It is almost impossible to watch the news nowadays without seeing one privacy scandal or another. Facebook is sharing its users’ data with third parties, Google is gobbling up medical records, and new GDPR violation fines are imposed with alarming frequency. With privacy laws being passed and new bills being introduced, it is hard to keep track of what is really going on. You may be asking yourself:

  • What is a Privacy Policy? 
  • Do I need a Privacy Policy? 
  • Why do I need one? 

In this post, we hope to answer all of the above questions so that you can understand your obligations regarding privacy protections online. 

What is a Privacy Policy? 

A Privacy Policy is a statement or document that discloses the ways the website operator gathers, uses, discloses, and manages the data of customers and/or website visitors. In other words, at the most basic level, a Privacy Policy discloses: 

  • What data you collect; 
  • What you do with that data; and 
  • Who you share it with. 

While the above seems simple enough, don’t be fooled. Depending on which laws apply to you, a Privacy Policy may also need to include additional disclosures such as: 

  • Use of analytics programs; 
  • Data retention period; 
  • Sale of personal information; 
  • Use of direct marketing; 
  • Response to Do Not Track signals; 
  • Possibility of data transfers; 
  • Rights of the user with respect to their data; and 
  • Location of data processing. 

A Privacy Policy informs visitors to your website and your customers on what is done with their data. It can also help protect you against fines for violations of data privacy laws. 

Do you need a Privacy Policy? 

There are many misconceptions surrounding this question. Some people think that they need a Privacy Policy only if they are processing payments, while others believe that small businesses don’t need to worry about any of this. The truth is that any website that collects personally identifiable information needs to have a Privacy Policy. Personally identifiable information is any information that could identify someone, such as a name, email address, phone number or physical address. So, if your website has a contact form or a newsletter sign-up form, it also needs to have a Privacy Policy.

Why do you need a Privacy Policy? 

Most websites have contact forms, so we will assume that yours does too. Thus, you need a Privacy Policy. But why? There are privacy laws that protect the personally identifiable information of consumers. If these privacy laws apply to you, you need to have a compliant Privacy Policy to avoid fines. Currently, four privacy laws protect consumers in the European Union and the United States online:

  • European Union’s General Data Protection Regulation; 
  • The California Online Privacy Protection Act of 2003; 
  • The California Consumer Privacy Act; and 
  • Nevada Revised Statutes Chapter 603A and SB220. 

You may be thinking to yourself: “I’m not located in the EU, California or Nevada, so I’m in the clear, right?” Not exactly. These laws protect the consumers of that jurisdiction, not the businesses located there. You should consider where the visitors to your website and your customers are from. If you have customers in California, Nevada or the EU, these laws may apply to you. For more information on who these laws affect, read more about what laws require websites to have a Privacy Policy. Each of these laws has similar but distinct requirements as to what a Privacy Policy should contain, and each imposes high penalties for non-compliance. Fines can range from $2,500 per violation (per website visitor) to €20,000,000.

Furthermore, nine states have proposed their own privacy bills, including Hawaii, New Jersey, Pennsylvania, Illinois, Washington, New York, Massachusetts, Minnesota, and Rhode Island. These privacy bills would require websites that collect personal information to have Privacy Policies that comply with state requirements. Finally, as we see with the other privacy laws that are already in effect, these bills would reach businesses outside of those respective states as well. 

It is clear that websites that collect personal information such as a name, email or phone number need to have a Privacy Policy. Privacy laws are in effect and being enforced, and more bills are being introduced and passed. Don’t let your business be fined or investigated; get protected today.

Donata Kalnenaite
President, Termageddon
Donata is the President of Termageddon and the engineer behind the policy questions and text. She is a licensed attorney and certified information privacy professional. She often volunteers at the Illinois State Bar Association, holding courses on the General Data Protection Regulation where she teaches other attorneys about the importance of privacy and what Privacy Policies should contain. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms and walks with her fiancé and two dogs.