Why Your Website Needs A Privacy Policy

Dunlap Bennett & Ludwig PLLC

In this day and age, data privacy is a hot topic. Many Americans believe their personal data is less secure now than ever and that data collection poses more risks than benefits.[1] For this reason, among others, businesses must consider data privacy when setting up their websites so that they can prioritize protecting personal information, establish trust with consumers, and comply with regulations to avoid potentially severe legal penalties.

If you own a business and have a website where you expect to collect any data from your website visitors, especially personally identifiable information (“PII”) that includes such simple things as names and e-mail addresses, it is essential to include a privacy policy on your website.

What is a Privacy Policy?

The purpose of a Privacy Policy is to provide a clear explanation to your website’s visitors about the types of data/information you are collecting, and what you are doing with that data. These policies will typically include information on the ways and methods through which you are collecting data, your company’s policy for storing (and deleting) customer data, and where such data is being kept (“data repositories”).

Privacy policies also often include the security measures utilized to safeguard and protect the data that is being collected from visitors. This frequently means an outline of the security measures taken to safeguard customer data, whether by your business or by the third-party vendors your business uses.

Your privacy policy may also include information on who has access to your visitors’ data. Visitors should be given the right to request access to their data at their discretion, and you should provide them with the proper contact information in case they have any questions about your Privacy Policy.

Ultimately, your privacy policy provides a clear understanding for both you and your visitors so that both parties are on the same page. If you are collecting data from visitors, you should tell them what you are doing, how you are doing it, and how it is being safeguarded. The name of the game is transparency.

Why you need a Privacy Policy

Multiple global regulations direct businesses to inform their users about data collection practices to give visitors greater control over their personal information. These include the European Union’s General Data Protection Regulation (“GDPR”), which recently adopted new rules in July to ensure stronger enforcement of the GDPR in cross-border cases,[2] and the California Consumer Privacy Act (“CCPA”).

Failure to comply with these regulations can result in penalties, including substantial fines. Look no further than the record $1.3 billion fine levied on Meta for its failure to comply with the GDPR this past May.[3]

As of 2023, there are now eleven states that require your website to have a privacy policy, including California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, and Texas. The Virginia Consumer Data Protection Act, effective January 1, 2023, establishes the framework for controlling and processing personal data in the Commonwealth, and failure to comply can result in fines of up to $7,500 per violation.[4] Having a well-crafted privacy policy is paramount.

In addition to legal considerations, it is also important to maintain trust with your customers. A KPMG survey found that 86% of respondents said data privacy is a growing concern for them, and about two-thirds (68%) said that the level of data collection by companies is concerning.[5] Ultimately, these concerns are grounded in a fundamental lack of trust. Thus, companies must prioritize data protection and take meaningful action to build consumer trust. The bare minimum step is to first have a clear and comprehensive data privacy policy.

Where do you put your privacy policy?

Your privacy policy should be conspicuous to visitors. To do this, place your privacy policy on a standalone page on your website with a clearly demarcated title in big letters. Put links to that page in your footer navigation on your website and on any other opt-in pages.

Additionally, under the new GDPR guidelines, you should also put a link to your privacy policy anywhere that you ask for consent or collect data. Where applicable, you should also include an opt-out form and cookie policy.

What do I need to put in my privacy policy?

Here’s what you should include in your privacy policy:

  • Scope of Privacy Policy
  • Relevant definitions, such as defining Personal Information
  • The types of data collected
  • How you might use the data
  • Any disclosure of personal information to third parties
  • If applicable, the visitors’ rights under the GDPR
  • If applicable, the visitors’ rights under the CCPA

Consider including certain disclaimers based on the types of customers you expect to visit your website. For example, you might consider a provision that states you do not knowingly collect personally identifiable information from minors under 18. Finally, you may also want to include a cookie policy, to explain the use of cookies on your website, and a data retention policy, which explains how long data is retained. It is prudent to have separate cookie and data retention policies altogether, on separate pages.

Depending on your business’s website and the way it interacts with people’s personal information, it is necessary to carefully tailor your privacy policy to suit your business needs. Contact an attorney to draft your privacy policy if you want your bases covered.

[1] https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/

[2] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3609

[3] https://apnews.com/article/meta-facebook-data-privacy-fine-europe-9aa912200226c3d53aa293dca8968f84

[4] 2021 H.B. 2307/2021 S.B. 1392, https://lis.virginia.gov/cgi-bin/legp604.exe?ses=212&typ=bil&val=Hb2307

[5] https://advisory.kpmg.us/articles/2021/bridging-the-trust-chasm.html?utm_source=vanity&utm_medium=referral&mid=m-00005652&utm_campaign=c-00107353&cid=c-00107353


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dunlap Bennett & Ludwig PLLC | Attorney Advertising
