Why Your Website Privacy Policy Matters

If you operate any online business, your business almost certainly collects consumers’ personally identifiable information. Many business owners don’t know whether their website should include a privacy policy, and, if so, what that policy should include.

Why Should You Have a Privacy Policy

Many businesses hesitate to include a privacy policy. Reasons I encounter include not wanting to restrict themselves, not wanting to expose themselves to self-imposed liability, and the folksy “well, I’m not going to do anything with my customer’s private information.” There are at least two reasons why your business’s website should include a privacy policy.

The first reason is for your own business. Believe it or not, consumers look for privacy policies, especially when dealing with an unfamiliar business. From the first time (a decade ago) I had to abandon an overfull email account because an online vendor sold their email address list to a marketing company, I have always performed at least a cursory review of a website’s privacy policy before giving my information. The last thing you want is to lose a potential customer because you didn’t take the time to include a basic privacy policy.

The second reason is legal. Arkansas does not have an online privacy act, but if you are selling products over the internet, then you have potentially fifty state consumer protection laws with which to comply. For example, if you ever sell products to a resident of California, then your website is required to comply with the California Online Privacy Protection Act. If it doesn’t, or if your privacy policy is noncompliant, your customer or even the California Attorney General could sue your business.

Writing Your Privacy Policy

What then should a good privacy policy contain? First, let’s begin with what it should not contain. Many business owners haphazardly cut and paste something to the effect of “We will not share your information with any third party.” This sounds great, and as a consumer I’d be reassured about using your website. The problem is this statement is almost always false. Unless your company simultaneously owns your internet service provider, your courier, and the financial institution that clears your credit card payments, you will almost surely have to share information with someone. But using such restrictive language in your privacy policy means that for each of these legitimate disclosures, you would be breaching a contract.

Second—and this is related to my previous point—identify all types of third parties with whom you might possibly have a reason to share the personally identifiable information. If the list is expansive, it might help to specify the purpose for which consumers’ information might be shared. Consumers are unlikely to be upset that you share their information with your parent company if they are informed that sharing their information will be limited to legitimate and helpful purposes—not simply to flood their email with third-party advertisements.

Third, list everything you collect. This can include a first and last name, physical addresses, email addresses, social security number (make sure you have a good reason to collect this though), telephone numbers, pictures, videos, messages, or any other information that could identify a consumer, even if in combination with other information on the website. Resolve all doubts in favor of disclosure here.

Fourth, provide a process for an individual consumer to review and request changes to their personally identifiable information.

Fifth, describe the process by which consumers will be notified of changes to the privacy policy. This may be as simple as sending out an email stating “Our privacy policy has recently changed. Please click on the link to view the most recent Privacy Policy.”

Sixth, identify the effective date of the Privacy Policy. As long as your privacy policy allows, you are free to change the policy at any time without advance notice (though you will eventually have to give notice, as described immediately above). But users of your website need to know when the current policy came into effect.

Finally, if you have actual knowledge that children under 13 years old are using your website (a demographic to which I highly advise against directly marketing), an additional set of regulations promulgated by the Federal Trade Commission pursuant to the Children’s Online Privacy Protection Act applies to you. Because they are expansive, they are beyond the scope of this article. I mention them here simply to put you on notice.

In sum, if your website collects personally identifiable information, you cannot afford to not have a privacy policy. But it is not enough to simply copy/paste a policy from someone else’s website. You need a policy that both reassures your customers and protects the legitimate purposes for which you would need to share information.