Apr. 25, 2019 • by Jeffrey Pote

Share on:

You’ve designed a website for your business. Or, maybe you’ve developed a mobile application (app) to help you connect with your customers. If so, you may be wondering whether you should have a privacy policy.

If you’re interested in learning more about whether you need a privacy policy for your website or mobile app, below are the top five (5) reasons to develop and implement a solid privacy policy.

1. Required by Law:

For many businesses it is legally required that they conspicuously post a privacy policy on their website or display one in their mobile app. While this is not true for all businesses, when it is, this is pretty clearly the top reason to have a privacy policy.

Failure to comply with data privacy laws can lead to fines and other penalties. So who is legally required to have a privacy policy?

A modern blue background with the word 'privacy' written in large letters next to the side profile of a person's face.

Currently, there is no general federal requirement - and Colorado does not specifically require - that consumers be provided with a privacy policy. However, several states do require privacy policies and a business does not have to be located in one of those states to be subject to those laws.

Perhaps the most important of these privacy laws is also the oldest: the California Online Privacy Protection Act (CalOPPA).FN1 This law has a very broad application and requires the operator of any commercial website that collects personal information on California residents to conspicuously display a privacy policy on their website.FN2

CalOPPA requires the operator of any commercial website that collects personal information on California residents to conspicuously display a privacy policy...

Furthermore, the law also specifies important elements that are to be included or addressed within the required policy. For example, site users must be informed, among other things, about how collected information is used and with whom it is shared or otherwise disclosed. (Additional information about CalOPPA can be found here.)

Given the size and commercial importance of California, this privacy law will be enough to require most businesses to have a privacy policy. But other states have similar laws.

Delaware and Nevada, for example, are also states that impose legal requirements much like those of CalOPPA.FN3 Both of these states are noteworthy due to their popularity for incorporating or otherwise organizing business entities.

The privacy laws of Delaware and Nevada apply to businesses, large and small, that collect information about their residents. The specific elements that the required policy must address are very similar to those of CalOPPA. (Additional information on Delaware's privacy law can be found here. Information about Nevada's law can be found here.)

There are also federal laws that apply to some businesses depending on the type of business or from whom information is collected. For example, the Children’s Online Privacy Protection Act (COPPA) requires certain policies and practices from business that collect information from children under the age of thirteen (13). Additionally, businesses that collect or maintain educational or health information may fall under the scope of other federal laws.

Given the application of these various state and federal laws, most commercial websites and mobile apps will need to have a solid privacy policy.

2. You've Agreed to It:

Owners and operators of commercial websites or apps often have entered into agreements that require them to have and display a privacy policy to their customers. These agreements are generally internet agreements that have been entered into as a part of the terms and conditions, or terms of use, of third party services.

Mobile apps that wish to be included in Google or Apple stores, for example, must have certain privacy policies and procedures in place. Likewise, websites that make use of services from Google, Facebook or Twitter will often have to display a privacy policy that satisfies the specified terms.

To learn more about internet agreements and their enforceability, see the previous entry titled "Creating Enforceable Internet Agreements."

As a result, websites and apps that make use of services from these tech giants will generally need to develop and display a privacy policy. For example, Google Adwords and Analytics both state in their respective terms and conditions that users will display a privacy and cookie policy.

These policies generally specify elements or practices that are to be included like, e.g., disclosing the site’s use of that particular Google service or not associating any personal information with trackable information about site activity.

If you’ve entered into one of these agreements, then you are contractually obligated to display a privacy policy and to comply in practice with what it says.

3. Providing Consumer Protection:

Privacy is often pitted against security. Enhancement in privacy, it is thought, comes at a cost to security. This, however, is not true of data privacy and cybersecurity.

Cybersecurity safeguards data privacy. You do not have to give up on security for the sake of privacy. Instead, improvements in security better secures the data that is to be protected and kept private.

Regardless of their size, businesses that collect personal and other information from their customers should be protecting that information. They have been entrusted by the patrons of their products and services with information that if it were to fall into the wrong hands could wreak considerable havoc in their lives.

Enhancement in privacy, it is thought, comes at a cost to security. This, however, is not true of data privacy and cybersecurity...

As a result, businesses need practices and procedures in place to protect this information and consumers need information about these practice and procedures in order to make an informed choice.

A solid privacy policy will provide information about how consumer information is protected by that business. But businesses that collect information about Colorado residents should consider not only developing a privacy policy, but also a security and disposal policy that governs their handling of this information.

For more information about Colorado’s law requiring an information security and disposal policy, see the previous entry on “Colorado’s Data Privacy Law.”

4. Transparency and Consumer Trust:

We are all consumers of various products and services and, in the 21st century, this means providing a lot of personal and other sensitive information to the businesses that provide the things we want and need.

A privacy policy tailored specifically to your business’s practices and procedures is a great opportunity for you to let interested consumers know exactly what you’re doing with their information...

As a result, modern businesses are increasingly being urged by consumers to protect their valuable information. A privacy policy tailored specifically to your business’s practices and procedures is a great opportunity for you to let these interested consumers know exactly what you’re doing with their information, how you’re protecting it, and whether you’re sharing it with anyone else.

For most small businesses, this transparency is a great chance to build trust.

Unlike the tech giants and other large multinational corporations that get so much attention when it comes to data privacy, smaller businesses generally do not have the resources or budgets to allow them to profit from storing and analyzing large amounts of data from their customers.

Furthermore, they are not often in the business of selling any of their consumer data. If you were already not going to be selling customer information, why not be transparent about that and disclose it in a privacy policy?

For these reasons, small businesses can use their privacy policies as a marketing tool in order to earn consumer trust that larger businesses may be unable to credibly claim.

5. A Bad Policy can be Costly:

Perhaps you already understand that your site needs a privacy policy, so you’ve copied one from another site or hastily thrown one together. This is a dangerous strategy because an inaccurate or misleading policy can create additional liability and legal troubles.

It is important not simply for a website or application to have a privacy policy, but for that policy to actually reflect the business’s procedures and for those procedures to be complied with in practice. Your business’s privacy policy needs to disclose to your customers the ways in which you collect information and how that information is used, shared and protected.

Answers to these questions are unique to your business. Incorrect, incomplete or misleading information here may run afoul of federal or state consumer protection laws. The Federal Trade Commission, for example, can bring suit against businesses who engage in deceptive trade practices.

Colorado, like other states, also has its own laws designed to protect its residents. Successful claims under these laws can result in significant fines designed either to bring about compliance or to punish the business for its deceptive practices and the resulting harm to its consumers.

Furthermore, all fifty (50) states now have data breach notification laws and liability under these laws can depend upon whether the practices and procedures described by a privacy or security policy were actually followed in practice. To learn more about Colorado's data breach notification requirements, see the previous entry titled "Colorado Data Breach Notification."

As a result, because of laws that require privacy policies, laws providing consumer protections, or laws related to data breach notification, a bad privacy policy can do more harm than good.

In short, developing a well drafted privacy policy is good for business and good for consumers. If you'd like assistance with your privacy policy, please Reach out, Today!


Click Here to Toggle End Notes:

FN1: The California Online Privacy Protection Act (CalOPPA) is the short title given to the California Business and Professions Code, Div. 8, Chap. 22 §§ 22575-22579.

FN2: CalOPPA is not to be confused with Californa's newest privacy law, the California Consumer Privacy Act (CCPA), which has a much more limited application but is considerably more onerous to comply with. CCPA goes into effect January 1, 2020 and imposes legal requirements that are independent of CalOPPA's requirements.

FN3: The Delaware Online Privacy and Protection Act (DOPPA) is the short title given to 6 Del. C. § 1201C. Nevada's law is N.R.S. § 603A.300 which is titled "Notice Regarding Privacy of Information Collected on Internet from Consumers."



Stay Informed

Subscribe below to receive a newsletter focusing on legal issues relevant to small business owners.