What Do I Need In My Privacy Policy? Wait... do I need a privacy policy?
This is the second blog in our series about Legal Documents you need for your website. Our first blog, Web Legal 101, gives an overview of Privacy Policies, Terms and Conditions, and Cookie Policies, and you can also check out our detailed blogs about Terms and Conditions and Cookie Policies.
If you have gotten to this point in reading up about legal documentation for your website, congratulations! You are a responsible website owner, and recognize that since your website:
uses ecommerce, analytics, or third-party software,
OR
interacts with anyone outside the US,
OR
collects information from kids in the US under 13,
then you’ve got legislation and regulation to deal with. And you are grown-up enough to pour yourself an adult beverage and start learning. Welcome. Our goal is to make all of this as straightforward and easily understandable as possible, and to explain what laws and regulations affect your business, what you need to pay attention to, and what you need to do to have a law-abiding website.
But first, the obvious:
We are not lawyers. We are not a law firm. Nothing that we say or write should ever be used or seen as a substitute for professional legal advice. At most, you should take any of our discussion of legal issues in the same way that you would take good advice from your gardener neighbor about pruning your shrubs. (Our lawyer made us say that. Not the shrubs bit, though. We added that in ourselves.)
What It Is
Privacy Policies disclose what pieces of personal information you gather from users of your website, how you collect, store, and use that data, and what rights a user has to view or change this data.
Who Needs It
At the top of the blog, we ran through a quick checklist of criteria that will legally obligate you to post a privacy policy on your site that meets the obligations of the legislation that you fall under. Here are the reasons behind it all:
Ecommerce websites and sites that use analytics tools (such as Google or Squarespace analytics) are required by law to have a privacy policy, because they collect personal data from customers (email addresses, first and last names, shipping address, etc.).
If your site incorporates third-party software, such as AdSense, Google GSB, Adwords, Apple App Store, or other advertising or remarketing sites, your agreement with that company includes requirements for your Privacy Policy.
If any of your website audience is outside the US, and you collect personal data from them, then you are required to comply with the laws of the country (or region) that your web visitors are in. Ecommerce sites with customers outside the US fall into this category, and so do sites that sell nothing but still collect personal information from people outside the US (a social network like Facebook is the obvious example, but a mailing-list signup form is enough).
Websites that target a young audience, and collect information from kids in the US under the age of 13, fall under the only federal law in the US written specifically for online privacy. The US has been fairly relaxed about online privacy, except when it comes to the kiddos. These regulations are strict, the fines for failure to comply are high, and they are enforced.
As the laws already enacted evolve and more legislation is passed, it is a pretty safe bet that eventually almost anything published online will need to have a privacy policy attached. Which might not be a bad thing. Right now, though, with the patchwork of state, national, and international laws that we have, it is tricky to determine what laws your website must adhere to.
Lightning-Quick Summary of US Online Privacy Law
Privacy law in the United States is really weak compared to many other parts of the world. In the US, the only federal legislation written specifically for online privacy is the Children’s Online Privacy Protection Act (COPPA), which deals with websites collecting personal info from kids under 13. (Other federal privacy laws, such as HIPAA for health data, apply only to particular industries.) If your site is geared toward adults, then the US doesn’t have one unified federal regulation for online data protection in place.
This lack of federal law makes it a lot harder on small companies with only an American audience. Your site is generally expected to follow the privacy laws of the states your visitors live in. Only a handful of states have comprehensive consumer privacy laws (see below), but every state has at least a data-breach notification law, and the details differ from state to state. The practical way to manage all of this is to write your privacy policy so that it follows the strictest regulations demanded by any state.
As of this writing (20 March 2022), only three states: California, Colorado, and Virginia have enacted comprehensive consumer data privacy laws. California’s laws are already in effect, with stricter guidelines taking effect 01 January 2023. Legislation for Colorado and Virginia will not take effect until 2023.
Significant US Laws On Online Privacy:
COPPA - Children’s Online Privacy Protection Act federal legislation enacted 1998, revised 2013
CalOPPA - The California Online Privacy Protection Act, in effect since 2004, amended effective 2014
CCPA - California Consumer Privacy Act, enacted 2018, in effect since 01 January 2020
CPRA - California Privacy Rights Act, takes effect 01 January 2023
VCDPA - Virginia Consumer Data Protection Act, takes effect 01 January 2023
CPA - Colorado Privacy Act takes effect 01 July 2023
Currently, for an American website targeted to adults, California has enacted the most comprehensive digital privacy law in the nation. So, right now we are looking to California to provide the strictest guidelines to follow.
How The Heck Do I Know Which Laws My Site Needs To Follow?
Fair question. Here is where we break down what your website does, who it does it for, and what legislation you need to follow because of that. Think of it as a game of Never Have I Ever, but with websites.
Category 1: Easy Peasy
If your website DOES NOT USE:
ecommerce, OR analytics tools, OR incorporate third-party software or other advertising or remarketing sites
AND DOESN’T COLLECT PERSONAL INFORMATION FROM:
Kids in the US under 13 OR anyone outside the US,
then you are not legally obligated to have a privacy policy on your website. Nothing at all. No further details necessary. Do a happy dance, because you are done here. (One check before you dance: a contact form or mailing-list signup also collects personal information, so if anyone filling one in could be outside the US, you belong in Category 4.)
Category 2: Basic Privacy Policy
If your website USES:
ecommerce, OR analytics tools, OR incorporates third-party software or other advertising or remarketing sites
BUT DOES NOT do ANY of the following:
Collect personal information from kids in the US under 13 OR anyone outside the US
OR
Have annual gross revenues exceeding $25 million
OR
Buy, sell, receive, or share personal information from at least 50,000 devices, consumers, or households annually
OR
Make at least 50% of its annual revenues from the sale of consumers’ personal information,
then you are legally obligated to have a privacy policy on your website that follows CalOPPA (The California Online Privacy Protection Act) and you need to comply with the requirements of any third-party software you use. (The three revenue and volume thresholds are the ones that decide whether the CCPA applies to you; see Category 3.)
Here are the fundamentals of a Basic Privacy Policy that satisfies CalOPPA:
The website’s homepage should have an easily-seen and clearly marked link to the Privacy Policy.
The Privacy Policy itself needs to inform users in detail of the handling, notice, choice, access, and security of their personally identifiable information (their data). To cover all the legal requirements, at the minimum, you need to address these topics in your Privacy Policy:
List the types of information you collect and explain how it’s collected.
Explain how you use the data you collect and why you need it.
Describe how you store and protect customer information.
Provide a description of your process for notifying users of updates to the Privacy Policy, and of how you will notify them in case of a security breach.
List the date from which the Privacy Policy takes effect.
List who (or what organizations) have access to customers’ data. This includes email newsletter services, analytical software, payment processors, and other third-party tools.
Explain how a user can access information you’ve collected about them.
Explain how users can request changes to their data.
Disclose how your website responds to “Do Not Track” (DNT) signals sent by browsers, and whether third parties (advertising networks, for example) may collect personally identifiable information about a visitor’s activity across different websites.
Category 3: Advanced Privacy Policy
If your website USES:
ecommerce, OR analytics tools, OR incorporates third-party software or other advertising or remarketing sites
AND ALSO:
Has annual gross revenues exceeding $25 million
OR
Buys, sells, receives, or shares personal information from at least 50,000 devices, consumers, or households annually
OR
Makes at least 50% of its annual revenues from the sale of consumers’ personal information
BUT DOES NOT:
Collect personal information from kids in the US under 13 OR anyone outside the US,
then you are legally obligated to have a privacy policy on your website that follows the CCPA (California Consumer Privacy Act) and, from 01 January 2023, the CPRA (California Privacy Rights Act), and you need to comply with the requirements of any third-party software you use.
The CCPA and CPRA are stricter than CalOPPA largely because of the way they define personal information. CalOPPA covers personally identifiable information: a name, address, email address, phone number, Social Security number, anything else that lets you contact a specific person, and other user data only when it is stored together with one of those identifiers. The CCPA reaches much further: browsing and search history, records of how a customer interacts with your website, and the IP addresses, location data, and other details sitting in your web server log files all count as personal information, whether or not they are stored next to a name. The section OK, Define Personal Data... below compares the definitions in detail.
Here are the fundamentals of an Advanced Privacy Policy that satisfies the CCPA and CPRA:
At or before the point of data collection, the website must disclose:
What personal information you collect, from what sources, and for what business purposes
What personal information you disclose to service providers and third parties, and the categories of parties you share it with
What personal information you sell to third parties and what categories of third parties you sell to
What privacy rights consumers have with regard to their personal information
How to make a privacy request
Additionally, the website must explain consumer privacy rights:
The right to know: Businesses must disclose to a consumer the specific pieces of personal data they collect, sell or disclose about them.
The right to opt out: If a business sells consumers’ personal information (including by using interest-based advertising), it must give consumers the opportunity to opt out.
The right to deletion: With some exceptions, businesses must permanently delete any personal information about a consumer upon request.
The right to non-discrimination: Businesses may not discriminate against consumers who have exercised these rights.
Consumers under 16 must opt in before a business may sell their personal information, and for children under 13 a parent or guardian must give that opt-in.
Added by the California Privacy Rights Act (CPRA):
The right to correct inaccurate personal information.
The right to limit use and disclosure of sensitive personal information. This gives consumers additional control over specific categories of personal information.
Category 4: International Privacy Policy
If your website DOES:
Collect personal information from anyone outside the US, through ecommerce, analytics, third-party software, forms for mailing lists, or by any other means. (Consent for cookies is a separate topic, covered in our Cookie Policies blog.)
BUT DOES NOT:
Collect personal information from kids in the US under 13,
then you are legally obligated to have a privacy policy on your website that complies with:
Either the CalOPPA or the CCPA and CPRA regulations (depending on your site, see categories 2 and 3)
Requirements of any third-party software you use
The legislation in whatever foreign country your website does business in, or collects personal information from.
That’s a lot. Generally speaking, the GDPR, which covers the European Union (and the wider European Economic Area), has produced some of the strictest legislation on privacy. But, the GDPR does not cover every aspect of the other foreign legislation, or even of the American legislation. That means you must still make sure that you follow the privacy laws of every country your website and business interact with.
Major International Online Privacy Laws:
GDPR - The European General Data Protection Regulation, in force since 25 May 2018. It applies to the personal data of anyone in the EU, no matter where your website is hosted.
UK GDPR - After Brexit, the United Kingdom kept the GDPR in its own law as the UK GDPR, effective 01 January 2021, alongside its Data Protection Act 2018.
PIPEDA - The Personal Information Protection and Electronic Documents Act, enacted 2000, governing Canada.
APP - The Australian Privacy Principles, part of Australia’s Privacy Act 1988 (the APPs themselves have applied since 2014).
PIPL - China’s Personal Information Protection Law, in force since 01 November 2021.
POPIA - Protection of Personal Information Act, enacted 2013 and fully in force since July 2021, governing South Africa.
LGPD - General Personal Data Protection Law (Lei Geral de Proteção de Dados), enacted 2018 and in force since September 2020, governing Brazil.
Category 5: Children’s Privacy Policy
If your website collects personal information from kids in the US under the age of 13, then you are legally obligated to provide a privacy policy that follows the legislation passed for any other category discussed above that you fall into (CalOPPA, CCPA, CPRA, GDPR, etc.)
AND
Comply with COPPA - The Children’s Online Privacy Protection Act, which deals with websites collecting personal info from kids under 13 in the United States.
This is the only federal legislation that America has passed specifically for online privacy, enacted way back in 1998 and revised in 2013. Since its enactment, Hershey’s, Sony, Google, TikTok, YouTube, Mattel, Hasbro, Fisher-Price, and Nickelodeon have gotten into trouble over COPPA, with millions of dollars of fines levied.
Again, we are not lawyers and cannot give any kind of legal advice. Our friendly advice, however, is this: with COPPA penalties set at more than $40,000 per violation (the amount is adjusted for inflation every year), it would be catastrophic for a small business to run afoul of this law. If you are even thinking about using your website to collect information from kids under 13, schedule a visit to a lawyer that specializes in this field.
OK, Define Personal Data...
Privacy Policies deal with the data that a website receives from its visitors, but every law uses different terms for this information, all of which have different legal definitions.
Personally Identifiable Information
CalOPPA (The California Online Privacy Protection Act) uses the term personally identifiable information, which includes any personal data that can identify an individual consumer, such as:
Full name
Address (Home or other physical address, including street name and name of a city or town)
Email address
Phone number
Social security number
Anything else that enables you to contact a specific person, physically or online
User information collected by a website or online service - if stored in a “personally identifiable form” in combination with one of the above identifiers. Cookies and IP addresses might be considered personally identifiable information depending on how this information is stored. If you store someone’s IP address alongside another piece of their personal information, (for example, their email address) the IP address constitutes personal information.
Personal Information
The CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act) use the term personal information. These regulations are much stricter than CalOPPA, in part because they define personal information in much broader terms than CalOPPA’s personally identifiable information.
In addition to all of the examples of stand-alone personal information that are cited under CalOPPA, the CCPA counts browsing and search history and information regarding a customer’s interaction with a website as personal information, whether or not it is stored alongside a name or other identifier. Therefore, IP addresses, location data, and other information in web server log files qualify as personal information and must be treated as such.
Personal Data
The European Union’s General Data Protection Regulation (GDPR) uses two terms. The more general term is personal data. It differs from the CCPA’s personal information in that the GDPR refers only to individuals, while the CCPA definition also covers information relating to households.
Special Categories of Personal Data
The second term used in the GDPR is special categories of personal data, referring to sensitive data such as health and medical information, racial or ethnic origin, political opinions, and biometric data. The GDPR prohibits processing such data unless the website falls under one of the specific exemptions listed in the regulation. The CCPA does not separately define special categories of personal data, and excludes from its protection medical information and data related to clinical trials, since the privacy of an individual’s health information is covered by HIPAA. (The CPRA adds its own category of sensitive personal information, which is what the right to limit use and disclosure, described above, applies to.)
How to Create Your Privacy Policy
Now, just as we promised that you wouldn’t have to learn to code or become a graphic designer to create a brilliant website, we are also promising you that you don’t need a law degree. We have already paved this path for you. I’m going to suggest two options for creating your privacy policy, and tell you one big no-no.
First option:
Online compliance software services host Privacy Policy generators, which ask you questions about your company, and then generate your Privacy Policy for you. Some of the websites are free to use, some charge a flat fee or monthly subscription for advanced features that tailor the content more specifically to your business.
Pros: Inexpensive, Completed copy ready for you to use within minutes.
Cons: If your business is complex, you may need more customization. Some usage and legal terms may be confusing.
This route is a pretty inexpensive way to go, but it does require that you do your homework. Some popular, trusted, and reliable website generators for you to begin your research:
Second option:
Enlist a lawyer’s services. If you are not comfortable searching and comparing options offered by online websites and doing some reading up on the requirements yourself, then pass this work on. And, if you are dealing with a large enterprise, company, or organization, Privacy Policies are more sophisticated and complex, with an enormous amount of detail. A lawyer will help you sort out what you need to do and advise you on how to best protect your business while keeping everything legally binding.
Pros: Complete customization, along with having an expert advising specific and precise language to include to best protect your business.
Cons: Expense. It may be days before you have working copy.
The Big No-No
I know that it is tempting. It is easy to think that one quick cut and paste could make all your problems go away. But keep your eyes on your own website!
Do not copy. Do not go to another, similar website, copy the legalese and paste it on your website. Nope. Just don’t. Seriously. We’ve got to be grownups about this. First, the agreements from another site are probably not going to fit all the needs of your website. And, if you don’t adequately address all of the regulations that you are legally required to, you could be headed for some nasty fines. Your local newspaper loves to print stories like that, and your poor mother would be ashamed.
Extra Credit On Your Privacy Policy
Now you have a pretty good idea about what you legally have to address in your privacy policy. You can also probably see how far behind the rest of the world the good ole’ USofA is with regards to protecting online privacy. If you are seeing things from the perspective of the customer, and want to improve your privacy policy even more, here are some good ways to start.
Not required of every US website, but really good ideas (several of these become mandatory if you fall under the CCPA/CPRA or the GDPR):
Provide contact information for the company should customers want to reach you.
Explain how you go about modifying or deleting customer data.
Inform users that their data might be collected and sold to others.
Provide the option to withdraw their consent to have their data collected (opt out).
Include a Do Not Sell My Personal Information option, allowing users to withdraw consent. (If your business sells personal information and the CCPA applies to you, this link is required, not optional.)
Detail how users will be contacted in the occurrence of security breaches that impact their data.
Give notice if you will be sending marketing information to their email address.
Explain how your company uses tools like cookies, log files, and other tracking tools.
mini Monster also has detailed looks at other legal documents that you may need to create for your site. Check out our deep-dive blogs on Terms and Conditions and Cookie Policies.