If you’re collecting any personal information from visitors to your website, you must have a privacy policy. And, if you have an online business, website or blog, you’re almost definitely collecting personal information from people visiting your site. This article will show you how to write a privacy policy for your website and what needs to be included.
There is no federal law governing whether a privacy policy is required for all businesses (yet!). But, there are state laws that essentially require a privacy policy for all websites. Even if you aren’t required to have one, you should have one to show transparency and build trust with your customers and/or audience.
Should you write your privacy policy yourself?
Some people choose to create their privacy policy themselves. If you choose to do that, this post will give you some information that needs to be included. You can look at other sites for inspiration, but you should never copy & paste anything. First, that’s a copyright violation. Second, your privacy policy should be tailored to your business, and copying from another site isn’t going to help you make sure you have all the correct information.
If you don’t want to invest the time or energy required to write a privacy policy and prefer to purchase a done-for-you template, I have one available in my shop. This template is lawyer-drafted, easy to customize, and GDPR compliant. Most people who’ve purchased tell me they were able to get it up on their site within 30 minutes.
You also need to follow your privacy policy
You need a privacy policy, but you also need to make sure you’re following your policy. Recently, the Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have brought actions against several large companies for misleading statements in privacy policies and/or failing to protect personal data as they should have. These have mostly been big businesses, but it’s something to keep in mind as a small business owner, too. A lot of the legal cases in this area revolve around a company’s failure to follow its own privacy policy.
If you say you’re protecting their information in a certain way, make sure you’re doing that. Your privacy policy should evolve over time as your business changes. Most advice I’ve seen suggests revisiting and updating your privacy policy once a year. Make sure to include language that you may make changes to your privacy policy at any time.
Your privacy policy should be concise and easy to understand. It should be placed in an easy-to-find place on your website. Most sites I’ve seen include their privacy policy in the footer. It does not need to have a lot of legalese and should be at around a high school reading level. You are not trying to be sneaky, and you want it to be clear to your audience exactly what information you’re collecting, why you’re collecting it, and how you’re using it.
What laws make a privacy policy required
There is no federal law requiring a privacy policy for all US businesses. But, that doesn’t mean you don’t have to have one.
Federal laws
Some businesses are required by federal law to have a privacy policy based on the type of business they are and/or the type of personal information they’re collecting. This is in no way meant to be a full coverage of these laws. If you think one may apply to you and your business, you should do your own research or consult with an attorney.
Children’s Online Privacy Protection Act (COPPA)
Companies that target, or knowingly collect information from, children under the age of 13 are required to post a clear and comprehensive privacy policy. If your website targets children under the age of 13, you can read more about COPPA here.
Gramm-Leach-Bliley Act (GLBA)
Companies that are “significantly engaged” in financial activities are required to give clear, conspicuous, and accurate statements of their collection and sharing of personal information. This includes companies that “offer consumers financial products or services like loans, financial or investment advice, or insurance” according to the Federal Trade Commission’s (FTC) website. You can read more about it here.
Health Insurance Portability and Accountability Act (HIPAA)
For those companies in the health care services industry, a privacy policy must be provided in writing. This also applies to health services provided electronically. You can read more about HIPAA here.
State laws
Interestingly, it’s state laws that essentially make a privacy policy a requirement for all US businesses. The rise of online businesses means that a business in one state can more easily target and do business with citizens of another state. Generally, if you’re doing business in a state by making your product or service available in that state (even if it’s not your home state), then you’re required to follow the laws of that state as well.
As business owners, this can feel cumbersome, but as consumers I think we can see why this is necessary to protect us.
California
California has the strictest privacy laws in the country (Calif. Bus. & Prof. Code Sect. 22575-22578), and since you never know when you could have a visitor to your site from California, you need to abide by its law. This requires “conspicuously” posting a privacy policy on your site. ‘Conspicuous’ is a common legal term that means easily noticeable. You need to tell what information you’re collecting, what third parties you share that information with, and how you track people visiting your site.
In 2012, the state of California sued Delta for violating this law and sought statutory penalties of $2500 for each time Delta’s app was downloaded by a California resident. Is your business as big as Delta? Probably not, but that doesn’t mean you wouldn’t face fines for violating the law.
Connecticut
Connecticut also has a law (Conn. Gen. Stat Sect. 42-471) requiring businesses to protect the data they collect. It also requires a clearly posted privacy policy for those businesses collecting Social Security numbers.
Considering the number of privacy breaches in the past few years, I expect many other states to follow suit. And, I would be surprised if the federal government did not enact a federal law requiring privacy policies and the disclosure of how a website is collecting, using, and sharing the personal information of its visitors.
General Data Protection Regulation
There are many international laws, but the only one I will mention in this article is the General Data Protection Regulation (GDPR). The GDPR is a European Union law that went into effect on May 25, 2018. It caused quite an uproar at the time, because it’s a very encompassing law and applies not only to websites and businesses located in the EU, but also to those whose websites and/or businesses can be accessed by people located within the EU.
I will not go into a lot of detail in this article about GDPR, because it’s a long and complex law and deserves more attention than I can give to it here. For our purposes here, just know that even if you’re in the US, the GDPR probably applies to you and it’s just one more reason you need to have a privacy policy on your website.
How to write a privacy policy for your website
Now that you know you need to have a privacy policy on your website, you’re probably wondering how you can write one. There is no single right way to create a privacy policy, but all privacy policies need to contain certain information. Most people are capable of writing their own privacy policy, but you need to know that it will likely take quite a bit of time.
If you don’t want to deal with the hassle of writing your own privacy policy, there are many templates, free and paid, available online. I can’t speak to how well any of these are created, but I have created a template that is available in my shop if you’re interested. It is easy to customize and GDPR compliant. The best part is, you can have it up on your site within 30 minutes.
If you’re going to create your own privacy policy, do NOT go to a website and copy & paste their privacy policy. For one thing, this is a copyright violation and not allowed. But perhaps more importantly, a privacy policy means nothing if it’s not tailored to your website. Copying another website’s policy will tell you how they’re collecting information, etc., but that may not be how you’re collecting information. You’re required to have a privacy policy, but you’re also expected to follow your privacy policy, and copying someone else’s policy that doesn’t reflect your business practices doesn’t do you any good.
Your privacy policy needs to include at least these things:
- What personally identifiable information (PII) you are collecting from customers and those visiting your site
- How you collect that information
- How you store and protect that information
- How you use that information
- How you distribute or share that information
- How your customers can access what information you’ve collected about them, and what they can do to review, edit, correct, and/or delete that information
It’s also a good idea to include a business transfer clause. This is a clause saying if you sell, or otherwise transfer, your website, you will also be transferring the information you’ve collected from visitors and customers.
Finally, you should have a dispute resolution clause. I generally suggest an arbitration clause. Though this might sound like a scary legal term, what it means is that if there are any disputes, you will go to arbitration to handle the disputes instead of the court system. This is usually a much more cost effective and timely way to handle disputes.
If you are collecting personal information from people, then you need to have a privacy policy clearly posted on your site. And, if you have a website or blog, chances are you’re collecting personal information. How you create this policy, whether you do it yourself or purchase a template, is really up to you, but it is important that you tailor the policy to your actual business practices and that you follow your policy.
Want to make sure your website is fully protected? Check out this post to learn what other legal pages you need on your website.
Disclaimer: This site, and all information contained herein or through communication with me, is intended as legal information only. I am an attorney, but I am not your attorney, so nothing on this site, nor any communication with me, shall create an attorney-client relationship. I am not liable for damages or losses based on any action taken, or inaction, based on the information contained on this site. All areas of the law are fact specific and there is no substitute for legal advice from an attorney licensed in your jurisdiction who is familiar with the specific facts and circumstances of your situation.