Why You Need a Privacy Policy on your Website

A website privacy policy is a legally binding statement that says how your site will collect and use your visitors’ personal data. It tells users which specific personal data is collected and whether it will remain confidential, be shared with affiliates, or be sold to other companies. Another purpose of a privacy policy is to tell users what rights they have and how to exercise them.

Let’s look at this in detail.

What Should My Website's Privacy Policy Contain?

The term “privacy policy” is frequently used interchangeably with others like “privacy notice,” “privacy policy statement,” and “privacy agreement,” and your privacy policy should be customized to your platform. It should consider your location and business type. At the very least, your business’s website privacy policy should include the following:

  • The identity of the website owner/operator;
  • Details about the type of user data your company collects;
  • How and why you use the data you collect;
  • The ways that you maintain the accuracy and relevance of user data;
  • The legal basis for data collection;
  • Details on whether and how you share user data, and with whom, including parent companies and subsidiaries;
  • Any legal obligations to disclose user data;
  • Any third parties that may have access to the data;
  • Info on international transfers (if applicable), such as safeguards to ensure safe and legal data transfer; 
  • User rights and a description of the notification process for users and visitors when the privacy policy is updated; and
  • The email addresses for marketing and customer service.

What Types of Data Are Typically Collected?

A standard privacy policy describes how the business’s website handles users’ personal details, which can mean anything that identifies a specific person, including:

  • Name and address;
  • Phone numbers and email address;
  • Date of birth;
  • Marital status;
  • Financial and credit information;
  • Medical history;
  • Travel locations; and
  • Propensity to purchase certain goods and services.

What Does New York Law Say About Website Privacy Policies?

The New York Office of the Attorney General has published guidance for website privacy controls. And while New York doesn’t have a comprehensive privacy law, businesses’ privacy-related practices and statements may be subject to state consumer protection law. These laws prohibit businesses from engaging in deceptive acts and practices. The AG says that “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”

The AG specifically states that representations about privacy controls must be accurate and not misleading, and businesses in the state should be sure that their privacy controls work properly and as described. It also warns against implying that visitors can opt into the use of cookies and similar technologies if that’s not true. As an example, the Attorney General said that banners with “Accept Cookies” or “Accept All” buttons, accompanied by text stating that clicking the button means “you agree” to the use of cookies, may give the impression that cookies will be used only if the consumer clicks the button. The Attorney General explained that, in its view, that language could be misleading if cookies are deployed regardless of whether the user clicks the button, for instance as soon as they land on the website.
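The failure mode the AG describes (tracking cookies set on page load while the banner says clicking “Accept” is what consents) can be checked in code. The following is an added example, not from the article or the law firm: a consent gate that drops non-essential cookies until an explicit accept, plus a check that reports any non-essential cookies present before consent. It uses an in-memory cookie jar so it runs outside a browser; the cookie names and the list of strictly necessary cookies are assumptions.

```javascript
// Added example: consent-gated cookie setting, modelling the NY AG point that
// a banner promising "cookies only if you click Accept" must actually hold.
// In a real page the jar would be document.cookie; here it is an in-memory Map.

// Assumption: these are the site's strictly necessary cookies (no consent needed).
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token"]);

function createConsentGate(jar = new Map()) {
  let consent = "pending"; // "pending" | "accepted" | "declined"

  return {
    accept() { consent = "accepted"; },
    decline() { consent = "declined"; },
    // Essential cookies may be set at any time; anything else is dropped
    // (not queued) unless the visitor has explicitly accepted.
    setCookie(name, value) {
      if (!STRICTLY_NECESSARY.has(name) && consent !== "accepted") return false;
      jar.set(name, value);
      return true;
    },
    cookies: () => Array.from(jar.keys()),
    // Defender check: non-essential cookies present while consent is not "accepted"
    // mean the banner's promise is false.
    nonEssentialWithoutConsent() {
      if (consent === "accepted") return [];
      return Array.from(jar.keys()).filter((n) => !STRICTLY_NECESSARY.has(n));
    },
  };
}

// Misleading pattern from the guidance: an analytics tag fires on load, before any click.
function misleadingBanner() {
  const jar = new Map();
  jar.set("_ga", "GA1.2.constructed"); // constructed value, set outside the gate
  return createConsentGate(jar).nonEssentialWithoutConsent(); // ["_ga"]
}

// Behaviour that matches the banner text: analytics cookie lands only after "Accept",
// and a decline keeps it out.
function compliantBanner(visitorAccepts) {
  const gate = createConsentGate();
  gate.setCookie("session_id", "constructed-session"); // allowed: strictly necessary
  const beforeClick = gate.setCookie("_ga", "GA1.2.constructed"); // false, dropped
  if (visitorAccepts) gate.accept(); else gate.decline();
  const afterClick = gate.setCookie("_ga", "GA1.2.constructed");
  return { beforeClick, afterClick, cookies: gate.cookies() };
}
```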

The Attorney General also asks New York companies to ensure their websites’ user interface isn’t misleading and noted that a website with intuitive controls is less apt to run afoul of New York’s consumer protection laws. Plus, the Attorney General provided a list of “mistakes to avoid” when deploying tags and other similar technologies. The AG also has a “Dos and Don’ts” section for effective disclosures and actions that companies may take to identify and prevent problems with these technologies. 

Finally, the Attorney General also encouraged companies to use plain, clear language, label buttons clearly, make interfaces accessible, and give equivalent options equal weights (like making “Accept” and “Decline” buttons the same size and color). Plus, they asked companies to avoid using large blocks of text consumers won’t read, ambiguous buttons, complicated language, and confusing interfaces.

My Business Solicits Clients from California… What’s Their Privacy Law? 

The California Consumer Privacy Act of 2018 provides California consumers with the right to access, delete, and opt out of the sale of their personal information. Businesses must maintain a privacy policy detailing those rights and the business’s privacy practices.

The CCPA established six rights for consumers:

  1. The right to know (and request disclosure of) personal information that’s been collected by the business about the consumer, from whom it was collected, the reason for collecting it, and, if sold, to whom;
  2. The right to delete personal information collected from the consumer;
  3. The right to opt out of the sale of personal information (if applicable);
  4. The right to opt in to the sale of personal information of consumers under the age of 16 (if applicable);
  5. The right to nondiscriminatory treatment for exercising any rights; and
  6. The right to bring a private cause of action for data breaches.

In addition, the California Privacy Rights Act (CPRA) created two more rights:

  1. The right to correct inaccurate personal information; and
  2. The right to limit use and disclosure of sensitive personal information.

A consumer is defined as a natural person who is a California resident as defined in the state’s tax regulations; the CCPA defines “personal information” as information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

What About the GDPR for Soliciting Clients from Europe?

The General Data Protection Regulation (GDPR) is a legal structure that provides guidelines for the collection and processing of personal information from people in and outside of the European Union (EU).

In effect since 2018, this framework is the strictest security and privacy law in the world. It’s designed to give consumers a say over their own personal data by holding companies responsible for the way they use this information.

Note that these regulations apply no matter where a website is located. As such, its scope includes any website that is accessed by European visitors, even if it doesn’t specifically market goods or services to EU residents. The GDPR aims to prevent companies from misleading consumers with confusing or unclear language when they visit their websites. In addition, the GDPR makes sure that:

  • Website visitors are notified of the data collected;
  • Visitors explicitly consent to information-gathering by proactively clicking on a button or some other action;
  • Websites timely notify visitors in the event that their personal data held by the site is breached;
  • There is an assessment of the site's data security;
  • A determination is made as to whether a dedicated data protection officer (DPO) must be hired, or whether an existing staffer can carry out this role.

These requirements are much tougher than those of New York and other states in the U.S. where the site is located.

Takeaway

A privacy policy for your website is essential for clarity on data handling practices, providing visitors with an understanding of what information is collected, and how it’s used. Complying with state laws and regulations will help you avoid penalties and litigation. It can also help build trust with your potential clients.

LOVE LAW FIRM can help you draft your business website’s privacy policy and assist you with any issues that arise in operating your business.


Francine E. Love is the Founder & Managing Attorney at LOVE LAW FIRM PLLC which dedicates its practice to serving entrepreneurs, start-ups and small businesses. The opinions expressed are those of the author. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

© 2025 LOVE LAW FIRM PLLC All rights reserved
