Privacy policies are key legal disclosures about how your company protects an individual’s data. If you collect data from consumers, you should read this privacy overview.
While the United States does not currently have a federal, comprehensive data privacy law, several states do. Furthermore, if you collect personal information from countries in the EU or from China, you are probably subject to those laws. It’s best to ensure that you have a policy which strictly adheres to those regulations. Otherwise, you could be liable for significant fines.
So why is all of this necessary? Privacy policies give consumers more control over how their personal information is used. This helps website owners and users to set expectations and ensure transparency. The key is to find a balance between businesses getting information they need to provide their services, as well as for marketing and other commercial purposes, and individuals being able to control which data they share.
Although laws vary by territory, there are a few key points to include within your policy:
- Website owner
- Type of data collected
- How the data is collected
- The legal basis for collection (e.g., necessary to provide the service, consent, and more)
- The purpose of data collection (e.g., marketing and analytics)
- Types of information collected
- Whether third parties will have access to the information
- Whether third parties may collect data through widgets, including social media buttons
- Cross-border and overseas data collection information
- Rights of users to view, edit, and delete their own data and how to do it
- The effective date
Currently, five states require companies and websites to include detailed privacy policies: California, Colorado, Connecticut, Utah, and Virginia. All of these laws include provisions that let consumers access and delete their personal information and opt out of the sale of their personal information.
Some states are more restrictive than others, and their penalties may vary. For example, California includes special protections for minors whose data is collected.
The FTC also requires companies to comply with the promises they make in their privacy policies, regardless of what states they operate in.