You’ve just built your website. You need a privacy policy. But there are new laws about digital privacy, and new practices too. Google is getting rid of third-party cookies, GDPR is in force, and the CCPA might affect you too.
You need a privacy policy that’s compliant, so you don’t get in trouble, and that reassures your visitors. This is not a post that teaches you how to do that, because that would be legal advice, and you want to talk to a lawyer about that. Instead, this is an overview of what a privacy policy should contain in 2021.
What it all means:
- GDPR: General Data Protection Regulation. A European law that affects everyone who does business with Europeans, and imposes strict limits on data collection and storage.
- Cookies: Code from websites that sits on your computer and tells the website, or other sites, about you. Used for advertising, marketing and making websites work.
- CCPA: California Consumer Privacy Act. Creates obligations to notify people about their data, let them see it, and opt out of having it used or sold. Applies to larger businesses with annual revenue over $25 million.
- Tracking Pixel: A tiny piece of code that lets companies follow users and see their behavior on the internet.
What do you have to tell people who visit your site? And how should you put your privacy policy together?
You could:
Copy and paste someone else’s privacy policy. Bad idea: theirs is probably out of date and this might be how they did it in the first place. You could be following someone who’s following someone — who doesn’t know the way.
Copy and paste WordPress or another CMS’ privacy policy. Also a bad idea; tons of it won’t apply to you. And privacy policies can contain elements of contract; you might find yourself making promises in your privacy policy that you shouldn’t be making or can’t deliver on.
Get a lawyer and have them write it. You can’t go wrong (assuming you pick the right lawyer).
However you do it, your privacy policy will need to include some crucial information.
Here’s what you need to know.
What does my privacy policy need to include?
Your privacy policy now needs to be compliant with two new laws: the Californian CCPA and the European GDPR.
Who does GDPR apply to?
- Any company that processes data and is located in the EU, wherever the data is processed.
- Any company that offers goods or services to EU citizens and processes their data. This one applies to a lot of businesses. If you’re deliberately selling anything to EU citizens, GDPR probably applies to you.
GDPR creates rights for European citizens, then obliges companies from everywhere in the world to respect those rights. Company location doesn’t matter. And it applies to personally identifiable data, regardless of the business relationship. If someone can be identified by the data you’re collecting, even if it’s their business email address, GDPR applies. So, B2B businesses are not exempt.
Unlike CCPA, there’s no company size exemption to GDPR, though smaller businesses might be exempt from some specific elements, like the requirement to appoint a Data Protection Officer.
Who does CCPA apply to?
For-profit companies that:
- Have over $25 million annual gross revenue
- Buy, receive or sell personal information of 50,000 or more California residents, households or devices
- Derive 50% or more of their annual revenue from selling the personal information of California residents
You don’t need all of these — any single factor on the list means you’re covered by CCPA, wherever in the USA your business is located.
(The Wikipedia pages for GDPR and CCPA are good places to learn more, but you can just read this guide…)
Financial services and the Gramm-Leach-Bliley Act
If you offer financial services, your privacy policy should also be compliant with the Gramm-Leach-Bliley Act, which requires companies that offer financial products or services, including loans, advice and insurance, to explain how they share information and to safeguard sensitive data.
Medical services and HIPAA
If you offer medical services, you’ll need to be compliant with HIPAA. This includes some therapists; HIPAA covers anyone whose website stores or transmits protected health information (PHI).
That includes:
- Identifiable demographic or genetic information related to health
- Information that relates to the physical or mental condition of an individual
- Payment or financial information related to healthcare
This applies to any information-gathering tools on your website, including contact forms, patient reviews and testimonials, or live chat.
If you’re collecting any information like this, HIPAA makes it your responsibility to take reasonable measures to protect it; if you’re keeping personally identifiable information it should be on a server that’s encrypted and secure.
Your email servers, web forms and all other communications used for PHI should also be encrypted and secure.
What should your privacy policy include?
With these laws in mind, your privacy policy should tell visitors:
What data you’re collecting and how
You don’t have to be forensically accurate, but you do need to be clear enough that a normal person can figure out what you’re doing. If you collect any personally identifiable information, say so and say what kind (names, medical information, IPs, phone numbers and email addresses). If you don’t, say so.
What you’re going to use it for
Briefly tell visitors what you’re using their data for. If it’s to make some aspect of your business work, let them know.
Will any third parties have access to it?
If they do, you should tell your visitors. Are you selling it, or passing it on to someone else who will? Are you sharing it for professional reasons?
Visitors’ data rights
Realistically, hardly anyone is going to want you to give them all their data. But you should tell people their rights.
Changes and dates
How will you notify visitors about changes? Even if you’re not exactly planning on editing your privacy policy, laws and regulations can change. Tell visitors when your privacy policy comes into effect too.
Active consent
GDPR requires that consent for data collection and processing be freely, clearly and actively given. ‘By using this website, you agree…’ won’t fulfill the requirements of GDPR, and neither will the pre-checked boxes we’re used to seeing on cookie permission popups. Users shouldn’t have to search for GDPR consent forms, so the best practice is a popup that lays out what you’re doing in plain English, links to your full privacy policy, and requires a user action like checking a box actively to proceed.
Google Analytics and user information
If you installed Google Analytics after October 14, 2020, there’s good news: you’re GDPR-compliant by default, because Google Analytics 4 anonymizes IP addresses by default.
Legacy Google Analytics is not GDPR-compliant ‘out of the box.’ (No EU customers and no plans to ever have any? Then you might not care.)
It collects visitors’ IP addresses. You don’t see them directly, but they go to the Geo reports, service provider reports, and can be used to filter results. The point is that collecting user IPs without permission violates GDPR and you’re doing that with Google Analytics, even though you never actually see them directly.
If you’re using legacy Google Analytics, you can change its settings so it doesn’t collect personally identifiable information by changing the JavaScript tag that Google Analytics uses to collect data.
JavaScript is the programming language used for interactive and moving elements on websites. Your Google Analytics tag is in the Head section of your website’s HTML.
Out of the box, it collects users’ whole IP address, which looks like this:
With this IP address, you can identify my location and the specific device I’m using to connect to the internet. (In this instance, you can identify an ExpressVPN server, but you get the idea.) It’s the last few numbers, after the third period, that identify my device. And you can set Google Analytics to cut those numbers off by setting them to zero.
You’ll need this tag:
gtag('config', '<GA_MEASUREMENT_ID>', { 'anonymize_ip': true });
For post-2020 installs you probably don’t need to do anything.
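As an added example, not code from the original post: the first function mimics Google's documented IP anonymization rule (IPv4 zeroes the last octet, IPv6 zeroes the last 80 bits) so you can see what the setting actually strips, and the second scans a page's head snippet for gtag('config', ...) calls and reports whether each one carries anonymize_ip: true. The head snippet is constructed here and GA_PLACEHOLDER_ID is a placeholder, not a real measurement ID.

```javascript
// Added example (not from the original post): what anonymize_ip does,
// and a check that a page's tag actually carries it. Google's documented
// rule: IPv4 zeroes the last octet; IPv6 zeroes the last 80 bits.
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    // IPv6: expand a "::" gap so groups can be counted, keep three groups.
    const [head, tail = ''] = ip.split('::');
    const headGroups = head ? head.split(':') : [];
    const tailGroups = tail ? tail.split(':') : [];
    const missing = 8 - headGroups.length - tailGroups.length;
    const groups = [...headGroups, ...Array(missing).fill('0'), ...tailGroups];
    return groups.slice(0, 3).join(':') + '::';
  }
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error('not an IPv4 address: ' + ip);
  octets[3] = '0';
  return octets.join('.');
}

// Finds every gtag('config', ...) call in a head snippet and reports
// whether its options object sets anonymize_ip: true.
function auditGtagConfig(html) {
  const call = /gtag\(\s*['"]config['"]\s*,\s*['"]([^'"]+)['"]\s*(?:,\s*(\{[^}]*\}))?\s*\)/g;
  const results = [];
  let m;
  while ((m = call.exec(html)) !== null) {
    const opts = m[2] || '';
    results.push({ id: m[1], anonymizeIp: /['"]?anonymize_ip['"]?\s*:\s*true/.test(opts) });
  }
  return results;
}

// Constructed sample head snippet; GA_PLACEHOLDER_ID stands in for a real
// measurement ID. This is the unmodified tag, so the audit flags it.
const SAMPLE_HEAD = `
<script async src="https://www.googletagmanager.com/gtag/js?id=GA_PLACEHOLDER_ID"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'GA_PLACEHOLDER_ID');
</script>`;

// Usage: anonymizeIp('203.0.113.77') -> '203.0.113.0';
// auditGtagConfig(SAMPLE_HEAD) -> [{ id: 'GA_PLACEHOLDER_ID', anonymizeIp: false }]
```

Run the audit against your own page source (view-source or Inspect) and it will tell you whether the fix is in place, without needing to read the tag by eye.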
How do you know which version of Google Analytics you have?
If you’ve got someone helping you with the technical aspects of your site, just get them on it. If not, you can do this:
- Open your website in Chrome browser
- Right-click anywhere on the site
- Select Inspect
- Look in the Head section. If it looks like this:
Just click on it to open it up.
- You’re looking for this:
If you see a ‘Global site tag,’ you have Google Analytics 4. If you have a different type of tag the chances are you’re running an earlier version.
Facebook tracking pixels and your privacy policy
Facebook tracking pixels make you subject to GDPR because they collect personally identifiable information about your users.
Contact forms
If you’re collecting personally identifiable information via web forms, like if you ask for names, addresses, email addresses or phone numbers on your ‘get in touch’ form, you need to notify your customers of that and store the information you collect securely. Encrypted servers should be used, and you should store this kind of data in a way that lets you easily delete or share it in response to customer requests. This is even more important if you also ask for information about why your users want to contact you.
Collecting consent
If you need visitor consent for specific forms of data gathering, like Facebook tracking pixels, get it in a cookie banner that pops up when visitors arrive at your site. Add a link to the section of your privacy policy where you explain what that item does.
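An added example, not code from the original post, covering both the "Active consent" and "Collecting consent" points above: a small consent gate in which trackers such as the analytics tag or a Facebook pixel load only after the visitor has actively ticked a box, nothing counts as consent by default, and a change to the policy's effective date (POLICY_VERSION, a placeholder here) invalidates earlier consent so the banner is shown again. The store object and loader functions are assumptions for the example.

```javascript
// Added example (not from the original post): a consent gate in the spirit
// of GDPR's "freely, clearly and actively given" consent. Trackers load only
// after the visitor has ticked a box; nothing is assumed from page visits
// or pre-checked boxes, and a policy change invalidates old consent.
const POLICY_VERSION = '2021-01-01'; // placeholder: your policy's effective date

// Records exactly what the visitor ticked. Anything other than a literal
// true (undefined, "on", 1) is treated as not consented.
function recordConsent(store, choices) {
  const normalized = {};
  for (const purpose of Object.keys(choices)) {
    normalized[purpose] = choices[purpose] === true;
  }
  store.consent = {
    choices: normalized,
    policyVersion: POLICY_VERSION,
    givenAt: new Date().toISOString(), // when consent was given, for your records
  };
  return store.consent;
}

// True only if a current decision exists for this purpose and says yes.
function mayLoad(store, purpose) {
  const c = store.consent;
  if (!c) return false;                                 // no decision yet
  if (c.policyVersion !== POLICY_VERSION) return false; // policy changed: re-ask
  return c.choices[purpose] === true;
}

// Show the banner whenever there is no decision for the current policy.
function bannerRequired(store) {
  return !store.consent || store.consent.policyVersion !== POLICY_VERSION;
}

// Runs only the loaders (e.g. analytics tag, Facebook pixel) that were
// consented to and returns their names; nothing loads "by default".
function loadTrackers(store, loaders) {
  const loaded = [];
  for (const [purpose, load] of Object.entries(loaders)) {
    if (mayLoad(store, purpose)) {
      load();
      loaded.push(purpose);
    }
  }
  return loaded;
}
```

In a real page the banner's checkboxes start unchecked, the form submit calls recordConsent with the ticked values, and loadTrackers runs afterwards; the store would typically be persisted so returning visitors are not asked again until the policy changes.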
Conclusion
To tailor your privacy policy to your exact needs, you should get legal advice and, to be clear, nothing in this post constitutes legal advice! But while I’m no lawyer, I am a marketer. Your privacy policy can be a dreary boilerplate that you have to drag yourself through and your visitors will never see. But if you make it prominent and readable, and make the effort to come across as friendly, approachable and open in your privacy policy, you can turn it into an element of your branding process and a tool to show your prospective customers who you are.