Is Contact Information Required In Your Privacy Policy?

If you've ever tried in vain to find a way to directly contact a business only to discover that they have no contact information listed on their website, then you know how frustrating the experience can be.

It is considered a general customer service best practice for every online business to provide easy-to-access contact details for customers and clients. However, this is not the only reason you should post your business's contact details.

When it comes to online privacy, some contact information is required by law to be listed in your Privacy Policy.


Privacy Laws Regarding Contact Information

Although not every international privacy regulation requires public contact details, the laws that do exist will likely apply to your business.

GDPR Requirements

Any business in the world that collects personal information from people in the EU (even if it's just an IP address) will be required to comply with the following General Data Protection Regulation (GDPR) Privacy Policy stipulations:

  • List the physical location where consumer data is being stored and processed
  • State the name and contact details of both the data controller and any data processors, if applicable
  • Post the contact details of the Data Protection Officer (DPO), if applicable
  • Post the contact details of the European Representative, if applicable

Let's take a look at each stipulation and how to satisfy it.

1. List the physical location where consumer data is being stored and processed

EU residents, often referred to as data subjects, have the right to be informed of where their personal information is being stored and processed. For this reason, it is required that you include the name and physical location of your business in your Privacy Policy.

This is usually disclosed at the very top of the policy, as demonstrated by Workable:

Workable Privacy Policy: Physical business address section

2. State the contact details of both the data controller and the data processors, if applicable

The data controller and the data processor could be one and the same entity or, in most cases, two different companies. For example, if your business collects personal information directly from customers and uses that same data to send its own marketing messages and advertising, then you are both the data controller and the data processor.

In this case it is only necessary to publish your own contact information as the data controller, as does Workable in this example:

Workable Privacy Policy: Data controller clause

Note that the contact details aren't in this sentence, but because they're in the previous paragraph in Workable's Privacy Policy (as seen in the earlier example screenshot), this will be sufficient.

On the other hand, many businesses use third-party services like Google AdWords or Facebook Ads that process customer information in order to provide analytical and advertising services. If this is the case, then you would also be required to list the names and locations of the third-party organizations you contract to process your user data.

You can see a simple way to fulfill this requirement within the Celonis Privacy Policy:

Celonis Privacy Policy: Facebook clause

In this paragraph, Celonis lists Facebook as a data processor. It makes sure to state Facebook's postal address as well as a link to Facebook's Privacy Policy so that data subjects understand who is processing their data, where, and how.

3. Post the contact details of the Data Protection Officer, if applicable.

If your business requires the appointment of a Data Protection Officer (DPO), you'll need to include their contact information within the Privacy Policy. This could be as simple as an email address, such as in the Mailchimp Privacy Policy:

Mailchimp Privacy Policy: DPO contact clause

Other entities, like Nestlé, prefer to include a physical mailing address as well:

Nestle Privacy Notice: DPO contact clause

4. Post the contact details of your European Representative, if applicable

For businesses located outside of the European Union, a European Representative may need to be appointed as a point of contact for EU data subjects and supervisory authorities. This is another requirement that may not apply to every non-EU based business.

In general, if your business only does occasional processing of EU user data, and doesn't deal with sensitive or crime-related categories of data, your business probably won't need one.

However, as always when dealing with the GDPR, it is better to be safe than sorry. In the case that you do appoint an EU-based representative, you will need to list their information in your Privacy Policy as a point-of-contact for EU residents.

Here's how Product Hunt lists both a physical and email address for its EU representative:

Product Hunt Privacy Policy: EU Representative clause

PIPEDA Requirements

Like the GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) applies to any company that processes the personal information of Canadian residents. In regard to business contact information, PIPEDA only dictates two requirements.

Businesses must make the following items publicly available in their Privacy Policy:

  • Name or title and contact details for the person who is accountable for your organization's privacy policies and practices
  • Name or title and contact details for the person to whom access requests should be sent

In most cases, the contact for these two items will be the same job title and address, as you can see in Osler's Privacy Policy:

Osler Privacy Policy: Openness about Privacy Practices and Access to Your Personal Information contact clauses

CalOPPA

The California Online Privacy Protection Act (CalOPPA) is a California state law that applies to any company that collects personal information from California residents. Since most companies that do business in the United States have at least a few California residents as customers, this law will apply to most companies.

The only requirement that CalOPPA designates regarding contact information is the following:

Businesses must post a clear explanation of how users can request amendments to any personal data that is collected.

This can be achieved by providing users with an online portal to view, change, or delete their personal information, or by providing an email address or contact form to make such requests.

Apple has both:

Apple Privacy Policy: Access to Personal Information

As you can see, Apple provides both an online portal where users can access their personal information and a link to a privacy contact form for making direct requests.

So long as you have a process in place for accepting user requests and inform your users how to make the requests, you can choose to use forms, email addresses, user account interfaces or any other method of contact.

Examples of Contact Information Clauses

Living Clean meets legal and consumer expectations by posting all of the required contact information in its Privacy Policy. First, its physical address is listed at the beginning of the policy:

Living Clean Privacy Policy: Company physical address section

Customers are informed about how they may access, change, or delete their personal information:

Living Clean Privacy Policy: Accessing and Updating Information clause

Next, Living Clean details which data processors it uses and provides a physical address as well as a web link for those processors:

Living Clean Privacy Policy: Google Analytics clause

Finally, Living Clean posts contact information for its US-based privacy officer. Since this is a small company that does not process large quantities of EU consumer data or sensitive categories of data, it isn't required to appoint a DPO or EU Representative.

Living Clean Privacy Policy: Contact clause

The German-based vehicle manufacturer Audi provides a thorough Privacy Policy for consumers. It begins by stating the name and location of the company as a data controller:

Audi Privacy Policy: Controller contact section

The contact information of the DPO is also listed at the beginning of the policy:

Audi Privacy Policy: DPO contact section

In order to give consumers full access to their personal data, a link to a dedicated contact form is provided:

Audi Privacy Policy: Data protection rights contact form section

Finally, Audi lists out each of its data processors, along with links to opt-out or obtain more information:

Audi Privacy Policy: Google AdWords User Lists clause

Geocaching.com, owned by Groundspeak, Inc., manages geocaching programs across the world. For this reason, its Privacy Policy must carefully comply with regulations in all of the countries where its participants live.

Location and contact details are included in the policy in a clearly-labeled clause:

Geocaching Privacy Policy: Contact Information clause

The Privacy Policy lists several different methods for users to gain or request access to personal information. First, a link to the account settings section is provided:

Geocaching Privacy Policy: Accessing personal information section

Contact information is provided for exercising data subject rights by way of an email address, mailing address and dedicated contact form:

Geocaching Privacy Policy: Contacting us to exercise your rights with any questions clause

In compliance with the GDPR, Groundspeak supplies full contact information for both their Data Protection Officer and EU Representative:

Geocaching Privacy Policy: Details of our EU DPO and EU-based representative clause

Although technically a location for data processors should also be provided, Groundspeak does provide a list of data processors as well as links to their respective websites:

Geocaching Privacy Policy: Third-party advertising cookies clause

By taking the simple steps outlined above, you can meet both the legal requirements regarding privacy contact information and consumer expectations. The easier you make it for your customers to contact you regarding privacy complaints or requests, the easier it will be to resolve any potential privacy problems before they escalate into legal issues.

Jaclyn K.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.