- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- 2.1. Privacy Law Compliance
- 2.2. Reduce Disputes and Liability
- 2.3. Build Trust With Customers
- 3.1. Your Contact Details
- 3.2. What Data You Collect
- 3.3. How You Use the Data You Collect
- 3.4. Whether You Share or Sell Data, and with Whom
- 3.5. How You Protect the Data You Collect
- 3.6. User Rights
- 3.7. How Long You Keep the Data
- 5. Summary
While definitions vary across different rules and regulations, "personal data" usually means any information that can be used alone or with other information to identify an individual.
Privacy Law Compliance
In many cases, these laws apply regardless of the size of your business, meaning they apply to your small business too. Examples include:
- The EU's General Data Protection Regulation (GDPR)
- Brazil's Lei Geral de Proteção de Dados (LGPD)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- The California Consumer Privacy Act (CCPA) and its expanded requirements via its CPRA amendment
Reduce Disputes and Liability
Build Trust With Customers
Many privacy laws say that Privacy Policies must be written in clear language. For example, the GDPR requires information in "a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."
- Use straightforward, familiar language wherever possible
- Only use legal terms where they have a precise meaning, and explain this meaning where necessary
- Avoid excessively long sentences and paragraphs
- Use lists where relevant
Your Contact Details
As well as giving your full business name and registered address, you should include all appropriate ways of contacting you with any personal data queries. Make clear whether your business is a subsidiary or parent company of any other relevant business.
Here's how Open University provides an email address, telephone number and postal mail address for people to use to contact the university:
What Data You Collect
For a small business, you can often list the types of personal data you collect. Make sure you review this section regularly to keep it up to date with what you're actually collecting.
How detailed the information you put in this section should be, and how best to present it, may depend on your size and how wide a range of data you collect.
Raleigh Tutoring gives both the broad types of data it collects, plus specific examples:
How You Use the Data You Collect
In most cases, you simply need to list the key ways you use data. As with the types of data you collect, you should give enough detail to give a clear picture without overwhelming the reader.
With some laws, such as the GDPR and LGPD, you will also need to state a lawful basis for using the data in this way. For a small business, the most likely lawful bases will be:
- You have the data subject's consent, which must be active, informed and unambiguous
- The data use serves your legitimate interest (such as marketing a product or processing orders), and that interest is not overridden by the data subject's privacy rights
Sierra Tucson gives a clear and well-organized list of how it uses personal data:
Whether You Share or Sell Data, and with Whom
This section should address:
- What data, if any, you disclose to third parties, or an overview of the types of data
- Who receives the data, or an overview of the types of recipients
- Whether you receive payment for the data
- Where relevant, the reasons why you pass on the data. This can reassure customers that you are only passing on data where necessary.
Here's how Snap explains that it may share data, with whom (other Snapchatters), and specifically what data it shares:
How You Protect the Data You Collect
Most data privacy laws hold you responsible for protecting data. Telling customers about your protection measures can reassure them and make them more confident about providing personal data. It also means you should never lie about or exaggerate your security measures.
Remember that protection isn't just about preventing unauthorized access to data, but also unauthorized alteration or destruction.
You don't need to describe your security measures in great or specific detail, particularly where doing so might undermine that security. Instead, you can cover the types of security you use, such as physical, organizational and technical measures.
Many businesses will also include a statement in this section to say they cannot guarantee data will be secure, particularly when being transmitted over the internet to or from a customer.
Here's how Bakersfield Accountants details its security, including compliance with federal regulations:
User Rights
Some common rights that can appear in this section include:
- The right to know what data you store about a person
- The right to correct errors in data
- The right to ask you to delete outdated or irrelevant information
- The right to ask you not to sell data to third parties
As well as saying whether customers have these rights, you should detail how they can exercise them, as well as how a customer who is dissatisfied with your response to a data access request can appeal to you or complain to a data regulator.
Here's how PubMatic explains how users can exercise data rights granted under the CCPA:
How Long You Keep the Data
You should either say how long you will keep personal data or explain how you will decide when to dispose of it. For example, this could be when it's no longer needed for a specific purpose, or a set period after a user deletes an account with you.
Explain if any laws say you must keep data for a particular period, for example to satisfy financial or legal obligations.
It's also useful to explain how you will delete data so that it cannot be restored or accessed without authorization later on.
Here's how Snap discloses the different ways it handles different types of data, and the potential timeframes for storing and deleting the data:
Here's how Whole Foods Market displays its Privacy Notice in its website footer:
Here's how Amazon displays its Privacy Notice as part of its account creation process:
Do not use any method that could be ambiguous or misleading. This includes measures such as a pre-ticked checkbox or a note that continuing to use a website counts as consenting to data use. Several rulings on the GDPR have said consent gathered through such methods is invalid.
Let's recap what you need to know about small business Privacy Policies:
- What data you collect
- How you use it
- Whether you share or sell it
- How you protect it
- How to access and correct data
- How long you keep data