Samantha Bradshaw
Make your website's privacy policy legal everywhere
Updated: Jan 31, 2022
So, you know you need a privacy policy for your business?
You also know that it can help solidify your values as a business, but what on earth should be in it?
Well, a lot of stuff.

How do you even get started?
The same way all great things do, with some info and a list
Can't you just copy and paste the one from Instagram?
Please don’t. It won't fit your business. Unless you also happen to be developing a visual forward, phone favored, worldwide influencer creating an app. If you are, you probably aren't reading this blog.
Where do you start?
Your business doesn't ask for the same information as a doctor’s office, Instagram, or Amazon....but it does need to tell folks about what you do with all the data you do use. You can start with a template, but need to make it relevant to your business and the information you collect.
That’s why a data audit is the crucial first step. You can check out how to do that here.
What to include?
A good privacy policy does all the things the law requires of it.
The bare minimum sort of thing. Virginia’s CONSUMER DATA PROTECTION ACT, says that a “reasonably accessible, clear, and meaningful” policy should say
What kind of data you collect (the label on the clear bin)
Why you ask for that data (the reason it wasn’t thrown out in the audit), specifically telling them if you use it for targeted advertising or if you sell the data
Which kinds of data you share outside of your business aka with contractors or software you use.
What kinds of contractors or software companies you are sharing that data with aka your email marketing program, your accountant, your lawyer, your project management tool, your virtual assistant, etc.
How folks can access that data, correct it, delete it, opt-out of the sale of that data.
Europe adds that you have to explain how you protect the information with the GDPR. It’s basically the privacy policy version of demanding a receipt to be reimbursed. They want to know the details of what you’re doing, not just that you slapped something up on a website.
California’s 4 different laws (California Online Privacy Protection Act (CalOPPA), "Shine the Light" law, California Consumer Privacy Act (CCPA), and the "Online Eraser" Law) add a couple of additional things that need to be there:
Describe how you’ll let folks know the policy was updated,
The date and the policy ‘kicks in’ and starts being the law of your digital land,
states your Do Not Track (DNT) policy,
Disclose whether third parties may collect visitors’ personally identifiable information on a business’s website or online service.
It can quickly become overwhelming to make sure your policy is up to par, especially when the government adds new requirements for most years.
A great privacy policy does that in a way that makes sense to that middle school-aged kid next door.
Have you ever heard the phrase ‘I didn’t have time to write you a short letter, so I wrote you a long one? Well, apart from having its origin hundreds of years ago in France, this phrase says exactly what a privacy policy would ideally do.
Let’s be honest, even if you have the best privacy policy, if it's 40 pages long, no one is going to read it. They likely won’t even be able to find what information they need when they try.
Did you ever read through the terms of iTunes that updated every month or that long-ass book your teacher/prof assigned in class?

I didn't think so.
So taking the time to make sure your privacy policy doesn’t have the information it doesn't need is crucial. Being concise is going to make it shorter. Using headlines to organize it and make things easy to find is great.
Handing it to the annoying kid next door and asking for a book report on it is even better. It's also a great way to get them to be quiet for a whole afternoon (but that's just an idea).
You can't control who visits your website, so make sure everyone can understand your privacy policy. That includes the annoying kid next door.
An epic privacy policy does all of that in a way that 100% matches the processes and software you use in your business.
And that means it should be evaluated every time you make a major change in your business or at least once a year. That data audit is the best tool you have in seeing what changed so your lawyer can make sure your privacy policy has you covered.
If you don't have every single part in your privacy policy that you need, when something goes wrong, you'll get a nasty letter from the government or some other lawyer.
I don't play with scare tactics, so I'm going to level with you.
Likely that letter will come with a warning to fix your policy in the next 30 days or face the consequences. It’s not going to put you out of business the second you get it but those letters are scary. Even if you know you are doing everything right and the last thing any entrepreneur needs is added stress.
Making sure that you have a 100% custom policy will not only prevent any scary letters from the government from coming in the mail in the first place. It also means that when you take the extra steps and disclose if you use cookies, how your website works with affiliated websites or orgs, that their privacy policies control what happens in their systems, etc., you are being transparent with your customers. That will go a long way in building trust.
If you want a short (7 pages max), a comprehensive privacy policy that will give you that baseline protection and set clear expectations for your website visitors, you can check out this lawyer-drafted, Virginia specific one over at the Shop for 1/10th of what it would cost to have a lawyer write one just for you.
**Disclaimer: This is only general information, not legal advice specific to your situation, and does not create a client-attorney relationship between you and Samantha Bradshaw, a Virginia licensed small business lawyer, or InLine Legal, a 100% virtual law firm. If you need legal advice, please contact a lawyer in your area.