Why Your Online Business Needs a Privacy Policy

I’m sure you’ve noticed that most websites include links to their “Privacy Policies” near the bottom on their home pages. You might have even tried to read through one of these Privacy Policies and understand what their purpose. If you have, chances are there was so much legalese that it was hard to figure out what it meant, and why it was there.

You might have also asked yourself whether you need something similar for your own online business. The short answer to that question is yes. If you are looking to maximize the protection of your online assets, you need to prepare and properly implement an appropriate privacy policy on your website.

Let’s walk through what privacy policies are, and how to prepare one that’s best suited for your web-based business.

What are Privacy Policies?

A privacy policy is a written statements that sets forth the terms and conditions under which your website handles the personal information that it obtains from anyone who visits the site. There is no required length or standard form for a privacy policy, though many of them contain the same kind of terms and language.

The guiding principles for preparing your own website privacy policy are accuracy and clarity. First and foremost, your privacy policy should describe the things you do or might do with the personal information you collect from your website visitors. As a starting point, your privacy policy should contain the following elements:

1. Identify the types of personal information your website collects about its visitors. You might collect the email address of each visitor who posts message to your website bulletin boards or chat areas, or who contact you through a web form or email. You might also collect consumer preference information from website surveys or other pages, and there might be additional information that users volunteer or give while on your website. You should identify each of these types of information.

It’s also good practice to describe the types of information that your website servers automatically log about each visitor, which might include the IP address of the computer the customer is using. You should also state whether your website sets “cookies” on the computer of a visitor, and if so, what information is stored in the cookie and what that information is used for.

2. Describe how you use the information that is given by or collected from your visitors. Do you use your customer information for internal purposes only, such as to optimize your website structure or content? Do you share the information with outside organizations who may contact the individuals for marketing purposes? If contacted by a government entity who wishes access to the visitor information, would you contact the individuals prior to releasing the information to the government entity? You should disclose each of these uses in your privacy policy.

3. Describe how a website user can review and make changes to their personal information, if that’s an option available to them. For example, if your website has an e-commerce component and you permit customers to store their shipping or billing information on your website, then you should state how the customer can access that information if he or she wants to review or change it.

4. Describe how you will publicize changes to your privacy policy. Privacy policies are living documents, in the sense that they need to be updated and revised as you grow and make changes to the way you do business, and in response to changes in legal requirements. Do you plan to email your registered users with an update about any changes to the privacy policy, or should the review the policy from time-to-time to learn about changes?

5. Provide your contact information. At a minimum, you should provide a valid email address where a customer can contact you with questions about your privacy policy. This is a good practice because it can help you identify

Do I Really Need to Have a Privacy Policy?

If you truly don’t collect any personal information from your visitors (such as if your business website is simply a single page that gives your physical store location and business hours), then you might not need to have a formal written privacy policy. But if you collect any customer or contact information through your website, have an ecommerce element, or collect any other information from your visitors, or plan to do any of those things in the near future, then yes, you do need a privacy policy. Not having an accurate privacy policy can expose your business to liability in a number of different ways.

The first is that you might face liability under a growing number of state laws aimed at protecting consumer privacy. For example, California law requires a commercial website operator who collects any personal information about users to conspicuously post its privacy policy on its website. While the term “conspicuously” isn’t defined explicitly in the law, it’s generally accepted that this means that the link should be on the website’s home page.

Pennsylvania and Nebraska both have laws which prohibit website operators from knowingly make a false or misleading statement in their privacy policies about the use of personal information collected from their users.

Should you care about these state laws if you don’t live in one of these three states? The answer, again, is – probably. If your business targets users across the country (or, more accurately, doesn’t target users in any particular locale), then your website will likely be held to the legal requirements of each and every state. This will be the case if you are in the business of selling informational products like e-books, provide consulting services to clients anywhere in the U.S., or the like.

Even if your business is truly a local one, such as a hair salon that uses a website to provide contact information or allow customers to make appointments online, it’s still a good idea to make your privacy policy accurate. The laws above are just those that are enforceable by the states themselves. Private individuals might also bring lawsuits based on any kind of inaccurate or potentially deceptive practices set forth in your privacy policies.

What do I do next?

Thankfully, you don’t need to start from scratch when you prepare your privacy policy. There are a number of resources available on the Internet that will serve as great starting points for your own privacy policy. But beware of simply copy another website’s privacy policy word for word. This will increase the chances that the policy doesn’t match what you do with your customers’ personal information.

Take the time to make sure that the privacy policy actually matches the way you do business, and meets the minimum standards described in this article (some website privacy policies in use today do not meet these standards). If you have the resources, consult with a qualified advisor to make sure the proposed privacy policy works for you and your business. This will help you maximize the protection afforded to your online assets.