Updated: Jan 31
You also know that it can help solidify your values as a business, but what on earth should be in it?
Well, a lot of stuff.
How do you even get started?
The same way all great things do, with some info and a list.
Can't you just copy and paste the one from Instagram?
Please don’t. It won't fit your business. Unless you also happen to be developing a visual-forward, phone-favored, worldwide-influencer-creating app. If you are, you probably aren't reading this blog.
Where do you start?
Your business doesn't ask for the same information as a doctor’s office, Instagram, or Amazon... but it does need to tell folks what you do with all the data you do use. You can start with a template, but you need to make it relevant to your business and the information you collect.
That’s why a data audit is the crucial first step. You can check out how to do that here.
What to include?
The bare minimum sort of thing. Virginia’s Consumer Data Protection Act says that a “reasonably accessible, clear, and meaningful” policy should say:
What kind of data you collect (the label on the clear bin)
Why you ask for that data (the reason it wasn’t thrown out in the audit), specifically telling them if you use it for targeted advertising or if you sell the data
Which kinds of data you share outside of your business, aka with contractors or software you use
What kinds of contractors or software companies you are sharing that data with, aka your email marketing program, your accountant, your lawyer, your project management tool, your virtual assistant, etc.
How folks can access that data, correct it, delete it, and opt out of the sale of that data
California’s 4 different laws (California Online Privacy Protection Act (CalOPPA), "Shine the Light" law, California Consumer Privacy Act (CCPA), and the "Online Eraser" Law) add a couple of additional things that need to be there:
Describe how you’ll let folks know the policy was updated
State the date the policy ‘kicks in’ and starts being the law of your digital land
State your Do Not Track (DNT) policy
Disclose whether third parties may collect visitors’ personally identifiable information on a business’s website or online service
It can quickly become overwhelming to make sure your policy is up to par, especially when the government adds new requirements most years.
Did you ever read through the iTunes terms that updated every month, or that long-ass book your teacher/prof assigned in class?
I didn't think so.
Handing it to the annoying kid next door and asking for a book report on it is even better. It's also a great way to get them to be quiet for a whole afternoon (but that's just an idea).
I don't play with scare tactics, so I'm going to level with you.
Likely that letter will come with a warning to fix your policy in the next 30 days or face the consequences. It’s not going to put you out of business the second you get it, but those letters are scary, even if you know you are doing everything right, and the last thing any entrepreneur needs is added stress.
**Disclaimer: This is only general information, not legal advice specific to your situation, and does not create a client-attorney relationship between you and Samantha Bradshaw, a Virginia licensed small business lawyer, or InLine Legal, a 100% virtual law firm. If you need legal advice, please contact a lawyer in your area.