There has been an avalanche of legislation in the United States and Europe regarding online privacy since the rise of the Internet. Today, publishing anything on the web requires familiarity and compliance with privacy laws to avoid the possibility of legal action or fines.
Before I continue, I need to stress that I AM NOT A LAWYER AND THIS IS NOT LEGAL ADVICE! Please consult a lawyer for legal advice for your particular situation.
This article contains some rough guidelines I found in my research on privacy compliance for small business websites. This is an extremely complex legal issue spanning many pieces of legislation on multiple continents, and I am by no means an expert! Please see the links at the end of this article for more information on online privacy.
Why Privacy Is Relevant to Your Website
You may be thinking, “my website doesn’t collect any private information, so I don’t need to worry about any of this.”
Well, if your website has Google Analytics installed on it (or any analytics service for that matter), you’ll need to worry about privacy compliance.
If you have target users in Europe and you use Google Fonts, you’ll need to worry about privacy compliance.
Any time your website collects an email address, that’s private information. So that may include comment forms, contact forms, and blog subscription forms. If you have any of these, you need to worry about privacy compliance.
Every Website Needs a Privacy Policy
Every public-facing website needs a privacy policy that explains what data you collect, what you do with it, how users can control their data, and possibly much more depending on what information your site collects, where its customers reside, and how big your company is. Termly.io has a good explanation of what needs to be in a privacy policy for a small business.
If your company is big enough to have in-house counsel or counsel on retainer, you should definitely use them for guidance on your website’s privacy policy. If your company collects sensitive information or sells personal information as part of its business model, you should also contact a lawyer.
Otherwise, you may be able to use one of the many privacy policy generators online. Two examples are Termsfeed.com and Termly.io. A link to Termsfeed’s free privacy policy template is at the end of this article.
For a more robust policy, I would recommend purchasing a privacy policy subscription from Termageddon, the industry standard for privacy policies. When you purchase their service, they’ll help you generate a policy specifically geared for your site, and they’ll make sure it is always updated to comply with current laws.
Whatever you do, do not just copy another company’s privacy policy. The privacy policy reflects your website’s particular features, as well as your company’s particular policies for handling personal information. Therefore, the privacy policy must be customized for your site and organization.
Disclosure: Some of the links on this page are affiliate links. This means if you click on the link and purchase the item, I will receive an affiliate commission at no extra cost to you. I test or research each service before endorsing it. I own this site and the opinions expressed here are mine.
California Consumer Privacy Act of 2018 (CCPA)
The CCPA is further legislation aimed at protecting user privacy online. It can apply to any site with visitors in California, no matter where your company or organization is based.
The CCPA applies to for-profit entities which meet at least one of the following conditions:
- Over $25 million in annual gross revenue
- Receives information for 100,000 or more consumers (up from 50,000 due to the CPRA going into effect in 2023)
- Derives 50% or more of its annual revenue from selling consumer personal information
Note that nonprofits and California state and local government entities are exempt!
Note that 100,000 annual visitors translates into 274 daily visitors, which is not that high a threshold.
For information on how to comply with CCPA, check out this Termly.io article on the CCPA.
One hallmark of the CCPA is the requirement for a “Do Not Sell My Personal Information” option if your organization sells personal information collected by the site. While you may not think you sell personal information, the law applies even if there is no monetary exchange. For example, you might get some free services from a CRM company if you use them to manage your email list. Thus you might still need to provide a way for users to opt out.
General Data Protection Regulation (GDPR)
GDPR is a privacy law created in the European Union, but it affects businesses located anywhere in the world that have users in the EU. Termly.io has a great summary of GDPR for dummies.
You may still be wondering if the GDPR applies to your organization. I’ve found somewhat conflicting information on this. Some sources say that if your site has even one visitor from the EU it does apply. But, I found this blurb on the official European Commission Website:
When the [GDPR] regulation does not apply
Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
In any case, I would think that a local-focused brochure website for Joe’s Barber Shop in Omaha, Nebraska, for example, would not be a high-priority target for European regulators.
Many of the requirements of the GDPR are good privacy practices and can be handled in your privacy policy and your organization’s operational policies (for example, having someone assigned to remove a person’s data upon request).
Probably one of the most painful parts of GDPR compliance for a small business website that doesn’t collect names or email addresses is making Google Analytics compliant. Google Analytics tracks users, so it is not compliant by default. To make it compliant, you need to get permission from the user before activating Google Analytics on your site. That means an annoying popup. Furthermore, a good number of folks will choose not to be tracked, so you’ll lose some valuable analytics data.
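One way to gate Google Analytics behind that permission, as an added example that is not code from the original post: tracking stays off until the visitor has explicitly opted in, and the stored choice is distrusted if it is missing, malformed, or from an older version of the policy. The measurement ID is a placeholder, and `storage`, `doc` and `win` are injectable stand-ins for localStorage, document and window.

```javascript
// Consent-gated Google Analytics loader (added example, not from the original post).
// Assumes: GA_MEASUREMENT_ID is a placeholder; `storage` has getItem/setItem (e.g.
// window.localStorage); `doc`/`win` stand in for document/window so it runs in Node.
const CONSENT_KEY = "analytics_consent";   // constructed storage key
const CONSENT_VERSION = 1;                 // bump when the privacy policy text changes
const GA_MEASUREMENT_ID = "G-PLACEHOLDER"; // placeholder, not a real property ID
// Missing, malformed, tampered, or stale-version records all mean "no decision
// yet", so the safe default is to not track.
function readConsent(storage) {
  try {
    const rec = JSON.parse(storage.getItem(CONSENT_KEY));
    if (!rec || rec.version !== CONSENT_VERSION) return null;
    return rec.analytics === true || rec.analytics === false ? rec : null;
  } catch (e) { return null; }
}

// Persist the visitor's explicit choice (true = opt in, anything else = refuse).
function writeConsent(storage, granted) {
  const rec = { version: CONSENT_VERSION, analytics: granted === true, at: Date.now() };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Only an explicit opt-in enables analytics; undecided and refused both deny.
function analyticsAllowed(storage) {
  const rec = readConsent(storage);
  return rec !== null && rec.analytics === true;
}

// Inject gtag.js only after consent, so no GA cookie is set for visitors who
// have not opted in. Returns false if the loader was already injected.
function loadGoogleAnalytics(doc, win) {
  if (win.__gaLoaded) return false;
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag("js", new Date());
  win.gtag("config", GA_MEASUREMENT_ID);
  const s = doc.createElement("script");
  s.async = true;
  s.src = "https://www.googletagmanager.com/gtag/js?id=" + GA_MEASUREMENT_ID;
  doc.head.appendChild(s);
  return (win.__gaLoaded = true);
}

// Page-load decision: load if previously opted in, else "ask" (show the banner,
// whose accept handler calls writeConsent(storage, true) then loadGoogleAnalytics).
function onPageLoad(storage, doc, win) {
  if (!analyticsAllowed(storage)) return { action: "ask" };
  return { action: "load", loaded: loadGoogleAnalytics(doc, win) };
}
```

A later refusal (writeConsent with false) takes effect on the next page load, since a script that has already executed cannot be unloaded.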
You’ll just have to make the risk analysis for your organization. How valuable is having complete analytics data and not annoying visitors with a popup vs. strict compliance with GDPR?
You’re Not Done Yet
Let’s say you’ve gone through the work of constructing a good privacy policy and maybe even a privacy compliance popup. You’re not done yet.
In fact, you’re never done, because privacy compliance is an ongoing thing. It’s not enough just to say that you’ll remove someone’s personal information upon request in your privacy policy. You have to have someone in your organization available to receive that request who can remove the info in a timely manner.
This is where privacy trolls come in. They make a request to a site to remove their info. If they don’t get a response in the time specified by law, they may threaten legal action.
So, it’s important that your organization has policies to deal with these privacy requests on an ongoing basis.
Furthermore, new laws are always being passed. That’s why some services like Termly.io provide a subscription service with ongoing updates.
More Information
I’ve barely scratched the surface of website privacy compliance, but I hope I’ve pointed you in the right direction. Here’s where to get more info:
- Termageddon – The industry-standard website privacy policy generator.
- Jetpack Privacy Policy Helper – Text to add to your privacy policy for various Jetpack services.
- Termly.io – Provides policy generators but also has a great collection of easy-to-understand articles about privacy laws.
- Termsfeed.com – Provides policy generators but also has a useful blog. I use their templates for my privacy policies.
- Cookiebot.com – Article on Google Analytics and GDPR.
- WPLegalPages – Privacy Policy Generator and Terms & Conditions Generator WordPress plugin.
I am a freelance web developer and consultant based in Santa Monica, CA. I’ve been designing websites using WordPress and from scratch using HTML, CSS, PHP, and JavaScript since 2010. I create websites and web applications for businesses, nonprofits, and other organizations. I have a degree in Electrical Engineering (BSEE) from California Institute of Technology and a degree in Engineering Management (MSEM) from Stanford University.