
Here's Why You Need a Privacy Policy for Your Website

Paige Harris 4/7/22 9:00 AM


Privacy policies can be intimidating if you run an online business. They help limit your legal exposure for how you collect and handle personal data, but they are often written in dense legal jargon.

You may be worried that your policy isn't robust enough or isn't posted clearly enough. Or you may be wondering whether you need a privacy policy at all. Chances are, you do.


How Do You Know if You Need a Privacy Policy?

"Do I need a privacy policy for my website?"

If you have a website, app, or e-commerce store, there is a good chance your online business requires a privacy policy. Whether you need one comes down to a straightforward question: Are you collecting personal data? If you are, you need to post a clearly visible privacy policy.

Are You Collecting Personal Data?

If you collect personal data from visitors to your website or app, you will need a customized privacy policy.

The California Online Privacy Protection Act (CalOPPA) is one of the leading privacy policy laws in the U.S. It took effect in 2004 and requires any commercial website or online service that collects personal data from California residents to post a privacy policy. Small- and medium-sized businesses should be aware of this law. Larger businesses must also comply with the California Consumer Privacy Act (CCPA), which applies to for-profit companies that do business in California and have gross annual revenues over $25 million, that buy, sell, or share the personal information of a large number of California consumers or households, or that derive 50% or more of their annual revenue from selling personal information.


For CalOPPA purposes it helps to distinguish two ways personal data gets collected: directly by you, and indirectly by third parties whose code runs on your site.

If you are collecting data directly, indirectly, or by a combination of the two, you will need an appropriately tailored privacy policy to limit your company's liability under data protection laws.

Collecting Personal Data Directly

If you collect personal data from your visitors yourself, this is direct data collection. It can be as routine as collecting e-mail addresses for a monthly newsletter, having customers fill out an online form, or offering a customer login that requires a username and password (the account credentials themselves are personal data).

Collecting Personal Data Indirectly

Indirect data collection happens when a third party collects the data through your site. These third parties could include apps, plug-ins, or embedded services you use to run your website. Indirect collection also happens when your visitors' data is captured by third-party cookies, tracking pixels, analytics scripts, or ad networks that load as part of your pages.

It is possible that you aren't even aware your online presence is indirectly collecting data: every third-party script, iframe, or image your pages load hands that third party the visitor's IP address, browser details, and any cookies it has set. It is important to inventory these dependencies and protect your business against this possibility.
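The quickest way to find out who is indirectly collecting data on your behalf is to list every host your pages make the browser contact. The following is an added example written for this article (not Enzuzo's product code): it parses a page's HTML and reports each third-party hostname together with the element types that load from it. The sample page, its hostnames, and the "same site" heuristic are constructed for illustration; a production audit would also capture requests that scripts make at run time and would use the Public Suffix List instead of the last-two-labels shortcut.

```python
"""Inventory the third-party origins a page's HTML makes the browser contact.

Added example, not Enzuzo's code. The sample page and hostnames below are
constructed for illustration; registrable_host() is a deliberate heuristic.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attributes make the browser fetch from (or post to) another host.
# Each such request hands that host the visitor's IP address, user agent and any
# cookies it previously set: the "indirect collection" the text describes.
URL_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "embed": ("src",),
    "source": ("src",),
    "form": ("action",),
}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) pairs for every URL-bearing attribute."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                # urljoin resolves relative ("/x.js") and protocol-relative ("//host/x") URLs.
                self.refs.append((tag, urljoin(self.page_url, value.strip())))


def registrable_host(host):
    """Crude 'same site' key: the last two labels of the hostname.

    Correct for hosts like cdn.example.com, wrong for multi-label public
    suffixes such as example.co.uk. Use the Public Suffix List for a real audit.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_origins(page_url, html):
    """Return {hostname: sorted tags} for every host outside the page's own site.

    Non-network schemes (data:, mailto:, javascript:) are skipped because they
    cause no request to another party.
    """
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own_site = registrable_host(urlsplit(page_url).hostname or "")
    found = {}
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if registrable_host(parts.hostname) == own_site:
            continue
        found.setdefault(parts.hostname, set()).add(tag)
    return {host: sorted(tags) for host, tags in sorted(found.items())}


# Constructed sample page: a shop that believes it "only" collects newsletter
# e-mails, plus the kinds of third-party embeds that typically creep in.
SAMPLE_PAGE_URL = "https://www.example-shop.com/"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="https://cdn.example-shop.com/site.css">
  <script src="/static/app.js"></script>
  <script src="https://www.google-analytics.com/analytics.js"></script>
  <script src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
</head><body>
  <img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
  <img src="https://px.tracker.example/pixel.gif?uid=123" width="1" height="1">
  <iframe src="https://www.youtube.com/embed/abc123"></iframe>
  <form action="https://forms.example.net/subscribe" method="post">
    <input name="email"><button>Subscribe</button>
  </form>
</body></html>
"""

if __name__ == "__main__":
    for host, tags in third_party_origins(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(f"{host:35} {', '.join(tags)}")
```

Run against the constructed page, the report lists the analytics and ad scripts, the video embed, the tracking pixel, and the externally hosted newsletter form, while the shop's own CDN and the inline data: image are correctly left out. Every hostname that appears should be accounted for in the "third parties" section of the privacy policy, or removed.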

What Is Considered Personal Data? 

Depending on where your business is located in the world, the laws may define personal data differently. For example, the U.S. and the U.K. have slightly different personal data collection laws. While they offer similar protections to their citizens, they differ in how they define personal data.


There is currently no comprehensive federal privacy law governing companies' collection of online data; federal rules are sector-specific, such as the Children's Online Privacy Protection Act (COPPA) for data collected online from children under 13. However, many states have enacted privacy laws that govern companies within their jurisdictions or protect residents within their borders.

For example, CalOPPA protects California residents from businesses that improperly collect personal data from their visitors. This means if your online presence attracts users from California, and you collect personal data — either directly or indirectly — then you must post a privacy policy.

CalOPPA defines personally identifiable information (PII) to include any of the following:

  • First and last names
  • Physical addresses that include street names and the town or city
  • E-mail addresses
  • Phone numbers
  • Social Security numbers

CalOPPA also covers any other identifier that permits someone to be contacted physically or online, and any information about a user that you collect online and keep in personally identifiable form in combination with one of the identifiers above. Examples of such data include:

  • Shopping cart data
  • Online activity
  • User preferences
  • Data from online forms
  • Security answers

How likely is it that your website collects personal data? 

According to the Federal Trade Commission (FTC), in 1998, 92% of surveyed commercial websites collected personal data, with only 14% providing any notice about their data collection practices. In the decades since, more websites have posted privacy policies, particularly after the 2004 enactment of CalOPPA.

In 2017, as many as 79% of websites used trackers to collect user data (such as shopping preferences) in order to serve targeted ads, and that figure leaves out the many other ways a website can collect personal data.

The chances are very high that your website tracks some form of personal data, thereby requiring a detailed privacy policy.


Do I Need a Privacy Policy if I Don't Collect Data?

If you absolutely do not collect data directly or indirectly, you will not require a privacy policy. For example, let's take a simple one-page website that hosts your portfolio. You don't have a contact form or collect e-mail addresses. You merely link to the site via your resume. You use no apps or plug-ins that may be indirectly collecting data.

So far, so good. But to be certain, here are a few questions to consider: 

  • Do you use Google Analytics?
  • Do you have a blog?
  • Do you use Google AdSense?
  • Is your site hosted by WordPress or any other platform that allows users to create accounts and post comments? 

While there are many other scenarios that require a privacy policy, if you answered "yes" to any of the above common practices, you should post an encompassing privacy policy to your site to protect yourself from liability.

Does Every Website Need a Privacy Policy? 

No, not every website needs a privacy policy, but the overwhelming majority do. It is possible that someone could genuinely run a website without collecting personal data, but in today's online world, that person would have to make a concerted effort to fall into this category.

What Happens if You Don't Have a Privacy Policy?

If you don't have a comprehensive privacy policy prominently displayed on your website, you can't simply plead ignorance. Ignorance is not an acceptable defense under data protection laws. If you collect personal data without the required disclosures, you could face substantial fines or lawsuits.

Lawsuits for Personal Data Collection

In the past several years, there have been lawsuits aimed at big corporations such as Google and Facebook for their data collection practices. In early 2022, Meta, Facebook's parent company, settled a data privacy lawsuit for $90 million. Filed in 2012, this was the longest-running data privacy suit in the U.S.

In 2020, Google was sued in a class action seeking $5 billion over the tracking of "private" browsing in Chrome's Incognito mode. Google's motion to dismiss the suit was denied, and the case is currently ongoing.

But it's not just big corporations at risk of lawsuits for the covert collection of personal data — these are just the stories that make headlines.

Fines for the Collection of Personal Data

You face a more likely risk of being slapped with hefty compliance fines from data protection regulators. 

For example, CCPA violations carry civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, and these add up quickly when each affected consumer counts as a separate violation.


Regulatory penalties are not the only exposure. The CCPA also gives consumers a private right of action when their personal information is exposed in a breach caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident, which can be pursued as a class action. That can mean a second, potentially devastating economic hit to your business.

What Needs To Be In a Privacy Policy?

If you've determined that you need a privacy policy for your online presence, there are several pieces of information the policy must disclose, including:

  • What categories of personal information you collect
  • How you use the collected personal information, such as for shipping, customer service, or general communication
  • Whether your site uses cookies, and for what purposes
  • Whether third parties collect personal data through your site, and how they use it
  • Whether your company shares personal data with affiliated companies or others
  • How you respond to "Do Not Track" browser signals (required by CalOPPA since 2014)
  • How you will notify users of material changes to the policy, and the policy's effective date
  • How you keep the data secure

These are the standard requirements of a privacy policy. Depending on the local laws your business operates under, there may be additional regulations you must adhere to.

Since the average website owner may not feel comfortable drafting a privacy policy on their own, it is generally safe to use a privacy policy generator, as long as the generator produces a high-quality, up-to-date policy that reflects what your site actually collects. These tools can help protect website owners like you from legal liability for your data collection activities.


How Can Enzuzo Help Me With a Privacy Policy?

"I want to create a privacy policy for my website. How can Enzuzo help me?"

Enzuzo specializes in powerful privacy tools that can be automated to easily manage data privacy for your online presence. We will help you discern what personal data your site is collecting — directly and indirectly — and determine the best wording for your privacy policy to keep you and your company protected.

Enzuzo is easy to work with and install, and integrates into popular platforms like Wix, WordPress, Shopify, and more. We stay up to date on regulations and will keep your website, app, or e-commerce store always in compliance. Our team of experts is always available to tackle your website's privacy concerns and help you protect your brand and your customers.
