If you don't have a Privacy Policy in place, it's time to add one. A privacy policy lists out what personally identifiable information you collect from users, what you do with it, and what you've done to protect that data.
There are various laws, set either by countries or by individual states here in the USA, that may or may not individually apply to you, but enough of them overlap that it's not worth the time to figure out which apply and when. For example, CalOPPA is a set of rules adopted by California for any resident of California. Your company does not have to have a presence in California for it to apply to you; you just have to be accessible to someone in California. One of the rules is a "clearly visible and accessible Privacy Policy". The General Data Protection Regulation (GDPR) applies to any business that targets users in the European Union (EU) or European Economic Area (EEA), but "targets" can be quite unclear. For example, offering translations of your website in French could be seen as targeting users in France, even if your intention was a courtesy to locals.
You might think "well I don't collect anything sensitive", but examples of personal information include:
- Names
- Email addresses
- Birthdays
- Billing and shipping addresses
- Phone numbers
Information that would typically be considered public, or public enough, still qualifies as personal information that needs special handling.
Google Analytics
Some websites don't actively collect any information from users. However, if your website uses Google Analytics, then you need to update your Privacy Policy to meet the Google Analytics Terms of Service. Google Analytics uses cookies to track user behavior, so a Privacy Policy is required. Cookie consent is also required unless Google Analytics is configured to anonymize the IP address.
Google AdSense
If you use Google AdSense to display ads, Google says your privacy policy should include the following information:
- Third party vendors, including Google, use cookies to serve ads based on a user's prior visits to your website or other websites.
- Google's use of advertising cookies enables it and its partners to serve ads to your users based on their visit to your sites and/or other sites on the Internet.
- Users may opt out of personalized advertising by visiting Ads Settings.
Facebook tracking pixels collect personally identifiable information about your visitors, so all the same rules apply there.
Conclusions
There's a lot to track here, and every one of these requirements is a moving target. If you don't know how to get started, there are a number of services that generate the main parts of a privacy policy for you. Some are free for the basics but charge you for some nitty-gritty components. If you have no policy at all, you should get one up as soon as possible. It can always be updated and tweaked as needed. If you have one already, review it once in a while to make sure it covers all the bases it needs to (and isn't covering some that are no longer needed).