the reason is to be compliant with regulations, let’s dig into those regulations. The United States does not have a federal consumer privacy regulation – YET. But, currently there are 15 states – California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire – that have enacted comprehensive privacy legislation. California was the first with the California Consumer Privacy Act, later amended to the California Privacy Rights Act. This is currently the most stringent consumer privacy legislation in the U.S. Several more states have introduced privacy bills But the General Data Protection Regulations (GDPR) from the European Union is still the most stringent law. And it’s the gold standard to follow. Some states require specific language in the privacy policy which has to be added to any GDPR compliant policy. But a GDPR compliant policy covers the majority of the requirements in the United States.
You may rightfully wonder “Why should I care about regulations in states or the EU where I’m not located and don’t do business?” Fair question. And the answer is simple. You can’t stop visitors from those states or the EU from visiting your website. And the minute they do, the regulations kick in.
Understanding the General Data Protection Regulations
The GDPR is technology neutral. This means it covers data you collect both online and offline, regardless of device. Including computers, phones, cash registers, and paper records.
The GDPR covers both data privacy AND data security. So it’s not just what data you are collecting and how you use it, but also how you are protecting it, and how you will respond in the event of a data breach incident.
Under the GDPR, all businesses, regardless of location or size, are expected to comply with GDPR if:
- You collect personal information from EU citizens (newsletter, lead magnet, contact form). OR
- You sell goods or services to EU citizens. OR
- You use analytics on your website that can capture the behavior of EU citizens (clicks, views).
It doesn’t matter if you actually do business in the EU or you actively target EU consumers. If you are getting their personal information or analytics, GDPR applies.
How can I be compliant with these regulations?
- Make sure your website is httpS certified – this is the security certification.
- Know what data you collect. Covered data includes:
- Personal Data – Name, address, birth date, SSN, etc.
- Web Data – geolocation, IP address, cookie data, clicks, views, etc.
- Protected Data – health, biometrics, race/ethnicity, politics, sexual orientation, etc.
- Do a data audit. Know where your data originates, where you store it, how you process it, how long you keep it, and how you secure it. Include computers, paper files, and cloud-based storage in your data audit. And don’t forget your vendors! Include Google Analytics, Email Marketing Platforms, Payment Processing Platforms, etc. in your data audit.
- Maintain a “reasonable” level of data protection & privacy. Ensure secure data storage. Only collect the data you really need. Store data no longer than necessary to fulfill the purpose for which consent was given.
- Post a Privacy Policy on your website. Make sure the links to find it are easy to locate.
- Obtain Clear Consent for all data collection. Switch from opt-out to opt-in procedures. Don’t pre-check consent boxes. Make sure each consent form includes a link to your privacy policy.
- Have a Breach Protocol Policy in place. Make sure you know how to respond in the event of a data breach and can meet the 72-hour reporting requirement. Reporting is state or nation specific in terms of requirements, so your reporting will depend on where your data subjects reside.
- Respond to requests from data subjects for access to, correction of, or deletion of their information within 30 days.
Get Protected
Are you ready to protect your business and your website, but don’t know where to start? With the Wise Owl Academy®, it’s so easy to avoid regulatory compliance issues and fines! The Privacy Policy module available within the Wise Owl Academy provides you with a GDPR compliant template and the guidance and knowledge to both customize the template for YOUR business and understand what is in the policy and why it is important to your business. Don’t wait! Get Protected NOW.