Short answer:
Yes, most modern websites need policies like a Privacy Policy – including small business websites.
BUT… this isn’t always the case. That’s where a longer answer is needed.
Longer answer:
Privacy laws are designed to protect people’s data. This data is often referred to as Personally Identifiable Information (PII). Therefore, privacy laws typically apply to websites that collect PII, which happens more often than many website owners realize.
Examples of PII and PII collection
PII looks slightly different depending on the law, but it usually refers to:
- Names
- Email addresses
- Phone numbers
- Physical addresses
- IP addresses
- Payment information
Small business websites usually collect this information by using:
- ‘Contact Us’ forms
- Newsletter/email subscribers
- eCommerce forms
- Google Analytics or other analytics tools
- Advertising tools such as the Facebook Pixel
What privacy laws apply to small businesses?
Every privacy law is designed to protect people’s PII from being collected or used in a secretive or inappropriate manner, but some of these laws will exclude small businesses or nonprofits.
For example, many privacy laws (CPRA, VCDPA, Connecticut SB6, Utah Consumer Privacy Act, and Colorado Privacy Act) note that a website must collect a certain amount of data or make a certain amount of money off collecting this data for the law to apply to them. Most of the time, these numbers are far beyond what a typical small business would see.
That being said, some of the world’s most advanced privacy laws do require small businesses have a Privacy Policy if they collect PII. These include:
- CalOPPA
- Nevada Revised Statutes Chapter 603A
- Delaware Online Privacy and Protection Act (DOPPA)
- GDPR
- UK DPA
- PIPEDA
- Quebec Law 25
- Australia Privacy Act of 1988
*NOTE: A business doesn’t have to be located in the state/country of a particular privacy law for that law to apply to it. The laws are designed to protect residents of that area. So, if a website just collects (or is open to collecting) PII from people living in these areas, the laws could apply to that business.
Do small businesses ever get fined over privacy laws?
It’s no surprise that news headlines usually focus on large corporations getting fined hundreds of millions of dollars. There’s a shock value to that kind of number that gets clicks.
However, that doesn’t mean there aren’t small businesses also getting fined. In fact, with fines typically starting at $2,500 per website visitor whose rights have been infringed upon, fines can add up in a way that can be more devastating to smaller businesses.
While it’s still somewhat rare for a small business to be sued, it is becoming more and more common each year. GDPR, one of the world’s most comprehensive privacy laws, does a superb job of tracking each GDPR lawsuit. Browsing through their tracker will reveal two things:
1) That businesses ranging from massive corporations to mom-and-pop shops are being fined, and;
2) The number of fines is increasing dramatically each year.
GDPR – being one of the first and most comprehensive privacy laws – is usually a good indicator of what other privacy laws across the globe are doing as well. That’s why we’re also seeing a growing number of fines and lawsuits from other privacy laws as well.
How does a small business get a Privacy Policy?
The best option for small businesses is to hire an attorney who specializes in privacy law. Not only can a privacy attorney find out what laws apply to a particular small business and write website policies specifically for that business, but they can also keep the policies up to date as laws change (eight new ones going into effect over the next two years).
An attorney can also offer legal advice, which is why it’s the best option… for businesses that can afford it.
It’s no secret that attorney fees can get expensive. It’s fair to say not all small businesses are in a spot where they can afford such services. That’s why we recommend Termageddon as an alternative.
Termageddon is a Privacy Policy Generator that was founded by a privacy attorney. The generator helps businesses identify what laws apply to them and then generates the appropriate policies. Unlike most other generators, Termageddon will also monitor upcoming privacy laws and automatically update policies to help businesses stay protected.
Conclusion
Privacy laws are here to stay and that’s not a bad thing. Small businesses should want to respect the privacy of their website visitors. Getting onboard with good privacy practices now, while it’s still somewhat new, can even prove to be a competitive advantage for small businesses.