Privacy Policy is important

Why your website needs a Privacy Policy

A Privacy Policy Can Protect Your Business

Why do you have a website for your business? Many businesses have chosen to invest in a website because it brings them leads or sales. To express their interest, prospective customers often submit their names, email addresses and phone numbers through contact forms or newsletter sign-up forms. While many business owners do not realize this, collecting leads through your website may require you to comply with certain privacy laws, and these laws require websites to have a Privacy Policy. This article covers the various privacy laws that apply to websites, their legal requirements, and the consequences of not having a Privacy Policy. That way, you’ll be able to make an educated decision on how to protect your business (and yourself!).

Is your website collecting PII?

First, you only need to worry about Privacy Policies if your website collects Personally Identifiable Information (PII). PII is any data that could identify someone. Examples of PII include names, emails, phone numbers, and IP addresses. Websites commonly collect PII through contact forms, newsletter sign up forms, and analytics services such as Google Analytics. Below is an example of a contact form that collects PII – name and phone number.

(Image: example contact form collecting a name and phone number)

What laws apply to the collection of PII by websites?

The collection of PII by websites is governed by certain privacy laws. These laws can start applying as soon as you collect PII. That means that you don’t need to use, sell or share PII to be subject to their requirements. It is important to note that these laws protect consumers, and not businesses. This means that you could be subject to the laws even if you are not physically located in the states or countries in which the laws were passed. Thus, the following factors are the most important when determining what privacy laws apply to you:

  • Where you do business;
  • Where your customers are located;
  • Whose PII your website is collecting; and
  • Whose behavior you are tracking through analytics programs.

The following privacy laws may apply to your website:

  • California Online Privacy and Protection Act of 2003 (CalOPPA): applies to websites that collect the PII of California consumers. Since anyone from anywhere can submit their PII to a website, this law has a broad reach and applies to most modern websites.
  • California Consumer Privacy Act (CCPA): usually applies to larger businesses that do business in California, collect the PII of California consumers, and meet one or more of the following factors:
    • Has gross revenue of $25,000,000 or more;
    • Buys, receives, sells or shares the PII of at least 50,000 California consumers, households, or devices; or
    • Derives at least 50% of its annual revenue from selling the PII of California consumers.
  • Nevada Revised Statutes Chapter 603A: applies to you if your website collects the PII of Nevada consumers and if your business has sufficient connections to the state. In general, “sufficient connections” would include doing business in Nevada or having a customer that is located in Nevada.
  • Delaware Online Privacy and Protection Act (DOPPA): applies to websites that collect the PII of Delaware consumers.
  • General Data Protection Regulation (GDPR) applies to you if you:
    • Are located in the European Union;
    • Offer goods or services to European Union residents, regardless of your location; or
    • Monitor the behavior of European Union residents (through, for example, pixels, cookies, or analytics services), regardless of your location.
  • United Kingdom Data Protection Act of 2018 (DPA 2018) applies to you if you:
    • Are located in the United Kingdom;
    • Offer goods or services to United Kingdom residents, regardless of your location; or
    • Monitor the behavior of United Kingdom residents (through, for example, pixels, cookies, or analytics services), regardless of where you are located.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect the PII of Canadian residents in the course of commercial activity. Canadian courts and the Office of the Privacy Commissioner of Canada have held that this law can apply to organizations outside of Canada as well.

As you can see, privacy laws have a very broad reach and can apply to you even if you have never physically set foot in the regulating state or country. If any of the above privacy laws apply to you, then you are required to have a Privacy Policy.


What is a Privacy Policy?

A Privacy Policy is a document that explains your privacy practices to visitors of your website. A Privacy Policy will generally state what PII you collect, what you do with it, and who you share the PII with. While these disclosures are the “meat and potatoes” of a Privacy Policy, privacy laws can require a lot of different and relatively obscure disclosures. For example, CalOPPA requires Privacy Policies to disclose how a website responds to Do Not Track signals, while the CCPA requires some Privacy Policies to disclose a toll-free phone number where consumers can exercise their privacy rights.

Because a Privacy Policy is based on legal requirements, drafting every policy must start with determining which laws apply to you. Then, the disclosure requirements of each law are used to draft your Privacy Policy. Thus, it is best not to copy and paste generic templates or use someone else’s Privacy Policy, as doing so could leave you out of compliance.


What are the consequences of not having a Privacy Policy?

Now that you are aware of the various privacy laws and the requirement of having a Privacy Policy, you may be wondering about the consequences of not having one on your website. Privacy laws impose heavy penalties for failure to comply, ranging from $2,500 per violation to €20,000,000 or more in total. In this case, “per violation” does not mean per website or per policy; it means per website visitor whose privacy rights you infringed upon. Even with just a few visitors to your website, this could still add up to a large fine.


What is the future of privacy law?

PII is extremely valuable and as such, it is becoming a more highly regulated field every day. There are currently more than a dozen proposed privacy bills in the United States. While all of these bills are different, below are some notable common features:

  • If passed, all of the bills would apply to businesses outside of the state that enacts it;
  • Most bills would apply to businesses regardless of their size; and
  • Some bills would allow individuals to sue businesses directly for privacy law violations.

As new bills are passed, you’ll need to update your policy. Therefore, you need a Privacy Policy that complies with the laws of today and a strategy for keeping that policy up to date. To avoid fines, contact us and we will get you set up with a customized Privacy Policy for your website.