Privacy Policies - What are they and why do I need one?

This blog post was first published on 8 June 2019

Privacy policies - that page you link to the footer of your website with all the boring legal stuff in

OR

A mandatory document to implement a global standard on data protection?

The answer...

It's both. I totally understand that most people approach data protection with a bit of a groan but it's big stuff for businesses. Whilst the legislation was implemented by the EU it applies to businesses all over the world.

What's it all about?

Put simply if your website collects the personal information or someone from one of the EU member states then you need to protect their data and your privacy policy is the mandatory document which tells people how you are handling their data.

Does it apply to me if I don't sell products online?

It applies to you if you collect personal data, so if you have a mailing list and capture people's name and email address you're required to comply. It is also required if you use Third Party services which track users for analytics. Whilst it may seem unidentifiable it is deemed as identifiable as it can be used in conjunction with another piece of data to identify an individual. Google Analytics terms of service state that if you use their service you must disclose the use of Google Analytics and how it uses and processes data. Other third parties which you may use such as Mail Chimp and Facebook all have similar statements which require that users of their services have clear Privacy Policies.

What is the classification of ‘personal data’?

Personal data includes name, date of birth, email address, billing and/or shipping address.

Which countries require me to have one and under what laws?

• Australia - Privacy Act of 1988
• Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
• European Union - General Data Protection Regulations (GDPR)
• United Kingdom - Data Protection Act 1998 (DPA)
• United States - there is not one piece of legislation, but a number including: The Americans with Disability Act, The Cable Communications Policy Act of 1984, The Children’s Internet Protection Act of 2001, The Computer Fraud and Abuse Act of 1986, The Computer Security Act of 1997 and The Consumer Credit Reporting Control Act and California Online Privacy Protection Act (CalOPPA)

How can I get one?

You can create one. Simply prepare a document setting out how you manage and process people's data. You can find a template document which I have prepared here which also has drafting notes do that you can easily implement it onto your site.

I’ve got a Privacy Policy, where should I disclose it?

There are no legal specifications about exactly where it should be put but there are legal requirements which include that it must not be hidden and should be easy to access for all website visitors.

How can I find out more information?

If you're a UK business a great place to start is the ICO website, head to ico.org.uk.

Please be aware that the detail on this post is information only and does not constitute legal advice. If you need legal assistance you should instruct a legal professional in your jurisdiction.