Small Business Privacy Policy Template

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 March 2023.

If you operate a small business, you will most likely legally need a Privacy Policy if you're collecting or processing any personal information.

This article will explain why, while helping you create your own compliant Privacy Policy and display it adequately on your small business website.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

     FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

     FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

     FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

     FreePrivacyPolicy: Privacy Policy Generator - Answer on questions from our wizard - Step 3

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button and you're done.

     FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

What is a Privacy Policy?

A Privacy Policy is simply a statement disclosing how you handle personal data, including how you collect it, use it and share it with any third parties.

While definitions vary across different rules and regulations, "personal data" usually means any information that can be used alone or with other information to identify an individual.

Why Have a Privacy Policy

Having a Privacy Policy can help you comply with laws, reduce your risk of liability in legal disputes, and help build trust with your customers or potential customers. As a small business, this is especially important: your reputation will help grow the company, and a damaged reputation can sink it.

Handling customer data has privacy implications. Making sure customers know how, when and why you use their data can avoid legal problems and make them better informed. A Privacy Policy is a one-stop way you can address all these relevant issues.

Let's look deeper at the laws, how a Privacy Policy can help reduce disputes, and how it can help build trust with the public.

Privacy Law Compliance

Many laws around the world govern how you handle personal data, and some specifically require you to inform customers about your data handling, for example through a Privacy Policy.

In many cases, the law applies regardless of the size of your business, meaning it would apply to your small business too.

Here are just a few of the privacy laws that require a Privacy Policy:

  • The EU's General Data Protection Regulation (GDPR)
  • Brazil's Lei Geral de Proteção de Dados (LGPD)
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  • The California Consumer Privacy Act (CCPA) and its expanded requirements via its CPRA amendment

Reduce Disputes and Liability

Having a Privacy Policy can reduce the likelihood of time-consuming legal disputes and hassle with customers about your data handling. This could include you dealing with complaints, answering questions about data handling, and dealing with threatened legal or regulatory action, all of which can eat into a small business's limited resources.

Build Trust With Customers

A clear and useful Privacy Policy makes clear you have nothing to hide. This will help customers recognize that you are playing fair and treating them with respect. It also means they can make an informed decision about providing you with personal data, making them more confident about your business arrangement.

How to Write a Small Business Privacy Policy

Your Privacy Policy needs to cover key details such as what information you collect, how you collect it, and what you do with it. This can be accomplished with a number of different types of clauses, each of which we'll explore below.

Many privacy laws say that Privacy Policies must be written in clear language. For example, the GDPR requires information in "a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."

A good approach when writing your Privacy Policy is to:

  • Use straightforward, familiar language wherever possible
  • Only use legal terms where they have a precise meaning, and explain this meaning where necessary
  • Avoid excessively long sentences and paragraphs
  • Use lists where relevant

And now let's look at the specific clauses and points of information that your small business Privacy Policy should have.

Your Contact Details

As well as giving your full business name and registered address, you should include all appropriate ways for contacting you with any personal data queries. Make clear if your business is a subsidiary or parent company of any other relevant business.

Here's how Open University provides an email address, telephone number and postal mail address for people to use to contact the university:

Open University Privacy Policy: Contact us clause updated

What Data You Collect

For a small business, you can often list the types of personal data you collect. Make sure you review this section regularly to keep it up to date with what you're actually collecting.

How detailed the information you put in this section should be, and how best to present it, may depend on your size and how wide a range of data you collect.

Raleigh Tutoring gives both the broad types of data it collects, plus specific examples:

Raleigh Tutoring Privacy Policy: Collection of your Personal Information clause

How You Use the Data You Collect

In most cases, you simply need to list the key ways you use data. As with the types of data you collect, you should give enough detail to give a clear picture without overwhelming the reader.

Remember that this part of your Privacy Policy helps people make an informed choice about whether or not to provide personal data, and sometimes, whether to be a customer at all.

With some laws such as the GDPR and LGPD, you will also need to list a lawful basis for using the data in this way. For a small business, the most likely lawful bases will be:

  • You have the data subject's consent, which must be active, informed and unambiguous
  • The data use serves your legitimate interest (such as marketing a product or processing orders) and this does not outweigh the data subject's privacy rights

Sierra Tucson gives a clear and well-organized list of how it uses personal data:

Sierra Tucson Privacy Policy: Uses and Disclosures clause

Whether You Share or Sell Data, and with Whom

This section should address:

  • What data, if any, you disclose to third parties, or an overview of the types of data
  • Who receives the data, or an overview of the types of recipients
  • Whether you receive payment for the data
  • Where relevant, the reasons why you pass on the data. This can reassure customers that you are only passing on data where necessary.

Here's how Snap explains that it may share data, with whom (other Snapchatters), and specifically what data it shares:

Snapchat Privacy Policy: How We Share Information clause - With Other Snapchatters excerpt

How You Protect the Data You Collect

Most data privacy laws hold you responsible for protecting data. Telling customers about your protection measures can reassure them and make them more confident about providing personal data. For the same reason, you should never lie about or exaggerate your security measures.

Remember that protection isn't just about preventing unauthorized access to data, but also unauthorized alteration or destruction.

You don't need to detail your security measures to a high and specific degree, particularly where doing so might undermine the security. Instead, you can cover the types of security you use, such as physical, organizational and technical.

Many businesses will also include a statement in this section to say they cannot guarantee data will be secure, particularly when being transmitted over the internet to or from a customer.

Here's how Bakersfield Accountants details its security, including compliance with federal regulations:

Bakersfield Accountants Privacy Policy: Security clause

User Rights

Different laws give individuals different rights over their data. These rights must be disclosed within a Privacy Policy, and users informed of how they can exercise them.

Some common rights that can appear in this section include:

  • The right to know what data you store about a person
  • The right to correct errors in data
  • The right to ask you to delete outdated or irrelevant information
  • The right to ask you not to sell data to third parties

As well as saying whether customers have these rights, you should detail how they can exercise them, as well as how a customer who is dissatisfied with your response to a data access request can appeal to you or complain to a data regulator.

Here's how PubMatic explains how users can exercise data rights granted under the CCPA:

PubMatic CCPA Privacy Policy: California Resident Rights clause

How Long You Keep the Data

You should either say how long you will keep personal data or how you will decide when to dispose of it. For example, this could be when it's no longer needed for a specific purpose, or a set period after a user deletes an account with you.

Explain if any laws say you must keep data for a particular period, for example to satisfy financial or legal obligations.

It's also useful to explain how you will delete data to prevent it being restored or accessed without authorization later on.

Here's how Snap discloses the different ways it handles different types of data, and the potential timeframes for storing and deleting the data:

Snap Privacy Policy: How Long We Keep Your Information clause

Now that you know what to put into your small business Privacy Policy, it's important to know just how to display it to your customers or potential customers. We'll look at that next.

How to Display Your Small Business Privacy Policy and Get Agreement to it

A Privacy Policy is only really helpful for customers if they can easily find it when needed, and understand it. They also must agree to it in a legally valid way for it to be enforceable.

Here are a few of the best ways to display your Privacy Policy and obtain valid agreement.

First, you should always have your Privacy Policy as a standalone web page. This lets you add a link to your Privacy Policy to places such as your website footer and elsewhere.

Here's how Whole Foods Market displays its Privacy Notice in its website footer:

Whole Foods Market website footer with Privacy Notice link highlighted

You should always make your Privacy Policy available when customers are about to provide personal information, such as when you collect email addresses to share your email newsletter, or if you allow customers to register for an account.

The checkout page of ecommerce sites is another great place to display your Privacy Policy.

Here's how Amazon displays its Privacy Notice as part of its account creation process:

Amazon Create Account form with Conditions of Use and Privacy Notice highlighted

You should always make sure customers have a reasonable opportunity to read and agree to your Privacy Policy before providing personal information, particularly if you rely on consent to make data processing legal.

You can get agreement by requesting some kind of action from the user, for example ticking an "I Agree" checkbox or clicking a button that's clearly marked as agreeing to the Privacy Policy.

Do not use any method that could be ambiguous or misleading. This includes measures such as a pre-ticked checkbox or a note that continuing to use a website counts as consenting to data use. Several rulings on the GDPR have said consent gathered through such methods is invalid.

West London Pick & Mix uses a checkbox to get users to show they agree to the Privacy Policy when they share an email address to sign up for the company's email newsletter:

West London Pick and Mix email newsletter sign-up form with Agree checkbox highlighted


Let's recap what you need to know about small business Privacy Policies:

A Privacy Policy details how you collect and use customer data. Publishing a Privacy Policy can help you comply with laws, reduce administration and hassle, and build trust with customers.

Many privacy laws around the world require a Privacy Policy, even from small businesses in most cases.

A Privacy Policy should cover:

  • What data you collect
  • How you use it
  • Whether you share or sell it
  • How you protect it
  • How to access and correct data
  • How long you keep data

Display your Privacy Policy so people can easily check it both before and after providing you with personal data. Good spots for this are the website footer and anywhere you collect personal data, such as an email newsletter sign-up form or account creation form.

Don't forget to get clear consent from customers that they have read, understood and accepted your Privacy Policy. An "I Agree" checkbox is a great way to do this.