What are Privacy Policies? 

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Chances are that when using websites, you have either been asked to agree to a Privacy Policy or have seen a link to a Privacy Policy on the footer of the page so you may be wondering: what are Privacy Policies? Privacy Policies are documents that inform your website visitors of your privacy practices such as what Personally Identifiable Information (PII) you collect, what you do with that information, and who you share it with. While many think that a Privacy Policy contains random information and legalese, this is actually not true as a Privacy Policy must contain the disclosures that are required by the privacy laws that apply to you. In this article, we’ll answer the question of “what are Privacy Policies?”, including: 

  • Who needs to have a Privacy Policy and why; 
  • What information should your Privacy Policy contain; 
  • Why you need to have a strategy to keep your Privacy Policy up to date; 
  • Where to obtain Privacy Policies. 

Who needs to have a Privacy Policy? 

Is your website collecting PII? 

Generally speaking, any website that collects PII needs to have a Privacy Policy as PII is regulated under a number of privacy laws that require businesses that collect PII to have a Privacy Policy. PII is any information that could identify someone or any information that is related to a specific person. For example, the following information that is commonly collected through business websites is considered PII: 

  • Names;
  • Email addresses;
  • Phone numbers;
  • Shipping addresses;
  • IP addresses.

PII is commonly collected through the following website features: 

  • Contact forms; 
  • Email newsletter subscription forms; 
  • eCommerce forms; 
  • Analytics tools such as Google Analytics; 
  • Advertising tools such as the Facebook Pixel. 

It is important to note here that while sensitive PII such as Social Security Numbers or passport numbers are protected by privacy laws as well, you do not need to collect sensitive PII for privacy laws to apply to you as less sensitive PII such as names and email addresses are also covered. In addition, privacy laws can apply to you even if that information was submitted voluntarily by the website user and is not required to be submitted. Lastly, privacy laws apply as soon as you collect the PII and you do not need to share it or even use it for privacy laws to apply to you. 

What privacy laws can require websites to have a Privacy Policy? 

Most businesses have a Privacy Policy on their website to comply with the privacy laws that apply to them and thus avoid fines and lawsuits. Since non-compliance with privacy laws can be costly (starting at $2,500 per website visitor), it is important to get this right. Privacy laws were created to protect individuals residing in certain states and countries and, due to the broad nature of the Internet (anyone from anywhere can submit their PII to a website online), privacy laws do not apply based on where your business is located. To determine what privacy laws apply to you, you must ask the following questions: 

  • Who can submit their PII to your website? 
  • Where do you do business? 
  • To whom do you offer goods or services? 
  • Who do you track online through features such as cookies, pixels, and analytics? 
  • Where are your customers located? 

For example, if your website collects the PII of residents of California, the California Online Privacy and Protection Act (CalOPPA) will probably apply to you. On the other hand, if you collect the PII of residents of Nevada and do business in Nevada, then Nevada Revised Statutes Chapter 603A will apply. In addition, if you offer goods or services to residents of the European Union or track their behavior online, then GDPR will apply to you. These privacy laws can apply even if your business is not located in California, Nevada or the European Union. 

The first step in complying with privacy laws is to determine which privacy laws apply to you as that will dictate the requirements that you need to comply with and the disclosures that your Privacy Policy will need to contain. 

What information should your Privacy Policy contain? 

To comply with privacy laws and thus help avoid fines and lawsuits, it is imperative that your Privacy Policy contains the information required by the privacy laws that apply to you. This is due to the fact that each privacy law has its own set of disclosures that it requires Privacy Policies to contain. 

It is important to note that since each privacy law has a unique set of required disclosures, compliance with the most stringent privacy law does not necessarily mean compliance with other privacy laws. For example, the General Data Protection Regulation (GDPR), a privacy law that most consider to be the most comprehensive one, does not require you to disclose whether you sell PII while the California Privacy Rights Act (CPRA) does. Thus, compliance with GDPR would not mean compliance with the CPRA when it comes to Privacy Policies. 

In addition, your Privacy Policy should accurately reflect your business and privacy practices. For example, if your Privacy Policy states that you do not share personal information but you actually use an email marketing vendor such as MailChimp to send newsletters, that information would actually be shared and your Privacy Policy would be inaccurate and thus non-compliant. 

Thus, your Privacy Policy should contain the disclosures required by the privacy laws that apply to you and should accurately reflect your business and privacy practices. 

Why you need a strategy to keep your Privacy Policy up to date

Once you have obtained a Privacy Policy that complies with the privacy laws that apply to you, you may be tempted to sit back and believe that the job is finished. However, the passage of a privacy law is not the end of the story. After a privacy law is passed, it is common for state Attorneys General to issue regulations that further interpret the requirements of the law, including the required Privacy Policy disclosures. In addition, Data Protection Authorities often issue decisions on violations of a privacy law or guidance that helps businesses comply. Regulations, cases, fines, and guidance can all change the Privacy Policy disclosure requirements. 

In addition, new privacy laws are passed all of the time. For example, in 2024, three new privacy laws are going into effect, each with their own unique Privacy Policy disclosure requirements. And, with more than a dozen states that have proposed their own privacy bills and multiple countries such as the United Kingdom, Canada, and Australia working to update their privacy laws, there is no shortage of upcoming Privacy Policy changes. 

Lastly, your Privacy Policy needs to be updated whenever your business and privacy practices change. For example, if you previously did not use Google Analytics but plan on doing so now, your Privacy Policy needs to be updated to reflect the new PII that is going to be collected, used, and shared. 

Due to the numerous changes to Privacy Policy disclosure requirements from new privacy laws, regulations, cases, and fines, it is imperative that you do not just have a Privacy Policy that complies with today’s privacy laws but that you also have a strategy to keep the policy up to date with new changes. 

Where to obtain Privacy Policies

Now that you have an answer to your initial question of “what are Privacy Policies”, you may be wondering how you can obtain one for your website. Remember that the two most important aspects of a Privacy Policy are: 

  1. The Privacy Policy must contain the disclosures required by the privacy laws that apply to you and must accurately describe your business and privacy practices; 
  2. The Privacy Policy must be updated to reflect new laws, regulations, cases, fines and guidance. 

Can you copy and paste your competitor’s Privacy Policy? 

Many business owners believe that to get a Privacy Policy, all they need to do is copy and paste their competitor’s policy and change the business name and contact email address. You’re of similar size, serve similar markets, sell similar products or services, so what’s the harm? First, copying and pasting policies from a competitor’s website is copyright infringement. Second, your competitor may not need to comply with the same privacy laws as you do. For example, your competitor may not service users in California or may not offer shipping to the European Union and thus not need to comply with those privacy laws. If that is the case, the Privacy Policy that you copied and pasted may not include all of the required disclosures and leave you out of compliance. 

Third, even if your competitor does need to comply with the same privacy laws as you do, they may have missed certain disclosures. Thus, if you copy and paste the Privacy Policy, it may not include all of the disclosures required and thus leave you out of compliance. Fourth, if you copy and paste your competitor’s Privacy Policy, you will need to check their Privacy Policy and hope that they update it in time for any newly required disclosures. Lastly, you will also need to read through the policy and make changes to ensure that it accurately reflects your business and privacy practices, which can be a very time consuming process. 

Can you hire an attorney to write your Privacy Policy? 

Hiring an attorney to write your Privacy Policy is the best option, as the attorney can make sure that your Privacy Policy contains all of the disclosures required by the privacy laws that apply to you, make updates to the policy as needed, and provide you with legal advice on how to comply with those laws. However, it is important to note that hiring an attorney to draft your policies and update them can be very expensive, costing you thousands of dollars. Thus, if you can afford it, hiring an attorney is the best option, but it may not be affordable for many small businesses. 

Can you use a Privacy Policy generator? 

For businesses that want comprehensive, auto-updating Privacy Policies but do not have the funds for an attorney, the next best option is to use a Privacy Policy generator. A good Privacy Policy generator will first ask you questions to determine what privacy laws apply to you and then will ask you subsequent questions to create the disclosures required by those laws. A good Privacy Policy generator will then monitor privacy laws for you and can even automatically update your policy for newly required disclosures. 

It is important to note that not all Privacy Policy generators are built the same. To pick the right Privacy Policy generator for you, you should ask the following questions: 

  1. Does the generator determine what privacy laws apply to you? 
  2. Does the generator have clear and straightforward pricing? Or does the generator claim that your policies will be free but when you actually start creating them, you are being charged for extra protection? 
  3. Who is behind the generator? Does the generator employ a privacy attorney? 
  4. Does the generator have a history of updating client policies prior to new laws or changes going into effect? 
  5. Does the generator provide support in case you are not sure how to answer certain questions? 

With a lot of Privacy Policy generator options out there, it is important that you take the time to make sure that you are picking the right one for your business. Make sure to check out the Termageddon Privacy Policy generator as it ticks all of the boxes above so that you can have peace of mind that your business is protected.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
