Legally, no. However, there are plenty of reasons to have one.
What is Personal Data?
Firstly, it's important to define what personal data is.
Personal data is harder to define than you might imagine as there is no standard definition in the US. However, in general, personal data is anything that could be used to identify an individual.
This includes (but is not limited to): first and last name, home address, telephone number, date of birth, email addresses, bank account details, financial history and any other information that relates to an individual and could be used to identify them.
Even a person's IP address could be considered personal information.
It's essential to carefully consider whether your company collects any information that could be considered personal data from website or app users.
To avoid any confusion, Startpage provides a clear explanation of what it regards as personal data. The company explains that it uses a broad definition to maximize the user's privacy. Not only does this help to avoid misunderstandings, it also gives the impression of a more trustworthy and open company:
Now that you've considered the definition your company uses to describe personal data, let's assume that your website or app collects no personal data and look at the big question:
Finally, a company may use intermediaries that collect data on their behalf.
Let's break these down further:
Just a short, simple statement like this makes a world of difference when it comes to how your users and the authorities view your privacy practices.
Avoid Accusations of Data Collection
It's quite rare to find a company that doesn't collect any data, and privacy-conscious users will appreciate this. Use this to your advantage and provide an explanation of why your business doesn't collect any data alongside a definition of what personal data is.
Ecquire also explains why it doesn't store any data or messages, stating that it has nowhere to store data as the company doesn't have a server database:
Address Third Party Data Collection
For example, an ecommerce site may not collect data from its customers. However, if the site hires a third party to process its customers' payment information, it is likely that the intermediary will collect billing and payment information.
It's important to find out if any intermediary stores user information and to inform users about this if it does.
Save Time in the Future as Your Business Grows
The line-through method used here isn't something you see often, but you can see how it helps users see what the old practice used to be and how the updates to the policy change that.
Think carefully about any information you do collect that could be considered personal data. Also, consider if there are any circumstances where you may collect personal data even if it isn't done routinely.
However, the Policy goes on to identify a few exceptions: the company does store personal data that is provided voluntarily, information shared by third parties, data that is publicly available and website users' IP addresses:
Global Dro also makes an exception for data that is volunteered to the company:
The policy makes it clear that the website does not collect personal data, including users' IP addresses and geolocations. However, the website will collect users' email addresses, provided the address has been volunteered by the user. The policy makes it clear that there is no requirement to provide an email address:
Disconnect goes on to state that even though the company collects email addresses that have been volunteered, this information is only retained for a short amount of time, namely 30 days:
Your policy doesn't need to be as long and complicated as that of a business that collects personal information. It just needs to state that your company does not collect any personal data and include a definition of personal data so that users are clear about what you don't collect.