Privacy Policies are Important

February 13, 2025

by Kellie M. Delaney

Chances are, if you operate a business or website, you collect and use more personal data than you realize. You may save contact or shipping information, maintain a newsletter email list, receive credit card payments through your website, or track website visitors and the ways they interact with your company.

Do I really need a privacy policy?

If you collect personal data from your customers, website visitors, and other individuals, those people are entitled to know how you use it and the steps you take to protect it. One way to communicate those details is through a privacy policy that you publish on your website. It is possible to communicate through other means, for example, via an annual email notice, but a published and easily accessed privacy policy is usually easier for the individuals to find and easier for you to create and maintain.

What to do now?

It’s the start of a new year, and there’s no better time to either review your existing privacy policy or determine whether to create a new one. For one thing, some laws require an annual update of your privacy policy. Even if you’re comfortable with the policy you have, be sure to consider whether it covers all of your personal data use cases, where and when you collect it, how you use it, who you share it with, how long you keep it, and what you do to protect it.

When you’re ready to work on your privacy policy, keep in mind that the purpose is to draft an understandable policy that reflects your actual use of personal data.

What laws apply?

California’s Online Privacy Protection Act (CalOPPA), not to be confused with the more recent California Consumer Privacy Act (CCPA), requires anyone who collects personal data from California residents using a website or online service, for commercial purposes, to post a conspicuous privacy policy on its website and to comply with the practices spelled out in the policy. (Calif. Bus. & Prof. Code § 22575-22578.) CalOPPA requires that the privacy policy identify the categories of personal data collected and any third parties.

If your business is covered by CCPA, the requirements for your privacy policy are more specific.

It’s worth noting that the Federal Trade Commission generally recommends privacy policies as well, for businesses that collect and share consumer data. If you collect sensitive data, such as data from children, financial data, or health-related data, you may also be subject to specific federal laws that require privacy policies.

What should the policy include?

Compliance with the legal requirements is important, but transparency is equally important. Ideally, the policy should meet these criteria.

  • Be easy to find. Link to the policy in your website footer.
  • Be easy to understand. The privacy policy is a legal document but it’s not required to sound like one.
  • Reflect how you actually collect and use personal data. The privacy policy of one business does not necessarily fit another. It’s fine to look at examples of privacy policies in businesses adjacent to yours but your policy needs to be accurate and it needs to be suitable to your unique business. When you publish a policy, you are agreeing to abide by the promises you make, so get appropriate advice before you go live.
  • Be reviewed and updated regularly. Circumstances change, and the personal data you’re using changes with them. It’s best to review your policy every year.

What do I need to disclose in the policy?

To create an accurate privacy policy, the first step is to know your data. What personal data do you collect and how do you collect it? For example, do you collect it through forms, cookies, or through a third party? Your privacy policy should also cover how you use cookies.

After you identify what personal data you collect, your next step is to catalog how you use it, who you share it with, and how long you retain it. This might include having a point of contact to handle privacy inquiries, and a way to opt out of data collection or usage.

Finally, your privacy policy should describe in a general way the steps you take to protect the personal data you collect and use. If you are unsure, or you want to know how your service providers handle personal data, look into this so you can consider whether personal data is being protected with appropriate measures, proportional to the risks.

Kellie M. Delaney is an attorney with Clear Sky Law Group, P.C. She has many years of experience in privacy law and has worked with a variety of clients ranging from multi-national corporations to small businesses. She can be reached at kdelaney@clearskylaw.com and 760-801-4889.

 

Get the personal attention you deserve

CARLSBAD

760.722.6582
2173 Salk Avenue, Suite 250
Carlsbad, CA 92008

OAKLAND

510.556.0367
1300 Clay Street, Suite 600
Oakland, CA 94612

Copyright ©2024 Clear Sky Law Group. All Rights Reserved.