
Privacy Policy to Build Consumer Trust

by Eric Misterovich

Partner

Internet Lawyer

If you run a website or an online business, a privacy policy is a must. These legal notices outline how your website visitors’ personal information is used. For example, many websites collect IP addresses and later sell them to third parties. If you do not sell your visitors’ information to a third party, great! But consumers want to know that. And in today’s “connected” world, they are demanding privacy more and more.

What is a privacy policy?

A privacy policy simply discloses the website owner’s intent. People are entitled to know where their information will go once it leaves their computer and travels into the interweb. For example, is your website dropping “cookies” to keep track of visitor activity? Although cookies generally let users save login information and therefore serve a legitimate purpose, that practice should still be disclosed in a privacy policy.

What is the risk in not having a privacy policy?


Photo credit: Yuri Samoilov

Many jurisdictions require privacy policies for websites on which secure transactions are completed. For example, an online retailer’s privacy policy would assure visitors that their private information will not be sold if they choose to buy products on the site. Consumers are entitled to know that their address, phone number, and credit card information are secure. Many consumers know to trust only secure websites, and your privacy policy is the place to display a secure transaction “trust badge”. And if you are in a regulated industry, the law may require you to display a privacy policy on your website. Failure to do so may result in fines or suspension of your business license.

While shopping websites and others, such as medical and banking sites, are required by law to maintain a privacy policy, other industries are not so regulated. Nevertheless, every business with a website should have a privacy policy. For example, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) requires email marketers to allow customers to opt out of receiving emails, and your privacy page should include opt-out instructions.

What should my privacy policy include?

Every industry and each website within it will require a different privacy policy. Further, a poorly written privacy policy is like not having one at all. Here are a few do’s and don’ts to remember when creating yours.

  • Do not simply cut and paste a privacy policy from another website. Each company uses customer information in a different way;
  • Do not use business slang that customers may not understand. For example, explain that “cookies” are used to remember customer login information;
  • Do not write your own privacy policy yourself unless you have experience in writing them; and
  • Do include the processes your business actually follows (not the ones you hope to follow).

By explaining what data you are collecting, you are not just playing it safe; you are treating your consumers with respect. This will help you earn and build trust among your consumers.

Again, every privacy policy is unique. For more information about creating an effective privacy policy, contact Revision Legal’s Internet attorneys through the form on this page or call 855-473-8474.

Federal and State Laws That Mandate Privacy Policies

The United States has no single comprehensive federal privacy statute, but a patchwork of federal laws imposes privacy notice requirements on specific industries and data types. The Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. Sections 6501-6506, requires websites directed at children under 13 to post a privacy policy disclosing what personal information is collected, how it is used, and to whom it is disclosed. Violations carry civil penalties up to $51,744 per violation under FTC enforcement. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide customers a clear notice of their privacy practices. HIPAA mandates a Notice of Privacy Practices for covered healthcare entities.

At the state level, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most demanding U.S. state privacy law currently in force. Businesses meeting CCPA thresholds must maintain a specific privacy notice and honor consumer rights including the right to know, the right to delete, the right to correct, and the right to opt out of sale or sharing of personal information. Virginia, Colorado, Connecticut, Texas, and more than a dozen additional states have enacted similar comprehensive privacy laws.

What a Compliant Privacy Policy Must Disclose

Regardless of which law applies to your business, a compliant privacy policy should clearly address the following categories: categories of personal information collected (name, email address, device identifiers, IP addresses, purchase history, geolocation data, and inferences drawn from these); purposes for collection and use (fulfilling orders, improving services, marketing, analytics, fraud prevention); third-party sharing (identify service providers, advertising partners, analytics vendors, and data brokers who receive personal information); data retention periods; consumer rights and how to exercise them; and security measures in place to protect personal information.

GDPR Considerations for Businesses with EU Traffic

If your website attracts visitors from the European Union or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR impose additional requirements that go well beyond U.S. standards. Under the GDPR, you must identify a lawful basis for processing personal data, disclose data transfers to third countries and the safeguards in place, and provide a privacy notice in plain, specific, informed, and unambiguous language. Failure to comply can result in fines up to EUR 20 million or 4% of annual global turnover, whichever is higher. Even U.S.-based businesses without a physical presence in the EU can be subject to GDPR enforcement if they offer goods or services to EU residents.

Privacy Policy as a Trust Signal and Competitive Advantage

Beyond legal compliance, a clear and honest privacy policy functions as a competitive differentiator. Research consistently shows that consumers — particularly in regulated industries like healthcare, finance, and legal services — are more willing to share personal information with businesses that clearly explain how that information will be used and protected. A privacy policy that is specific about data practices, easy to find, and written in plain language communicates organizational maturity and earns consumer confidence in a way that boilerplate legal jargon does not. Pair your policy with a visible cookie consent mechanism and, where required, a clear “Do Not Sell or Share My Personal Information” link, and you signal that your business takes privacy seriously at every consumer touchpoint.

Contact Revision Legal’s Internet Attorneys

Privacy law is evolving rapidly, and a policy drafted in 2018 may not comply with the laws in effect today. Revision Legal’s internet attorneys draft privacy policies tailored to your business model, data practices, and applicable state and federal law. Contact us to ensure your privacy policy is accurate, legally compliant, and actually builds the consumer trust your business depends on.
