Why Your Website Needs a Privacy Policy

It’s May 2018, and nearly every website you’ve ever visited has sent you an email with a link to its updated privacy policy.

If your website does not include a privacy policy, you’re probably now wondering: Does it need one?

The short answer: Yes.

(The long answer would fill several volumes. Just search Google for “website privacy policy,” and note that the search engine returns 3.2 billion results.)¹

While there is no one law in the U.S. that requires website owners to have and publish privacy policies, there are several federal and state laws that do. For example:

  • The California Online Privacy Protection Act covers any company or individual with a website that collects “personally identifiable information” from California consumers. So if your website can be viewed in California, and if your website includes a contact form that collects a name and email address, or if your website gathers any such personally identifiable information by other means, your site must meet the Act’s requirements.
  • The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, cemented in 2016 and 2017, establish requirements for transferring data from EU member states and Switzerland to the U.S. So if your website is available in the EU and/or Switzerland, and if your website includes a contact form that collects a name and email address, or if your website gathers any such personally identifiable information by other means, your site must meet the Shield’s requirements.
  • The Children’s Online Privacy Protection Rule (“COPPA”), enacted in the U.S. in 1998, requires operators of websites or online services that are either directed to children under 13 or know that they are collecting personal information from children under 13 to give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children. If you register kids for camp online, or if you invite kids to connect and comment on a Facebook page connected to your website, you may need to comply with COPPA rules.

That Inbox Glut? Blame It On the Europeans

As these and other laws have been on the books for years, why are companies and non-profits all updating their privacy policies now? Here’s why: The EU’s General Data Protection Regulation (GDPR) took effect May 25, 2018. That regulation imposes a whole host of new requirements for owners of websites available in the EU — and significant penalties for non-compliance.

While GDPR gives only European citizens much greater control over information that is collected about them online, the new regulation affects companies and organizations outside the EU whose websites can be viewed in any EU country (27 in all). For a good basic explanation of the GDPR’s effect on U.S.-based website owners, read The Washington Post’s story, Why you’re getting flooded with privacy notifications in your email.

“The new policies, which will be enforced by the Information Commissioner’s Office, require companies to be explicit in their efforts to seek consent from consumers before collecting their personal information,” the Post reported. “Companies also have to give consumers easy access to their own data, and to delete that data if the customer requests it. Many companies subject to GDPR are expected to appoint a data protection officer. And importantly, companies have to notify users quickly of data breaches when they occur — under the new rules, they have 72 hours to inform the public after a breach is discovered.”

As the Post noted, “A number of U.S.-based news sites — the Los Angeles Times, Chicago Tribune, Baltimore Sun and a raft of others — have basically gone offline as far as European readers are concerned.”

For most website owners in the U.S., complying with the GDPR may simply be too expensive. Even experts in data privacy suggest website owners consult an attorney well-versed in international data privacy laws to determine how best to comply with the GDPR — and many of those experts are still trying to find answers to the FAQs about the GDPR. Owners of websites inside the EU also are scrambling; VPN Mentor reported that, although the EU gave website owners two years to comply with the GDPR, only about a third of websites in the EU were ready in April, the month before the GDPR took effect.

For these reasons, we’ve recommended that most of our small-business and non-profit clients block EU access to their websites.

And we have advised them that, to be legally compliant in the U.S., all websites must include a Privacy Policy that (at a minimum) explains:

  • What information you collect about visitors to your website;
  • How you collect that information (cookies, sign-up forms, contact forms, comment forms, etc.);
  • Which third parties, such as YouTube and Google Analytics, also collect information on visitors to your website;
  • How your visitors can block access to information that’s usually collected.

If your website does not include a privacy policy, please contact us for assistance.

FAQs About Website Privacy Policies

Q: Am I correct in saying that NO INFORMATION IS COLLECTED by me about visitors to (my) website? I have phone/email, if submitted, in order to call them or write to them, but I do not permanently keep this info.

A: If you collect names, email addresses and phone numbers, you collect “personally identifiable information,” so you need a privacy policy on your website, whether you keep that information, or not.

It’s important to understand that, in addition to information you personally collect and see — information gathered through the contact form on your website, for example — most websites are collecting lots of other information from visitors. Just for example:

  • A website security plug-in installed on millions of websites records the IP (Internet Protocol) addresses of all visitors to those websites. This plug-in also records attempted log-ins and the location of every log-in attempt.
  • If your website uses Google Analytics, Google is keeping track of all kinds of information — what pages web visitors view, how long they spend on each page, what actions they take, where visitors are located, what kinds of devices (desktop PC, Mac, phone, tablet) they’re using to view your website, and much, much more.
  • If your website includes previews of your social media accounts (Facebook, Twitter, Instagram, Pinterest, YouTube, etc.), then those social networks also are collecting information about your website’s visitors, and it’s difficult or impossible for you to know what those networks are doing with that information. (Note Facebook’s recent revelation that information about at least 87 million Facebook users was compromised.) To better understand how data collected on your website may be used, read Why it’s meaningless to accept a GDPR privacy policy.

Q: I found a copy-and-paste privacy policy that meets the GDPR’s requirements. Can I just use that on my website?

A: You could, but unless you have a way to meet all of the GDPR’s other requirements, you would still be in violation of the regulation. To understand what the GDPR requires of you if your website is available in the EU, read the regulation, do your own research, and hire an attorney who can advise you about GDPR compliance.

Q: Are you certain that I don’t need to comply with the GDPR, even if my website is not available in the EU? I’ve seen at least one blog post that says all websites in the U.S. must meet the regulation’s requirements.

A: One popular website for WordPress site owners suggests that all websites, even those in the U.S. with no EU presence, need to comply with the GDPR. Read The Ultimate Guide to WordPress and GDPR Compliance – Everything You Need to Know for more information. However, a quick search of the web reveals that many experts disagree, and that blocking EU residents from your site probably is sufficient, at least for now.

Q: Are you certain that my website’s Privacy Policy (the one you posted for me) meets all legal requirements?

A: For websites we host, we’re adding custom privacy policies modeled after the policy crafted by Automattic, the people behind WordPress.com.

Like most website service companies, we have clients in many states and a few in other countries, too. It’s not possible or practical for us to research every local, state, federal and international regulation that may apply to all websites in any given jurisdiction. If you want to be certain that the policy on your website meets all of the requirements covered by your local and state regulations as well as all federal laws and international laws, we suggest you contact an attorney well-versed in internet privacy laws. If you have covered the fee for posting your Privacy Policy on a website we host, we will be happy to make any changes you request in that policy, based on your attorney’s recommendations, at no additional cost to you.

Q: We have a Privacy Policy on our website, so we’re good, right?

A: Well, no, because all things Internet are constantly changing. NPR reported May 28 that California is considering a new data privacy law that, if approved by voters in November, “would be one of the broadest online privacy regulations in the U.S. and could impact standards throughout the country.” So it’s important to stay informed and to make changes in your Privacy Policy as laws change.

1. As of May 29, 2018

Disclaimer: While the above information is offered to help website owners understand their responsibilities to their websites’ visitors, we are not attorneys. Please contact your attorney for sound legal advice about your obligations under U.S., state and international privacy laws.
