Guest Author: Nicole Cheri Oden

Chances are you’ve got an opt-in form on a landing page or your website. Or you have some other way of gathering email addresses (or other personal information) in exchange for your freebie or discount. Or you ask for a person’s email address before they can join your Facebook group.

BUT…do you have a Privacy Policy? And if you do, does it address everything it should? Is it posted where it should be?

Let’s chat about what a Privacy Policy is, what it should include, and where it should go.

But first, know that everything I chat about here is intended to provide legal information and education. It is not business, financial, or legal advice, and does not create an attorney-client relationship between us. I’m an attorney licensed in the United States, so everything will be from the perspective of United States law. You should consult with an attorney in your area who understands your particular business situation so that you can take the right steps for you and your business.

What is a Privacy Policy?

Simply put, your Privacy Policy puts your website viewers on notice that you’ll use care in collecting their personal information and tells them how you plan to use it. And it’s required by the California Online Privacy Protection Act (CalOPPA). CalOPPA was the first United States law to REQUIRE online business owners to post a Privacy Policy on their websites if they collect personal information from website viewers who reside in California. “Personal information” includes first and last name, email address, physical address, telephone number, social security number, birthday, height, weight, and any other information that can be used to contact the Californian website viewer physically or via email.

And since you have no idea whether the people interacting with your website or landing page are in California or Timbuktu, you should comply.

When the General Data Protection Regulation (GDPR) went into effect in May 2018, it complicated things a bit. I’m not going to get into all of the nitty gritty specifics here. BUT it is important to know that the GDPR applies to any business that processes personal information from even ONE PERSON in the European Union (E.U.) or U.K.

The GDPR also has an expanded definition of personal information – it’s “any information relating to an identified or identifiable natural person.” Holy cow. This includes the items named in CalOPPA (first and last name, email address, physical address, telephone number, social security number, birthday, height, weight) BUT it also includes anything relating to the person’s “physical, physiological, genetic, mental, economic, cultural, or social identity.” This includes IP addresses. All the tracking software and cookies you have on your website? Yeah, you need your website viewer’s consent.

What Should My Privacy Policy Include?

CalOPPA requires your Privacy Policy to include 6 main things to put your website viewers on notice:

  1. What personal information you collect;
  2. What third parties you share the personal information you collect with;
  3. How a website viewer can contact you to make changes to or update any personal information that was collected;
  4. How you deal with “Do Not Track” requests;
  5. How you notify website viewers of changes to your Privacy Policy; and
  6. The date the Privacy Policy went into effect.

In addition to the things required by CalOPPA, the GDPR requires that your Privacy Policy also include:

  1. How and why you collect personal information;
  2. What you do with the personal information;
  3. How you keep the personal information safe;
  4. How long you retain the personal information;
  5. If you share or sell the personal information with or to third parties (and if so, what third parties); and
  6. If you use cookies.

Where Do I Post My Privacy Policy?

CalOPPA requires online business owners to “clearly and conspicuously” post their Privacy Policy. This means either:

  1. On the home page of your website, or
  2. Via a hypertext link on the home page of your website that contains the word “privacy” written in capital letters (also known as a “browse wrap” in internet law). This is the more common practice across the interwebs; just look at the bottom of the websites that you visit on a daily basis.

Better practice is to actually take it a step further and have a method for your website viewers to affirmatively agree to your Privacy Policy BEFORE providing you with their personal information. So, before they receive your freebie or discount offer, they have to check a box (also known as a “click wrap” in internet law) that indicates they have read and agree to your policy.

And this is because the GDPR requires affirmative consent from your website viewers to process their personal information.

This means:

  1. Your website viewer’s consent must be “freely given, specific, informed, and unambiguous;” AND
  2. Your website viewer must take some sort of action to say, “Yes, you can process my personal information.” Which is why it’s a better practice to have your website viewers check a box that they agree with your Privacy Policy.

So, there you have it. A quick run-down of what a Privacy Policy is, what it should include, and where it should go. And if it seems like too much, you can snag a GDPR-compliant Privacy Policy Template in my legal shop.

I also did a more in-depth interview with Michelle on this topic, and you can check that out here!