Should Your Website Have a Privacy Policy?


Last Updated on February 14, 2020

Failure to protect people’s personal information is an avoidable gaffe. Privacy has been a hot topic in the E.U. and the U.S. over the last few years, with new regulations cropping up, like GDPR, CCPA, Privacy Shield, and COPPA. (We’ll explain some of those later.) And Congress has already stated its intention to pass a federal privacy law.

Although privacy policies are not currently required by federal law, a great privacy policy shows customers you are being ethical, responsible, and transparent about their data (and will also help you to avoid being fined). So yes, your website should have a privacy policy. And it should be clear, concise, and consumer-friendly.  

Why should you care about data privacy? 

You may choose to have a privacy policy in place to avoid potential lawsuits and fines. But as owners and creators of digital products and data flows, we have a more important duty: to protect our users from attacks on their privacy, their dignity, and their safety, and to respect the personal data we’ve been trusted with. More and more Internet users have had their private information stolen, and experience security issues because of it. People want control over their information—and it’s time to start giving that control back to them.

Some believe that consumers aren’t particularly concerned with data privacy, and don’t take the time to read privacy policies. But research shows otherwise. 

Privacy Policy User Stats

The problem is, privacy policies are so contrived that it would take more than a week to read the privacy policies for the websites you visit. Who wants to do that?

Today’s privacy policies are simply compliance documents: written for lawyers, not consumers, as a way for companies to cover themselves for mishandling users’ personal data. 

A study by Carnegie Mellon found that it would take the average Internet user between 181 and 304 hours each year to read all the privacy policies for websites they visit (and those policies get updated every year). 

We need a new form of privacy policies. We need to start writing direct, concise, consumer-friendly, plain-language policies that our customers will actually want to take the time to read. It’s simply a matter of making a conscious effort to write a respectful and readable privacy policy. 

Frameworks to consider when writing a clearer privacy policy 

The GDPR: a practical framework for handling data security

A look at what is GDPR

The most rigorous regulations and guidelines for privacy policies are from the EU General Data Protection Regulation (GDPR). This makes it a very practical framework for handling data security for all companies, even if they don’t necessarily need to become fully compliant with the GDPR. Understanding the GDPR and how it applies to your privacy policy will help you protect your customers’ data now and prepare for new data privacy regulations in the future.

The goal of the GDPR is to unify data privacy laws across Europe, protect and empower all EU citizens’ data privacy, and cohesively shape the way organizations across the region approach data privacy. 

To whom does the GDPR apply? 

The GDPR applies to organizations located within the EU, as well as organizations located outside of the EU. Article 3 of the GDPR states that if you collect personal data or behavioral information from someone in an EU country, regardless of your company’s location, you are subject to the requirements of the GDPR. However, this only applies to consumers physically in the EU—if an EU citizen is actually outside the EU when they access your site, this would not apply.

Want to dive deeper or think you may need to become compliant? Read this article to find out more in-depth details about GDPR, or contact us. We offer a free website assessment, or just a chat.  

GDPR vs. the California Consumer Privacy Act (CCPA)

A new data-privacy regulation in the U.S., the CCPA, goes into effect on January 1, 2020 (actual enforcement date will be 7/1/2020). This law applies only to businesses (based inside or outside of California) that: 

  • Generate $25 million in revenue annually 
  • Acquire information on 50K+ California consumers, households, or devices 
  • Derive 50% or more of their revenue from the sale of personal information 

Where California goes, other states will likely follow. As the California Attorney General’s office gets overwhelmed with compliance violations and complaints, other states will likely become more prescriptive when crafting their regulatory policies. This will likely lead to varying laws across the nation that apply to some companies and consumers, but not all, and that will become increasingly difficult to track. However, lobbyists and members of Congress are talking about creating federal-level data privacy legislation to simplify and align it all.

The best way to proceed: Align with GDPR but keep in mind CCPA 

Until CCPA is enforced, it’s best to align your privacy policy with GDPR because it’s the most comprehensive legislation available.  

Ready to write? Our next blog post, How To Write a Privacy Policy, will offer more specifics about writing a privacy policy following the GDPR guidelines. 

If this all sounds too complicated, just contact us. We’re happy to help you sift through the details and create a policy that’s suited to your business.   


This blog post provides information about data privacy laws to help you understand the potential legal issues associated with them, but should NOT be considered legal advice. We highly recommend you consult with a lawyer to determine the application of data privacy laws to your company’s specific circumstances. While we have conducted extensive research to determine that our content here is as accurate as possible, you should consider this blog post as intended for informational purposes only. 


* From a 2013 study by the Pew Research Center