In this article, we'll be answering some common questions about privacy for businesses.

This is a very important area for any business, particularly if it has a strong online presence. The legal requirements are increasingly demanding and can get complicated.

In this article we'll be covering:

  • Why privacy law is important
  • Some of the terminology involved in online privacy
  • The purpose and importance of a Privacy Policy
  • Some key requirements under the strict privacy laws of the European Union (EU) and California

Read the entire FAQ straight through as an informative overview, or skip around in the table of contents to find specific questions you may have and read the answers.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

What are privacy laws?

Privacy laws (and data protection laws) are all about protecting people's personal data from being exploited.

Some important privacy laws include:

  • The California Online Privacy Protection Act (CalOPPA) in the United States
  • The General Data Protection Regulation (GDPR) in the European Union
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada

More and more privacy laws are being developed, with many more expected in the future. See our article "Privacy Laws By Country" for an up-to-date directory.

Privacy laws can cover business activities such as:

  • Collecting information about individuals (personal data)
  • Direct marketing
  • Tracking people's behavior

"Tracking people's behavior" used to be the activity of state surveillance agencies and private investigators. Now, people's behavior is tracked (both online and in the "real world") by businesses hoping to learn something about the sorts of products people might wish to buy.

Privacy law is now an important consideration for practically every business. This is partly a result of the proliferation of "behavioral marketing," enabled via technology such as cookies and GPS analysis.

But even if your business doesn't engage in such practices, privacy law could apply to your employee records, customer lists, and even your website's log files. If you collect even just an email address from potential customers, privacy laws will apply to you.

Why are privacy and security important?

Privacy and security are important for many reasons.

Privacy is a fundamental human right. It has been acknowledged, to some degree, by practically every society in the world.

As well as national and regional data protection and privacy laws, a fundamental right to privacy is recognized in:

As people's lives move more and more online, they are revealing more and more information about themselves to an ever-wider network of businesses and organizations.

Many people are happy to share a great deal of personal information publicly, for example on social media. But they have a right to keep other information private.

The importance of security is inseparable from the importance of privacy. There's no effective way to keep private information private unless it's secure.

What is considered personal data?

Many different types of information are considered personal data (also called "personal information" or "personally identifiable information"). The definition is different depending on local law, but the tendency is for lawmakers to categorize more and more types of information in this way.

Probably the broadest definition of "personal data" can be found in the EU GDPR, at Article 4:

"'Personal data' means any information relating to an identified or identifiable natural person"

This brings the following sorts of information under the definition of personal data:

  • A name
  • An ID number
  • Location data
  • Online identifiers such as cookies, IP addresses, login credentials
  • Information about a person's physical, genetic, or social identity

The list is potentially endless. Any information that could, in theory, be used to identify someone must be treated as personal data under the GDPR.

This definition is increasingly being adopted in other places, too. For example, the California Consumer Privacy Act (CCPA), as amended by the CPRA, provides a definition of "personal information" that is almost identical to the GDPR's definition of "personal data."

How do you keep data safe and secure?

There are many measures that your business can take to keep personal data secure, including:

  • Using TLS/SSL protocols when collecting or transferring personal data
  • Applying encryption methods to personal data in storage
  • Maintaining effective access controls and authentication methods among staff

It's also important that you know how to recognize and respond to a data breach. A data breach means the loss of, or unauthorized access to, personal data.

Having policies in place, such as a Data Breach Policy and a Data Protection Policy, can help your company protect personal data against a data breach.

What is a website Privacy Policy?

A website Privacy Policy is a statement of a company's practices around the processing of personal data. It should provide, among other things:

  • Information about what types of personal data the company collects
  • The reasons for which the company collects personal data
  • How the company uses, stores and shares personal data

Having a Privacy Policy is an essential way to provide transparent information about your company. It will help you to build trust with your customers, manage your data protection practices, and (most importantly) comply with the law.

The precise contents of a Privacy Policy will vary depending on the legal requirements of the jurisdictions in which the company or website operates.

Yes, in most cases it is a legal requirement to display a Privacy Policy on a website.

The requirement for a company to display a Privacy Policy on its website is common to many privacy laws. Commercial companies, websites, and apps that collect personal data are required to display a Privacy Policy in jurisdictions such as:

  • The United States (so long as the website is accessible in California)
  • All EU countries
  • Canada
  • Australia

In fact, there are few industrialized economies where a Privacy Policy is not required.

What does a Privacy Policy tell you?

A Privacy Policy tells you how a company collects personal data (or "personal information") and what it does with the personal data in its possession. Beyond this, the requirements for what a Privacy Policy must contain will vary depending on the business context, and national or regional law.

For example, under the California Online Privacy Protection Act (CalOPPA), operators of commercial websites are required to reveal:

  • The categories of personal information that the company/website operator collects
  • How this personal information might be shared
  • How users can review this information
  • How the website responds to Do Not Track (DNT) requests from users' browsers
  • The effective date of the Policy

What is the difference between a Privacy Policy and a Privacy Notice?

The difference between a "Privacy Policy" and a "Privacy Notice" is semantic. A Privacy Policy and a Privacy Notice amount to the same thing.

  • The California Online Privacy Protection Act (CalOPPA) refers to a "Privacy Policy"
  • The UK's Data Protection Authority, the ICO, uses the term "Privacy Notice"
  • The institutions of the European Union use the term "Privacy Statement"

All these documents serve the same function. They provide information about the data protection and privacy practices of the organization that created them.

What is the GDPR regulation?

The GDPR is an EU data protection law that regulates the processing of personal data. GDPR stands for General Data Protection Regulation. The regulation came into force in May of 2018. It was designed to ensure that the data protection law of all EU countries was aligned.

The passing of the GDPR has forced businesses all over the world to think carefully about their data protection practices. Practically all businesses process personal data on a day-to-day basis.

The GDPR means that businesses need to consider things such as:

  • How they collect personal data
  • Whether they have a legal basis for collecting personal data
  • Who they are sharing personal data with

The GDPR's reach even extends to companies that are not based in the EU, so long as they:

  • Offer goods and services to people in the EU. This applies to anyone that, for example, ships products to EU customers, or provides an app that is available to EU users, or
  • Monitor the behavior of people in the EU. This applies to any company that, for example, runs a targeted advertising campaign (involving cookies) that affects individuals in the EU.

The GDPR is an extensive law that touches on all aspects of data protection and privacy. It's enforced by a strict regime of fines and other penalties, and it's pretty easy to violate it (even by accident).

Any business operating in the EU will need to familiarize itself with the GDPR.

Does the GDPR require a Privacy Policy?

The GDPR requires any company (or any organization or individual) that processes the personal data of people in the EU to have a Privacy Policy.

The GDPR sets out its requirements for the information that must be provided by a Privacy Policy across Articles 12-14. These are very extensive and require a company to disclose practically every aspect of its data protection practices, including:

  • The types of personal data it processes (i.e. collects, stores, shares, or otherwise uses)
  • How it collects personal data
  • Its legal basis for processing personal data
  • The types of organizations with whom it shares personal data
  • How individuals can exercise their rights over their personal data
  • How long it stores personal data

A Privacy Policy must be written in clear and accessible language that users can understand (including children if the company aims its products or services at children).

It should be presented to individuals at the point that their personal data is to be collected, such as when a user subscribes to an email newsletter or creates an account with you:

Business Insider email sign-up form: You agree to marketing emails, Terms of Service and Privacy Policy

Your Privacy Policy must always be made accessible, such as in a website footer or mobile app's About menu:

Screenshot of Hacker News website footer

What are the six principles of the GDPR?

The six principles of the GDPR are a set of fundamental values that should underpin the processing of all personal data. They are set forth at Article 5 of the GDPR and are as follows:

  1. Lawfulness, fairness and transparency - Always obey the law; only process personal data in a way that people would reasonably expect; always provide clear information about your practices
  2. Purpose limitation - Only process personal data for a specified purpose
  3. Data minimization - Don't collect personal data you don't need
  4. Accuracy - Ensure the personal data in your possession is accurate and up-to-date
  5. Storage limitation - Don't keep personal data for longer than you need it
  6. Integrity and confidentiality - Keep personal data secure

The GDPR divides companies into "data controllers" and "data processors." All data controllers and data processors must abide by these six principles.

A seventh principle is given for data controllers: accountability. Data controllers must be able to demonstrate their accountability for compliance with the six principles of the GDPR.

What is the California Consumer Privacy Act (CCPA/CPRA)?

The California Consumer Privacy Act (CCPA) is an important privacy law that came into force on January 1st, 2020. It was updated by the CPRA, with the amendments and updates taking effect on January 1st, 2023.

It applies to any business operating in California that:

  • Is operated for profit, and
  • Decides why and how personal information (personal data) is processed, and
  • Has at least one of the following characteristics:
    • It has an annual gross revenue of at least $25 million, or
    • It buys, sells, receives or shares personal information from at least 100,000 consumers, households or devices per year, or
    • Makes at least 50 percent of its annual revenue from selling or sharing personal information

Only businesses fitting the description above need to comply with the CCPA (CPRA).

What does the CCPA (CPRA) do?

The CCPA (CPRA) provides consumers in California with certain rights over their personal information:

  • The right to disclosure: Businesses must provide a detailed Privacy Policy
  • The right to deletion: Consumers may request that the personal information businesses hold on them is erased
  • The right to access: Consumers may request a copy of their personal information
  • The right to opt out: Consumers may opt out of the selling, sharing and processing of their personal information
  • The right to non-discrimination: Consumers must not suffer any detriment for exercising these rights
  • The right to opt in (for minors)
  • The right to data portability
  • The right to correct any errors in their information

The CCPA (CPRA) also introduces a new regime of fines which can be imposed where a business suffers a data breach. These fines are up to $7,500 per violation. This can really add up if a large number of consumers are affected.

Under the CCPA (CPRA), consumers are also able to pursue civil claims against businesses who mistreat their personal data.
