A Privacy Policy Is Required By Law

If you run a business of any kind, then you likely already know you need a Privacy Policy. A Privacy Policy is a legal statement explaining the kind of personal information an organization collects from users as well as how it handles, processes and protects it.

As a business owner, you may find it difficult to know where to begin in creating your own Privacy Policy or which clauses to include. That is especially so if you are running a small business that does not have the benefit of a legal department or in-house legal counsel.

One way to get the process going is to read the applicable legislation as well as the Privacy Policies of other businesses, especially those in your industry. Reading a Privacy Policy template guide such as this one will also get you moving in the right direction.

Privacy Policies Are Required by Many Privacy Laws Worldwide

Developing a Privacy Policy is today viewed as part of the routine for establishing a business, website, mobile application, payment processing tool, advertising plug-in, analytics suite and more. Yet, more than a routine process, a Privacy Policy is often required by law whenever your business collects personal information from its customers and/or the public. While the specific requirements for a Privacy Policy vary by jurisdiction, the general principle is the same.

Compliance is not the only reason you should have a Privacy Policy though. It is also a valuable tool for building trust with consumers. When people see that you recognize your sacred duty to protect their personal information, they will be more comfortable doing business with you.

Even in the highly unlikely event that your business collects no personal information, there is no harm in having a Privacy Policy. Consumers are already accustomed to seeing one, so the absence of a policy may leave them suspicious and confused. Alternatively, post a prominent notice stating that you do not collect any personal information.

Important Privacy Laws Around the World

At least 128 countries have laws governing privacy and data protection. Over a dozen more are considering draft legislation. Some countries, such as the United States, also have privacy laws at the subnational level. It is therefore not possible to cover all of the world's privacy laws here.

That said, certain privacy regulations stand out due to the number (and size) of organizations and consumers that could potentially be affected by them. We'll take a brief look at some of these. In any case, other privacy laws often borrow heavily from these major ones (especially the GDPR in more recent times), amending them only to accommodate more local concerns.

GDPR

The EU's General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It enforces privacy standards on any organization collecting data from Europe-based consumers. It mandates that organizations take appropriate technical measures and implement proper organizational processes in order to protect the sensitive personal data they process or control.

The GDPR has been the most important development in privacy regulation in decades and has become the catalyst for GDPR-style legislation around the world. While privacy laws are not new, the GDPR was arguably the first to hold businesses accountable for data leaks caused by insecure communication practices and the mishandling of third-party applications.

CCPA

The California Consumer Privacy Act (CCPA) came into force in January 2020. It applies to California-based customers and gives users greater control over their personal data. Although it is a subnational law, it is internationally significant. California would be the world's fifth largest economy if it were a country, and it hosts numerous global corporations, including the tech behemoths of Silicon Valley.

In November 2020, California voters approved the California Privacy Rights Act (CPRA) through a ballot measure. The CPRA is a supplemental law that amends the CCPA, giving California's residents more control over their personal data and imposing new obligations on businesses falling under the jurisdiction of the CCPA. Most of the CPRA's provisions will start to be enforced in July 2023.

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's current private sector data protection law. Organizations must obtain an individual's consent when they capture, use or disclose an individual's personal information. Individuals have a right to access their personal information and challenge its accuracy.

The Canadian government introduced the Digital Charter Implementation Act (DCIA) on 17 November 2020; if passed, it will replace PIPEDA. The DCIA includes the Consumer Privacy Protection Act (CPPA) and could bring important developments to privacy legislation and privacy issues in Canada, with provisions that may exceed those of the GDPR and California's CCPA.

DPA

With Brexit came the end of the GDPR's applicability to the UK, making it a 'third-party' country to the member states of the European Economic Area. However, the UK adopted the GDPR's requirements into its own national legislation in 2018 via the Data Protection Act (DPA).

The DPA controls how businesses, organizations or the government use individuals' personal information.

APPI

Initially adopted in 2003, the Act on the Protection of Personal Information (APPI) is Japan's equivalent of the GDPR. A major overhaul of the Act was enacted in June 2020. It sets out strict rules for any business handling the personal information of Japan's residents.

The amended APPI is effective April 1, 2022, though penalties are already effective. Certain provisions on sharing personal information with third parties come into force October 1, 2021.

LGPD

Brazil's Law for the Protection of Personal Data (Lei Geral de Proteção de Dados or LGPD) came into force in September 2020. It is Latin America's first major data protection law.

The LGPD regulates the use and processing of personal information and is heavily influenced by the GDPR. Administrative sanctions will be enforced from August 2021.

What is "Personal Information" for Privacy Policy Purposes?

In the legal context of a Privacy Policy, personal information often includes:

  • Names
  • Dates of birth
  • Social security numbers
  • Driver's license numbers
  • Phone numbers
  • Email addresses
  • Billing addresses
  • Shipping addresses
  • Bank account and credit card numbers
  • Household income
  • Medical information
  • User activity history

Other personal information that may be covered by Privacy Policies includes photos, videos, age, religious beliefs, marital status, sex, race and nationality.

What your Privacy Policy Should Include

A Privacy Policy will include several clauses. The more essential ones include the following.

What personal information we collect

What type of information is collected by your business, website or application? Disclose the personal data you collect both directly and indirectly. Get specific by giving as many categories and examples of the data you collect as you can.

You have limited space to cover this clause, but the more thorough you are, the better you communicate with your customers, users and website visitors.

The BBC Privacy Policy lists the personal information it collects.

[Screenshot: BBC Privacy Policy, personal information collected]

How we collect personal information

Explain how data may be collected. Your business could collect information via an online or paper form that the individual fills out and submits. However, you may also collect the data in more automatic and less obvious ways, at least in the eyes of the consumer.

An example of automatic data collection is cookies. Many websites will use cookies to record user behavior in order to create a more detailed profile for marketers and present a more personalized set of options. The Privacy Policy should have a section explaining the use of cookies and any other tracking technology.

The Yellow Pages Privacy Policy describes how the business collects personal information:

[Screenshot: Yellow Pages Privacy Policy, collection of personal information]

The purpose of collecting the personal information

Your business should collect only the data you need. Explain why you collect the personal information covered in the previous clause. You could explain this in a paragraph or more. Better yet, use a table, chart, infographic or other illustration for ease of readability.

AGC explains why it collects personal data:

[Screenshot: AGC Privacy Policy, purpose of collecting personal information]

How we use the personal information

Explain how the personal information you collect is used. You could use a list to convey information use in a more organized way. As always, include as many specific uses as you can.

For example, will the information collected as part of a transaction be later used in other ways? If yes, individuals should have a means of opting out of such extended usage. Extended usage may include using the information to cross-sell products and services.

The opportunity to opt out should be presented to users before they start to receive unwanted promotional emails, instant messages, SMS messages, phone calls, etc.

Glassdoor's policy delves into the company's use of personal information it collects:

[Screenshot: Glassdoor Privacy Policy, use of personal information]

Third-party sharing: Who will have access to the information?

Does your business share personal information with affiliates, companies in the same conglomerate, or other organizations? Does it use third-party tools and plugins to capture, process or distribute personal information?

Businesses, websites and applications do not exist in a vacuum. It is fairly common for businesses to use one or more third-party services or tools to enhance user experience and site performance. Examples include AdSense for personalized advertising and Google Analytics for analysis of website traffic.

Each instance of third-party sharing of personal data should be explained. You should provide links to the third parties' privacy policies, too. Break the explanation up into a paragraph for each type of third-party sharing to make the text easier for readers to digest.

The Guardian goes into elaborate detail on who it shares personal information with:

[Screenshot: The Guardian Privacy Policy, sharing of personal information]

What security measures do we use to protect personal information

For security reasons, the Privacy Policy is unlikely to delve into the specific details of how user information is protected. However, the policy should provide a general overview of the security controls your business uses to keep the personal information in its possession safe.

It should explain how you ensure that access to personal information is limited to those who need it to perform their duties. The clause should also mention the security safeguards you require of vendors and business partners that have access to this personal information.

For instance, you could state that your website uses SSL/TLS to encrypt information sent over the Internet, so that it cannot be read by third parties while in transit. You may direct users to the visible signs of security, such as the https lock icon in the address bar.

Apartments.com's Privacy Policy highlights how it protects personal information:

[Screenshot: Apartments.com Privacy Policy, security of personal information]

The Privacy Policy's effective date

What is the Privacy Policy's effective date? This lets users know exactly when the Privacy Policy was implemented or last updated.

This date is typically placed at the very beginning of the policy, as seen below from PayPal:

[Screenshot: PayPal Privacy Policy, effective date]

Who users can contact with privacy questions or concerns

There should be someone in the business responsible for Privacy Policy matters. The policy should provide the contact details of the person who can be reached for clarification on privacy questions and concerns. They should be reachable by email, toll-free number or snail mail.

Plan International has a data protection officer as the key contact for privacy matters:

[Screenshot: Plan International Privacy Policy, data protection officer clause]

How to opt out of data collection

The Privacy Policy must include instructions for users who want to opt out of ongoing data collection or want a copy of data already collected. There should be a relatively painless process for opting out such as sending an email, sending an SMS or calling a toll-free number.

If you have multiple data collection points or methods (such as web forms, email, text messages, snail mail etc.), make sure the Privacy Policy includes an explanation for opting out of each.

Costco's Privacy Policy explains how individuals can opt out:

[Screenshot: Costco Privacy Policy, how to opt out]

How users can review or correct their personal information

Your Privacy Policy should give consumers the opportunity to review or change the personal information you have collected about them. Lay out specific instructions on how they can do this.

UPS shows how users can access and correct their information:

[Screenshot: UPS Privacy Policy, how to access personal information]

After you create your Privacy Policy, it's time to display it.

How to Display your Privacy Policy

Having a Privacy Policy is a legal requirement. It's also a requirement that it be easy for people to locate at any time.

Provide a link to your Privacy Policy in conspicuous, relevant locations such as your website footer, and any area of your site where you request personal information.

Check out the location of the link to the Privacy Policy in Weather.com's footer:

[Screenshot: Weather.com footer displaying the Privacy Policy link]

Provide a link to the Privacy Policy anywhere personal information is collected such as account sign-up forms, email newsletter sign-up forms, ecommerce checkout pages/forms and email footers.

Upcounsel's new client registration form includes a link to the Privacy Policy:

[Screenshot: Upcounsel signup form with link to Privacy Policy]

In mobile apps, a link to the Privacy Policy should be displayed on signup and login pages, ecommerce checkout pages and as a section in the Settings menu or other such menu. You'll also need to add a link to most App Store listings.

How to Get Agreement to Your Privacy Policy

For a Privacy Policy to be enforceable, you need to get users to consent to it. One of the more popular ways to do this is via an unticked checkbox that users must click to show agreement.

Some websites and mobile apps will require users to scroll down the entire document before they can click the checkbox or an accept button.

Samsung's contact us form includes a checkbox to confirm consent with the Privacy Policy:

[Screenshot: Samsung checkbox consent to Privacy Policy]

Wrapping Up

Privacy Policies weren't always required. The rise of digital transformation as well as the ubiquity of the Internet powered the exponential growth of personal data captured by businesses. With that, privacy has steadily become a major global concern.

A Privacy Policy is a legal agreement that helps your website visitors understand your privacy practices. Because of this, you should write your policy in clear, simple language. This will help your users understand your terms, and exactly what they're agreeing to when they agree to your Privacy Policy.

While these agreements are most commonly referred to as Privacy Policies, they are also called Privacy Statements, Privacy Notices, Privacy Pages and other similar renditions of the term.

Irrespective of where in the world your business is based, there are likely privacy laws and regulations that require you to have a Privacy Policy. But even in the few jurisdictions where such laws do not exist, having a Privacy Policy is good practice that comes with tangible business and legal benefits. All privacy laws, guidelines and best practices are centered around the protection of consumer personal information.

As long as you run a business of any kind, you should have a Privacy Policy that not only complies with the regulations of jurisdictions you operate in but also inspires consumer confidence by demonstrating your commitment to the protection of personal data.