Why your website needs a privacy policy
Along with Terms and Conditions, the Privacy Policy is one of the least visited pages on any website. And yet, putting the time and effort into creating one is an important step in making sure that both your customers and your business are protected. Almost every website is subject to consumer privacy laws, both in the US and internationally, and to the penalties they can impose for noncompliance.
What laws require a privacy policy?
You may have heard about the strict privacy regulations in the European Union, such as the General Data Protection Regulation (GDPR). They are the main reason for those annoying “cookie notices” at the bottom of many websites. What is less well known is the number of privacy laws that have been passed in the US, with several more in the legislative pipeline. These include:
- California Online Privacy Protection Act of 2003 (“CalOPPA”)
- California Consumer Privacy Act (“CCPA”)
- Nevada Revised Statutes Chapter 603A
- Delaware Online Privacy and Protection Act (“DOPPA”)
- Virginia Consumer Data Protection Act (“VCDPA”)
- Colorado Privacy Act
- Utah Consumer Privacy Act
- Connecticut SB6
While the details of these laws differ, all of them require qualifying websites to disclose how they collect and use site visitor information. And to be clear, if your website has a contact form or newsletter sign-up, you are collecting information from your visitors. As with the GDPR, state laws apply to businesses when residents of that state visit a website, regardless of where the website’s business is physically located. This means that a business in Nebraska can be in violation of a Utah law, triggered by a visit from a Utah resident.
Many laws also require disclosure of the use of cookies, those little data files that get written to a visitor’s computer for a variety of purposes. All sites using Google Analytics, Google Fonts (when not served locally) or Facebook widgets fall into this bucket.
How to write a privacy policy
At a minimum, a privacy policy must include:
- What information about visitors you collect (e.g. name, email, physical address, credit card information).
- How you obtain this information. Does the visitor provide it themselves, or is it gathered automatically?
- The reason for requesting personal information.
- How you store and protect information you have collected.
- How you will update visitors when your privacy policy gets updated.
- Who has access to your information? This includes things like email newsletter services, analytics software and other third-party tools.
As you can see, it probably won’t work to copy and paste someone else’s policy into your site. It’s also not sufficient to include a hand-wavy statement about valuing your visitors’ privacy without providing specifics. Unless you have an attorney draft a policy, the best approach is to use a privacy policy generator that incorporates site-specific information that you provide.
What about the privacy built into WordPress?
Since version 4.9.6, WordPress provides a generic privacy policy template, along with instructions on how to use it. It is located in the admin area under Settings > Privacy. It also automatically creates a draft privacy policy page. Once you open the privacy policy page for editing, you will see a notification at the top with a link to the default WordPress privacy policy page guide.
While the WordPress guide provides a good overview, it does not help you determine what privacy laws apply to you, nor does the template state what privacy laws it helps you to comply with. As with other generators, it will be your responsibility to keep the policy page up to date if your policies or the applicable laws change.
Our chosen solution
After considering various options, Webdancers has selected the Termageddon policy generator to offer our clients. Their President, Donata Stroink-Skillrud, is the chair of the ePrivacy Committee of the American Bar Association, so they know a thing or two about the application of privacy laws globally.
Using a simple Q&A process, Termageddon identifies the privacy laws that apply to you, generates the disclosures required under these laws, and automatically updates your policies whenever these laws change (or when new ones go into effect). In addition to privacy policies, Termageddon also generates Terms and Conditions, Cookie Policies, EULAs and Disclaimers. Cookie consent controls are also provided for those sites that need them.
Webdancers’ management clients may contact us about having Termageddon installed on their sites.