Part 1: Does Your Privacy Policy Need A Tune-Up?


Whether your small business sells goods and services online, or you’re simply using your website to market to your customers, having a quality website privacy policy can build consumer trust and distinguish your business in a crowded online marketplace.

The Federal Trade Commission recommends privacy policies for most websites that collect and share consumer data, including data collected passively using cookies. What’s more, a few states, including California, require privacy policies for websites collecting various categories of data from their residents. Federal laws require privacy policies for businesses collecting sensitive data, such as personal information from children under 13, protected health information, or information collected to provide certain financial products or services (e.g., loans, investment advice, insurance) to consumers.

Whether or not it’s legally required for your business, it’s a good idea to develop and maintain a comprehensive privacy policy. Your customers have a right to know what privacy protections they can expect when they interact with your business online.  Even if you’re not processing sales transactions on your site, you may be collecting your visitors’ personal data to generate leads, make appointments, manage newsletter subscriptions, or to share with advertisers. You’re probably using web analytics to gather data to optimize your website’s performance.  If you don’t have a privacy policy in place, or your current policy doesn’t accurately reflect your data privacy practices, it’s time to get to work.

Make Sure Your Privacy Policy is Effective

Keep it visible. Don’t make your privacy policy hard to find -consider including a prominent link in the header or footer of every page so visitors can check out your policy before they interact with your site.  At a minimum, your privacy policy should be linked to from your homepage and any other pages where data is collected.

Keep it simple. The policy is a legal document, but consumers don’t want to read technical jargon or legalese. Your privacy policy should be clear, concise and written in plain language so that your customers can readily understand how you’re handling their information.

Keep it real. Say what you do and do what you say. Your policy is a pledge to your customers about how your business will handle and protect their personal data. It should accurately reflect data practices unique to your business. You can check out policies of similar businesses for inspiration, but don’t cut and paste another company’s policy – one size does not fit all!

Keep it current.  Make sure your policy is updated if you change your business and privacy practices affecting customer data. Communicate any substantial changes in data use or sharing to customers before they take effect

Key Issues to Address in your Policy

What data is collected. Identify the types of data your site collects. In addition to names, home addresses, email addresses, phone numbers, credit card information, and IP addresses, you may be collecting information about your customers’ interests and purchase histories or demographic information such as their gender, age, income or marital status.  Your analytics provider, your advertisers, your third party shopping cart or payment processor may all be collecting information on various parts of the site. These activities should be identified and consumers should be directed to any third party privacy policies that may apply.

How data is being collected. Online forms used to enter email details for newsletters and credit card data for purchases may be obvious to the consumer. Data collection using cookies and other trackers placed on the visitor’s computer browser may go unnoticed. You should clearly explain your cookie practices to customers. 

What you are doing with the data.  Tell your customers how you’re using their data and how, where and how long you will store it. If you share customer data with affiliates or service providers, sell data you collect to business partners, or allow marketers or others to collect data on your site, be sure to explain what information is being shared or sold and how it may be used. 

How customers can control their data. Provide a point of contact at your business – an email address or phone number - to help customers change passwords, unsubscribe from mailing lists, close accounts, or complain if there’s a problem. If marketers are using your site to collect browsing data for interest-based advertising, you should also provide customers with opt-out information for this activity.    

How you protect the data.  You should be protecting customer data with strong data integrity and security measures. You can reference these measures in your published policy to provide assurance to your customers, but avoid going into detail -- publicly revealing too much about your security practices could put your systems at risk.    

Remember, you are legally responsible for abiding by the privacy promises you make in your policy. If you have questions about your obligations, seek legal guidance before finalizing the policy to make sure it complies with federal and state laws that may apply to your business.

Looking Under the Hood

If you’re drafting a privacy policy for the first time, or your current privacy policy has not been reviewed for a year or more, you should start by reviewing how and where your business collects consumer data and your procedures for using, sharing, storing, securing, and disposing of it, to identify any privacy risks and ensure you have appropriate protections in place.  In the next section, we’ll discuss that process in more depth.