9 Key Reasons Why You Need a Privacy Policy

by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

December 21, 2021

A privacy policy is a document on your website that tells users how and why you’re collecting their information. It spells out how you use that data, why you use it, and if it’s shared with others.

Privacy is a space that belongs to an individual — and neither governments nor companies can intrude without permission. But we share private information all the time: our addresses, our credit card numbers, our birthdays. It’s at this juncture that privacy policies come into play.

This article answers a few questions: why is a privacy policy important, what is the purpose of a privacy policy, and why you need a privacy policy.

Table of Contents
  1. Why Is a Privacy Policy Important?
  2. What Does a Good Privacy Policy Look Like?
  3. Reasons Why You Need a Privacy Policy
  4. The Growing Purpose of a Privacy Policy
  5. Wrapping Up

Why Is a Privacy Policy Important?

Private data fuels much of the internet, from shopping sites and libraries to that guy in Florida who bought $5,000 of diving equipment with your friend’s credit card. The purpose of a privacy policy is to show the people you interact with that you take privacy seriously within your business. Since many companies have online stores where user information gets collected, it’s vital to let these users know how you will collect, use, and protect their data.

While having a privacy policy is simply the proper thing to do, several laws also require one. Examples include Europe’s General Data Protection Regulation (GDPR) and state laws in California, Nevada, Delaware, Virginia, and Colorado.

If you are uncertain about why you need a privacy policy, avoiding hefty fines is a strong motivator.

What Does a Good Privacy Policy Look Like?

A privacy policy should be short, clear, and thorough. Unfortunately, very few policies actually meet that mark, but the clearer it is for your users, the fewer problems you will run into from misinterpretations.

A basic privacy policy covers:

  • A list and description of information collected
  • Where you find that information
  • Why you collect it
  • How it is collected
  • Who else can see it and whether it will be shared or sold
  • The rights that users have over their data
  • How users can use those rights
  • Your contact information

Other parts you may want to include:

  • How you store the data
  • Links to other policies on your website (cookie policy, terms of service)
  • How to access or remove data

This list will likely change soon because privacy law changes quickly to keep up with technology. Once you create a policy, you will have to monitor it constantly to stay up to date with new or changed laws. Experts say our privacy laws now are still far from adequate, so expect that you will have to update your privacy policy constantly.

9 Reasons Why You Need a Privacy Policy

These days, almost all entities on the internet need to have a privacy policy. Of course, you may be able to avoid it if you keep no data and sell nothing, but even private bloggers have to consider why a privacy policy may be essential for them.

Consumer privacy laws are quickly growing in number and strength. Both consumers and business partners now expect you to tell them how you use and guard their personal data.

People are learning more about the purpose of a privacy policy, what to expect from a good one, and which ones offer little protection. Demonstrating strong data security shows that you care for and protect your clients.

1.) It’s the Law

The biggest reason why you need a privacy policy is that you have to comply with the privacy laws that apply to wherever your consumers are. Companies generally build a website to expand their reach, and with that comes more laws to be aware of. Here are three prominent privacy acts you should know about.

US Federal Law

The Children’s Online Privacy Protection Act (COPPA) requires American businesses to get verifiable consent from a parent or guardian before a child under 13 can use your service, whether the child is within the US or abroad.

In addition, the Health Insurance Portability and Accountability Act (HIPAA) carries strict requirements for how medical facilities protect the sensitive health information of their patients.

California State Law

California has the strictest privacy laws in the US. The primary law is the California Consumer Protection Act (CCPA) — now amended by the California Privacy Rights Act (CPRA).

California also sets strict rules about cookie use, requiring any website that uses cookies (almost all sites) to have a cookie policy and a valid opt-out procedure.

European Union Law

Although the GDPR is an EU law, it will probably still apply to you. If you market or sell to people in the European Union, your website must comply with their privacy laws.

Europe asks for Privacy by Design, meaning businesses examine how they handle private information in every step they take with customer data. This process helps them be proactive about avoiding potential issues.

The GDPR outlines users’ right to know what data is held about them and how it’s used. It also requires sites to have a process for taking down information that users don’t want online, and to tell users where that data has been sent.

As of 2021, 97% of privacy policies fail to meet the GDPR’s standards.

2.) Third-Party Apps Require It

A growing number of third-party apps require all business partners to disclose how they handle private data. Though this requirement partly anticipates privacy laws becoming stricter, the primary purpose of the privacy policy is to ensure there’s a closed chain of protected data, from the vendors to end-users.

This trend is only becoming more common, too. Google and Apple already require privacy policies from everyone whose software or apps they work with. And because analytics software relies so heavily on personal information, using any kind of it almost always means you need a policy.

For example, Google Analytics includes this requirement in its terms of service.

3.) Build Trust with Customers

Recent statistics on data privacy show that consumers are more and more demanding of transparency and security when it comes to their personal information. A privacy policy shows your current and potential customers that you care about their privacy. But, if you’re trying to endear your users to you, it’s not enough to just make a policy.

After all, if your users feel like your privacy policy is too dense or confusing, they’ll likely disregard it — or, worse, think that means you’re trying to trick them somehow.

Many people don’t read privacy policies because they’re very long and filled with complex legalese. In fact, to counter this, some laws today actually require your policy to be in simple enough language that a layperson could read it.

But, even if you’re not trying to comply with a law, a short and clear policy lets your customers know you care about their time. Having a focus on good design can also better engage users and clarify the policy even more.

Finally, don’t overlook the rapport you can build when you give users transparency in a document that they’ve grown used to skipping over because of its complexity.

4.) Make Customers Feel Informed and Comfortable

Remember, people care about their privacy; with the number of data breaches that the news reports on, it’s easy for anyone to feel scared or unsafe. This pushes many people to learn more about privacy, and once they know the risks, they often want to make sure that their information is safe.

Your customers want to know that you respect their concerns and want to feel up to date with changes in your company. That’s why they tend to feel more comfortable with a business that is open about how it stores and uses their personal information. And customers who feel close to a company often turn into brand ambassadors, which is a great organic way to market your company. The purpose of a good privacy policy is as much a legal issue as it can be a marketing tool.

As a website owner, you’re responsible for your users’ personal data — such as names, birthdays, postal addresses, phone numbers, email addresses, and any other physical information that you could use to identify someone. And remember, it also includes non-descriptive details, like geolocation, shopping activity, educational and medical history, and the contents of emails and texts.

If your privacy policy doesn’t account for all of these details, you can face hefty fines and lose the respect of your customer base.

5.) Show a Security-First Stance

Your customers and the firms you do business with need to know that you take cybersecurity seriously. After all, they are entrusting you with intimate details about their lives. As a reflection of your company’s values, your privacy policy can strongly show how much you respect their security.

6.) Avoid Legal Battles and Fines

If nothing else convinces you to have a privacy policy, the threat of legal action should. If you collect data without a clear privacy policy, you expose yourself to potential fines and lawsuits that can end up costing you quite a bit.

For example, an Irish court fined WhatsApp $267 million because its privacy policy wasn’t strong enough. Its policy was too vague in the way it described how much data it shared with its parent company, Facebook (now Meta), and why it shared this data.

In response, WhatsApp changed and clarified its European privacy policy, but this case sparked a deeper look at WhatsApp’s data exposure in general. This is why WhatsApp users can now send messages that disappear after 24 hours or 90 days.

If you want to put more concrete numbers to the penalties, here are the violations you will face for non-compliance with some major privacy acts:

  • The GDPR will fine you up to the higher of €10 million or 2% of your worldwide annual turnover from the last financial year.
  • HIPAA categorizes violations into different tiers. Tier 1 fines will charge you at least $100 per offense, up to $50,000, while the most severe violations, Tier 4, carry a minimum charge of $50,000 per offense and no upper limit.
  • Violating COPPA can land you a $43,792 fine per violation.
  • CCPA violations carry a fine of up to $7,500 per intentional offense and up to $2,500 for each unintentional offense.

7.) SEO and Marketing Purposes

Search engines love a good privacy policy. They prioritize websites with privacy policies linked, taking that as a sign of proper security. So, if you don’t have a privacy policy yet, adding one could even help your site send better signals to search engines. In addition, many ad sellers will also require you to have a privacy policy before running ads on your site, so not having one can severely cut into your bottom line.

Furthermore, just as having a policy can build goodwill with ad sellers and search engines, not knowing why you need a privacy policy will reflect poorly on your company. After all, the laws requiring them have been around for long enough now that people and search engine algorithms alike will find a site much less trustworthy if it doesn’t have a privacy policy.

8.) Keeping up with New and Changing Technology

With the pace that technology grows at, user expectations are constantly advancing and changing as well. Therefore, it’s reasonable to predict that privacy policies will become required for even more uses in the future.

For example, a lot of business data now goes into cloud storage to cut down on how much companies spend on data storage. But this is a novel situation for privacy because it takes the data out of your control, instead scattering it across a number of servers. Without an up-to-date privacy policy covering these new developments, you open yourself up to liabilities that may not have existed a few years ago.

9.) It’s the Right Thing to Do

Contemporary ethicists speak of a moral right to privacy. For example, you expect your neighbors not to walk into your home without your permission. It’s essential to hold your neighbors on the internet to the same standard.

Almost every person today is a data source for many companies, analysts, and even bad actors. Therefore, everyone has the right to know what’s happening to all this information they need to give out, and they should be able to make an informed decision on who they give it to.

Around the world, people are calling for greater privacy rights. Accommodating them with a clear, up-to-date privacy policy that lets them know what personal data you collect and what will happen with it is a decent thing to do.

The Growing Purpose of a Privacy Policy

The big ideas behind the use of a privacy policy are transparency and choice. Your customer gets to peek into the parts of your organization that concern them, just like you get to look at aspects of their lives that are relevant to the services you offer. They can then gather the information to make an informed decision about using your website.

Remember, the purpose of a privacy policy is not to tell your business what to do. Instead, it tells the world what your business does, which is why it’s such a strong reflection of your company values. But it’s also a chance to brag about your best practices and stance on your users’ security.

Privacy policies will only grow more important with time. You should expect the need for a privacy policy to keep evolving, especially with how young the internet still is.

Wrapping Up

Online privacy is a newly recognized right, and the world is still in the process of working out what it means. Around the world, new laws around privacy policies are coming out all the time, but technology is changing just as quickly.

The good thing is that you can use technology to your advantage, too. For example, you could check out our guide to writing privacy policies to learn more about what you should include and how to make yours work.

You could also try out our privacy policy generator if you want to build a policy that’s customized to fit your business. After all, you’ll get the best benefits you can out of your privacy policy if it’s the best version you can make of it.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes...
