Does my website need a privacy policy?


If you're just taking your business online, you'll no doubt have a list of to-dos as long as your arm.

One item that can easily be overlooked is the addition of a privacy policy to your website — though it is vitally important following the introduction of GDPR (General Data Protection Regulation) throughout Europe (and, more recently, UK GDPR, which is explained further down). With these regulations being relatively new, it's easy — especially for startups and small-business owners — to overlook the importance of a coherent privacy policy.

But what exactly are they? Does every small business need one? And what are the repercussions if you fail to include a privacy policy? These are just some of the questions we're going to answer for you in this blog.

What Is a Privacy Policy and Who Are They For?

When a user visits or registers on a website, they are asked to agree to the terms and conditions laid out by the site's owner. This provides businesses with an opportunity to collect data, individually tailor the user experience and improve their site's overall effectiveness. It also brings with it additional legal considerations.

EU GDPR compliance is required for any business or individual that handles user data, no matter where the website's servers are based and regardless of the size of business. It applies to all websites that offer goods or services to people in the EU, including small businesses and startups.

The definition of 'data collection' is a broad one, covering everything from storing payment and personal details, all the way to including third-party tracking cookies on your site. Names, dates of birth, email addresses, payment and shipping information, phone numbers and bank details are all examples of personal user data (but that list is not exhaustive).

As such, privacy policies are required to comply with the GDPR regulation, which came into effect in May 2018. The regulation requires that all companies have a clear statement outlining the type of data being collected, what they do with this information, why it is being used, how long it will be stored for and under what conditions, and what third parties (if any) this data will be shared with. Alongside this, a privacy policy will also cover how consent is obtained from customers and what rights they have over this data.

They Are a Legal Requirement

Before the introduction of the EU-wide GDPR in 2018 (and UK GDPR, brought in following Brexit), many businesses took a 'nice to have' approach to privacy policies, but the introduction of this data regulation brought with it the real threat of legal action against site owners who failed to both include and operate in line with their policy.

It should also be noted that anonymous data is treated differently from personal data and therefore does not require any specific protections or consent gathering. The caveat is that it can be difficult to guarantee any data is truly anonymised, so it is wise to cover such information in your privacy policy.

Also keep in mind that even if you don't collect identifiable data from users, if third parties have access to user data — via APIs, for example — you will, at least in part, be legally responsible for what they do with that data.

What Happens if I Decide to Go Without a Privacy Policy?

Your business could be out of pocket, to the tune of up to £18m or 4% of annual turnover, whichever is greater. For small businesses, the latter possibility would, understandably, usually apply.

Aside from fines, the UK's Information Commissioner's Office (ICO) can also issue a number of other punishments for non-compliance, such as:

  • Issuing warnings and reprimands
  • Imposing a temporary or permanent ban on data use
  • Ordering the rectification, restriction or erasure of data
  • Suspending data transfers to third countries

The documentation surrounding GDPR rules is long and complex, but the overwhelming majority of cases found to be in breach of the regulation have violated Articles 5, 6 and/or 32:

Article 5 — Data Processing Principles

Personal data must be:

  • Accurate and kept up to date
  • Stored no longer than necessary
  • Processed to ensure appropriate security
  • Processed lawfully, fairly and transparently
  • Collected only for specific legitimate reasons
  • Adequate, relevant and limited to what is necessary

Article 6 — Lawfulness of Processing

Personal data can only be processed:

  • For purposes in the public interest
  • If the subject (user) has consented
  • For legitimate organisational interests
  • To protect the data subject’s vital interests
  • To meet and comply with contractual and legal obligations

Article 32 — Security of Processing

Requires that those who control and process personal data implement "appropriate technical and organisational measures" to secure it.

Are They Free? How Much Do They Cost?

Ideally, this would be a uniform figure across the board. In reality, the answer is, 'It depends.' As a rule of thumb, the cost will fairly reflect the complexity and detail required. There are a number of factors that could add to the cost of producing a legally adherent privacy policy; unfortunately, there's no shortcut available here.

Important to Remember

  • If you handle user data, you need a privacy policy
  • The UK leaving the EU has not affected this
  • You must clearly outline how user data is stored and processed
  • Include any third party usage of data from your site
  • However, truly anonymous data does not need to be covered
  • Failure to include and abide by policy can lead to hefty fines
  • A compliant privacy policy is an essential business cost



Information correct as of Feb 2022.


John Ford

