Privacy Policy best practices

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Having a Privacy Policy is very beneficial – it can help you comply with privacy laws, thereby helping you avoid privacy-related fines and lawsuits, and it can help you show your customers that you care about their privacy. If you are not a privacy attorney though, you may be wondering about Privacy Policy best practices and how to ensure that your policy meets your goals. In this article, we will outline the five Privacy Policy best practices that you should follow to ensure that your Privacy Policy adequately protects your business.

Privacy Policy best practice 1: review your website

While we will discuss in more detail who privacy laws apply to in the next section, privacy laws generally apply to websites that collect Personally Identifiable Information (PII). PII is defined as any information that could identify someone. Examples of PII that are commonly collected by websites include:

  • Names;
  • Emails;
  • Phone numbers;
  • Physical addresses; and
  • IP addresses.

Since privacy laws regulate the collection of PII, the first Privacy Policy best practice is to review your website to see what PII is collected where. You should pay particular attention to these features on your website as they are often used to collect PII:

  • Contact forms;
  • Email newsletter sign up forms;
  • Account creation forms;
  • eCommerce portals where consumers can make purchases; and
  • Analytics programs such as Google Analytics.

Once you have reviewed your website for these features and determined what PII you collect, you should also ask yourself:

  • How do I use the PII that I collect?
  • Who, if anyone, do I share this PII with?

Once you have reviewed your website, it is time to determine what privacy laws apply to you.

Privacy Policy best practice 2: determine which privacy laws apply to you

Privacy laws dictate the disclosures that your Privacy Policy needs to contain, so the second Privacy Policy best practice is to determine which privacy laws apply to you. A Privacy Policy that is not based on the laws that apply to you will not contain all of the disclosures those laws require and can leave you vulnerable to hefty fines and even lawsuits.

While privacy laws have a very broad application in the sense that they apply to businesses outside of the states or countries in which they are passed, they also set certain criteria that you need to meet for the law to apply to you. Therefore, you should not simply assume that every privacy law applies to you, but should instead review the list of laws and criteria below to determine your obligations:

  • California Online Privacy and Protection Act of 2003 (CalOPPA): applies to operators of commercial websites that collect the PII of California residents;
  • California Privacy Rights Act (CPRA): applies to for-profit entities that do business in California, collect, share or sell the PII of California residents and meet one or more of the following criteria:
    • Has annual gross revenues of $25,000,000 or more;
    • Buys, receives, sells or shares the PII of at least 50,000 California consumers, households or devices; or
    • Derives at least 50% of its annual revenue from selling the PII of California consumers.
  • Nevada Revised Statutes Chapter 603A: applies to data brokers and operators of commercial websites that collect the PII of Nevada consumers and that purposefully direct their activities towards Nevada, consummate a transaction with the State of Nevada or a resident of Nevada, purposefully avail themselves of the privilege of conducting activities in Nevada or otherwise engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution;
  • Delaware Online Privacy and Protection Act (DOPPA): applies to operators of commercial websites that collect the PII of Delaware residents;
  • Virginia Consumer Data Protection Act: applies to persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that:
    • During a calendar year, control or process the PII of at least 100,000 residents of Virginia; or
    • Control or process the PII of at least 25,000 Virginia consumers and derive 50% of gross revenue from the sale of PII.
  • Colorado Privacy Act: applies to controllers of PII that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one of the following thresholds:
    • Control or process the PII of 100,000 or more Colorado consumers during the calendar year; or
    • Derive revenue or receive a discount from the sale of PII and collect or process the PII of 25,000 or more Colorado consumers.
  • Utah Consumer Privacy Act: applies to controllers of PII that conduct business in Utah or that produce products or services that are targeted to residents of Utah and that:
    • Have annual revenue of $25,000,000 or more; and
    • Meet one of the following thresholds:
      • During a calendar year, control or process the PII of 100,000 or more Utah residents; or
      • Derive 50% or more of their annual revenue from the sale of personal data and control or process the PII of 25,000 or more Utah consumers.
  • Connecticut SB6: applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that, during the previous year:
    • Controlled or processed the personal data of 100,000 or more Connecticut residents; or
    • Controlled or processed the personal data of 25,000 or more residents of Connecticut and derived more than 25% of their gross revenue from the sale of personal data.
  • General Data Protection Regulation (GDPR): applies to you if you:
    • Are located in the European Union;
    • Offer goods or services to European Union residents, regardless of your location; or
    • Monitor the behavior of European Union residents, regardless of your location.
  • UK DPA: applies to you if you:
    • Are located in the United Kingdom;
    • Offer goods or services to U.K. residents, regardless of your location; or
    • Monitor the behavior of U.K. residents, regardless of your location.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect, use, or disclose PII in the course of commercial activity. PIPEDA can also apply to non-Canadian companies that collect, use, or disclose the PII of Canadian residents.
  • Quebec Law 25: applies to persons who collect, hold, use or share the personal information of Quebec residents in the course of carrying on an enterprise within the meaning of Article 1525 of the Quebec Civil Code. Article 1525 defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property or providing a service.” This means that Quebec Law 25 will apply to both for-profit and nonprofit organizations that collect, hold, use or share the personal information of residents of Quebec.
  • Australia Privacy Act of 1988: applies to Australian organizations with annual turnover of more than AUD $3,000,000 and to organizations outside of Australia that have an Australian link. It also applies to the following Australian organizations even if their turnover is less than AUD $3,000,000 per year:
    • Private sector healthcare providers;
    • Businesses that sell or purchase PII;
    • Credit reporting bodies;
    • Contracted service providers for Australian government contracts;
    • Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009;
    • Businesses that have opted in to comply with the law;
    • Businesses that are related to a business covered by the law; and
    • Businesses prescribed by the Privacy Regulation 2013.
  • Several more privacy laws are about to go into effect, including:
    • NJ SB 332 (effective January 16, 2025)
    • Delaware (effective January 1, 2025)
    • Oregon Consumer Privacy Act (effective July 1, 2024)
    • Texas Data Privacy and Security Act (effective July 1, 2024)
    • Montana Consumer Data Privacy Act (effective October 1, 2024)
    • Tennessee Information Protection Act (effective July 1, 2025)
    • Indiana SB5 (effective July 1, 2026)
    • Iowa SF262 (effective January 1, 2025)
    • New Hampshire SB 255 (effective January 1, 2025)
    • Kentucky HB15 (effective January 1, 2026)
    • Nebraska LB1074 (effective January 1, 2025)

The above list can be intimidating, but if you use the Termageddon Privacy Policy generator, the first set of questions you are asked will help determine which privacy laws apply to you and thus which disclosures your Privacy Policy needs to contain, which makes this second Privacy Policy best practice much easier to achieve. After determining which privacy laws apply to you, your next step is to ensure that your Privacy Policy contains all of the necessary disclosures.

Privacy Policy best practice 3: include the necessary disclosures

The next best practice is to ensure that your Privacy Policy contains all of the disclosures required by the privacy laws that apply to you. Since each law has a very specific set of required disclosures, if you are drafting your Privacy Policy yourself, you will need to read those laws and make a list of the disclosures that you need to add. Depending on which laws apply to you, you may need to include some or all of the following information:

  • The effective date of your policy;
  • Your name and contact information;
  • What PII you collect;
  • Sources from which you collect the PII;
  • Purposes for which you will be using the PII;
  • Whether you share PII and, if you do, the categories of third parties with whom you share it;
  • Whether personal information is collected using technology that allows a person to be identified, located or profiled and, if so, the means available to deactivate the functions that allow the person to be identified, located or profiled;
  • How your website responds to Do Not Track signals;
  • How you will notify users of changes to your Privacy Policy;
  • Whether you sell PII – if you do, you may need to make further disclosures regarding such sales;
  • Whether you use PII for targeted advertising and how individuals can opt out;
  • A list of the privacy rights provided to consumers;
  • How a consumer can exercise their privacy rights;
  • How a consumer can appeal a decision made regarding a privacy rights request;
  • How a user can complain to the authorities if they feel like their privacy rights have been infringed upon;
  • Legal bases under which you process PII;
  • How long you store PII;
  • Whether you use PII for direct marketing;
  • Whether you use PII for automated decision making or profiling;
  • Whether you transfer PII outside of certain countries or to an international organization;
  • Whether you have a Data Protection Officer. If you do have a Data Protection Officer, you will need to include their contact information in your Privacy Policy;
  • How you protect the PII that you collect;
  • Whether you use any type of analytics on your website such as Google Analytics; and
  • Whether you use cookies or other tracking technologies on your website.

While your Privacy Policy may not need all of the above disclosures, it is imperative that it does contain all of the disclosures that are required by the privacy laws that apply to you. Missing just one disclosure can mean that your Privacy Policy is not compliant, leaving you in danger of heavy fines or even lawsuits. Termageddon’s Privacy Policy generator will help you build a Privacy Policy that has these disclosures by asking you a series of questions. Your answers are then used to build a Privacy Policy that is specifically based upon the privacy laws that apply to you and your privacy practices.

Privacy Policy best practice 4: review your Privacy Policy

Once your Privacy Policy has been created with all of the right disclosures, the next Privacy Policy best practice is to review it. While having a Privacy Policy is an excellent first step towards compliance, you also need to follow your Privacy Policy and the promises contained therein. For example, if your Privacy Policy states that you do not sell PII, you should not sell it until you update the policy and obtain appropriate consents from your customers where needed. In addition, your Privacy Policy will also state where individuals can send their privacy rights requests and how soon you will respond to those requests. Thus, it is important that you review your Privacy Policy and have a strategy in place for responding to consumer privacy rights requests and other requirements imposed by the privacy laws that apply to you.

Privacy Policy best practice 5: strategy for keeping your Privacy Policy up to date

Unfortunately, the days of putting your Privacy Policy on your website and never updating it again are over. With over a dozen proposed state privacy bills in the United States, Canada’s proposed update to its privacy law, PIPEDA, and the United Kingdom considering an overhaul of its privacy legislation, it is more important than ever to have a strategy for keeping your Privacy Policy up to date with new laws and changes to Privacy Policy requirements. If you do not have the time to spend hours on tracking privacy bills across the world and for updating your Privacy Policy whenever those laws change, you can use Termageddon’s Privacy Policy generator – we will track privacy bills and laws for you and make updates whenever a new privacy law is passed or an existing privacy law is amended, saving you time and headache.

As you can see, there are several Privacy Policy best practices that will help you ensure that your Privacy Policy meets your goals of compliance with privacy laws. From reviewing your website, to determining what privacy laws apply to you, to keeping your Privacy Policy up to date, we hope that this guide has helped you make your Privacy Policy better.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
