Determining the Cost of a Privacy Policy

A thorough Privacy Policy specifically designed for your website is one of the most important investments you can and must make. What should you expect to pay for a Privacy Policy that will meet your legal obligations for handling visitor data and limit your legal liabilities?

Costs can vary greatly depending on the nature of your business, the demographics of users, and the laws governing the private information you collect.

This article will address a few important legal considerations when creating your Privacy Policy and help provide some guidance on potential costs.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Add information about your business: your website and/or app.
  4. Select the country.
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    And you're done! Now you can copy or link to your hosted Privacy Policy.

A One-Size Privacy Policy Does Not Fit All

It might be tempting to try to borrow another company's Privacy Policy for your own site. Let's face it - researching state, federal and global privacy laws and drafting Privacy Policy language to comply with them probably isn't your favorite thing to do. Unless you're a lawyer, it's certainly not your area of expertise.

However, having a properly constructed and legally-effective Privacy Policy on your website is not only important for limiting your legal liability, but it's also required by law.

Failure to fully and accurately disclose your policies and procedures for handling private user data could lead to steep fines and in some jurisdictions, criminal enforcement.

Investing now in a bulletproof Privacy Policy is like buying insurance for your business. The investment will pay off each and every time a customer or guest visits your website.

However, the estimated costs to create a Privacy Policy are all over the map. A corporate attorney might charge up to $1,000 or more to create a custom Privacy Policy for you, and take several days or even weeks after your initial meeting to produce a final draft.

Some online sources promise free Privacy Policies but beware of this because some free resources cut corners and may not give you a fully compliant end result.

Other sources can produce a Privacy Policy starting at around $100 and up, depending on the structure of your business, geographic location of your visitors, third party relationships and whether or not you manage a separate mobile app.

Why Such a Big Price Difference for Privacy Policies?

First and foremost, it's important to understand there is no such thing as a "standard" Privacy Policy. Let's look at some key reasons why this is true.

Unique Business Practices

Your business is unique. There might be a dozen or a hundred other businesses in your space, but no other business is exactly like yours. Your products, sales processes, customer service protocols and even your website architecture are unique to you. Because privacy laws touch on all of those individual components - and then some - you can't copy-and-paste another website's Privacy Policy.

Let's compare two popular and similar US businesses: Target and Walmart. Both are brick and mortar retailers with national websites serving a US audience.

However, their Privacy Policies are different.

Target's Privacy Policy includes 10 sections:

Target Privacy Policy table of contents

Walmart's Privacy Policy includes 18 sections:

Walmart Privacy Policy table of contents

Both Target and Walmart have clauses pertaining to California privacy laws, protection of children, and information sharing with third parties. They also include clauses for company contacts and consumer rights to control the information they collect and share. However, Walmart includes additional clauses for policy changes.

Regardless of the specific reasons for the differences in these two companies' approaches to their Privacy Policies, the basic reason is that no two businesses are the same.

This is why there is simply no such thing as a "standard" Privacy Policy.

Your Unique Customers

Not only is each business unique, but your site visitors are also unique.

Where your website visitors live is crucial to the design of your Privacy Policy.

If you have customers in California, your website must adhere to California privacy laws like CalOPPA and the CCPA. If you have website visitors who live in Europe, you are subject to EU privacy laws like the GDPR.

Does your website attract minors? If yes, then you need to implement special privacy protections for minors and make additional privacy disclosures in your Privacy Policy.

Because eBay serves a global customer base through its website and mobile app, its Privacy Policy was written to account for customers living in essentially all parts of the world, and includes a clause specifically addressing "Global Privacy Standards."

eBay User Privacy Notice: Global Privacy Standards clause

In this clause, eBay simply and succinctly communicates its policy to standardize its privacy procedures in compliance with the EU's directive on privacy, widely considered the strictest in the world.

Cost of Privacy Policy in EU - GDPR

If your website attracts visitors from the EU, your privacy procedures and your Privacy Policy must comply with the EU's General Data Protection Regulation (GDPR).

The GDPR requires very specific procedures for handling private consumer information. It also requires specific methods for advising consumers of the data being collected about them, and how that data is handled.

The burden is on the website owner-operator to clearly and plainly address all requirements of the GDPR in a conspicuously-posted Privacy Policy easily accessible to website visitors.

The GDPR also imposes requirements for how your Privacy Policy must be written and posted. It must be easy to find, concise, easy to understand, and written in language your typical website visitor will understand, especially if you attract minors under the age of 16.

Your website visitors also must be able to request a copy of your Privacy Policy and/or their data at no charge.

EU privacy law also requires a separate Cookies Policy for websites using cookies to collect personal consumer data.

Because eBay serves customers in the EU, it posts both a Privacy Policy and a Cookies Policy in its footer.

eBay website footer showing agreement links

You will recall from the examples above that Target and Walmart do not post a Cookies Policy. This is because those websites do not serve EU residents.

The EU's GDPR includes a number of other requirements you'll need to become familiar with if it applies to you.

Additionally, if your website attracts visitors from California, you also need to comply with California's Online Privacy Protection Act (CalOPPA).

Cost of Privacy Policy in California

Both Target and Walmart provide separate links specifically addressing CalOPPA.

Target website footer-links

While Target abbreviates California to "CA," Walmart writes out the state's full name in its link. While this makes it more clear for users, it's not required and either way will be successful.

Walmart website footer links

Like the EU's GDPR, CalOPPA is considered to be the most stringent set of privacy guidelines in the US.

The state of California enacted the CalOPPA to ensure that website owners would protect the personally identifiable information being collected from California residents.

The act requires websites to post an easy-to-find and easy-to-understand Privacy Policy on the website, and to write the policy in language the typical website visitor can understand. The act also gives special rules for websites attracting minors.

If your website attracts California residents, you must create a Privacy Policy that includes clauses specific to CalOPPA, and post the policy on your website in accordance with the act's requirements.

Here is how Target discloses its policies pertaining to CalOPPA:

Target Privacy Policy: California Residents clause

It's rather generic, but still meets the legal obligations.

Walmart's is slightly more specific:

Walmart Privacy Policy: What are your California Privacy Rights clause

Again, the differences between the Target and the Walmart approach likely have to do with differences in legal experience or internal privacy procedures, and act as a reminder of the importance of creating a custom Privacy Policy.

Unique Third Parties

The combination of third-party technology partners you use is unique.

Nearly every website utilizes powerful third-party tools to attract, engage, convert and retain a growing list of loyal customers.

In order for those third parties to function, they collect visitor data from and through your site, and might even transfer that data to their own third parties to perform various functions. Google Analytics, AdWords, AdSense, social platforms, blog comment forums, email clients and payment processors are examples.

Mailchimp, for example, requires its customers to agree to certain procedures for meeting privacy regulations, including compliance with EU Data Privacy Policy, specifically, and "all applicable laws," generally.

Mailchimp Standard Terms of Use: Compliance with Laws clause

If there is even one third-party service collecting data through your site, you must disclose this in your Privacy Policy and meet legal obligations to protect your customer data from possible misuse. Make sure to check third-party Terms and Conditions of Use to see what your specific obligations are when using the services.

Mobile App or Not?

Do you have a mobile app?

Additional privacy laws apply to content your users might generate in a mobile app, as well as to your handling of in-app payments. If you have a mobile app, your legal obligations are broader than if you have a website alone.

The app platform(s) you use also will impose their unique rules for how you handle private customer data.

It's logical to expect to pay a little more for a Privacy Policy that covers both a website and a mobile app. This is because you will need to display your Privacy Policy on your website and in your mobile app, and the policy must address all of the ways customer data is collected, managed and shared across your website and mobile app.

Apple's App Store Review Guidelines for app developers state:

All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner.

Google's Developer Distribution Agreement has Privacy Policy requirements for Android developers:

"You agree that if You make Your Products available through Google Play, You will protect the privacy and legal rights of users. If the users provide You with, or Your Product accesses or uses, usernames, passwords, or other login information or personal information, You agree to make the users aware that the information will be available to Your Product, and You agree to provide legally adequate privacy notice and protection for those users."

A Privacy Policy Is Important

The various privacy laws around the world practically guarantee that regardless of your online business, you will need a custom Privacy Policy to protect your customers and limit your liability.

Whether you operate a blog, ecommerce site, mobile app or any other online service, a comprehensive and custom Privacy Policy is your best safeguard against privacy-related litigation. While the cost of creating one can vary greatly depending on how you create it and the nature of your business, it's always going to be well worth the investment. Not only will it help you avoid legal fines, but it will help with customer acquisition and retention.