Why do you need a Privacy Policy on your website?

A Privacy Policy is a legal requirement if you collect and process any personal data from customers or users of your website. It outlines the type of data collected, how you collect it, what it is used for, where it is stored and how you keep it secure. There are also some international laws you need to comply with if you have users who reside in the EU or California, or who are under the age of 13.

What does this all mean for you?

Personal Data

Let's begin by defining personal data. Personal data is any information that enables the identity of a person. Examples of personal data are name, address, email address, mobile number and drivers license.

Collecting and Using Personal Data

Your Privacy statement needs to outline how you collect personal data from your users. You may do this in a variety of ways. For example, if you produce a weekly newsletter and you ask users to subscribe, you will collect their data through this process. Other examples of how you may collect personal data are if you are selling products and services, if you run a social media page or when customers interact with you by email, phone or in person.

What are you using the personal information for? Perhaps you are providing goods and services and need to have payment details to process the sale and name and address details to send the goods to your customers. Perhaps you want to provide your customers with personalised offers or running promotional events. Maybe you want to track the sales data and monitor the use of your website. Whatever reasons you have for collecting and processing your customers data this needs to be included in your Privacy Policy.

Sharing Personal Data

Do you share any of your users personal data with a third party? This could include advertising services, social media, analytics services such as Google Analytics, web hosting companies or cloud storage.

If you answered yes to any of these then, you guessed it, your Privacy Policy needs to include who you are sharing your users personal data with.

Security

The ways in which you try to secure your users personal data must also be included in a Privacy Policy. I use the terms "try" as there is no guarantee that you will be able to keep data 100% secure from hackers or unauthorised persons but you do need to have some safeguards in place.

A common security measure is HTTPS (Hypertext Transfer Protocol Secure), which is an internet communication protocol that encrypts data between your customers computers and your website.

Storage

Include in your Privacy Policy where your data is stored. This includes the country/ies of the servers that your data is stored on. If one or more of your servers is located within the EU, you will need to ensure that your Privacy Policy complies with GDPR regulations.

You should also include a paragraph to let your users know how long you retain their personal data for.

International Laws

As previously mentioned, if you have users that reside in the EU or California or you store personal data on servers in the EU, then you are required to comply with some specific privacy laws. Given the nature of the internet and that you may not automatically know if your users and customers will come from these areas, it is best to ensure your Privacy Policy covers these laws.

The three main international laws you need to comply with are GDPR, CalOPPA and CPPA.

GDPR

The GDPR or General Data Protection Regulation is a set of regulations designed to protect the rights and personal data of residents and citizens of the EU. It came into effect on the 25th May 2018.

There are seven key principles that outline how personal data is to be protected. These are:

1. Lawfulness, fairness and transparency: processing personal data must be done in a lawful, fair and transparent way.
2. Purpose limitation: personal data is only to be collected for explicit and legitimate purposes.
3. Data minimisation: personal data must be relevant and limited to the purpose it is being processed for.
4. Accuracy: personal data needs to be as accurate and relevant as possible.
5. Storage limitation: personal data should be stored for the least amount of time as possible.
6. Integrity and confidentiality (security): personal data needs to be processed in the way that safeguards it.
7. Accountability: you need to be able to demonstrate accountability for the previous six points.

There are also rights of the individual that need to be explained to your users and included in your policy and these are:

1. The right to be informed: provide your users with the information about how you use, secure and share their personal data.
2. The right of access: your users must be able to access their personal data if they wish.
3. The right to rectification: your users have the right to have any incorrect data corrected as soon as possible.
4. The right to erase: this may also be known as the right to be forgotten. Users have the right to have their data erased under certain circumstances.
5. The right to restrict processing: the individual has the right to have their personal data restricted under certain circumstances.
6. The right to data portability: an individual has the right to obtain, use and move their personal data to another environment for reuse
7. The right to object: in certain circumstances the individual has the right to object to their personal data processing.
8. Rights to automated decision making and profiling: there must be a lawful basis to use an individuals personal data to carry out profiling or automated decision making.

For an in-depth look into the GDPR and what to include in your Privacy Policy, take a look at this post What to Include in a GDPR Privacy Policy

CalOPPA

Under the California Civil Code, residents of California are permitted to request information about the disclosure of their personal information to third parties for direct marketing purposes. Users of your site who are under the age of 18 years, have the right to have content or information they have posted publicly removed.

CCPA

The Children's Online Privacy Protection Act is a US Privacy Law which protects the rights of children under the age of 13. To be compliant with this law your website needs to make it evident whether they collect any personal information from children under 13 years of age.

Conclusion

A Privacy Policy is a must and having a GDPR, CalOPPA and CPPA compliant Privacy Policy will ensure you have covered these laws if you have users and customers from the EU or California and the US.

A Privacy Policy does not need to be drafted by a lawyer but it must include relevant, clear clauses on types personal data, users rights, security measures, storage and retention of personal data, whether you share data with third parties and much more.

For a GDPR, CalOPPA, and CPPA compliant attorney drafted and approved Privacy Policy Generate here