Do I Need a Privacy Policy if I Don't Have a Website?

As a business owner, the question of whether you need a Privacy Policy may have crossed your mind. The answer is: it depends. If you don't have a website, you probably don't need one unless you're doing business in Australia or the European Union.

However, if you have a website or an online presence in any way, shape, or form, you do need a Privacy Policy regardless of where you operate.

This article will explain when a Privacy Policy is needed and how to go about creating one appropriately.

What is a Privacy Policy?

A Privacy Policy is a legal document that provides information as to how your business collects, stores, uses, and protects data belonging to customers.

It also informs users about their rights regarding the use of their personal information by you or third parties (such as Google Analytics).

Many companies have a single generic policy covering all aspects of data use, but you should customize yours to ensure all sections are relevant for your business.

Why Do I Need a Privacy Policy?

There are a variety of privacy laws in place that businesses must adhere to when it comes to data privacy. Most of the legislation involved targets companies with websites. However, some laws are broader than that.

For example, Australia's Privacy Act of 1988 doesn't single out businesses with a website, and neither does Europe's General Data Protection Regulation (GDPR).

In fact, the GDPR states that its regulations are applicable to the processing of personal information partly or wholly "by automated means and to the processing other than by automated means of personal data" that forms part of a filing system or are intended to form part of a filing system.

The point is that these well-known privacy laws target businesses as a whole and whether they collect personal information. Having a website or not isn't relevant.

What matters is that companies are collecting personal data about those who come into contact with their businesses, not the method of data collection.

On the other hand, some laws in the United States, such as the California Online Privacy Protection Act (CalOPPA), specifically single out businesses with websites.

Therefore it's crucial for business owners to be aware of these regulations, understand which ones are relevant, and ensure compliance.

You may not be subject to some of the laws mentioned above because you don't operate internationally. However, it's still a best practice to have a straightforward Privacy Policy in place for your business with or without a website. Having a well-written one will help you build trust with customers and limit liability should there be any breaches or data loss (such as physical theft).

What Should a Privacy Policy Include?

This question has no one-size-fits-all answer, as the contents of a Privacy Policy will vary depending on the type of business and the data that is being collected and used.

However, some general things should be included in every Privacy Policy:

• The types of personal data your company collects and how
• How your company uses the personal data it collects
• Whether the company shares collected personal data with third parties, the personal information it discloses and to whom it is disclosed
• How your company manages and protects the personal data it collects

Keep in mind that specific industries, such as financial services, education, and healthcare, have more stringent privacy requirements. But, no matter which industry your business is in, it is crucial to take steps to protect the data of your customers.

Third Parties Also Require Privacy Policies

As the owner of a business, it is important to be aware of the different types of data you may collect from your users without even realizing it.

For instance, maybe you don't have a website, but you still collect credit card information. In that case, you're obviously collecting personal data.

Or, say you use third-party services to help your marketing and sales processes online. You might be using services, such as:

• Amazon Associates
• Apple's App Store
• ClickBank
• Facebook Pages, Stores, and Apps
• Google AdSense
• Google AdWords
• Google Analytics
• Google Play Store or other app stores
• Twitter Lead Generation

Each of these collects the personal data of your website's visitors. Therefore, you are required to inform users about that fact and about how those third parties may use their information. The way to do this is with a Privacy Policy.

Here's an example of how you can let users know that you share information with third parties:

And here's a clause that mentions that third parties are used, and in what ways:

Make note of all the third parties you work with, and let the public know about this. That way they're aware of not only how you use their personal information, but if and when you share that information with others.

What if You Don't Collect Personal Information?

Most businesses actually do collect private data without even knowing it. And even if you're certain you do not, you should still post a Privacy Policy that declares you don't collect personal information. This is because people expect to see a policy, and not having one will make you seem quite untrustworthy.

Here's an example of how this could look:

Everything comes down to the definition of personal information, and in many cases, even offline businesses collect this type of information in one way or another.

For example, under most privacy laws, personal information includes but isn't limited to:

• Name
• Address
• Phone number
• Email address
• Credit card numbers and other financial information
• Date of birth
• Social Security numbers
• Military ID numbers
• Religion
• Sex
• Gender
• Sexual preference
• Political affiliation

It should be remembered that much depends upon context, and there are some exceptions.

For instance, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) states that personal data doesn't "include the name, title or business address or telephone number of an employee of an organization."

Why You Should Have a Privacy Policy No Matter What

After reading through the list of personal information above, let's say you don't collect any of that information. And then let's say your company doesn't have a website.

Writing and posting a Privacy Policy is still a best practice for the following reasons.

It Helps Customers Trust You

You're telling your customers that you believe in their right to privacy by posting a Privacy Policy.

You are showing them that you also believe in transparency, that you're aware that Privacy Policies are increasingly commonplace, and that you believe in professionalism.

You Have an Obligation to Meet Third Party Requirements

If you work with any third-party companies, they may have their own requirements for Privacy Policies. Even if you don't collect or store any personal information on your customers, meeting these requirements is still a best practice.

Avoiding Legal Issues

Even if you don't collect personal information and don't have a website, you could still get reported to a privacy authority like the Attorney General in many U.S. states, or the Data Protection Authority in Europe.

That's a legal headache you can easily avoid by having a Privacy Policy in place.

Summary

In short, having a Privacy Policy is just good business. It's an easy way to protect your company from legal trouble and build customer trust, whether you have a website or not.

Laws and third parties may require you to have one on display, and not being compliant can be costly.

Even if you don't collect any personal information, display a short Privacy Policy that simply states this to help you remain trustworthy with your users and in the eyes of privacy law authorities.