Websites that collect Personally Identifiable Information (PII) such as names, emails, phone numbers or IP addresses through features such as contact forms, email newsletter subscription forms, eCommerce forms, analytics or advertising should be aware that the collection of this information is increasingly being regulated by privacy laws. The purpose of privacy laws is to provide individuals with more control over their PII by granting them privacy rights and by imposing obligations on businesses such as the requirement to have a comprehensive and compliant Privacy Policy.
Since fines for privacy law non-compliance start at $2,500 per violation (i.e. per website visitor whose privacy rights are infringed upon), it is important to get the right Privacy Policy to help protect your business from large fines. So you may be wondering, where can I get a Privacy Policy? In this article, we will break down the factors that comprise a comprehensive Privacy Policy and will look at the various ways that you can obtain one, including writing it yourself, using a template, using an attorney or a Privacy Policy generator so that you can make sure that you are making the right choice.
Where can I get a comprehensive Privacy Policy?
If you are not a privacy attorney, you may think that all Privacy Policies are essentially the same – an explanation of privacy practices layered with legal jargon. However, in practice, this is simply not the case. To be compliant and thus avoid privacy-related fines, a Privacy Policy must include all of the disclosures that are required to be made by the privacy laws that apply to the business and the website. This is because each privacy law has its own set of requirements as to what information a Privacy Policy must provide to the website visitor.
Thus, the question of “where can I get a Privacy Policy?” will only get you a roll of the dice where the Privacy Policy may or may not leave you at risk. The proper question to ask is “where can I get a comprehensive Privacy Policy?” as this will actually help you avoid the fines that stem from non-compliant policies and privacy law violations. In order to determine where to obtain a comprehensive Privacy Policy, you should ask the following questions:
- Is this Privacy Policy based on the privacy laws that apply to me? A Privacy Policy needs to be based on the privacy laws that apply to you because that is how the disclosures within that Privacy Policy are determined.
- Does this Privacy Policy combine multiple privacy laws? If individuals from multiple states or countries can submit their PII to your website, if you have clients from different areas, if you offer goods or services to multiple states or countries, or if you track individuals online through features such as cookies or analytics, then chances are that multiple privacy laws will apply to you. Since each privacy law has its own set of disclosure requirements, you will need a Privacy Policy that combines these requirements to meet the obligations of multiple privacy laws.
- Does this Privacy Policy contain all of the required disclosures? If a Privacy Policy does not contain all of the disclosures required by the laws that apply to you, then it is not compliant and could put you at risk of fines.
- Does this Privacy Policy update as the laws change? With four privacy laws going into effect over the next year, over a dozen proposed privacy bills in the United States and countries such as the United Kingdom and Australia considering updates to their privacy laws, Privacy Policy disclosure requirements will change and thus your Privacy Policy will need to be updated as well.
Keeping the above factors in mind will help you obtain a comprehensive and up-to-date Privacy Policy that will not put your business at risk.
Should you write your own Privacy Policy?
If you have just started your business or are trying to save on costs, then you may be tempted to write your own Privacy Policy. Because, really, how hard can it be? To write your own Privacy Policy, you would need to perform the following tasks:
- Read over a dozen privacy laws that require websites to have a Privacy Policy and determine which of those laws apply to you;
- Read the Privacy Policy disclosure requirements of each privacy law that applies to you;
- Read the regulations, guidance and enforcement actions of each law for additional or changed Privacy Policy disclosure requirements;
- Write all of the disclosures ensuring that they fit the requirements of the privacy laws as well as your privacy and business practices;
- Track dozens of proposed privacy bills in every jurisdiction that applies to you and read their requirements;
- Update your Privacy Policy whenever new laws are passed, existing laws are amended, new guidance is issued or enforcement actions interpret the disclosure requirements.
As you can see from the above, you would need to read hundreds of pages of legal documents, continuously track new legislation and requirements, and update your Privacy Policy to fit those requirements. In addition, you would need to ensure that your Privacy Policy disclosures are written in a specific way to meet those requirements. These tasks can take hundreds of hours each year, all while you are trying to service your customers, sell your products or services and run a business. Thus, unless you are a privacy attorney, you will probably want to choose a more cost-effective and time-effective solution rather than drafting your Privacy Policy yourself.
Should you use a Privacy Policy template?
With dozens of free or low cost options online, some business owners choose to use a template for their Privacy Policy. However, how does a Privacy Policy template address the factors above?
- Privacy Policy templates are not necessarily based on the privacy laws that apply to you. Templates are static documents that may claim to cover one privacy law such as the General Data Protection Regulation (GDPR). Since they are static documents, they do not help you determine what privacy laws actually apply to your business. While some templates may claim to cover one privacy law, other templates do not claim to cover any privacy laws but instead contain random disclosures that will not help you comply with any privacy law;
- Since Privacy Policy templates are based on one privacy law at best, they do not combine the disclosure requirements of multiple privacy laws. Thus, if multiple privacy laws apply to you, you will need to edit the template to add additional disclosures, which can take significant time. In addition, you will also need to edit the template to make sure that it fits your actual business and privacy practices as doing so is necessary for compliance;
- Privacy Policy templates usually do not include all of the disclosures required by the privacy law that the template claims to comply with. This is because templates are usually created by technology enthusiasts and not privacy attorneys and thus many disclosures are frequently missed;
- Lastly, since templates are static documents, they are not updated as the laws change. This means that you will still be responsible for tracking privacy bills and making updates as new laws are passed or existing laws are amended, which can take a lot of time and effort.
As you can see from the above, a Privacy Policy template is not a great solution for reducing the risk of privacy-related fines and can make you liable for privacy law violations.
Should you have an attorney write your Privacy Policy?
Having an attorney draft your Privacy Policy is a great option as the attorney can provide you with legal advice, help you determine what privacy laws apply to you, write your Privacy Policy and keep it up to date with changing legislation. It is important to note that privacy law is a more specialized field and thus having a privacy attorney (rather than a general attorney or a business attorney) draft your policies is the best choice.
The one con to using a privacy attorney to draft your Privacy Policy and keep it up to date is that it can be expensive (up to a few thousand dollars or more per year). Before engaging a privacy attorney, you should ask them the following questions:
- How much will it cost to initially draft the Privacy Policy?
- What privacy laws will the Privacy Policy cover?
- Will you be updating this Privacy Policy as legislation changes? If so, what is the cost of the updates?
Should you copy and paste your competitor’s Privacy Policy?
Another option for obtaining a Privacy Policy is to copy and paste the one that your competitor uses. Copyright infringement aside, this is not a great option because:
- Your competitor may need to comply with different privacy laws than you do;
- Even if you do need to comply with all of the same privacy laws, your competitor’s Privacy Policy may not include all of the disclosures required by those laws;
- Your competitor’s privacy and business practices may be different so you will need to edit the document to make sure that it fits your practices;
- You will have to check your competitor’s Privacy Policy all of the time to see if any updates are made for changing legislation. If your competitor is not tracking new legislation or is not making updates due to such changes, your Privacy Policy will not be compliant and you will be at risk of privacy-related fines.
Should you use a Privacy Policy generator?
The final option for the question of “where can I get a Privacy Policy” is to use a Privacy Policy generator. A Privacy Policy generator is a tool that asks you a series of questions and then uses your answers to generate a Privacy Policy. A good Privacy Policy generator will first help you determine what privacy laws apply to you and will then ask you follow up questions to create the disclosures required by those laws. A good Privacy Policy generator will also keep your Privacy Policy up to date with changing legislation by updating the text within your Privacy Policy whenever new legislation is passed or existing legislation is amended.
While a Privacy Policy generator is a more affordable option than using an attorney (because a generator cannot provide you with legal advice), not all generators are created equal. To pick the right generator for you, you should ask the following questions:
- Does the generator have clear pricing or do they hook you in with “free” and then ask for payment for basic features such as creating policies for a business or compliance with certain privacy laws?
- Was the generator founded by an attorney or do they have an attorney on staff?
- Does the generator have a record of updating client policies prior to the effective dates of new legislation?
- Does the generator provide additional resources on how to comply such as Compliance Guides?
- Does the generator help you determine what privacy laws apply to you?
A generator is a great option for obtaining a Privacy Policy as it is cost-effective, saves time and can help you protect your business. If you do not currently have a Privacy Policy and want to choose a generator that checks the boxes above, make sure to check out the Termageddon Privacy Policy generator.