If your organization has a website, it probably needs a publicly posted privacy notice explaining how personal data is (or is not) collected, used, protected, and shared. Privacy notices are expressly required under some laws, such as the EU’s General Data Protection Regulation (GDPR), the California Online Privacy Protection Act (CalOPPA), and the Australian Privacy Act. Even in countries where a privacy notice for an organization’s website is not expressly required, obligations to process personal data fairly, transparently, and lawfully often make developing a well-crafted privacy notice a cornerstone of any business’s privacy compliance initiative.
In addition, regardless of any legal obligations, Internet users are increasingly sensitive to how their information is used. Accordingly, a privacy notice is also an important tool for communicating your policies and practices and for building consumer trust and goodwill.
Here are three questions to ask yourself to get a sense of how detailed your website privacy notice will need to be.
Does your organization’s website collect “personal data”?
Who does your organization’s website collect personal data from?
In general, laws and regulations related to data security and privacy are based on where (geographically) the person your website is collecting data from is based, NOT where the website owner/operator is based. If your website collects personal data from people all over the world, your organization is responsible for complying with potentially dozens, or even hundreds, of local regulations. On the other hand, if your organization’s website collects personal data strictly from folks in the U.S., more restrictive laws related to the personal data of people in the EU, Canada, and elsewhere do not necessarily apply.
What types of personal data does your organization’s website collect?
In addition to thinking through where your data subjects are located to determine how significant an undertaking your data security and privacy compliance initiative will be, there are certain categories of data that are generally subject to stricter regulation. While those categories vary by local law, it is generally safe to assume that information about children, financial information, and health information are heavily regulated everywhere. In addition, if your organization processes information about race or ethnicity, religious beliefs, political opinions, sexual orientation, or criminal records of European citizens, similar heightened restrictions may apply.