Last updated on 20 May 2022 by Jocelyn Mackie (Former civil litigation attorney. Content legal strategist at TermsFeed)
Privacy laws do not exempt businesses from protecting customers' privacy just because they are small. As a small business, you are just as responsible for any breaches or mishandling of data as a billion-dollar multinational corporation would be.
Personally identifiable information is the universal description of any information that can be used to identify, contact or locate an individual. It includes but isn't limited to the following:
Small businesses have the most to lose from poor data practices. You can handle data in a way that's consistent with local laws and your internal policies, but if a customer interprets that as mishandling, you may face liability or at least an expensive and time-consuming legal battle to fight the claim.
Almost all Privacy Policies start with a description of the data collected. Here is where you'll tell customers exactly what information you will collect, such as names, addresses, email addresses, and payment information.
It is better to be overly specific in this section than vague. You can present this as a list for readability.
ABC Fitness lists the information it collects and offers specific examples:
Notice the use of plain language. When it comes to explaining to customers what type of data you require and request, keeping things simple is the best course of action.
The information about how you collect data may be included in the clause listing the types of information you collect, or it can be in its own clause.
ABC Fitness makes it clear that it obtains some data in the course of processing payment in the following clause excerpt:
This clause will vary depending on the nature of your business. Just make sure you let users know how you end up obtaining their data, whether it's from them, from a third party, or via cookies.
Most companies share or disclose some information under certain circumstances, such as when required by law, when consent is obtained to share the information, or if the business is sold. Make it clear to your users when and under what circumstances their data will be shared.
Here's how ABC Fitness does this, and lets users know that information may be shared with clients, debt collection agencies, service providers and third-party vendors:
Telling consumers how you protect data is required in laws like the UK's Data Protection Act. It is also reassurance for your users that their data will likely stay safe with you.
While you don't have to go into specifics about your security practices, you should at least note the general steps you take.
ABC Fitness states that it uses SSL, firewalls, and encryption, and also limits the number of employees that have physical access to the data center, amongst its steps to secure data:
Make sure that whatever you say you're doing to keep data secure, you're actually doing.
Many countries have laws restricting unsolicited email or spam. You are required to give customers the chance to opt out of these communications, and failure to do so could result in civil liability and fines.
It is also simply a nice thing to do. If a customer made one purchase and no longer wants promotions from you, offering a procedure to make this request builds goodwill. While you may consider the promotions a money-making effort, being respectful towards customers also helps you in your market.
Here's how ABC Fitness does this:
Other places to provide a link to your Policy include on sign-up pages, online checkout pages, email subscription forms and other places where personal information is collected.
More specific Privacy Policy templates are available on our blog.