Three Questions to Assess How Detailed Your Organization’s Website Policy Should Be

If your organization has a website, it probably needs a publicly posted privacy notice explaining how personal data is (or is not) collected, used, protected, and shared. Privacy notices are expressly required under some laws, such as the EU’s General Data Protection Regulation (GDPR), the California Online Privacy Protection Act (CalOPPA), and the Australian Privacy Act. Even in countries where a privacy notice for an organization’s website is not expressly required, obligations to process personal data fairly, transparently, and lawfully often make developing a well-crafted privacy notice a cornerstone of any business’s privacy compliance initiative.

In addition, regardless of any legal obligations, Internet users are increasingly sensitive to issues regarding use of their information. Accordingly, a privacy notice is also an important tool to communicate policies and practices, to build consumer trust and goodwill.

Ultimately, the level of detail necessary to include in website privacy notices is highly dependent on the organization. Incidental collection of fairly innocuous personal data from a small geographic area that is used in a manner most consumers would expect typically warrants briefer policies that are easy to understand and focus on high-level disclosures. Sites that collect highly sensitive data, that use personal data in a way that a visitor may not expect, or that process personal information as part of their core functionality often need a far more granular privacy policy in order to accurately and completely detail their processing activities.

Here are three questions to ask yourself to get a sense of how detailed your website privacy notice will need to be.

Does your organization’s website collect “personal data”?

If your organization’s website is entirely “passive” and does not enable visitors to interact with it, provide information to your website, or use cookies to collect information about visitors, no more than a minimal privacy policy will likely be necessary. Once your organization’s website collects information such as names, email addresses, phone numbers, other contact information, demographic information, or any other data attributable to an identified or identifiable individual, the notice needs to include increasingly detailed information about what is being collected, why it is being collected, with whom it is being shared, and how it is being kept safe.

Who does your organization’s website collect personal data from?

In general, laws and regulations related to data security and privacy are based on where (geographically) the person your website is collecting data from is based, NOT where the website owner/operator is based. If your website collects personal data from people all over the world, your organization is responsible for complying with potentially dozens, or even hundreds, of local regulations. On the other hand, if your organization’s website collects personal data strictly from folks in the U.S., more restrictive laws related to the personal data of people in the EU, Canada, and elsewhere do not necessarily apply.

What types of personal data does your organization’s website collect?

In addition to thinking through where your data subjects are located to determine how significant an undertaking your data security and privacy compliance initiative will be, there are certain categories of data that generally are subject to stricter sets of regulations. While those categories vary by local laws, in general, it is safe to assume that information about children, financial information, and health information are universally heavily regulated. In addition, if your organization processes information about race or ethnicity, religious beliefs, political opinions, sexual orientation, or criminal records from European citizens, similar heightened restrictions may apply.

These three guiding questions highlight why even websites from competitors may require very different approaches to a privacy policy, and why “cutting and pasting” is seldom a practical solution to putting together an organization’s privacy policy.