Do I Need a Privacy Policy on My Website?

In most cases, the answer is yes, you do need a Privacy Policy on your website. This could be for legal, practical or reputational reasons.

Let's break down why and how you should publish a Privacy Policy on your website.

What is a Privacy Policy?

Different laws and rules use different terms for a Privacy Policy such as "privacy notice," "privacy statement," and personal "data handling." While the precise details may vary, these different terms usually refer to the same broad concept, namely a document saying:

• What personal data you collect
• Why and how you use it
• What rights people have over their data

And the most common way to state these details to the public is via a Privacy Policy.

Laws That Require You to Have a Privacy Policy on Your Website

The following are just some of the laws that require a Privacy Policy.

General Data Protection Regulation (GDPR)

The GDPR is an EU law that requires a Privacy Policy. It applies if you, the data subject (the person the data is about) or the data processing itself is in an EU country.

Articles 12 through 14 of the GDPR say you must provide certain information about data handling to the data subject, "including, where appropriate, by electronic means."

Posting a Privacy Policy with GDPR provisions on your website is the most efficient way to meet this requirement.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal law that applies to most businesses in Canada. Fair Information Principle 8 of PIPEDA requires openness.

The Office of the Privacy Commissioner of Canada, which enforces PIPEDA, says this means "Your organization's detailed personal information management practices must be clear and easy to understand. They must be readily available."

The best way to do this is by publishing a Privacy Policy.

Children's Online Privacy Protection Act (COPPA)

COPPA is a U.S. federal law that applies if you target your site at people aged under 13 in the U.S., or know for sure that such people use your site.

The law says you must not only get parental consent to collect data about people aged under 13, but must also publish a Privacy Policy detailing how you use this data.

California Online Privacy Protection Act (CalOPPA)

CalOPPA applies if you handle personal information about California residents (regardless of your own location.) It specifically requires a clearly labeled and publicly posted Privacy Policy on your website, and the policy must cover a number of specific details.

California Consumer Privacy Act (CCPA/CPRA)

The CCPA (as amended and expanded by the CPRA) applies to very large businesses that serve California, or those that deal with personal data about a large number of Californians. It requires a detailed notice covering data collection, sales and disclosure. This notice is best placed within a Privacy Policy.

Note that other states and countries have privacy laws that require a Privacy Policy, and additional states and countries are sure to create such laws in the future.

Third Parties That Require You to Have a Privacy Policy on Your Website

Even when you aren't covered by a law requiring a Privacy Policy, you may need to have one for contractual reasons. This is most common when you use a third-party platform or service to deal with customers.

App Platforms and App Stores

Major app platforms such as the Google Play Store and Apple App Store have rules that require app developers to let users (and potential users) access a Privacy Policy. This covers the way the developer uses data collected through the app.

Since 2022, it's mandatory for Google Play apps to report on privacy in two ways. First, developers must answer set questions on data handling, with the answers appearing in the app listing. Second, the app listing must link to a Privacy Policy on the developer's website.

The Monopoly Solitaire app listing shows the set question answers:

If someone clicks the See details link, a more detailed page opens up that includes a link to the full Privacy Policy:

Similarly, Apple's rules say that developers must answer set questions, with the results appearing in app listings. These answers must also cover any third parties who access or receive data from the app. The rules also require a link pointing to a "publicly accessible Privacy Policy." (Apple recommends, but does not require, that you also link to a page where users can change privacy settings.)

The app store listing for CNN shows both the answers to the set questions and the direct link to the app's Privacy Policy:

Analytics Services

Many services that track and analyze user data on behalf of a business have rules saying the business must have a Privacy Policy. This policy must cover not only the business's use of data, but also the collection and use by the analytics service.

For example, Google Analytics requires that you not only link to its Privacy Policy, but also to your own Privacy Policy. This policy must cover any use of cookies. Google also requires that you abide by what you say in your Privacy Policy.

The U.S. House of Representatives Privacy Policy addresses its use of Google Analytics:

Email Newsletter and Marketing or List Services

Services for sending emails automatically, such as for mailing lists and newsletters, inherently involve handling customer data. Many such services have rules that say you must publish a Privacy Policy detailing how you collect customer details, whether you share these details, and how you use the details.

Some service providers say exactly what you must include in your Privacy Policy while others, such as Mailchimp, simply say it must comply with all relevant laws:

Make sure to check with laws in your area as well as in areas where you have customers. You'll also need to check the Terms agreements of any and all third party services you work with, from your website platform to payment processors and mobile app distributors to see what exactly is required for your Privacy Policy.

What if I Don't Collect Personal Information?

It's possible you don't collect or use personal information in a way that triggers any laws or rules requiring a Privacy Policy. You might be tempted to simply ignore it, but this could be a mistake for three reasons:

• People may assume you have something to hide or have not paid attention to privacy laws and rules
• You may have to waste time and effort answering questions about your personal data use (or lack of it)
• You miss out on a chance to reassure customers and users that their data is safe when they use your business

Instead, you can publish a very brief Privacy Policy that explains you don't collect, use or share any personal data. It's also worth explaining when this is an intentional policy choice rather than just something that's happened by default.

Think Small's Privacy Policy is largely about explaining when it doesn't collect personal data:

DuckDuckGo's Privacy Policy summary makes quick work of showing how it doesn't collect or share any personal information:

Even if you don't need to have a Privacy Policy for some rare reason, you should still have one to make it clear that you aren't just disobeying the law or disrespecting the privacy of your users.

How to Create a Privacy Policy For Your Website

Exactly what to put in your Privacy Policy will depend on which laws and rules apply, so check the requirements carefully.

As a general rule, covering the following points will help you comply with most rules as well as getting you in a good position if your position changes later on and you come under different rules:

• Your identity (business name, contact address and the details of whoever is responsible for data protection at your business).
• What personal data you collect. (You can break this down into general categories, though note some laws such as the CCPA (CPRA) require you to use specific categories.)
• Why and how you use this personal data. (Again, you can break it down into categories.)
• Whether you share or sell personal data and, if so, who gets it.
• How long you keep personal data (or how you decide when to get rid of it).
• How you keep personal data secure.
• Whether you rely on consent to process data and, if so, how people can withdraw this consent.
• The user's legal rights over their data and how they can exercise these rights. (This could include knowing what data you store, correcting errors and asking you to stop using data.)
• Whether you use personal data for automated decision making or profiling.

As long as you collect and use similar types of data from all customers, you can cover most of these points in a general Privacy Policy. You can then list any exceptions or additions for specific cases at the point when you collect the data.

Make sure to review your policy regularly to make sure it's still accurate. Transport for All gives details of the last update to reassure customers it is still relevant:

Check out our Free Privacy Policy Generator or downloadable, customizable Privacy Policy template to create your own policy right away.

How to Display a Privacy Policy on Your Website

How and where to display your Privacy Policy is both a matter of good practice and, in some cases, a legal requirement. The key principle to remember is that users should be able to easily check your Privacy Policy both before and after you collect their data.

You can comply with most laws and rules by doing the following:

• Have the Privacy Policy as a standalone page on your site unless it's very short, in which case it could be part of a broader legal page that also covers topics such as terms of use and disclaimers.
• Make sure the page is always available and not hidden in a pop-up window or drop-down box.
• Link to the Privacy Policy whenever somebody is about to provide personal information such as an email address.
• Use clear language and explain any legal terms.
• Link to the Privacy Policy from your home page and as part of any navigation system such as a footer menu that appears on every page.

Legal Compliance Services combines the Privacy Policy in a page which also has information on cookies. It links to this page from a footer menu:

LinkedIn requires users to agree to the Privacy Policy when signing up and providing personal information:

Summary

Let's recap what you need to know about whether you need a Privacy Policy for your website.

• Laws in places including Europe, Canada and the U.S. require a Privacy Policy.
• Many service providers that help you deal with customers require a Privacy Policy. This includes app stores, analytics services and email and newsletter management services.
• Customers expect to see a Privacy Policy and may be concerned if you don't have one. This means it's smart to publish a Privacy Policy, even if only to say you don't handle personal data.
• Key points to address in the Privacy Policy include what data you collect, how and why you use it, whether you share it, and how users can exercise their data rights. Check relevant laws and rules as the precise requirements vary.
• It's usually best to publish your Privacy Policy as a standalone web page that users can easily find and visit at any time, then link to this page when you are requesting personal information as well as in a static place that's always accessible, such as in your website's footer.