Why is a Privacy Policy Required?

Whether you're developing an app, creating a website, or selling goods through an ecommerce store, you need a Privacy Policy.

But why do you need one? What will happen if you don't have one? And does anyone even read those things?

Let's find out.

There are many reasons why you need a Privacy Policy. Here are three of the most important:

  1. It's a requirement under privacy law
  2. Many third-party services you use require it
  3. It shows that you're professional, responsible, and respect your users' privacy

Is a Privacy Policy Legally Required?

Yes, a Privacy Policy is legally required in almost every major economy.

Here are some of the laws that require businesses to publish a Privacy Policy.

  • United States

    • California Online Privacy Protection Act (CalOPPA)
    • California Consumer Privacy Act (CCPA)
    • Children's Online Privacy Protection Act (COPPA)
    • Health Insurance Portability and Accountability Act (HIPAA)
  • European Union: General Data Protection Regulation (GDPR)
  • United Kingdom: Data Protection Act 2018
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Australia: Privacy Act 1988
  • Brazil: Brazilian General Data Protection Law (LGPD) (not yet in force)
  • China: Personal Information Security Specification
  • India: Personal Data Protection Bill (PDPB) (not yet in force)
  • Japan: Act on the Protection of Personal Information (APPI)
  • Nigeria: Nigerian Data Protection Regulation 2019 (NDPR)
  • South Africa: Protection of Personal Information Act (POPI Act)

Almost all of these laws apply to foreign businesses operating within the relevant jurisdiction. So, for example, if you ship to the EU or to California, you'll need to obey EU or California privacy law even if you don't have any physical presence in those regions.

For more information, see our article: Privacy Laws By Country.

Besides privacy law, a Privacy Policy is also required under your agreements with the third-party services your business relies on.

Here's a selection of some common third-party business tools. Under the legally-binding terms associated with each of these tools, the user is required to create a Privacy Policy.

  • Google:

    • Play Store
    • Firebase API
    • Crashlytics
    • Google Ads
    • AdSense
    • AdMob
    • Google Analytics
  • Facebook:

    • Facebook Pixel
    • Conversions API
    • App Events via Facebook SDK
    • Offline Conversions
    • App Events API
  • Apple:

    • iOS SDK
    • App Store
  • Adobe Analytics
  • Matomo Analytics

When Am I Legally Required to Have a Privacy Policy?

There's a huge range of circumstances in which you're required to create a Privacy Policy. Here are a few of the common business activities that require a Privacy Policy.

When Operating a Website

Most websites collect some sort of personal information. Bear in mind that many types of data qualify as "personal information."

Increasingly, privacy laws define "personal information" as any information that can be linked, directly or indirectly, to an identifiable individual.

Many, if not most, websites collect the following types of data, all of which may qualify as "personal information:"

  • IP addresses
  • Cookie data
  • Device ID
  • Browsing history
  • Data about how people use your website and interact with ads

If you store any of the above information in your server logs, or if your website uses cookies or similar technologies for analytics or advertising purposes, you're collecting personal information and would be required to create a Privacy Policy by many privacy laws, including:

For more information, see our article: What is Personal Information Under Privacy Laws?

When Developing or Publishing a Mobile App

Mobile apps typically collect a lot of data. Some of this data can be particularly sensitive, such as when using location and camera permissions.

As well as the privacy laws listed above, the terms of your agreements with third-party services will also require you to create a Privacy Policy when creating a mobile app.

For example, under Google's terms of its Google Play Developer Distribution Agreement, any app collecting "personal and sensitive information," which includes a very broad range of user data, must have an associated Privacy Policy:

Google Play Developer Distribution Agreement: Personal and Sensitive Information clause

In the case of iOS apps, you need a Privacy Policy even if your app collects no user data at all.

Here's the relevant section of Apple's App Store Review Guidelines:

Apple App Store Review Guidelines: Data Collection and Storage clause - Privacy Policy general requirement

Without a Privacy Policy, you'll find it near-impossible to distribute your app, and you're also risking legal issues and reputational damage.

When Maintaining a Mailing List

Pretty much every legal jurisdiction has a law specifically regulating commercial email and prohibiting "spam." Examples include:

  • United States: CAN-SPAM Act
  • European Union: ePrivacy Directive
  • United Kingdom: Privacy and Electronic Communications Regulations (PECRs)
  • Canada: Canada's Anti-Spam Law (CASL)
  • Australia: Spam Act 2003

These laws impose rules that prohibit unsolicited email marketing and require businesses to allow users to unsubscribe from mailing lists.

Maintaining a mailing list, whether used to send marketing materials, newsletters, or special offers, means collecting, storing, and "controlling" email addresses. Email addresses are personal information, and you must explain, via a Privacy Policy, how you use this data.

It's a good idea, and may also be a legal requirement, to present a link to your Privacy Policy alongside your mailing list signup form.

Here's an example from Central London Orchestra:

Central London Orchestra mailing list subscribe form with Privacy Policy link highlighted

Your users will be more likely to feel comfortable sharing their email addresses with you when they can review your privacy practices if they wish. Even if they never read your Privacy Policy, providing a link to one shows that you're transparent.

What Are the Fines For Not Having a Privacy Policy?

The fines for violating privacy law are increasingly harsh, and failing to have a Privacy Policy is a serious violation of most privacy laws.

Here are some examples of the sorts of fines you can incur for not having a Privacy Policy under some major privacy laws:

  • CalOPPA: Civil penalties of up to $2,500 per consumer, per violation
  • The CCPA:

    • Civil penalties of up to:

      • $7,500 per intentional violation
      • $2,500 per unintentional violation
    • Damages for private claimants of between $100 and $750 per consumer, per incident
  • COPPA: Civil penalties of up to $43,280 per violation
  • The GDPR: Civil penalties of up to €20 million ($22 million) or 4 percent of total worldwide turnover (whichever is greater)
  • PIPEDA: Civil penalties of up to $100,000 CAD (approximately $73,000 USD) per violation

For more information, see our article Fines For Not Having a Privacy Policy.

In sum, a Privacy Policy is required by laws and by third parties to ensure you respect the privacy of your users and have transparent privacy practices.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.