MSN Law Office

Why Your Business Website Must Have a Privacy Policy


If your business has a web presence (and in the 21st century, you really should), then you probably need a privacy policy on your website. Several relatively recent laws require business websites to post a privacy policy, but these laws aren’t universal in their applicability, especially when it comes to small businesses. Complicating matters, this area of the law is developing and changing rapidly.

According to a recent survey, customers are not only starting to care about their online privacy, but they are also willing to take action to protect their privacy, even going so far as to switch businesses or service providers because of their privacy policies. This means your customers are increasingly likely to want to know what data they are giving up when they interact with your business and what your business is doing with all that data in the first place. In this post, we’ll talk about the legal requirements for your website privacy policy: What should be included in your privacy policy? What are some best practices for keeping your privacy policy up to date?

While Ohio has not passed any laws specifically requiring websites to post privacy policies, such laws have been passed in several other jurisdictions. And these laws typically apply even if your business isn’t located in that state or country.

Practice Note: Ohio law hasn’t addressed privacy policies yet, but Ohio’s Data Protection Act does protect businesses from lawsuits if they take steps to protect the security and confidentiality of personal information, among other requirements.

The most common example of this is California’s Online Privacy Protection Act which requires websites and apps to post a privacy policy if they collect any personally identifiable information from California residents. Regardless of where your business is located and who your target customer is, unless you can be absolutely certain that you’ll never collect information from someone located in California, then this state law from across the country applies to your website. 

Under California law, your privacy policy must let visitors know what personally identifiable information your site collects and who you share that information with. The law doesn’t dictate what information you can or cannot collect or even what you can or cannot do with that information once you have it, but it does require that your business comply with whatever privacy policy you establish. 

Similarly, the European Union’s General Data Protection Regulation (GDPR) applies not only to businesses based in the EU, but also to businesses that offer goods or services to residents of the EU or that collect data from the EU. As we discuss below, most websites these days use third-party services to track website visitors. That alone potentially makes the GDPR applicable to your small business, because an EU resident could stumble across your site even if you aren’t specifically targeting the EU. So while the GDPR technically applies to almost every website in the world, (a) as a practical matter it seems unlikely that regulators will be targeting small businesses that inadvertently obtain insignificant amounts of data, and (b) it does include an exemption from the more onerous record-keeping requirements for small businesses with fewer than 250 employees.

The GDPR is a complex law with a lot of requirements. But most importantly for small businesses, it requires that you:

  1. be transparent about the data you collect,
  2. have a legitimate purpose for collecting that data,
  3. only collect as much data as is necessary for those purposes, and
  4. get specific, unambiguous consent for collecting and processing that data. This is a major reason why so many websites now have those annoying cookie notifications popping up everywhere. 

In addition to the patchwork of legal regulations requiring a privacy policy, the services you or your website designer may have built into your website also typically require the use of a privacy policy. For example, most websites rely on Google Analytics to try to understand how visitors find and interact with their website. When you signed up to use Google Analytics on your site, you agreed to their terms of service, which require the use of a privacy policy on your site. Other data analytics tools, third-party advertising services, your payment processor (if your business is involved in e-commerce), even the chat bot that interacts with your visitors, all typically require that your site post a privacy policy. 

What to include in your privacy policy

Your website’s privacy policy should let visitors to your site know:

  • What information your website collects about visitors
  • How that information is collected (e.g., through forms a visitor fills out, cookies that collect information automatically, etc.)
  • What you will do with that information once it’s in your possession
  • How you will keep that information safe
  • What information collection your visitors can opt out of (and how that might impact their use of your site or services)
  • What third-party services you use to collect, process, or store information. (In addition, you should check the terms of service of those third parties to make sure your privacy policy complies with their requirements.)

Best Practices for Drafting and Maintaining Your Website Privacy Policy

This is a messy area of the law that is only likely to get messier as the privacy debate continues. At this point, you might be thinking, “I’ll just copy a privacy policy from a website that seems similar to mine and call it a day.” But be careful! The law may not be clear about what your privacy practices should be, but it is clear that, at a minimum, your business must comply with the terms of whatever privacy policy you set. Failing to do so or misrepresenting what you do with consumers’ personal information is an unfair or deceptive trade practice. In other words, your business can face legal liability simply for failing to follow your own privacy policy.

As your business practices change, your privacy policy should also be updated to reflect those changes. And because this is an evolving area of the law, your privacy policy should be reviewed periodically to ensure compliance with the changing regulatory landscape.

If you have questions or concerns about the legal requirements applicable to your website privacy policy, please schedule a consultation.
