If you are a professional photographer, you likely have a photography website because it’s an excellent way to share your work with potential clients in your area, book appointments, and receive payments.
However, if your website allows you to collect and share personal data from everyone who visits, it must have a clear privacy policy statement.
Read on to learn about the importance of a comprehensive privacy policy for photographers, and how you can make the best one for your own business.
- Why Data Privacy Is Important for Photographers
- Does Your Photography Website Need a Privacy Policy?
- Which Privacy Laws Affect Photographers?
- Creating a Photography Website Privacy Policy
- Things Included in a Photographer's Privacy Policy
- Where To Display Your Photography Website's Privacy Policy
- Article Snapshot
Why Data Privacy Is Important for Photographers
If you’re a photographer, you either already have or are likely in the process of designing a professional website. Through your website, you may need to collect various data from potential clients to get the necessary financial information for payments and improve your site’s overall performance.
While this data collection is useful, it is also regulated by both state, federal, and international laws. Many visitors to your photography website may not understand that you may collect their data or what rights they have in this process.
A professional photography business should have a clear and comprehensive privacy policy statement on your website to clarify your data collection practices, inform them of their data rights, and comply with federal, state, and even international laws.
Does Your Photography Website Need a Privacy Policy?
You need a privacy policy if you have a website that services Californians, Europeans, or residents in countries and growing number of US states with data privacy laws.
Since photography businesses tend to be more localized, the specific requirements of your privacy policy may change depending upon where your business is located and to whom you’re marketing your services.
However, even if your photography business does not operate in a state or country with specific online privacy laws, a resident of one of those areas could still access your site, setting you up for potential liability.
Additional reasons to have a privacy policy:
- A clear and transparent privacy policy is an excellent way to build a stronger relationship with potential clients.
- If you wish to partner with third-party apps, such as Apple or Google, you will need a privacy policy to meet their requirements.
- Privacy policies are often beneficial for your website’s search engine optimization (SEO) since major search engines like Google likely prioritize websites with appropriate privacy measures on their websites.
Which Privacy Laws Affect Photographers?
US State and Federal Laws
California Consumer Privacy Act (CCPA)
The CCPA requires some companies that do business with and collect California residents’ information to have privacy policies that inform clients:
- What data you have about them
- How you collect and use this data
- How consumers can opt out of you selling or sharing their data
While some businesses may not be affected by the CCPA, you should always try to comply with data privacy standards because it’s the right thing to do.
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) is a federal law that mandates specific privacy protections for children in the United States. This law applies to any website that may be accessed by children under American jurisdiction.
COPPA gives the US Federal Trade Commission (FTC) the power to determine whether or not a site is “marketing towards children.” A website’s appearance, its content, the kinds of language and music it uses, and the site’s general user composition can all determine if COPPA applies.
Even if your photography business does not market directly to children, keep this federal law in mind when creating your privacy policy.
California Online Privacy Protection Act (CalOPPA)
CalOPPA applies to any website that may collect “personally identifiable information” about California residents who access that site.
The California Attorney General’s Office now enforces CalOPPA’s privacy requirements for mobile apps, as well.
If your photography business operates in the state of California, under CalOPPA you must “conspicuously” post a privacy policy as either a visible post on your homepage or through a clearly-labeled link.
Colorado Privacy Act
The Colorado Privacy Act may apply to you if your photography business services Colorado residents.
This law — part of the broader Colorado Consumer Protection Act — regulates information “controllers,” which it defines as any person or group of people who collect and control online data of Colorado residents.
Utah Consumer Privacy Act
Utah’s Consumer Privacy Act gives residents of the state of Utah the right to know which data of theirs a business collects via its website, how it uses that data, and whether or not it is selling that data.
Under this law, Utah residents also have the right to access any data of theirs that an online business has collected, and opt-out of any data collection if they so choose.
If you plan on operating your photography business to residents of Utah, your privacy statement should inform them of which data of their you may collect and how you plan on using that data.
You must also clearly inform them that they may access any data of theirs that you have collected and that you will comply with their requests to cease data collection and delete data of yours that you have already collected.
Virginia Consumer Data Protection Act
Virginia’s Consumer Data Protection Act applies to any online business that operates within the commonwealth of Virginia, and that either collects data from 100,000 Virginia residents or derives more than half of its gross income from selling the personal data of at least 25,000 Virginia residents.
If you are operating a photography business in Virginia, or if you may in any manner market services to current residents of Virginia, your privacy policy must inform them of their right to access or delete any data you collect, and to opt-out of data collection by your photography website in the future.
International Laws
Though photography businesses tend to be localized, you might offer services to residents of other countries. International visitors might access your website, in which case you should make sure that your privacy policy corresponds to various international privacy laws, as well.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) applies to citizens of all countries in the EU, as well as the countries of Norway, Switzerland, Ireland, and Liechtenstein. The UK has also recently passed its version of the GDPR after leaving the EU in 2020.
Both laws require companies to inform site users how their websites are collecting user data, how they are using that data, and how site visitors can opt-out.
Personal Information Protection and Electronic Documents Act (PIPEDA)
If you are selling photography services in Canada, your website must comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which mandates that you inform site visitors how you are collecting their data and how they can consent or opt-out.
Creating a Photography Website Privacy Policy
Resources are already out there to help you create your own legally sound and user-friendly privacy policy.
Managed Solution
With Termly’s free privacy policy generator, you can construct simple yet comprehensive privacy policies for your photography business website.
By using Termly’s managed solutions, you can ensure that your privacy policy will correspond to the legal requirements under both US federal law and the various state laws that may apply to your business.
Template
We also offer a comprehensive sample privacy policy template that you can adjust and customize to your specific needs.
DIY
You can also create your privacy policy on your own. This route is much more time consuming and you need to know what you’re doing.
If you choose to go this route, we have outlined a few things you need to include in your photography site’s privacy policy below:
Things Included in a Photographer’s Privacy Policy
In general, when writing a privacy policy, you should ask a few key questions:
What Personal Data Does Your Website Collect?
Any data your photography website may collect from customers should get disclosed in your privacy policy.
This includes email addresses, shipping addresses, and birthdates. It might also include payment information, such as credit card numbers and banking account and routing numbers.
How Do You Use Personal Data?
You must inform visitors how you use the data you collect. For example, if you use it for targeted ads and promotions for upcoming events to a more specialized audience, you must mention this in your policy statement.
Do You Collect Data From Children Younger Than 13?
Under COPPA, you must address this even if you do not specialize in children’s photography. If not, your policy can include a clause specifying that you do not market to or collect data from children under 13.
If you do, your privacy policy must include more information to address COPPA legal requirements regarding minors.
How Do You Protect the Personal Data That Your Photography Website Collects?
Your privacy policy must inform your customers of the steps you have taken to protect their data. You have certain obligations when it comes to protecting your client’s data, and your privacy policy must inform them of this.
Do You Share the Data With Third Parties?
If you share customer data with third-party companies for analytics, marketing, sales leads, or customer service improvement, you must inform customers of this fact. You must also specify what data of theirs you share.
Do You Use Cookies and Other Tracking Methods?
Your photography website may have a separate, more in-depth statement on your use of cookies and other tracking methods, in which case this mention in your privacy policy need not be too extensive. However, it’s a good idea to include a brief mention of it anyway and refer visitors to your more detailed cookie policy.
How Can Your Customers Control the Personal Data That You Have Collected?
Many laws that might affect your photography business give users the right to access, control, and delete any personal data of theirs that you have collected. Your privacy policy should specifically inform them of this right and how they can go about accessing their data.
You should also link to a Data Subject Access Request form here.
Have Your Photography Website’s Privacy Policies Changed Recently?
You must include any recent changes to your photography business’s privacy policies in your online statement. Relevant changes include new privacy laws in effect where you operate, third-party requirements, or changes in your privacy policy.
Add a modified date to the top of the privacy policy to annotate when the changes were made.
Where To Display Your Photography Website’s Privacy Policy
When considering where to put your photography website’s privacy policy, keep a few key points in mind:
- The link to it must be clearly identifiable and easily spotted and accessed.
- Users must know that this is your privacy policy.
Most websites — including photography sites — should link to their privacy policy from the website’s footer.
However, you might also want to link to the policy on any banners, pop-ups, and transaction points you deploy on your site.
Article Snapshot
With so many different legal requirements and laws in place, the content you will need for your privacy policy can seem overwhelming.
Fortunately, Termly’s various resources are an excellent place to start when creating the best privacy policy for your photography business.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
