As more of our personal information is stored online, data privacy is becoming more important than ever.
If you’re a business, chances are most of your customers are wary about how their data is being used — and whether it will be sold to third parties. In fact, four in five adults say they’re concerned about how companies are using their data, according to a 2023 Pew Research survey.
A growing number of government regulations are giving online users more say over where their personal data goes. From the European Union to Iowa, this rising number of data privacy laws means it’s increasingly vital to ensure your business website has its bases covered.
At Webspec, we recommend that all websites have a clear, well-written privacy policy. These policies inform users what data you are collecting from them and how you’re using it. They’re also vital to help you meet legal requirements, protect your business from lawsuits, and build trust with your users.
Let’s take a closer look at when having one is necessary and why it’s so important.
What Is a Website Privacy Policy?
A website privacy policy is a written statement that outlines how your website gathers, stores, and uses the personal information it collects. Privacy policies are important because today’s websites can collect personally identifiable information (also known as PII) in many ways:
- If you’re an ecommerce platform, you’re collecting payment information and addresses from customers.
- If you have a contact form on your site, you’re gathering names, emails, and phone numbers.
- If you’re a website using Google Analytics, you’re gathering IP addresses and tracking the actions that users take on your website.
In each of these situations — and many more — it’s important to have a privacy policy displayed prominently to let users know what data you’re collecting and how you’re using it.
Many sites link to their privacy policy in the footer of each page. You may have also seen pages in website footers like “Terms and Conditions,” “Terms of Use,” or “Terms of Service.” These types of pages are separate from privacy policies and focus on the guidelines for people using your website, including issues like intellectual property rights, dispute resolution processes, product warranties or refund policies, and more. While they are separate, both are important.
When Do I Need a Privacy Policy?
While privacy policies are important, many websites still don’t have them. A 2023 review of millions of websites by researchers at Penn State found that only one in three websites make their privacy policy available to viewers.
At what point, exactly, does your website require a privacy policy? If your site collects any kind of personally identifiable information, you probably need one. The best way to determine if you need a privacy policy is to work with a trusted third party who understands the legal ramifications of your website and what you need to include.
Not having one could mean your business is liable for costly noncompliance fines. There is a growing sea of legal requirements surrounding data privacy that websites must comply with, depending on where their users are located. Understanding these legal requirements will also help you know what to include in the policy.
Here are some of those requirements:
The European Union’s General Data Protection Regulation (GDPR)
This landmark data privacy law was passed in the European Union, but it could apply to you if you receive web traffic from one of the EU’s 27 member nations. It requires websites to do a number of things, including:
- Show visitors a cookie notice when they enter the site
- Clearly define how data is used in their privacy policy and terms and conditions statement
- Allow users a choice in what data websites collect and store
For more information, read our deep dive into GDPR here.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) updated a previous privacy law in California. State law requires businesses to notify customers about how they are using personal information and gives customers certain rights, including the right to delete certain personal information and to opt out of their information being sold.
CPRA applies to businesses that operate in California and meet certain requirements, such as sharing personally identifiable information of 100,000 or more California residents.
Other Applicable State Laws
A growing number of states are passing their own data privacy laws that require businesses to disclose the data they collect to users. According to a tracker maintained by the privacy policy company Termageddon, there are currently 17 states with privacy laws on the books, and eight new laws will go into effect in 2025.
This includes Iowa, where a new privacy law takes effect Jan. 1, requiring businesses inside and outside of the state to have a privacy policy if they meet specific requirements, such as processing the data of more than 100,000 Iowans each year.
How to Get Started
Regardless of whether a privacy policy is required for your site, being transparent about your website and including a prominent, readable disclosure of your privacy practices will help to build trust with your users.
With such a large number of privacy laws around the U.S. and the world, it may feel overwhelming to know where to start in making sure you’re compliant. But you don’t have to do it alone.
At Webspec, our team works daily on website projects in a variety of industries. We’ll work with you to help find the privacy policy expertise you need for your project. We have a partnership with Termageddon to help websites generate privacy policies, terms and conditions, and other important notices, and we’d love to put you in touch.
Want to learn more? Contact our team of website experts today!