Privacy Policy FAQ
What is a Privacy Policy Statement?
A privacy statement (or privacy policy) is the notice a company publishes describing how it collects, uses, stores and manages the personal data gathered on its website. If your website collects personal information, a privacy policy is legally required to appear on it. Privacy laws requiring such a policy are in effect in the European Union (GDPR), California (CCPA), Canada (PIPEDA) and Australia (the Privacy Act 1988, significantly amended in 2018). As of 2021 more U.S. states have enacted their own privacy laws, so be sure to check the requirements for your state.
According to Medium.com, the strictest data protection law in the world is the EU’s GDPR. The General Data Protection Regulation (GDPR) went into effect on May 25, 2018 and governs the collection of personal data. If a person located in the EU visits your U.S. website and you collect personally identifying information from them while offering them goods or services or monitoring their behaviour (Article 3(2) of the regulation), you need to be GDPR compliant or face fines. According to Intersoft Consulting, “fines must be effective, proportionate and dissuasive for each individual case.” The maximum penalty is €20 million or 4% of worldwide annual turnover, whichever is higher, so in the most severe cases fines can run to tens of millions of dollars. Google, the first U.S. company to be fined under the GDPR, was fined €50 million (about $57M) by France’s data protection authority, the CNIL, in January 2019.
What you really need is a strong, effective privacy policy. Generally, privacy policies cover everything from the types of data collected and the purpose for collecting that data, to the use of cookies, to data storage, security and access, to details of any transfer of data to affiliated websites or organizations. Your privacy policy should specify the kinds of personal information you gather from website visitors (e.g. names, birthdates, photos, IP addresses, email addresses, billing and shipping addresses, banking information, phone numbers, even Social Security numbers).
PrivacyPolicies.com provides a Privacy Policy Generator that can produce a starting draft.
NOTE: Be sure to review your privacy policy with your attorney.
Do I Need A Privacy Policy?
Yes, a privacy policy is legally required if your website collects any personal information about visitors. You need to be aware of Europe’s General Data Protection Regulation (GDPR) which you can learn about on The Marketing Department’s Blog: GDPR, Ignore it at Your Peril. The GDPR went into effect in May 2018.
In a nutshell “the GDPR is designed to protect EU citizens’ personal data from misuse.” Wikipedia asserts that “According to the European Commission personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Why would a U.S. company need to obey the GDPR?
The Internet is worldwide, and people located in the EU may visit your website. If you collect their personal data while offering them goods or services or monitoring their behaviour, your company is required to follow the rules of the GDPR.
Similarly, California has passed its own privacy law, the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020 (and was expanded by the California Privacy Rights Act, effective January 1, 2023). The law allows consumers to opt out of the sale of their personal data and requires businesses to disclose what they collect and why. Separately, it gives consumers a private right of action: they may sue a company whose failure to implement “reasonable” security practices results in a breach of their unencrypted personal information.
There is a plethora of information on the Internet about both these laws. You can find checklists, sample privacy statements, and detailed guidance on each. You would be well advised to either get help from your attorney or run a draft by them before posting it on your site.
More states have implemented their own privacy laws, so be vigilant.
What is General Data Protection Regulation (GDPR) and What Does it Have to do With Me?
On May 25, 2018, the General Data Protection Regulation (GDPR), a new European law, went into effect. The GDPR is designed to protect the personal data of people in the EU from misuse. While it primarily applies to organizations in European Union (EU) countries, under certain circumstances it also applies to organizations in many other countries, including the United States (US). Unlike the 1995 Data Protection Directive it replaced, which each member state transposed into its own national law, the GDPR is a regulation that applies directly and uniformly across the EU, and non-compliant companies can face stiff fines.
The European Commission defines personal data as any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from simply your name to something more sensitive, such as your medical information. What else might be on that list? A computer’s IP address, posts on social media sites, bank details. If you have a form on your website that collects data and someone from a European country fills it out, you must disclose your personal data policy. Why? Because the regulation applies not only within the EU but also to any company in any country doing business over the Internet with anyone in the EU. Even if visitors do not make a purchase, if your company is collecting personally identifiable data without complete transparency as to why the data was collected and how it will be used, your company will be in violation. So, if you are collecting data, get in compliance quickly. It is not a simple update; it takes some effort. It means creating and implementing a privacy policy.
Here are some links to online resources:
The Marketing Department Blog – GDPR – Ignore it at Your Peril
SAS – Five Steps to Sustainable GDPR: https://www.sas.com/en_us/insights/articles/data-management/5-steps-to-sustainable-gdpr-compliance.html
Firemon – GDPR is Nothing to Fear: https://bit.ly/2CSdGXv
Do I Need to be GDPR Compliant?
Simply put, yes. While the GDPR is an EU law, if your website has visitors from the EU and you collect personal data of any kind while offering them goods or services or monitoring their behaviour, your company falls under the jurisdiction of the GDPR; this is especially true for eCommerce sites. Failure to comply can lead to fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
An advantage of being GDPR compliant is that your privacy policy will already satisfy most of the requirements of the other major privacy laws (notably in California, Canada, and Australia). Each law still has its own specific obligations, however, such as the CCPA’s required “Do Not Sell” notice, so check each one rather than assuming GDPR compliance covers everything.