Do I Need a Lawyer for a Privacy Policy?

Privacy policies can be intimidating for small businesses without legal teams or legal counsel, but they don’t have to be.

There are some instances where a lawyer could be useful, depending on:

  • Your industry
  • The type of audience you target
  • How much data you collect, and how it’s processed
  • What data privacy legislation your business falls under

Read through this guide to learn when and what types of businesses should get help from a lawyer to make a privacy policy.

Table of Contents
  1. What Is a Privacy Policy?
  2. What Businesses Should Consult a Privacy Policy Lawyer?
  3. Why You Don’t Need a Lawyer To Make a Privacy Policy
  4. When You MIGHT Need a Lawyer
  5. How Much Do Lawyers Charge for a Privacy Policy?
  6. Making a Privacy Policy Without a Lawyer
  7. Is Termly’s Solution Vetted By Lawyers?
  8. Summary

What Is a Privacy Policy?

A privacy policy is a legally required document that explains how and why a website or mobile app collects, uses, stores, and shares or sells consumers’ personal information.

Privacy policies must meet different guidelines and requirements depending on which data privacy laws your business falls under, and you likely fall under more than one, as these regulations usually have extraterritorial scope.

You can learn more about relevant laws by checking out our US data privacy legislation tracker and our global data privacy regulations graphic.

What Businesses Should Consult a Privacy Policy Lawyer?

Some businesses don’t collect enough personal information to require paying for legal counsel. In contrast, others should have a lawyer vet their online privacy policy and verify that they abide by the relevant data privacy regulations.

To help you determine where your business might fall, we’ve created this chart to compare which companies should consult a privacy policy lawyer versus those that would benefit more from using our generator.

Use our generator if your business:

  • Falls under the General Data Protection Regulation (GDPR), the amended California Consumer Privacy Act (CCPA), the California Online Consumer Protection Act (CalOPPA), the Virginia Consumer Data Privacy Act (CDPA), or the Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Collects a moderate amount of personal information from users.
  • You may still want to consult a lawyer, but using a managed solution to make your privacy policy beforehand gives you a big head start, potentially saving you hundreds of dollars in legal fees.

Consult a lawyer if your business:

  • Targets minors under the age of 18.
  • Collects or handles very large amounts of personal information (for example, if you handle personal data of 50,000 consumers).
  • Transfers large amounts of data internationally or across third parties.
  • Collects and processes sensitive personal information, such as health data, on a large scale.

While the chart above is a good starting point for determining if you should consult a lawyer when making your online privacy policy, it’s not meant to give you a definitive answer.

Ultimately, each business should evaluate on a case-by-case basis if they can make their own legally compliant policy or require assistance from a legal professional.

Why You Don’t Need a Lawyer To Make a Privacy Policy

Most small to medium-sized businesses don’t need a lawyer to make a privacy policy for the following reasons:

  • You’re not legally required to use one: While legislation impacts what goes into your privacy policy, there aren’t any laws obligating businesses to use a lawyer when writing one.
  • Plenty of free privacy policy resources exist: From free privacy policy templates to guides on how to write a privacy policy to blogs and even YouTube channels, you can access countless free resources to help you make this document on your own.
  • Managed solutions also exist: Managed solutions like our Privacy Policy Generator cost much less than legal fees and comply with several data privacy regulations across the world.
  • You collect minimal or no personal data: If you run a blog that only collects email addresses or an ecommerce shop that retains payment information, you only need a basic privacy policy which can be made using free resources or other solutions instead of paying high legal fees.
  • You don’t fall under any data privacy laws: This is rare, but if your business doesn’t meet the thresholds of any data privacy laws, paying for a lawyer would be unnecessary — but still put a privacy policy on your site; otherwise, consumers may assume it’s untrustworthy.

Even if your business is under the jurisdiction of data privacy laws and you collect small amounts of personal information, a legally compliant managed solution can help you make a comprehensive privacy policy at a lower cost than using a lawyer.

When You MIGHT Need a Lawyer

You might need a lawyer to assist with your privacy policy if your business:

  • Collects very large amounts of personal information: The specific volume depends on multiple factors, like what industry you’re in, so this must be evaluated on an individual basis, but a good rule of thumb is the more complex your data practices, the more likely you’ll need to seek out legal counsel.
  • Collects categories of highly protected types of personal information: For example, if you collect sensitive personal information, medical information, data from children, or biometric data, it benefits you to consult a lawyer.
  • Targets minors under the age of 18: Businesses that target children or minors must follow stringent legal guidelines, like those outlined by COPPA, and it’s best to consult a lawyer to ensure you’re following all relevant laws and regulations.
  • Collects data from international website visitors or transfers data internationally: This process can get complicated, especially when it comes to following all the legal guidelines for international data transfers. For example, you may have to sign separate data processing agreements with third-party service providers such as Google Analytics. Since this goes beyond drafting a privacy policy, it’s in your best interest to get help from a lawyer.

If your business requires legal assistance, you can still benefit from making your privacy policy beforehand using a compliant and reputable managed solution.

This way, you bring the completed document to your solicitor rather than asking them to make it from scratch, which could reduce the time they spend on your privacy compliance and the cost of your legal fees.

How Much Do Lawyers Charge for a Privacy Policy?

The internet will quickly tell you that lawyers charge anywhere from $500 to $3,000 to help a business write and vet a privacy policy, but it depends on where you’re located and how extensive of a policy you require.

For example, according to the US Bureau of Labor Statistics, the mean rate for lawyers in the US is $71.17 per hour.

By comparison, according to the Gov.uk website, the suggested hourly rate for solicitors in the United Kingdom with at least four years of experience is £180, approximately $216.61 USD.

But a full year of membership to our Pro+ plan, which grants you access to our Privacy Policy Generator plus our entire suite of compliance solutions and legal policies, costs only $180 in total — less than an hour’s time in legal fees, depending on the cost of your lawyer.

Making a Privacy Policy Without a Lawyer

There are several ways you can make a privacy policy online for your website or mobile app without relying on a lawyer, including using a:

  • Managed solution
  • Free template
  • Do-it-yourself (DIY) approach

Let’s discuss these methods in more detail so you can choose the one that works best for you.

Managed Solution

Managed solutions, like our Privacy Policy Generator, are a great option for businesses looking to make one of these documents without relying on a lawyer.

It takes all of the time, effort, and guesswork out of making a privacy policy. You only need to answer a few simple questions about your business.

We recommend this solution for:

  • Businesses that fall under California’s CCPA
  • Businesses that are subject to the European Union’s GDPR and that do not collect large amounts of personal data (for example, the data of 50,000 people)
  • Ecommerce websites that have visitors from California and/or the European Economic Area (EEA)
  • Companies that want to increase their privacy literacy
  • Businesses that want to build and maintain consumer trust

See a screenshot of our privacy policy builder below.

[Screenshot: Termly Privacy Policy Generator]

Our Generator includes questions and sections so businesses can make a policy that complies with all of the following pieces of data privacy legislation:

Overall, a managed solution is an efficient and more affordable way to make a compliant privacy policy for websites collecting small to moderate amounts of personal data.

But if your data collection practices are more complex, consider using a generator to make your privacy policy first, then present it to your lawyer for review. This helps minimize the time they spend on your policy, reducing the amount you spend on legal fees.

Templates

If you collect basic or no amounts of personal information, then downloading and customizing our free privacy policy template is a great option. We recommend this solution for:

  • Basic blog websites that only collect email addresses to send updates about new posts
  • Ecommerce websites or apps that only collect basic information for payment processes
  • Small businesses that don’t collect sensitive personal information, such as health data or data related to race, ethnicity, or gender, on a large scale
  • Any company that doesn’t require unique or non-traditional clauses in their privacy policy
  • Websites that don’t collect any personal information from users or that don’t fall under any data privacy legislation

The benefits of using free templates are undeniable. They cost nothing, complete a lot of the initial writing and formatting for you, and are super easy to use.

You just manually replace some blank parts of the template with basic information about your business, and you’re done. See what our privacy policy looks like in the screenshot below.

[Screenshot: Termly privacy policy template]

Our privacy policy template even includes clauses and sections to help businesses comply with the same data privacy regulations as our generator.

DIY

You can always take a do-it-yourself approach and write your privacy policy yourself. This is a feasible option, especially if you:

  • Don’t collect any personal information from your users
  • Don’t fall under the jurisdiction of any data privacy legislation
  • Only collect minimal amounts of data

But even if you don’t collect personal information or aren’t under data privacy regulations, it’s still a business best practice to post a privacy policy on your website.

If consumers don’t see one, they tend to assume your website is untrustworthy and may choose a competitor over you.

Tell them the truth about your data collection practices, even if they’re nonexistent or basic. Customers will appreciate your transparency, and you’ll foster better relationships with your users.

Don’t collect any personal data? Read this.

For businesses that don’t collect any user data, your website might still place cookies or other trackers on your visitors’ browsers, and cookies contain a unique identification number (cookie ID).

Under regulations like the GDPR, cookie IDs are considered personal information, and you must get explicit user consent before any cookies that aren’t deemed strictly necessary are placed on users’ browsers.

Because the GDPR applies to any website with visitors from the European Economic Area (EEA), you should verify if your website uses cookies.

Find out by using our free cookie scanner.

Is Termly’s Solution Vetted By Lawyers?

Yes, all of our website policies and privacy compliance solutions — and even this article — are vetted by our legal team and data privacy experts with certifications from the International Association of Privacy Professionals (IAPP), including all of the following:

  • Certified Information Privacy Professional (CIPP)
  • Certified Information Privacy Manager (CIPM)
  • Certified Information Privacy Technologist (CIPT)
  • Fellow of Information Privacy (FIP)

We’re a small, collaborative team of privacy professionals. Our legal department works with our product developers and engineers to ensure the tools we provide are high quality, reliable, and compliant with data privacy legislation.

But that means we also need to disclaim some liabilities from our plates. Our compliance solutions don’t equate to actual legal advice. Termly Inc. is not a lawyer or law firm. We don’t practice law, provide legal advice, or offer legal representation.

The information, materials, services, comments, and resources we provide are for informational purposes only. As proud as we are of the integrity of our resources, we’re not a substitute for professional legal advice.

Summary

We’ve got good news for your wallets — most businesses don’t need a lawyer to make a website privacy policy.

Reputable managed solutions like our Privacy Policy Generator are enough for businesses that fall under some data privacy laws and collect personal user data.

For those who collect no user data, only a small amount, or who want to increase their privacy literacy, we recommend trying a free customizable template.

But, for some companies, using a managed solution to build your policy is an excellent way to jump-start the process and save money before asking a lawyer to verify that you’re following all relevant data privacy guidelines set by any laws you fall under.

However, if your company targets children, collects very large amounts of personal data, falls under multiple complex data privacy regulations, or deals with very sensitive personal information, it might be in your best interest to request legal counsel.

Written by Ali Talip Pınarbaşı, CIPP/E, & LLM

Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply with data protection laws.
