The truth about website policies: small business and the law

The current privacy landscape and the requirements placed on businesses to protect and respect consumer privacy can be quite confusing. Laws are being passed, bills are being proposed and businesses are getting sued. The fact is that businesses are now required by law and encouraged by consumers to protect and respect privacy. However, with all of the news and opinions, it’s easy to get lost and lose sight of what the actual requirements are and how to abide by them. As a small business owner, you may be asking yourself which of those requirements apply to you and what you should do to ensure that you are compliant. In this blog, we will break down the three most important things you need to know: websites that collect personal information, the current laws, and the proposed laws, so that you can stop wondering and be in the know.


1. Collecting personal information

The first thing that you need to know in determining whether you need to comply with the privacy laws is whether your website collects personal information. Personal information is any information that relates to an identifiable person. Examples of personal information include the following:

1. Name;
2. Email;
3. Address;
4. Phone number.

If your website has a contact us form or an email newsletter sign up form where users can input their personal information and send it to you, then you are collecting personal information and need to comply with privacy laws. If your website does not collect personal information, then chances are that you are in the clear and can go on and do more fun things instead of reading the remainder of this article.


2. Current privacy laws

If you have a website that collects personal information, the following laws may apply to you, thereby requiring you to have a compliant Privacy Policy:

1. General Data Protection Regulation (“GDPR”) requires websites to obtain consent prior to collecting personal information. A large part of consent is informing users, via a Privacy Policy, of what information is collected, what is done with that information and who it is shared with. GDPR applies to you if you:

  • Are located in the European Union;
  • Offer goods or services to European Union residents, regardless of your location;
  • Monitor the behavior of European Union residents, regardless of your location; or
  • Process and hold the personal data of European Union residents, regardless of your location.

If the above applies to you then you are required to have a Privacy Policy or you will face heavy fines and penalties.

2. California Online Privacy Protection Act of 2003 (“CalOPPA”) requires the proprietors of commercial websites to have a Privacy Policy as well. This law applies to you if you collect personally identifiable information about consumers residing in California, regardless of where your business is actually located.

3. California Consumer Privacy Act (“CCPA”) is a new California law that goes into effect on January 1st, 2019. The law requires certain website owners to have a Privacy Policy that includes the consumers’ rights under this new law. This law does not distinguish by where the actual business is located either. The CCPA applies to any for-profit business that:

  • Has annual gross revenues of over $250,000,000;
  • Annually buys, receives, sells or shares the personal information of 50,000 or more California residents, households or devices; or
  • Derives 50% or more of its annual revenue from selling the personal information of California residents.

Penalties for non-compliance are $2,500 per violation or $7,500 per intentional violation, so having a compliant Privacy Policy can save you a lot of headache and money.

4. Nevada privacy law requires website owners to have a Privacy Policy as well. The law does not apply to just Nevada businesses but also to businesses that consummate transactions with Nevada residents, advertise in Nevada or collect and maintain the personal information of Nevada residents.

If the laws above apply to you and your business, then you need to have a Privacy Policy on your site. Remember, consumers do not search for websites according to the location of the business operating the website; they search for what they need. Therefore, it is likely that the laws of other states will apply to you.


3. Proposed privacy laws

While the laws above may seem overwhelming, it’s important to remember that various other states are also proposing their own privacy bills that would change the requirements to have a Privacy Policy and would affect the disclosures that need to be made in those policies. Currently, approximately ten states have proposed their own privacy bills. All of these bills would require changes to Privacy Policies, and their reach may extend outside of the states in which the bills were written. In addition, the federal government has proposed four privacy bills, all of which would also require changes to Privacy Policies. This area of law is uncertain and changing fast, so your obligations regarding privacy may change as well, and it’s important that your business keeps up to date with those changes.


4. Getting a Privacy Policy

Knowing that a Privacy Policy is something that almost every business website needs, 4 Directions Media has partnered with Termageddon to help you get compliant. Termageddon is a generator of Privacy Policies, Terms of Service, End User License Agreements and Disclaimers. The best part is that Termageddon will update your policies whenever the laws change, so you don’t have to worry about it. Contact us if you’re interested in protecting your business!