More and more frequently, clients purchasing websites are demanding increased transparency for their users with regard to the use of cookies and privacy policies. On the user's end, this shows up as the now-familiar, non-obtrusive pop-up windows asking for acceptance of privacy policies and cookies.

Many privacy laws throughout the world dictate that if a website collects personal information, it needs to have a clearly posted privacy policy. Though the issue really came to a head around the time of the infamous Facebook-Cambridge Analytica scandal, numerous data breaches and privacy issues prior to that incident had gotten the ball rolling with regard to beefing up legal protections for internet users.

The most robust and significant of these changes came in the form of the General Data Protection Regulation (GDPR) rolled out in the European Union. This gamechanger, which took effect on May 25, 2018, has become the reference point against which data privacy laws around the world are now measured.

The GDPR, which was some 20 years in the making (it replaced the 1995 Data Protection Directive), was designed to give people in the EU more control over their data. In particular, a company needs a lawful basis before it can process the personal data of anyone in the EU: either the person's consent or one of the other bases listed in Article 6, such as performance of a contract or a legitimate interest. Additionally, data subjects can request information on how their data is used, or even have their data deleted from a company's systems entirely.

The GDPR also requires websites to have (and enforce) a privacy policy which is accessible to users. Per the GDPR, a website’s privacy policy must be placed where visitors can easily see it and it must be written in a way that can easily be understood.

One criticism of the GDPR is that its territorial scope is broad and not always easy to pin down. Under Article 3 it applies not only to organisations established in the EU, but also to organisations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour. A website hosted outside the EU that serves EU visitors can therefore fall within scope, which means most websites are potentially affected.

But even if your agency isn’t affected yet, you should expect the GDPR to form the foundation for a global data protection standard. It doesn’t hurt to get ahead, in the meantime.

Let’s dig deeper into the question, “Does my website need a privacy policy?”.

What is a Privacy Policy?

A privacy policy is a legal agreement that explains the nature of personal information a website gathers from users, how it is used, and how it is kept safe. It’s all about transparency.

Other information included in a privacy policy is the details of data transfers, affiliated websites/organizations, and the use of cookies.

Personal information often collected includes a user's name, date of birth, email address, bank details, social security number, and billing and shipping addresses. Even a website with a simple contact form asking for a name and email address is collecting personal data and would need a compliant privacy policy to avoid fines (or even lawsuits).

Most website designers proactively include privacy policies for clients, as the GDPR isn’t the only such privacy law demanding sites be more transparent with regard to data collection and use. You and your clients may also be affected by the California Online Privacy Protection Act and Canada’s Personal Information Protection and Electronic Documents Act, which both require websites to have a privacy policy.

Websites designed before these laws were passed now need to update their privacy policies to be GDPR-compliant.

Why Web Design Agencies Need a Privacy Policy

A website design agency is responsible for ensuring — to the best of its ability — that its clients end up with websites that connect with a target audience. They also have an opportunity to help a business understand the importance of privacy policies.

By creating websites with privacy policies, an agency helps build trust between their client and consumers. This trust is essential to developing brand loyalty, as well as providing peace of mind to consumers who are especially concerned with data privacy.

To answer the question, "Does my website need a privacy policy?" — the bottom line is that if a website collects any personal data, a privacy policy is required by law. Providing one for a website helps protect clients from lawsuits and fines.

How to Ensure That Your Privacy Policy is GDPR-Compliant

There are a number of details a website's privacy policy needs to contain to be considered GDPR-compliant (they are set out in Articles 13 and 14). These include company contact details; the purpose of and legal basis for processing; details about sharing personal data; how long the data will be stored; whether the data will be transferred to a third country; and users' rights.

A website needs to include company contact details because users continue to have some level of control over what happens to their data even after it has been collected, and they need a way to reach the organisation to exercise that control (for example, to request access to or deletion of their data).

According to Article 6 of the GDPR, a website cannot process personal data unless it has a lawful basis for doing so, and Article 5 adds that data may only be collected for specified, explicit purposes. Together these rules stop the indiscriminate collecting and processing of data. Along the same lines, a website has to state how long data will be stored. It's important to remember that personal data should not be kept for any longer than necessary for the purpose it was collected for (the "storage limitation" principle in Article 5).

Though the specific companies a website shares personal data with don’t have to be named, the site must provide some general idea of the type of organizations that will be using the data. This can include third-party services, such as payment processing tools, analytics suites, automated email service, and so on.

The part of the privacy policy requirements that American-based organizations often struggle with is the idea of the “third country”.

When talking about transferring data to a third country, the GDPR is referencing any country outside the EU (and, more precisely, the European Economic Area). So, if a website is hosted in the US but processes data of EU residents in the EU, the data is being transferred to a third country. Such transfers are only permitted under the conditions in Chapter V of the GDPR: the European Commission maintains a list of countries it has decided provide adequate data protection, and transfers elsewhere require appropriate safeguards such as standard contractual clauses. The privacy policy should say which of these applies.

Not only does the GDPR create these rights for users, but it also requires that websites make users aware of their rights. In-depth details of users’ rights are explained in Chapter 3 of the GDPR.

Should I Hire a Lawyer to Write My Privacy Policy?

For website designers who are unsure about the GDPR-compliance of the websites they are building, it’s possible to contact a lawyer to help navigate the process of creating a bulletproof privacy policy.

However, a more straightforward way to ensure that sites are compliant is by using solutions such as Termageddon, which generates a privacy policy that can be seamlessly applied to a website, eCommerce site, or mobile application.

Through Termageddon, it's possible to generate any website policy in three easy steps. This can include privacy policies, disclaimers, end-user license agreements, and terms and conditions. After making a purchase, there are just a few quick questions to answer about the website before generating an embed code that can be placed in the website's footer.

The best part about a Termageddon policy is that it automatically updates as laws change, which greatly reduces the need to check and recheck compliance. It's also possible to manually edit sections, which remain intact regardless of future updates. Such policies can be shared with all associated parties, such as a web developer, client, or attorney.

GDPR & An Important Note About Consent

Along with the GDPR comes a stricter definition of consent. Article 4 defines it as a freely given, specific, informed and unambiguous indication of the user's wishes: users should be able to make an informed choice about whether to give a website permission to collect and process their data, and that choice must be genuine.

As such, a user must positively affirm, by a statement or a clear affirmative action, that they are allowing a website to process their data. This means no pre-ticked boxes, and no treating silence or inactivity as agreement. It also calls for a more granular approach, by which users can opt into some types of processing (analytics, say) but not others (marketing), with nothing switched on until they have actively chosen it.

Of course, the most important thing to remember is that a user may withdraw their consent whenever they wish to do so, and Article 7 requires that withdrawing consent be as easy as giving it.
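The consent rules above (nothing pre-ticked, granular categories, withdrawal at any time, and no processing before the user has actively opted in) translate directly into how a cookie banner's state should be modelled. The following is an added example, not code from the original article or from Termageddon, showing one way to implement that model in browser JavaScript; the category names, the storage-version constant, and the idea of gating third-party script loading behind a consent check are assumptions for illustration, and the DOM work of actually injecting a script tag is left to the caller so the logic can run anywhere.

```javascript
// Added example: a small consent store that follows the GDPR consent rules
// described above. Category names and CONSENT_VERSION are assumptions.
const OPTIONAL_CATEGORIES = ["analytics", "marketing"]; // assumed categories
const CONSENT_VERSION = 1; // bump when the policy changes so consent is re-asked

// A new visitor starts with every optional category switched off:
// nothing is pre-ticked and nothing is processed until they opt in.
function defaultConsent() {
  const record = { version: CONSENT_VERSION, givenAt: null, withdrawnAt: {} };
  for (const c of OPTIONAL_CATEGORIES) record[c] = false;
  return record;
}

// Record the user's explicit choices. Only a literal `true` counts as an
// affirmative action; anything absent, null, "on" or undefined stays false,
// so silence or a skipped checkbox can never be read as consent.
function recordConsent(current, choices, now) {
  const next = { ...current, withdrawnAt: { ...current.withdrawnAt }, givenAt: now };
  for (const c of OPTIONAL_CATEGORIES) {
    next[c] = choices[c] === true;
    if (next[c]) delete next.withdrawnAt[c];
  }
  return next;
}

// Withdrawal is a single call per category and takes effect immediately.
function withdrawConsent(current, category, now) {
  if (!OPTIONAL_CATEGORIES.includes(category)) return current;
  const next = { ...current, withdrawnAt: { ...current.withdrawnAt } };
  next[category] = false;
  next.withdrawnAt[category] = now;
  return next;
}

// The only question a loader should ask: has this exact category been opted into?
function isAllowed(record, category) {
  return OPTIONAL_CATEGORIES.includes(category) && record[category] === true;
}

// Gate a third-party integration (analytics tag, marketing pixel, ...) behind
// consent. `loader` is the caller's function that injects the script; it is
// only invoked when consent exists. Returns whether anything was loaded.
function gatedLoad(record, category, loader) {
  if (!isAllowed(record, category)) return false;
  loader();
  return true;
}

function serializeConsent(record) {
  return JSON.stringify(record);
}

// Parse a stored record (cookie or localStorage). Anything malformed, tampered
// with, or written under an older policy version falls back to "no consent",
// so the banner is shown again rather than silently assuming agreement.
function parseStoredConsent(raw) {
  try {
    const parsed = JSON.parse(raw);
    if (!parsed || typeof parsed !== "object" || parsed.version !== CONSENT_VERSION) {
      return defaultConsent();
    }
    const record = defaultConsent();
    for (const c of OPTIONAL_CATEGORIES) record[c] = parsed[c] === true;
    record.givenAt = typeof parsed.givenAt === "number" ? parsed.givenAt : null;
    return record;
  } catch (e) {
    return defaultConsent();
  }
}

// Usage sketch (constructed data): the visitor ticks only "analytics".
const fresh = defaultConsent();
const given = recordConsent(fresh, { analytics: true }, Date.now());
gatedLoad(given, "analytics", () => console.log("would inject analytics tag"));
gatedLoad(given, "marketing", () => console.log("never runs: not consented"));
```

In a real banner the `loader` callbacks are where the `<script>` tags for analytics or marketing vendors get created, so those scripts never reach the page for a visitor who has not opted in, and `withdrawConsent` should also clear the cookies those vendors set. The version check in `parseStoredConsent` is the hook for re-asking consent when the privacy policy or the list of vendors changes.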

Final Thoughts: Does My Website Need a Privacy Policy? Guide for Agencies + Clients

New legislation throughout the world requires businesses and organizations to provide and develop clear policies to protect personal data. This often means giving users the right to request access to their data and a clear understanding of how their data is being used if they provide consent.

Navigating compliance with these laws as they continue to develop and change can be a challenge. However, a failure to do so can be costly, opening the door to fines and lawsuits. Thankfully, there are available solutions, such as Termageddon, that can quickly and effectively create privacy policies to protect website design agencies and their clients.

Get in touch with the experts at Termageddon to ask questions and assist with compliance around relevant data protection regulations.