So, you’ve got a landing page, or a website, and you’ve crafted the perfect opt-in/freemium/discount offer (whatever it is that you provide in exchange for someone signing up to receive your emails). You feel like you’re on top of the world because as an online business owner you were smart enough to realize that while you don’t own your social media following you sure as heck own your email list.

BUT…do you have a Website Privacy Policy?

If you’re new to the interwebs, you may or may not have seen the term before. You may have even been bombarded with emails in your own inbox about changes to other companies’ privacy policies following the enactment of the European Union’s General Data Protection Regulation (or “GDPR”) in May 2018 or the California Consumer Privacy Act (CCPA) in January 2020. Or you could be reading this with a completely confused look on your face thinking: “What the heck is a Privacy Policy and do all websites need a privacy policy?”

Don’t worry friend, I’ll explain. But first, know that everything I chat about here is intended to provide legal information and education. It is not business, financial, or legal advice, and does not create an attorney-client relationship between us. I’m an attorney licensed in the United States, so everything will be from the perspective of United States law. You should consult with an attorney in your area who understands your particular business situation so that you can take the right steps for you and your business.

What is a Privacy Policy?

Simply put, your website Privacy Policy puts your website viewers on notice that you’ll use care in collecting their personal information and tells them how you plan to use it.

That email address you collected in exchange for your opt-in/freemium/discount offer? Yeah, its personal information.

First, a little back story. The California Online Privacy Protection Act (CalOPPA) went into effect in 2004. It was the first United States law to REQUIRE online business owners to post a Privacy Policy on their websites if they collect personal information from website viewers who reside in California. CalOPAA’s definition of “personal information” includes first and last name, email address, physical address, telephone number, social security number, birthday, height, weight, and any other information that can be used to contact the Californian website viewer physically or via email.

And since the reach of the interwebs is nothing short of impressive, online business owners quickly caught on that they needed to comply with CalOPPA (because they had no idea if the people interacting on their websites were in California or Timbuktu). Especially since fines are $2,500.00 per violation (and each time a Californian resident visits a non-compliant website counts as an individual violation; so fines can add up quickly!)

What Should a Privacy Policy Include?

CalOPPA requires your Privacy Policy to include 6 main things to put your website viewers on notice:

1. What personal information you collect;

2. What third parties you share the personal information you collect with;

3. How a website viewer can contact you to make changes to or update any personal information that was collected;

4. How you deal with “Do Not Track” requests;

5. How you notify website viewers of changes to your Privacy Policy; and

6. The date the Privacy Policy went into effect.

Where Should I Put My Privacy Policy?

CalOPPA requires online business owners to “clearly and conspicuously” post their Privacy Policy. This means either:

1. On the home page of your website,

OR

2. Via a hypertext link on the home page of your website that contains the word “privacy” written in capital letters (also known as a “browse wrap” in internet law). This is the more common practice across the interwebs, just look at the bottom of the websites that you visit on a daily basis.

Better practice is to actually take it a step further and have a method for your website viewers to affirmatively agree to your Privacy Policy BEFORE providing you with their personal information. So, before they receive your perfect opt-in/freemium/discount offer, they have to check a box (also known as a “click wrap” in internet law) that indicates they have read and agree to your policy. And I’ll explain why in a minute.

So, What About the GDPR Privacy Policy I Mentioned Earlier?

I’m not going to lie. The GDPR is pretty complicated. And I’m not going to get into all of the nitty gritty specifics here. 

BUT it is important to know that the GDPR applies to any business that processes personal information from even ONE PERSON in the European Union (E.U.) or U.K.

The GDPR requires affirmative consent from your website viewers to process their personal information.

This means:

1. Your website viewer’s consent must be “freely given, specific, informed, and unambiguous;”

AND

2. Your website viewer must take some sort of action to say, “Yes, you can process my personal information.” This is why I said earlier that the better practice is to have your website viewers check a box that they agree with your Privacy Policy.

Processing personal information under the GDPR means collecting, recording, retrieving, storing, disclosing, and/or using personal information. It’s pretty expansive.

The GDPR also has an expanded definition of personal information – it’s “any information relating to an identified or identifiable natural person.” Holy cow. This includes the items named in CalOPPA (first and last name, email address, physical address, telephone number, social security number, birthday, height, weight) BUT it also includes anything relating to the person’s “physical, physiological, genetic, mental, economic, cultural, or social identity.” This includes IP addresses. All the tracking software and cookies you have on your website? Yeah, you need your website viewer’s consent.

You want to be sure to comply because the GDPR allows an individual to sue a business if his or her rights under the legislation are infringed. Typically enforcement is left to regulatory agencies. So, there is speculation in the worldwide legal community that claims brought by EU residents could be extremely costly to small businesses around the world. Especially since the fines are up to €20 million, or 4% of the business’ worldwide revenue of the prior financial year, whichever is higher.

And, as a note, the GDPR actually provides that you cannot simply block website viewers in the E.U. or U.K. So, don’t do it.

Do I need to update my privacy policy for GDPR?

In addition to the things required by CalOPPA, the GDPR requires that your Privacy Policy include:

1. How and why you collect personal information;

2. What you do with the personal information;

3. How you keep the personal information safe;

4. How long you retain the personal information;

5. If you share or sell the personal information with or to third parties (and if so, what third parties); and

6. If you use cookies.

You can read more about complying with the GDPR as a U.S.-based business here.

How does the GDPR Affect Me if I Don’t Live or Do Business in the E.U. or U.K.?

As I mentioned earlier, online business owners never know where their website viewers reside. And I’m guessing neither do you. With the expanded definition of personal information under the GDPR, it’s a good idea to make sure your website’s Privacy Policy (and business practices) are GDPR compliant.

Plus, there is a trend of global convergence in consumer privacy laws – to give control in how businesses use personal information back to the consumer.

Case in point? The California Consumer Privacy Act of 2018 (CCPA). The law went into effect January 1, 2020 and requires businesses that do business in California to:

1. Disclose what personal information they collect, the source of the information, how it will be used, and whether it’s sold or shared with any third party;

2. Allow consumers to say “no” to the sale of their personal information via an “opt out” process;

3. Provide consumers with access to the personal information that has been collected;

4. Delete personal information upon the request of a consumer; and

5. Not to discriminate against a consumer who exercises their rights.

The CCPA applies to businesses that do business in California and earn annual gross revenue of $25 million or more; collect, share, sell, or store the personal information of at least 50,000 consumers for commercial purposes; or earn at least 50% of their annual revenue from selling consumers’ personal information.

As a small online business owner, you’re probably thinking: “That doesn’t apply to me, so why should I be concerned?” Because the definition of “sell” under CCPA is murky – and you’re probably engaged in practices that fall under the definition. Which means there’s more your Privacy Policy should address – and the potential of a lawsuit or fines if you don’t comply. You can read all about it here.

Plus it’s inevitable that other states will soon be pushing for similar privacy legislation. Or we may see the federal government weigh in. Long story short, you need a Privacy Policy for your website.

This Seems Like A Lot – What Do I Get a Privacy Policy for my Website?

You can certainly try to piece it all together and draft a Privacy Policy for your website yourself. But the good news? You can snag a website Privacy Policy template.