The short answer: Yes.
While there is no one law in the U.S. that requires website owners to have and publish privacy policies, there are several federal and state laws that do. For example:
- The California Online Privacy Protection Act covers any company or individual with a website that collects “personally identifiable information” from California consumers. So if your website can be viewed in California, and if your website includes a contact form that collects a name and email address, or if your website gathers any such personally identifiable information by other means, your site must meet the Act’s requirements.
- The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, cemented in 2016 and 2017, establish requirements for transferring personal data from the EU and Switzerland to the U.S. So if your website is available in the EU and/or Switzerland, and if your website includes a contact form that collects a name and email address, or if your website gathers any such personally identifiable information by other means, your site must meet the Shield’s requirements.
- The Children’s Online Privacy Protection Rule (“COPPA”), enacted in the U.S. in 1998, requires operators of websites or online services that are either directed to children under 13 or know that they are collecting personal information from children under 13 to give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children. If you register kids for camp online, or if you invite kids to connect and comment on a Facebook page connected to your website, you may need to comply with COPPA rules.
That Inbox Glut? Blame It On the Europeans
Since these and other laws have been on the books for years, why are companies and non-profits all updating their privacy policies now? Here’s why: the EU’s General Data Protection Regulation (GDPR) took effect May 25, 2018. That regulation imposes a whole host of new requirements on owners of websites available in the EU — and significant penalties for non-compliance.
Although the GDPR gives only European citizens this much greater control over information collected from them online, the regulation also affects companies and organizations outside the EU whose websites can be viewed in any EU country (27 in all). For a good basic explanation of the GDPR’s effect on U.S.-based website owners, read The Washington Post’s story, Why you’re getting flooded with privacy notifications in your email.
“The new policies, which will be enforced by the Information Commissioner’s Office, require companies to be explicit in their efforts to seek consent from consumers before collecting their personal information,” the Post reported. “Companies also have to give consumers easy access to their own data, and to delete that data if the customer requests it. Many companies subject to GDPR are expected to appoint a data protection officer. And importantly, companies have to notify users quickly of data breaches when they occur — under the new rules, they have 72 hours to inform the public after a breach is discovered.”
As the Post noted, “A number of U.S.-based news sites — the Los Angeles Times, Chicago Tribune, Baltimore Sun and a raft of others — have basically gone offline as far as European readers are concerned.”
For most website owners in the U.S., complying with the GDPR may simply be too expensive. Even experts in data privacy suggest website owners consult an attorney well-versed in international data privacy laws to determine how best to comply with the GDPR — and many of those experts are still trying to find answers to the FAQs about the GDPR. Owners of websites inside the EU also are scrambling; VPN Mentor reported that, although the EU gave website owners two years to comply with the GDPR, only about a third of websites in the EU were ready in April, the month before the GDPR took effect.
For these reasons, we’ve recommended that most of our small-business and non-profit clients block EU access to their websites.
Whether or not you block EU visitors, your website’s privacy policy should spell out:
- What information you collect about visitors to your website;
- How you collect that information (cookies, sign-up forms, contact forms, comment forms, etc.);
- Which third parties, such as YouTube and Google Analytics, also collect information on visitors to your website;
- How your visitors can block access to information that’s usually collected.
FAQs About Website Privacy Policies
Q: Am I correct in saying that NO INFORMATION IS COLLECTED by me about visitors to (my) website? I have phone/email, if submitted, in order to call them or write to them, but I do not permanently keep this info.
A: It’s important to understand that, in addition to information you personally collect and see — information gathered through the contact form on your website, for example — most websites are collecting lots of other information from visitors. For example:
- A website security plug-in installed on millions of websites records the IP (Internet Protocol) addresses of all visitors to those websites. This plug-in also records attempted log-ins and the location of every log-in attempt.
- If your website uses Google Analytics, Google is keeping track of all kinds of information — what pages web visitors view, how long they spend on each page, what actions they take, where visitors are located, what kinds of devices (desktop PC, Mac, phone, tablet) they’re using to view your website, and much, much more.
A: You could, but unless you have a way to meet all of the GDPR’s other requirements, you would still be in violation of the regulation. To understand what the GDPR requires of you if your website is available in the EU, read the regulation, do your own research, and hire an attorney who can advise you about GDPR compliance.
Q: Are you certain that I don’t need to comply with the GDPR, even if my website is not available in the EU? I’ve seen at least one blog post that says all websites in the U.S. must meet the regulation’s requirements.
A: One popular website for WordPress site owners suggests that all websites, even those in the U.S. with no EU presence, need to comply with the GDPR. Read The Ultimate Guide to WordPress and GDPR Compliance – Everything You Need to Know for more information. However, a quick search of the web reveals that many experts disagree, and that blocking EU residents from your site is probably sufficient, at least for now.
A: For websites we host, we’re adding custom privacy policies modeled after the policy crafted by Automattic, the people behind WordPress.com.
1. As of May 29, 2018
Disclaimer: While the above information is offered to help website owners understand their responsibilities to their websites’ visitors, we are not attorneys. Please contact your attorney for sound legal advice about your obligations under U.S., state and international privacy laws.