How to Create a Privacy Policy…and Why You Need To


Do You Need a Privacy Policy?

Think you’re too small to need a privacy policy for your business or nonprofit? Think again!

Facebook is in hot water because it violated its own privacy policy. Don't assume that just because you're small, and you're not doing anything "wrong", you don't have to pay attention to privacy issues.

If you have a website, a POS system, an email list, or process customer data in any way, you should have privacy protocols in place and post a privacy policy on your website. Facebook may be too big to fail; chances are, you're not.

The truth is, few people will ever read your privacy policy and even fewer will make the effort to opt out. But respecting people’s privacy and being transparent is part of being a Good Egg, so treat this like the important responsibility that it is.

Disclaimer: The information in this article is intended to provide background information and is not legal advice. Consult an attorney to ensure that you’re protected.

What are the legal requirements?

Privacy laws regulate how governments, businesses, organizations, and individuals collect, store, and use personally identifiable information. In particular, they seek to keep sensitive personal information, such as your Social Security number or financial or medical records, from being disclosed.

Privacy regulations vary depending on your industry, the context, and what state or country you operate in. The Federal Trade Commission is the national agency that oversees US privacy policy and enforcement. Federal privacy laws primarily apply to publicly traded companies, financial institutions and financial service agencies, government agencies, and health care providers, but you could still be prosecuted or sued even if you're not directly involved in one of these sectors.

Since there is no comprehensive US data privacy law, the California Online Privacy Protection Act of 2003 (CalOPPA) serves as the de facto regulation for the rest of the country. According to the legislation, CalOPPA applies to anyone who is: "An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service."

Those covered are required to "conspicuously post" their privacy policy on their website or in other appropriate places. So even if you're not based in California, if there is any chance that you'll be collecting personally identifiable information from anyone living there, this law applies to you.

The General Data Protection Regulation (GDPR) goes into effect in the European Union (EU) on May 25, 2018. The GDPR provides tighter consumer protection than the U.S. currently requires. If you collect any type of personal information from people in the EU, regardless of whether you're a business or a nonprofit, you'll have to comply with GDPR regulations. For example, here's how you'd need to adapt your email marketing practices for the GDPR.

Even if none of the above seems to apply to you, if you use any type of third-party service provider, such as MailChimp, Toast, Squarespace, Google Analytics, or Facebook, that collects or uses data on your behalf, their service agreements may require you to have a posted privacy policy that references them.

We Are All Data Collectors

You may think your business isn't connected to this digital web, but it's nearly impossible to do business without gathering personal information about your customers. If you use almost any service provider to host your website, take credit card payments, send emails, analyze your web traffic, and so on, then data is being collected on your behalf.

Most people—including me—think this is kind of creepy. At the same time, I love being able to log into my insurance company’s website and be able to download my policy without having to call somebody (or store it myself). I’m willing to sacrifice (some of) my privacy because I think it’s worth the trade-offs.

If your customers value the speed and convenience these services provide and you like having access to information to help you market to your customers as effectively as possible, then take responsibility for it. Make thoughtful decisions about what information you will collect and how you’ll protect it, then share that information with your customers. Let them decide if the trade-offs make sense to them.

Develop Privacy Protocols

Assign a point person

  • You (or a designated staffer or consultant) should oversee your data and set up protocols to protect your customers’ privacy.
  • Be sure that someone besides the point person also has access to everything and understands the system, so that nothing is lost if your point person isn't available and so that there's built-in oversight.

Map how your business collects, stores, and uses customer data

  • What are you collecting and why?
  • Where is the information being collected and stored?
  • Can you use it and delete it immediately afterward, or do you need to keep it? If you keep it, for how long?
  • How are you encrypting or protecting it?
  • What will you do if there’s a data breach?
  • Can you offer any ways for customers to opt out?

Review your service provider agreements and their privacy policies

  • Make sure you understand how they’re collecting, storing, and protecting your customer information.
  • Are they sharing or selling any of your data?
  • What happens if there’s a data breach?
  • Do they offer ways for your customers to opt out?
  • Do they require you to post a privacy policy? If so, what do they suggest or require you to say?

The FTC has a great guide on how to inventory, scale down, secure, and dispose of the customer data you collect.

Create Your Privacy Policy

  • Start by reading the privacy policies of similar companies or organizations to get ideas. But don't copy someone else's policy verbatim. That would be stealing, and what they say may not apply to you!
  • Don't want to write a policy from scratch? Use a template (such as this one from the Better Business Bureau), or use a "privacy policy generator" such as Terms Feed or iubenda. Whatever you start from, check that every statement in the result matches what you actually collect and who you actually share it with; a policy that promises less than you do is the same mistake Facebook made.
  • Use simple language, not jargon. You can usually provide a link to more technical information, if needed.
  • Make it readable. I love the way this home furnishing company, Louise Dean, wrote their policy. It makes me want to check out their furniture!

Legal Disclaimer (again)

As stated above, the information in this article is intended to provide background information and is not legal advice. Consult an attorney to ensure that you’re protected.
