This article by Barbara Meyers is from the January 2021 edition of Nink, the monthly newsletter of Novelists, Inc.  (NINC). Nink, which is packed each month with informative articles for career novelists, is a benefit of NINC membership. 

Are you required to have a privacy policy on your website? If your website is based in the United States, the answer is yes—and you might be violating Federal Trade Commission (FTC) rules if you don’t have one. If your website reaches audiences in the European Union, you must also comply with the General Data Protection Regulation (GDPR).

Not following compliance guidelines can lead to liability. Likewise, if you have a published policy but don’t follow it, someone could make claims against you for deceptive or unfair trade practices. Plus, those who view your website may be more comfortable knowing there’s a policy that spells out exactly what information you collect during their visit and how it’s used.

While most states have no laws regarding website policies, California and Vermont have been more aggressive in increasing privacy protections. The California Consumer Privacy Act (CCPA) took effect Jan. 1, 2020, and focuses on how businesses collect and use Californians’ data. Even if you are not a California resident, your website is accessible to those who are. CCPA is meant to address website operators selling data directly through lead generation companies and direct marketers, or sharing personal data with ad networks through cookies without disclosure. Violations fall under the California Unfair Competition Law and can incur a penalty of $2,500 per violation.

Vermont recently enacted legislation (Senate Bill 110) to address a number of issues related to data privacy and consumer protection, such as expanding the definition of personally identifiable information (PII) for purposes of the data breach notification requirements that apply to data collectors. Under the Vermont Security Breach Notice Act, data collectors are required, in certain instances, to report data breaches involving PII.

The General Data Protection Regulation (GDPR) in Europe takes these rules a step further, requiring consent prior to data collection.

While everyone should have a privacy policy on their website, Layne Lyons, JD, says you especially should if you:

  • Collect personal information from residents of the state of California (you'll need a privacy policy that includes CCPA-specific requirements).
  • Collect information for a newsletter, giveaway or any kind of opt-in where you give a freebie in exchange for an email address—you should definitely make visitors aware of how you plan to use their personal information.
  • Sell via your website—in this case the need for a privacy policy is even greater.

What is a privacy policy and what is included?

Lyons explains that your privacy policy “tells your website visitors what information you collect, how you use that info, how you share it, how you store it, how you protect it and, very important, how they can opt-out if they want.”

A policy missing any of those key elements will fail to protect the business owner. Further, Lyons said, “The risk of not having a properly drafted policy is tremendous. Facebook has had billions of dollars of fines levied against it for failing to have one component of their policy adequately drafted and followed. It is essential that all of the elements be precisely addressed by someone who understands each facet and how to ensure compliance.”

Attorney Philip Nicolosi points out that failure to write a proper policy often stems from website operators not understanding the definition of personal data. For example:

  • In California, under the CCPA, an IP address is specifically considered an item of personal data on a stand-alone basis. Cookies use unique identifiers to identify a device in connection with its IP address. Uninformed website operators may incorrectly define, and then fail to disclose, what is actually collected and shared.
  • An open-source platform such as WordPress allows for the integration of millions of free and paid plug-in applications to facilitate operating the website. Those plug-in operators/creators may be collecting data through each website that has installed and uses the plug-in. In fact, one of the most common privacy policy mistakes is not understanding what is collected by third parties while operating a website.
  • The use of email marketing services such as Mailchimp gives these third parties access to personal data, such as an email address. In principle, any third party used to operate the website or for marketing purposes that has access to personal data in any capacity should be disclosed, regardless of how that party is using the data.

The issue of data collection and disclosure is primarily about controlling the unauthorized selling and/or sharing of personal data without notification. The FTC Act controls data collection disclosure by restricting "deceptive practices." Not disclosing how an individual's personal identifying information is shared with third parties is deceptive.

How to create your policy

So where do you go to find legal documents for use on your website? Both attorneys interviewed provide privacy policy and other legal documents for web-based entrepreneurs. Check out:

Keep in mind, however, that the free sites may offer no support or any way to get your questions answered. A good policy includes several requirements regarding the setup of your website, for example Secure Sockets Layer (SSL), so it can be worth having someone to go to for assistance when you need it. SSL (and its successor, TLS) is a protocol developed for sending information securely over the internet. When you are asked to "log in" on a website, the resulting page is usually secured by SSL. If a web address starts with "https," the "s" after the "http" indicates that the connection to the website is encrypted.

No matter if you do it yourself or get an expert to help with your policy, make sure your policy is written in easy-to-understand language. Lyons says she sees a lot of policies written in “impossible-to-understand legalese, filled with legal jargon and old English wording. Having clarity with all legal documents is empowering for an entrepreneur and will foster confidence and peace of mind.”

In the interest of full disclosure, I was one of those website operators who didn’t know I needed a privacy policy. I took advantage of Layne Lyons’ free website review and half-hour consultation before she drafted my website policies.

(Editor’s note: If you do not have a webmaster, your web hosting service can help you set up and install an SSL certificate. Also, many free plug-ins are available to help you set up the “This site uses cookies” banner that should pop up on your website when a visitor lands on it. This banner alerts visitors that you are collecting data, and if set up to do so, one click can allow a visitor to review your privacy policy.)