Where should a Privacy Policy be on a website?

If your website collects Personally Identifiable Information (PII) such as names, emails, phone numbers or IP addresses through features such as contact forms, email newsletter sign up forms or analytics, you may be required by law to have a Privacy Policy. Once you create your policy with Termageddon, the next step is to put that Privacy Policy on your website. So you may be wondering – where should a Privacy Policy be on a website? The main rule of displaying a Privacy Policy is that it should be conspicuous to the visitors of your website. In this article, we will discus show to make your Privacy Policy conspicuous and the rules that privacy laws impose on displaying a Privacy Policy on your website.

Why is it important to properly post your Privacy Policy?

Privacy laws do not just require businesses to have a Privacy Policy just for the fun of it. The purpose of a Privacy Policy is to educate the visitors or users of your website on your privacy practices such as what PII you collect, what you do with it, and who you share it with. That is why privacy laws require websites to conspicuously post a Privacy Policy in a way that consumers can easily find it and learn more about your privacy practices. Failing to post your Privacy Policy in the proper manner means a violation of privacy laws. Privacy laws impose heavy penalties for violations – ranging from $2,500 per website visitor to €20,000,000 or more in total, meaning that failure to properly post a Privacy Policy can cost your business a lot of money.

Where should a Privacy Policy be on a website? Home page

Certain privacy laws such as the California Online Privacy and Protection Act of 2003 (CalOPPA) and the Delaware Online Privacy and Protection Act (DOPPA) require websites to conspicuously post a Privacy Policy. One of the ways in which these laws define “conspicuously” if posting the Privacy Policy as either the homepage of the website or the first significant page after entering the website. Since a website’s homepage introduces visitors to your business, presents visitors with your offerings, and entices visitors to do business with you, changing that page to just your Privacy Policy is, quite understandably, not very appealing to most business owners. Thankfully, these privacy laws also allow you to post a link to your Privacy Policy on your website’s footer, which is a much more popular solution.

For most business owners, the answer to “where should a Privacy Policy be on a website” is on its own page, with a link to that page being displayed on your website’s footer. CalOPPA and DOPPA require this link to be conspicuous and to do one or more of the following:

  • Include the word “privacy”;
  • Be written in capital letters equal to or greater in size than the surrounding text;
  • Is written in larger type than the surrounding text, or in contrasting type, font or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

The California Consumer Privacy Act (CCPA) also provides that the Privacy Policy must be posted online through a conspicuous link using the word “privacy” on the business’ homepage or on the download or landing page of applications.

Posting the Privacy Policy in a manner accessible to consumers

While CalOPPA, DOPPA, and the CCPA provide clear instructions on how to post a Privacy Policy, other laws leave it up to the business owner to determine how to post a Privacy Policy, as long as the Privacy Policy is accessible to consumers. For example, Nevada Revised Statutes Chapter 603A provides that the Privacy Policy must be posted in a manner that is reasonably calculated to be accessible by consumers. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) states that a privacy information (contained in the Privacy Policy) must be readily available to consumers in complete form. In addition, the Australia Privacy Act 1988 states that a company must have a clearly expressed and up to date Privacy Policy that is available free of charge and in such form as appropriate. Australia’s privacy law also dictates that the Privacy Policy must be prominently displayed, accessible, and easy to download. Lastly, the General Data Protection Regulation (GDPR) and the United Kingdom Data Protection Act 2018 (UK DPA 2018) state that the policy should be easily accessible.

Privacy laws such as GDPR and the UK DPA 2018 may require you to obtain consent prior to collecting the PII of residents of the European Union and the United Kingdom. These laws state that consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the individual’s agreement to the processing of their PII. In this case, “informed” means that the individual is presented with a Privacy Policy that contains all of the required information prior to their PII being collected. In addition, an “unambiguous indication” usually means the checking of a box prior to submitting PII. Thus, websites often have a checkbox to agree to a Privacy Policy that the user can click on whenever PII is being collected such as on contact forms, email newsletter sign up forms, account creation forms and order placement forms. Lastly, it is important to note that GDPR prohibits the bundling of consent with a Terms of Service or the provision of a particular service, where consent is not necessary to perform that contract or service. Thus, the best practice is to not bundle your Privacy Policy with your Terms of Service.

Whether you place your Privacy Policy as a homepage, or place a link to your Privacy Policy in your website’s footer or post your Privacy Policy wherever you are gathering consent, it is important to post it properly so that it can be easily found by consumers. Doing so can help you avoid privacy-related fines and lawsuits. If you have not created your Privacy Policy yet, make sure that you check out Termageddon’s Privacy Policy generator to create your auto-updating policy today.