Why You Need a Privacy Policy Even if You Don't Collect Personal Data

by Jennifer L. Legal writer.

Even if you don't collect personal data from people who visit your company's website, it's good practice to draft and publish a Privacy Policy anyway.

Creating a Privacy Policy now saves you time, hassle, and stress down the line if you ever decide to start capturing personal data. It also boosts your professional image and gives visitors confidence in your brand.

The good news is that drafting a Privacy Policy is straightforward. You only need a few well-worded clauses to comply with international data protection laws, including the following:

  • California Consumer Privacy Act (CCPA)
  • Australian Privacy Act (APA)
  • General Data Protection Regulation (GDPR)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)

If you're not collecting any personal data or personally identifiable information at all, your Privacy Policy can say exactly that! That's the approach taken by the writers of the "World's Greatest Privacy Policy" over on Ecquire:

Ecquire Privacy Policy intro with 2018 update

We'll look at this Privacy Policy again later, but for now, all that matters is that you draft one and make it easy for website visitors to find, whether there's a link in your footer or a sidebar.

So, what's the big deal around Privacy Policies, anyway? Why should you bother drafting one if you don't collect personal data from anyone?

To help you understand, let's take a look at what a Privacy Policy is.

What is a Privacy Policy?

Think of a Privacy Policy as a type of contract, or agreement, between you and those who visit your website. The Privacy Policy sets out:

  • How you plan on gathering personal data
  • What you'll use the data for
  • How long you'll store someone's personal data
  • Who you intend to share it with
  • What rights the person has over their personal information

In other words, it's a professional document that both you and your visitors can rely on.

It's worth emphasizing that most companies, in some form or another, do handle or collect personal data, even if they receive it indirectly through third parties. So, let's define what personal data is so you can be certain whether you process it or not.

What is Personal Data?

Helpfully, privacy and data protection laws across the world are pretty consistent in how they define "personal data." It's basically any data that could be used to identify a specific individual.

In other words, personal data is any information that makes someone personally identifiable.

The clearest definition of personal data is in Article 4 of the EU's GDPR. The examples of personal information provided aren't exhaustive, but they give you the general idea of what information is "personal."

Personal data, then, includes:

  • Full name
  • Home address
  • IP address
  • Employment details
  • Email address
  • Social Security or Passport Number

It's always best to err on the side of caution. If you're not sure whether data is personal, assume that it is.

When you do draft a Privacy Policy, it's good practice to define "personal data" for your own visitors, even if it's just to say you don't collect it.

Here's an example of a simple personal data definition from Lululemon, in its "Collection of Personal Data" clause:

Lululemon Privacy Policy: Collection of Personal Data clause

So, you've had a look over your website and considered what data you handle. You're still sure that you're only handling anonymized or non-personal data. Why, then, should you draft and publish a Privacy Policy?

There are a few compelling reasons. Let's look at them in turn.

Privacy Policies and Legal Compliance

Having a Privacy Policy, even if it's only a few lines long, shows that you take regulatory compliance requirements seriously. It shows that you care about your website visitors and want to reassure them that their personal information stays private.

And, when it comes to legal compliance, there's also an even more compelling reason to publish a Privacy Policy. Data protection agencies and other legal authorities expect to see one on every website.

In short, if you don't post a Privacy Policy on your website, you invite accusations that you're handling personal data and not declaring it. Such accusations can lead to lengthy disputes and data audits that are easily avoided just by including a short, concise Privacy Policy.

Ask yourself, is it worth opening your company up to legal scrutiny just because you haven't drafted a Privacy Policy and put it online?

Technically, it's not a stretch to say that literally every website should have a Privacy Policy, anyway, because it's the only way to actually comply with privacy laws.

Why? Because it's arguable that, since privacy laws like the GDPR expect you to set out what personal information you collect, you still need to answer this question by saying "none."

Although it sounds a little tedious, this is another way that legal authorities could challenge you if you don't have a Privacy Policy.

Remember, you need a Privacy Policy even if you collect personal data indirectly, or if third parties access personal data through your website. Methods of indirect data collection include:

  • Accessing personal data that's already publicly available
  • Receiving data from third parties such as analytics services
  • Transferring data to third parties including payment processors

When you think about it, there's a very good chance that you receive some personal information about your site visitors, or other individuals, even if it's through third parties.

Take Green Alliance, for example. It declares that it doesn't collect personal data:

Green Alliance Privacy Policy and Cookies: Intro clause about not collecting personal data

However, the company may receive private information about individuals from third parties, such as analytics providers and corporate partners. This is specified in clause 1.2:

Green Alliance Privacy Policy and Cookies: Obtaining personal data indirectly clause

The principle of "better safe than sorry" clearly applies to Privacy Policies. It's better to have one and cover your bases than not draft one at all.

How a Privacy Policy Boosts Your Professional Image

We can't emphasize this enough. A Privacy Policy can directly influence how customers perceive you and your brand. Why? Because we're all so accustomed to seeing Privacy Policies now and reading Cookie Notices that people notice if a Policy isn't there.

If people can't find your Privacy Policy, they'll question how seriously your company takes data protection. This will, most likely, affect whether they do business with you or continue browsing your website.

Think of it this way: If visitors can contact you in any way, whether it's over social media or email, they must provide at least a name and/or contact details. This is personal data.

If people can't see how you protect this data, why should they contact you?

A Privacy Policy of any length instantly makes your company appear more professional and forward-thinking.

A Summary: Why You Should Draft a Privacy Policy Now

Before we consider some quick tips for drafting a Privacy Policy, let's summarize why they're important and why you probably need one more than you think.

  • Privacy Policies are professional
  • Authorities expect to see a privacy document, even if it's short
  • Technically speaking, you're complying with the relevant legislation, even if it seems a little over-cautious
  • There's a good chance you'll need one in the future, so draft it now
  • There's an even greater chance you're already handling personal data in some way, so cover your bases

Tips for Drafting a Privacy Policy

Every legally-compliant Privacy Policy should include a few key clauses. Here's a brief summary of how to draft these clauses if you're not actively capturing personal data.

Introduction

Every Privacy Policy should include a brief introduction explaining what it is and what it applies to.

Here's an example from Disconnect. The introduction specifies that:

  • The Policy came into force in February 2020
  • The company cares about user privacy
  • This is a document laying out how Disconnect collects, uses, and shares personal data

The bullet points and concise statements make this a highly readable and effective introduction:

Disconnect Privacy Policy: Intro and Summary clauses

Even if you're not collecting personal data, you should still set out the effective date and what the Privacy Policy is.

Contact Details

Include some way for individuals to contact you for more information or with concerns.

It should be reiterated that the moment someone can contact you, whether they email, call you, or fill in an online form, you're collecting their personal data! This data must be properly safeguarded.

All you need to do is include an email address and/or telephone number to fulfill the requirement here, like Green Alliance:

Green Alliance Privacy Policy and Cookies: Contact clause

Data Collection

Sure, you're not collecting personal data yet, but as we've stressed before, that's all you need to say to make this Privacy Policy work.

However, if you capture so much as an email address, you need to declare this.

Here's an example from Disconnect. The company is quite clear that it doesn't collect personal information as standard. However, it does gather some data on occasion. This includes, for example, if a customer emails support.

The point is that Disconnect covers its bases and explicitly states that it collects personal data on occasion. It's also transparent about what non-personal data it captures.

This type of clause applies to most companies who only periodically capture personal information, so you should familiarize yourself with it:

Disconnect Privacy Policy: Disconnect never collects your personal info except to communicate with you clause

Purpose of Collection

Specify your reasons for collecting any data that you do capture. This could be, for example, to fulfill a contract, to resolve a legal dispute or to communicate with a customer.

If you fall under the scope of the GDPR, you need to state your legal bases for collecting any data.

If you're not yet capturing personal data, keep this clause vague. Here's how Green Alliance covers reasons that may apply to data collection e.g. where users have consented to giving their personal data, or when it's necessary to complete an order.

The clause is a comprehensive way to cover the company's possible future needs, so there's no need to revise this clause any time soon:

Green Alliance Privacy Policy and Cookies: Lawful Bases clause

Data Use

Set out how you plan on using any personal data you do capture, whether it's to communicate with customers about orders, or simply to respond to individual enquiries.

What's important is that you're specific about how you use data so that people know exactly what's happening to any information shared across your platform.

Look at Ecquire for a great example. This clause is concise, clear, and specific about how Ecquire uses the limited data it captures:

Ecquire Privacy Policy: How data is used clause

Data Sharing

You must specify if you share any personal data, even if it's just an email address, with third parties of any kind. It doesn't matter if you only share data once in a while, either. All sharing with third parties must be declared.

Here's an example from PBworks. The company doesn't share personally identifiable data and makes this very clear:

PBworks Privacy Policy: Summary section with section about sharing personal information highlighted

But, there's an exception: Third party data sharing. PBworks shares personal data with some external service providers when it's necessary e.g. to fulfill a contract or complete a transaction:

PBworks Privacy Policy: Our Information Sharing Practices clause - Service Providers section highlighted

So, if you share data, or receive it from third parties, specify this.

Changes to Your Privacy Policy

State that you can amend your Privacy Policy at any time. If you'll notify users of any updates or changes, let them know how you'll do this. Or, encourage them to review your Policy occasionally to always have the most up-to-date information.

Here's a brief example of such a clause from Disconnect:

Disconnect Privacy Policy: Changes to this Policy clause

Be clear that people can ask you to delete their personal data or modify their consent at any time. Even if you're not collecting personal data right now, it's good practice to just include a short, broadly worded clause so that you don't need to worry about it if you do start capturing private information.

Ecquire explains that visitors can contact the company at any time to modify the data stored on them. Ecquire will also delete relevant data at an individual's request:

Ecquire Privacy Policy: Copy, modify or remove information clause

How to Create a Privacy Policy for Your Website

PrivacyPolicies.com: Privacy Policy Generator - How to Create your Privacy Policy

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

    PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  3. Add information about your business: your website and/or app.

    PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  4. Select the country:

    PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  5. Answer the questions from our wizard relating to what type of information you collect from your users.

    PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.


Where to Put Your Privacy Policy

Privacy Policies, like any legal contract, are only valid if both parties have a chance to view and consent to them. In other words, you should post it somewhere visible on your website.

Because you're not collecting personal data, you're probably not using pop-up boxes such as newsletter sign-up forms, and you won't be capturing data through account registration. So, the best place to put a link is in your website footer, like Ecquire:

Ecquire website footer with Privacy Policy link highlighted

Conclusion

Even if you're not actively collecting personal data, you should still draft and publish a short Privacy Policy making this clear.

A Privacy Policy makes your company website appear more professional and it boosts your brand profile. It's also something that legal authorities expect to see on every website because everyone should take data privacy seriously. Technically, it's also a way to explicitly comply with the law.

Your Privacy Policy should include at least the following clauses:

  • Contact details and an introductory clause
  • Details of what data you do collect, even periodically
  • Information on what data people can choose to supply to you e.g. to contact you
  • What happens to any data you capture
  • Third party data sharing policies
  • How people can revoke consent to data collection

Save yourself hassle in the long run and publish a Privacy Policy now.

Last updated on 17 July 2020
