If you've ever tried in vain to find a way to directly contact a business only to discover that they have no contact information listed on their website, then you know how frustrating the experience can be.
It is considered a general customer service best practice for every online business to provide easy-to-access contact details for customers and clients. However, this is not the only reason you should post your business's contact details.
When it comes to online privacy, some contact information is required by law to be listed in your Privacy Policy.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
Privacy Laws Regarding Contact Information
Although not every international privacy regulation requires public contact details, the laws that do exist will likely apply to your business.
GDPR Requirements
Any business in the world that collects personal information from people in the EU (even if it's just an IP address) will be required to comply with the following General Data Protection Regulation (GDPR) Privacy Policy stipulations:
- List the physical location where consumer data is being stored and processed
- State the name and contact details of both the data controller and any data processors, if applicable
- Post the contact details of the Data Protection Officer (DPO), if applicable
- Post the contact details of the European Representative, if applicable
Let's take a look at each stipulation and how to satisfy it.
1. List the physical location where consumer data is being stored and processed
EU residents, often referred to as data subjects, have the right to be informed of where their personal information is being stored and processed. For this reason, it is required that you include the name and physical location of your business in your Privacy Policy.
This is usually disclosed at the very top of the policy, as demonstrated by Workable:
2. State the contact details of both the data controller and the data processors, if applicable
The data controller and the data processor could be one and the same entity or, in most cases, two different companies. For example, if your business collects personal information directly from customers and uses that same data to send its own marketing messages and advertising, then you are both the data controller and the data processor.
In this case it is only necessary to publish your own contact information as the data controller, as does Workable in this example:
Note that the contact details aren't in this sentence, but because they're in the previous paragraph in Workable's Privacy Policy (as seen in the earlier example screenshot), this will be sufficient.
On the other hand, many businesses use third-party services like Google Adwords or Facebook Ads that process customer information in order to provide analytical and advertising services. If this is the case, then you would also be required to list the names and locations of the third-party organizations you contract to process your user data.
You can see a simple way to fulfill this requirement within the Celonis Privacy Policy:
In this paragraph, Celonis lists Facebook as a data processor. It make sure to state Facebook's postal address as well as a link to Facebook's Privacy Policy so that data subjects understand who, where, and how their data is being processed.
3. Post the contact details of the Data Protection Officer, if applicable.
If your business requires the appointment of a Data Protection Officer (DPO), you'll need to include their contact information within the Privacy Policy. This could be as simple as an email address, such as in the Mailchimp Privacy Policy:
Other entities, like Nestlé, prefer to include a physical mailing address as well:
4. Post the contact details of your European Representative, if applicable
For businesses located outside of the European Union, a European Representative may need to be appointed as a point of contact for EU data subjects and supervisory authorities. This is another requirement that may not apply to every non-EU based business.
In general, if your business only does occasional processing of EU user data, and doesn't deal with sensitive or crime-related categories of data, your business probably won't need one.
However, as always when dealing with the GDPR, it is better to be safe than sorry. In the case that you do appoint an EU-based representative, you will need to list their information in your Privacy Policy as a point-of-contact for EU residents.
Here's how Product Hunt lists both a physical and email address for its EU representative:
PIPEDA Requirements
Like the GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) applies to any company that processes the personal information of Canadian residents. In regard to business contact information, PIPEDA only dictates two requirements.
Businesses must make the following items publicly available in their Privacy Policy:
- Name or title and contact details for the person who is accountable for your organization's privacy policies and practices
- Name or title and contact details for the person to whom access requests should be sent
In most cases, the contact for these two items will be the same job title and address, as you can see in Osler's Privacy Policy:
CalOPPA
The California Online Privacy Protection Act (CalOPPA) is a California state law that applies to any company that collects personal information from California residents. Since most companies that do business in the United States have at least a few California residents as customers, this law will apply to most companies.
The only requirement that CalOPPA designates regarding contact information is the following:
Businesses must post a clear explanation of how users can request amendments to any personal data that is collected.
This can be achieved by providing users with an online portal to view, change, or delete their personal information, or by providing an email address or contact form to make such requests.
Apple has both:
As you can see, Apple provides both an online portal so users can access their personal information, as well as a link to a privacy contact form to make direct requests.
So long as you have a process in place for accepting user requests and inform your users how to make the requests, you can choose to use forms, email addresses, user account interfaces or any other method of contact.
Examples of Contact Information Clauses
Living Clean meets legal and consumer expectations by posting all of the required contact information in its Privacy Policy. First, its physical address is listed at the beginning of the policy:
Customers are informed about how they may access, change, or delete their personal information:
Next, Living Clean details which data processors it uses and provides a physical address as well as a web link for those processors:
Finally, Living Clean posts contact information for its US-based privacy officer. Since this is a small company that does not process large quantities of EU consumer data or sensitive categories of data, it isn't required to appoint a DPO or EU Representative.
The German-based vehicle manufacturer Audi provides a thorough Privacy Policy for consumers. It begins by stating the name and location of the company as a data controller:
The contact information of the DPO is also listed at the beginning of the policy:
In order to give consumers full access to their personal data, a link to a dedicated contact form is provided:
Finally, Audi lists out each of its data processors, along with links to opt-out or obtain more information:
Geocaching.com, owned by Groundspeak, Inc., manages geocaching programs across the world. For this reason, its Privacy Policy must carefully comply with regulations in all of the countries where its participants live.
Location and contact details are included in the policy in a clearly-labeled clause:
The Privacy Policy lists several different methods for users to gain or request access to personal information. First, a link to the account settings section is provided:
Contact information is provided for exercising data subject rights by way of an email address, mailing address and dedicated contact form:
In compliance with the GDPR, Groundspeak supplies full contact information for both their Data Protection Officer and EU Representative:
Although technically a location for data processors should also be provided, Groundspeak does provide a list of data processors as well as links to their respective websites:
By taking the simple steps outlined above, you can meet both legal requirements regarding privacy contact information as well as consumer expectations. The easier you make it for your customers to contact you regarding privacy complaints or requests, the easier it will be to resolve any potential privacy problems before they escalate into legal issues.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.
