Is Your Website’s Privacy Policy Putting You at Risk?


This article was provided by Thank you for supporting the partners who make SitePoint possible.
Did you know that you’re legally accountable for the statements made in your website’s privacy policy? Have you read and understood each provision in your privacy policy? Do you know what your responsibilities are? In this article, I’ll present five mistakes with privacy policies that could put you at risk of fines or lawsuits. I’ll also discuss why it’s important to have a privacy policy, and some concluding thoughts on how to avoid legal problems.

Words and Actions That Can Put You at Risk

Here are five things website owners need to watch out for when drafting and managing privacy policies.
  1. Guaranteeing That Visitors’ Personal Information Will Be Safe

    Many website owners tell visitors that their personal information will remain safe and secure by using a provision in their privacy policy similar to this one:
    Our website uses secure data collection, processing and storage procedures and other security methods to protect against unauthorized access, disclosure, change or destruction of your personal information, password, username, transaction information and data stored on our website and servers. Your personal information is safe and secure with us.
    Should your visitors’ and customers’ personal information be made public because your website gets hacked, or because the information becomes publicly disclosed by other means, the fact that you used a provision similar to the one above could—in the United States—get you sued by the Federal Trade Commission (FTC) for violating Section 5 of the FTC Act, which prohibits unfair and deceptive practices in commerce. (Similar rules apply in other countries, as I’ll discuss below.) The trouble doesn’t end there. Visitors and customers could also file a lawsuit against you because their personal information was disclosed after you had guaranteed its safety in your privacy policy. Under the law, you must take reasonable steps to protect important information and keep it secure. At a minimum, you must obey the privacy guarantees you make to your visitors and customers in your privacy policy.
  2. Making Exaggerated Statements in Your Website’s Privacy Policy

    The FTC has also taken legal action against companies that have made exaggerated statements in their websites’ privacy policies—statements that can’t be verified. Always make sure you can keep any promises made in your policy.
  3. Promising to Not Share or Sell Your Email Address and Personal Information

    “We will not share or sell your email address and personal information.” This is a common statement you’ll find in most privacy policies, because it’s a reasonable promise that makes visitors and customers feel comfortable giving you their email addresses and personal information. Website owners like this, of course, because it helps them grow their email lists, which can be one of their most important assets. But what if you sell your company? Unless you stipulate in your privacy policy that your visitors’ and customers’ personal information and email addresses will be included as part of the sale, you cannot include them with the sale without first getting your visitors’ and customers’ consent. If you don’t get their consent first, you’re violating your own privacy policy, which could get you into legal trouble with the FTC, your visitors and your customers. You could send notice to your entire database asking for permission to sell or transfer their information to the new owners. However, you may not get a positive response to such a request.
  4. Letting Your Guard Down After Your Company Files for Bankruptcy

    Your users’ privacy doesn’t go out the window just because your company goes out of business. Few business owners consider the privacy obligations that still apply if their companies go bankrupt. For a company that thrives on information, a database of customers’ emails and personal information is a valuable asset that can easily be sold. Many business owners think that once their company files for bankruptcy, their customers’ information can be auctioned off to the highest bidder. Not true. Unless stipulated in the company’s privacy policy, or unless notice was given to customers giving them the option to delete their information before the information is sold, doing so violates the FTC Act and subjects the owner to legal action. Again, you could send notice to visitors and customers asking for permission to sell their information, but most people value their personal information and will say no. In any event, at this point, the FTC prefers that you simply destroy your customers’ information.
  5. Changing Information in Your Privacy Policy

    Changing a website privacy policy is a common practice. However, it’s often done without considering the legal obligations. Many privacy policies include a provision like this:
    We reserve the right to change our privacy policy at any time. We encourage you to review our privacy policy when you visit our website. We will post revisions to this policy on our website’s home page or in another obvious position, and the revision shall be effective immediately on such posting. You agree to review our privacy policy posted on our website periodically to be aware of any revisions.
    A website owner might make significant changes to the website’s privacy policy, assuming that—because of the above provision—the change will affect all past visitors and customers. Well, it’s a convenient assumption, but the law doesn’t work that way. Your privacy policy is an agreement with your visitors and customers, and you’re required to comply with it. If you want to make changes in the way you use visitors’ and customers’ personal information, and you want those changes to apply to past visitors and customers, you need to notify them first. You’ll need to contact them by email or a physical mail delivery service, and tell them of the changes to your privacy policy—thereby giving them the chance to accept or opt out of the changes. Think about the notifications you get from companies explaining the changes to their privacy policies or terms and conditions. They notify you because they’re legally required to do so if they want the changes to apply to past customers. For the most part, the same (but not all) privacy laws and legal requirements apply to you when you operate your website or blog.

Other Things to Consider When Developing Your Privacy Policy

Google Requires You to Have Specific Provisions in Your Privacy Policy

Google and other major online companies require that you have specific disclosures in your privacy policy to comply with their terms of service. If you’re using Google Analytics, AdSense and certain AdWords advertising features on or for your website, you’re required to have specific disclosures in your privacy policy explaining the use of these services. Otherwise, you’ll be violating their terms of service. Here’s a privacy provision that’s required if you’re using Google Analytics:
You will have and abide by an appropriate Privacy Policy and will comply with all applicable laws, policies, and regulations relating to the collection of information from Visitors. You must post a Privacy Policy that includes providing notice of your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data. You will use commercially reasonable efforts to ensure that a Visitor is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the Visitor’s device where such activity occurs in connection with the Service and where providing such information and obtaining such consent is required by law.
The above requirement is for Analytics only. Google has additional privacy requirements for its AdSense and AdWords programs.

Global Privacy Laws

Since websites are reachable worldwide, you’re obligated to comply with the privacy laws of the countries where your website is accessible to visitors and customers, even if you don’t live or do business there. As an example: if you do business in the United States, you’re required to comply with the privacy laws of the United Kingdom, European Union, Australia, Canada and other countries that have privacy laws if visitors and customers in those countries can access and use your website.

Mobile Apps

The privacy laws that affect website owners also affect mobile app sellers. In the United States, the FTC and the state of California are paying special attention to mobile app sellers, because of the capabilities of some mobile apps to gather data without the knowledge of the app user. The FTC has also commented that many of the mobile app privacy policies are in hard-to-find areas of the mobile app and the app developer’s website. Both the FTC and the state of California have filed suit against numerous app sellers for privacy violations.

Posting Your Privacy Policy: The “Clear and Conspicuous” Requirement

Your privacy policy is required by law to be posted on your website in a “clear and conspicuous” place that’s obvious to your visitors and customers. Ideally, this is on your navigation bar, so that it shows throughout all pages on your site and above the fold of the page. (Avoid putting the link to your privacy policy in the footer of your page.) Also, the link to your privacy policy should be displayed at a size at least as large as the surrounding text and links—though, preferably, it should be larger and in a contrasting color.

Some Final Thoughts on Avoiding Legal Problems

I’ll conclude this article with the following pointers.

Read Your Privacy Policy

You’re posting an important document on your website; you should understand what it says. Are there any promises or guarantees that you might not be able to comply with? If so, don’t leave these in your privacy policy unless it’s a legal requirement. If you’re unsure or confused, get some good legal advice.

Don’t Use Free Privacy Policies

In our review of free privacy policies being offered on the Internet, we found that not one was in compliance with laws governing website privacy policies. Many contained provisions that could get you into legal trouble. An attorney-drafted website privacy policy is inexpensive insurance when running an online business. Buy one; it’s worth it. provides an attorney-drafted privacy policy to comply with the new laws and regulations.

Choose Your Attorney Carefully

Generally speaking, the average attorney has little experience with Internet law and privacy requirements. Make sure you have a privacy policy that was drafted by an experienced Internet attorney.

Frequently Asked Questions (FAQs) about Website Privacy Policies

What are the legal requirements for a website privacy policy?

The legal requirements for a website privacy policy vary depending on the country and the specific laws in place. However, generally, a privacy policy should clearly state what personal data is collected from users, how it is used, and how it is protected. It should also provide information about users’ rights regarding their data, such as the right to access, correct, or delete their data. In some jurisdictions, websites are also required to disclose any third parties with whom they share user data.

How often should I update my website’s privacy policy?

It’s recommended to review and update your website’s privacy policy at least once a year. However, you should also update it whenever there are significant changes to your data collection practices, your use of user data, or relevant privacy laws.

What are the consequences of not having a privacy policy on my website?

Not having a privacy policy on your website can have serious legal consequences. You could face fines or lawsuits, especially if you collect personal data from users. Additionally, it can harm your reputation and trust with users, as many people are concerned about their online privacy and prefer to use websites that clearly state how they handle personal data.

What information should I include in my website’s privacy policy?

Your website’s privacy policy should include information about what personal data you collect from users, how you use this data, how you protect it, and any third parties with whom you share it. It should also provide information about users’ rights regarding their data, such as the right to access, correct, or delete their data.

Can I use a template for my website’s privacy policy?

While you can use a template as a starting point for your website’s privacy policy, it’s important to customize it to accurately reflect your website’s data collection practices and use of user data. Using a generic template without customization can lead to a privacy policy that is not compliant with privacy laws and does not accurately inform users about how their data is handled.

How can I make my website’s privacy policy more user-friendly?

To make your website’s privacy policy more user-friendly, use clear and simple language, avoid legal jargon, and organize the information in a logical and easy-to-follow manner. You can also use headings and subheadings to make it easier for users to find the information they’re looking for.

Do I need to have a separate privacy policy for different regions or countries?

Depending on your website’s audience and the specific privacy laws in different regions or countries, you may need to have separate privacy policies. For example, the European Union’s General Data Protection Regulation (GDPR) has specific requirements that may not apply to users in other countries.

How can I ensure that my website’s privacy policy is compliant with privacy laws?

To ensure that your website’s privacy policy is compliant with privacy laws, it’s recommended to consult with a legal professional who is knowledgeable about privacy laws in the jurisdictions where your website operates. You can also use online resources and tools that provide guidance on privacy law compliance.

What is the difference between a privacy policy and a terms of service agreement?

A privacy policy explains what personal data a website collects from users, how it uses this data, and how it protects it. A terms of service agreement, on the other hand, outlines the rules and guidelines for using a website, including user responsibilities and disclaimers.

How can I make sure users are aware of my website’s privacy policy?

You can make users aware of your website’s privacy policy by placing a link to it in a prominent location on your website, such as the footer. You can also require users to acknowledge that they have read and agree to the privacy policy when they sign up for an account or submit personal information.

James Chiodo

Jim Chiodo is the owner of, a Minneapolis-based company that provides attorney-drafted website protection and compliance documents for website, blog and mobile app owners worldwide. These documents include, but are not limited to, privacy policies, terms and conditions, advertising agreements, legally required disclosures and specific industry-related disclaimers.
