Guest Blog Post for Redwood Valley Technical Solutions by Donata Kalnenaite, Esq., CIPP
Business websites are a great way to inform prospective customers about your products or services, to introduce yourself and your brand, and to provide educational resources. But let's be honest about the real reason so many businesses have websites: to generate leads. You put time, money and soul into your website because you want it to make money for you. You want potential customers to contact you through it, book your services or buy your products. That is all well and good, but a successful, lead-generating website has an unfortunate by-product: privacy obligations. Don't fear, though; most of these can be addressed with a Privacy Policy for your website. In this post, we'll cover which websites need a Privacy Policy, why they need one, and some of the risks of not having one.
Which websites need a Privacy Policy
Does your website need a Privacy Policy? Many people think that only websites collecting financial information need one, or that a "secure" website (for example, one served over HTTPS) doesn't need one. Others believe that only websites that share personal information with third parties need a Privacy Policy. All of these are common myths. HTTPS protects data in transit; it does not change the fact that you are collecting that data. While privacy regulations can get complicated depending on whose information you collect, the answer to whether you need a Privacy Policy is actually very simple.
Any website that collects Personally Identifiable Information (PII) needs a Privacy Policy. PII is any data that could identify an individual. Examples include a name, email address, phone number or physical address. You may notice that your contact form collects some or all of these. You may also have an email newsletter sign-up form, which asks for an email address in exchange for updates about your company and offerings; that form collects PII too. Forms are not the only collection point, either: analytics scripts, server logs and embedded third-party widgets can record identifiers such as IP addresses, which GDPR treats as personal data. So if you have a contact form or a newsletter sign-up form on your website, you need a Privacy Policy.
Why some websites need a Privacy Policy
Now that you know your website needs a Privacy Policy, you may be asking yourself "why?" The truth is that regulation of the use of Personally Identifiable Information has become a serious concern only fairly recently. What changed? Since the data abuses by large companies such as Facebook and the privacy scandals that followed, consumers have become increasingly interested in the protection of their privacy and their data. Lawmakers have listened, and multiple countries and states have passed their own data protection laws.
The following laws require websites that collect PII to have a Privacy Policy:
- General Data Protection Regulation (GDPR): a European Union law that protects the personal data of EU residents. Consent is one of the lawful bases GDPR recognizes for collecting and using PII, and a compliant Privacy Policy is key to obtaining valid, informed consent. GDPR applies to:
- Organizations inside of the EU;
- Organizations outside of the EU if they offer goods or services to EU residents or monitor the behavior of EU residents.
- The California Online Privacy Protection Act (CalOPPA) has been around since 2003 and applies to anyone whose website collects the PII of California consumers. It applies regardless of where your business is located and requires a Privacy Policy containing very specific disclosures.
- The California Consumer Privacy Act (CCPA) was passed in 2018 and goes into effect on January 1, 2020. It applies to for-profit companies that do business in California and meet at least one of the following thresholds:
- Annual gross revenue of more than $25,000,000;
- Annually buy, receive, sell or share the PII of 50,000 or more California residents, households or devices; or
- Derive more than 50% of their annual revenue from selling the PII of California residents.
- Lastly, there is Nevada's online privacy law and its recent amendment (SB 220), which went into effect on October 1, 2019. The law requires you to have a Privacy Policy that makes very specific disclosures. It applies to:
- Businesses in Nevada;
- Companies outside of Nevada who:
- Direct their activities to Nevada;
- Transact with Nevada consumers; or
- Are sufficiently connected to Nevada.
Other states, including Minnesota, are proposing privacy bills as well.
Note that many of these laws contain provisions that make them applicable to businesses outside the state that passed them. When consumers search Google, they go to whichever website answers their question or meets their need, not necessarily one located near them. This means these state-specific laws may apply to you regardless of your physical location.
These laws govern the collection and use of PII on websites and may apply to you regardless of your business size. Other states are trying to catch up as well: approximately ten states have now proposed their own privacy laws, each of which would require changes to the disclosures in your Privacy Policy.
The risks of non-compliance
Now that you know that you need a Privacy Policy and why, you may be asking yourself "well, what happens if I don't have one?" The truth is that penalties for non-compliance can be high. Several of these laws penalize non-compliance at $2,500 per violation, or $7,500 per intentional violation (the CCPA's figures); Nevada's law provides for penalties of up to $5,000 per violation. Because a violation can be counted per affected website visitor, this can add up to hundreds of thousands of dollars even if you have only a few hundred visitors a month. GDPR goes further, with fines of up to €20,000,000 or 4% of worldwide annual turnover, whichever is higher, which would put a small business out of business immediately.
While fines and penalties are bad enough, there are other reasons to comply. Consumers care about their privacy and, all other things being equal, will choose the service that respects it. Showing your customers that you care can win you business. A compliant Privacy Policy is a win-win for everyone.
Your website needs a Privacy Policy, and having a compliant one can help you avoid fines and penalties, win customers and prevent lost sales. We hope you consider Termageddon for your Privacy Policy needs. Termageddon generates Privacy Policies and updates them whenever the laws change, so that you stay compliant.
Ready to Implement your Privacy Policy?
RV Tech Solutions Care Plan clients can add a Privacy Policy and other policies to their website through their plan. If you're not on a Care Plan and need help getting a Privacy Policy onto your site, just reach out; the RV Tech Team is here to assist you.
About the author: Donata is the President of Termageddon and the engineer behind its policy questions and text. She is a licensed attorney and a certified information privacy professional. She regularly volunteers at the Illinois State Bar Association, teaching courses on the General Data Protection Regulation in which she instructs other attorneys on the importance of privacy and what a Privacy Policy should contain. This post is provided for informational purposes only and should not be considered legal advice.