📜 Does Your Website Need a Privacy Policy? Yes. Here's Why
Privacy policies are far from the most exciting part of your website. In many cases, business owners don’t put a lot of thought into them. After all, few consumers spend hours poring over the legalese found in privacy policies or terms and conditions. However, of all the content on your website, a privacy policy can be the difference between facing legal fallout and operating happily for years to come.
But here’s the caveat that people don’t realize: privacy policies aren’t a one-size-fits-all affair. Even though they might all seem to say the same things, that’s not the case. Depending on how your business uses data (even if it’s just via cookies for analytics or customer persona compilations), your privacy policy needs to reflect those nuances.
The short answer to the question “Do I need a privacy policy?” is yes, you do. This is one area where cutting corners can cost you severely, since failing to have one leaves you legally liable across a wide array of jurisdictions — not just the one you live in. So, let’s break down what a privacy policy is, why you need it, and how to make one. Spoiler alert: making a privacy policy is simpler than you think.
Should My Website Have a Privacy Policy?
This isn’t a question of should. Privacy policies aren’t “nice to have” concepts; they’re requirements. Consider them your commitment to how you will or won’t use consumer data. Privacy oversight agencies from various governments will look at your privacy policy and compare it with how you’re actually using consumer data. If there’s any inconsistency between what’s being promised and what’s actually occurring, your business will be held liable.
Even if all you do is use cookies for Google Analytics, and you don’t explicitly request data from consumers, you’re still collecting data about them. As a result, these activities need to be referenced in your privacy policy. Your privacy policy not only notifies consumers of what information is being collected and how it’s being handled, but also of their rights regarding that information.
Especially with more stringent laws like the General Data Protection Regulation (GDPR) in the EU or the California Privacy Rights Act (CPRA), you also need to specifically address whether or not your website uses cookies, and how consumers can access, amend, restrict, or delete their information.
Additionally, your privacy policy needs to outline key points of contact — both within your organization and with any government oversight organizations — if a consumer wants to contact your business or lodge a formal complaint.
While GDPR tends to lead the charge in terms of consumer rights and data privacy expectations, almost all major privacy regulations require that your privacy policy clearly disclose the following:
What information is being collected: Again, “consumer data” by definition isn’t limited to financial records, health details, or identifiable factors like race, gender, or sexual orientation. It can also include geolocations, IP addresses, or anything that clearly identifies an individual user or session.
How the information is being used: Are you collecting data to improve the user experience, or because you require that everyone who accesses your site create a user account? Your privacy policy needs to provide clear justification for why certain data points are being collected.
Clear disclosure concerning any data processors involved: Any entity that will have access to the data needs to be outlined here. This can include payment processors, e-commerce platforms that manage your backend, and even third-party apps, widgets, social buttons, and ad service integrations.
User rights: It is mandatory under many data privacy regulations not just in the EU but in the U.S. and other countries that users have the right to request, view, transfer, and erase their data (subject to certain conditions). It is important to note that these regulations apply to ALL businesses (including non-profits), regardless of their location, that handle data or provide goods and services to individuals in specific jurisdictions including the EU, Canada, and several states in the U.S.
Additional related requirements include:
Typically, your privacy policy should be located on a dedicated page on your website. This page is usually linked into the main navigation in the footer. As a general rule, avoid using excessively complex or confusing language, like legal jargon or industry terminology in the policy unless you clearly define it in the introduction.
Do All Websites Need a Privacy Policy?
Yes, every website that collects personal information (including email addresses) needs a privacy policy. This is true whether you run an ecommerce store, an information and news website, a SaaS application, or even a personal webpage. As long as you're capturing identifiers like names, IP addresses, demographic data, or shipping addresses, you need a privacy policy.
What If My Business Doesn’t Collect Personal Information?
It is rare, and highly unlikely, for a website to collect no personal information at all. More importantly, if your website is hosted through popular web hosts like Shopify, WordPress, GoDaddy, or even Wix, many of them contain built-in analytics tools.
This means that even if you don’t ask them to, they’re tracking consumer activity on your website — even if you’re not collecting real names, email addresses, or other details. So, you’ll still need a privacy policy that clearly states your website does track data for analytics purposes only.
Why Do I Need A Privacy Policy?
As a commercial entity, you’re held to a higher code of conduct than a private citizen. Because of this, you are expected to adhere to a level of transparency so that consumers know your business is operating in good faith. But if you need more reasons to create a privacy policy, consider the below realities.
Privacy Policies Provide Legal Protection
We’ve already established that more than likely, even if you’re not actively using third-party apps or services, you’re still generating data on consumers that visit your website. So, you need to let them know what data (if any) is being collected, why and how it’s being used, if it’s shared, and how you’ll dispose of it.
Additionally, stricter regulations require that you give consumers a way to access, review, and amend their data. So, you’re legally required to provide that information — which must be disclosed in the privacy policy as well as in other locations. As long as you adhere to the claims you’ve made in the privacy policy, your business is in compliance and you don’t have to worry about facing legal action.
Guides Your Data Practices
Once you create a privacy policy, your business is bound by the terms outlined in it — until you amend it. This creates a framework for your staff and any third-party entities to understand what’s expected of them when handling consumer data that’s generated from your website.
Builds Consumer Trust
We’re not going to pretend that the average consumer is reading privacy policies every day on websites. But when you don’t have one, your business comes across as untrustworthy — along with opening your firm up to legal pushback. Avoid this by having a privacy policy that’s easily accessible on your website.
What Happens If I Don’t Have a Privacy Policy?
We’ve done a pretty good job of stressing the importance of a privacy policy. But if you need more motivation, here are some of the consequences businesses can face if they don’t have a privacy policy:
Hefty Fines from Government Agencies
The fines for non-compliance with data privacy laws differ. But generally, these can get real big, real fast. The CPRA, for example, can impose fines of up to $7,500 for intentional violations and $2,500 for unintentional ones. Note that those are assessed per infraction, which can be cost-prohibitive if you’re a small business facing multiple violation charges. The California State Attorney General once brought a claim against Delta Airlines for $37,500,000 in fines.
Also remember that you’re not limited to having governing bodies from your jurisdiction levy fines against you. The EU takes consumer privacy seriously and has a storied history of fining individuals as well as small, medium, and multinational conglomerate organizations for violating GDPR privacy directives. Just ask Microsoft, Apple and Facebook about their frequent and expensive GDPR fines for non-compliance.
Data Privacy Lawsuits
Government agencies aren’t the only entities that can bring lawsuits against your business. If a consumer finds that you’re breaching their data privacy rights by failing to have a privacy policy, they can file a lawsuit against you. This can be a long process, which can cost you a lot of time and money in legal fees even if you win. Plus, this can create long-lasting reputational damage that your business might not be able to overcome.
Loss Of Customer Trust
If you don’t have a privacy policy, consumers may assume that you’re not a trustworthy business, pushing them towards your competitors.
Business Closure
If you do face government fines or lawsuit fees that drain your financial resources, this could be the end of your business. The worst-case scenario of not having a privacy policy is the complete closure of your business. Don’t let your hard work go to waste by not complying with the law.
How To Make A Privacy Policy
We don’t recommend that businesses attempt to generate privacy policies from scratch unless you have a very good legal team on staff that specializes in privacy regulations and is well-versed in the main takeaways from the international community’s top privacy laws. It’s easy to forget to disclose details such as the use of third-party apps or analytics trackers, or to ensure that you have the right points of contact for the privacy regulation you’re trying to satisfy.
If you would like to write a privacy policy yourself, Enzuzo's easy step-by-step guide will help you get set up in no time.
Alternatively, we make it straightforward for you to create a legally compliant privacy policy using Enzuzo’s privacy policy generator. It’s free, and you can get it done in three simple steps. You just have to answer a few questions, and it integrates easily into many of the top web host platforms, including Shopify, Wix, WordPress, and more. With just a little bit of time, you’ll be set to put it on your site immediately!
Osman Husain
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.