Does My Business Need a Privacy Policy?

Yes! Website privacy policies have become a standard part of doing business online, and website visitors these days likely expect one. While there is no general federal law requiring a privacy policy (though many states are passing legislation that may require one, and some businesses have privacy requirements through various data-specific federal statutes such as HIPAA, Gramm-Leach-Bliley, etc.), it is generally good practice to have such a policy, especially if your business gathers contact information or other sensitive personal data (like credit card information).

Note, however, that a privacy policy should NOT be aspirational in nature but should be thought of as a contractual promise made to website visitors. Be sure to abide by what you put in your policy. And do not just copy and paste a policy that does not reflect what your business does. Carefully consider what data your business collects. The cookies tracking visitors to your website are engaged in data collection, but simply directing a customer or visitor to a third-party vendor (such as PayPal) for credit card transactions may not constitute data collection.

What happens if my organization’s website does not have a privacy policy?

Businesses that choose not to have a privacy policy in place can open themselves to potential litigation or investigation by the Federal Trade Commission (FTC) for unfair and deceptive trade practices. Absent comprehensive federal legislation, the implications of a violation of a customer’s privacy are often determined by the application of a patchwork of state laws and the practices (and contracts) of commercial actors.

The convoluted state of the law in this arena makes the old saying “an ounce of prevention is worth a pound of cure” particularly true. Taking the time and relatively modest effort to put a privacy policy in place may be far more efficient (and cost-effective) than navigating a lawsuit after the fact because the business allegedly did not protect its customers’ privacy interests.

How can I ensure my business has a privacy policy that meets our needs?

Unfortunately, the current “patchwork quilt” of laws causes uncertainty as to what is or is not required in a privacy policy, and there is no standard set of rules as to what should be included. Sound practice is to focus on transparency and clarity – have a policy that is straightforward and reasonably easy to read and understand, with technical terms explained and “legalese” minimized. The first step is to consider what data you collect and what you do with it. Be clear as to what data is collected, preferably with examples, and how and with whom that data is shared. Drafting a website privacy policy is more iterative than prescriptive. Do not overpromise or make statements that are absolute (like “we will always protect your data”) or otherwise problematic (“we use state-of-the-art cybersecurity measures”) that may create a contractual obligation that would be actionable if your systems were breached or were found to be out of date.

The following tips can help your privacy policy mitigate risk (an essential purpose).

  • Transparency. When putting this policy together, keep in mind that a clear policy helps build trust. Clearly identify its scope (e.g., “the website at www.XYZ”). Do not make statements you may not adhere to (like “we will not share your data,” if there may be instances where you want or have to share the data, such as mergers and acquisitions or as required by law). If your site gathers data via cookies, say so. Provide specific examples of what may or may not be done with the data collected. Similarly, notify customers of updates. Customers realize that you may need to update the policy from time to time. Proactively reach out with an email or letter to let them know of any material changes.
  • Don’t Copy and Paste! While it may be tempting to use a policy already posted by another company, if the policy you post is not in line with your practices, it may be considered an unfair and deceptive trade practice, actionable by the FTC and potentially subject to class action litigation. It is prudent to delegate the task of drafting a policy to professionals. Those with experience drafting these policies can better ensure you get one that meets your needs while protecting your business’s interests.
  • Follow the Policy! Having a privacy policy is not the end. You need to regularly revisit the policy to ensure it reflects your practices and fits your needs and update it when it doesn’t. If you plan on sharing data in collectives or targeted advertising, the policy should clearly articulate these contemplated uses. If you say you will only retain data for a certain timeframe, do so. Failure to follow one’s own policy can lead to liability.

Calfee attorneys regularly help clients identify their objectives related to doing business and collecting information online. Then, with those considerations in mind, an appropriate privacy policy can be drafted that carefully and accurately discloses what data is collected and what is done with it in order to help shield the website owner from liability.

Businesses looking for comprehensive legal counsel and oversight of online privacy and data security issues can trust Calfee, with locations in Ohio, Washington D.C., Indianapolis and New York as well as globally through the Lex Mundi legal network.

Calfee Connections blogs, vlogs, and other educational content are intended to inform and educate readers about legal developments and are not intended as legal advice for any specific individual or specific situation. Please consult with your attorney regarding any legal questions you may have. With regard to all content including case studies or descriptions, past outcomes do not predict future results. The opinions expressed may not necessarily reflect the viewpoints of all attorneys and professionals of Calfee, Halter & Griswold LLP or its subsidiary, Calfee Strategic Solutions, LLC.

Non-legal business services are provided by Calfee Strategic Solutions, LLC, a wholly owned subsidiary of Calfee, Halter & Griswold. Calfee Strategic Solutions is not a law firm and does not provide legal services to clients. Although many of the professionals in Calfee’s Government Relations and Legislation group and Investment Management group are attorneys, the non-licensed professionals in this group are not authorized to engage in the practice of law. Accordingly, our non-licensed professionals’ advice should not be regarded as legal advice, and their services should not be considered the practice of law.

Updates related to all government assistance/incentive programs are provided with the most current information made available to Calfee at the time of publication. Clarifications and further guidance may be disseminated by government authorities on an ongoing basis. All information should be reaffirmed prior to the submission of any application and/or program participation.

