So you’re thinking about developing a product, or starting a business, or maybe you already have clients. One question you should ask: should you have a privacy policy?

To answer this question, it’s helpful to lay out a couple of definitions. First, a privacy policy is a legal statement that tells the user how a company uses, processes, and shares personal data that it gathers from customers. People want to know that the information they provide by using your product or your website is going to be processed correctly and, once stored, that it will be protected. Second, personal information can be anything that can be used to identify an individual, including a first and last name, a home or other physical address, an e-mail address, or any other identifier that permits the physical or online contacting of a specific individual.

Thus, if you are handling any personal information, you should consider adopting a privacy policy for your business. Additionally, if your products or services affect personal information belonging to European Union (E.U.) individuals, you should also make sure that your privacy policy complies with recent changes to E.U. law.


Why You Should Have A Privacy Policy

A privacy policy is important for a number of reasons.

First, it helps ensure that your business complies with federal and state privacy laws and regulations. U.S. privacy law consists of various sectoral rules imposing obligations and standards on companies, based on the type of data they handle and the scope of their business. If your business handles personal health information, for example, you should make sure that you are processing information in compliance with the Health Insurance Portability and Accountability Act (HIPAA). The same holds true for many other types of sensitive information, such as financial data or information relating to children.

Additionally, a privacy policy is very valuable from a business standpoint. Consumers try to avoid businesses and products they do not trust, and trust is one of the fundamental elements of today’s market. You want your customers to trust you, and to know that they can disclose information to you because you will treat it with the appropriate amount of care and in compliance with current regulations.

Adopting a privacy policy also helps to ensure compliance with state law requirements. The California Online Privacy Protection Act (CalOPPA), for instance, requires any operator of a commercial website or online service that collects personally identifiable information about California residents to conspicuously post its privacy policy and comply with its policy's terms. As a result, if you operate an online service and collect any personal information about California residents, you need not only to post a privacy policy and make sure that it is clearly visible (such as by posting it on the homepage or the first significant page a visitor reaches on the company's website), but you also need to make sure that the policy includes all the information required by CalOPPA, such as a description of the process for notifying users and visitors of material changes to the policy, and a disclosure as to whether other parties may collect information about an individual consumer's online activities over time and across different websites when a consumer uses your website or online service.

Moreover, if you conduct business outside the U.S., you might need a privacy policy to avoid potentially disastrous sanctions. To get a sense of the potential consequences, the new changes to the General Data Protection Regulation (GDPR) in Europe (which goes into effect May 2018) provide that businesses can be subject to fines of up to €10,000,000 or two percent of the company's total annual turnover, or of up to €20,000,000 or four percent of the company's annual turnover, whichever amount is higher in either case.


The New E.U. Requirements

This leads us to the most recent changes on privacy in the E.U. The system of protections afforded by the new E.U. GDPR establishes stricter requirements for businesses handling personal information of individuals in the E.U. The Regulation will codify the right to be forgotten set forth by the CJEU in the 2014 Costeja case, and it aims to reinforce the system of protections regarding the processing and free movement of personal data.

First, the GDPR will impose many substantial restrictions on data processing. Article 6 establishes the grounds for processing data, and generally provides that companies cannot process personal data unless they obtain consent from the individual, or unless processing such data is necessary for legitimate or vital purposes as delineated in the Regulation. Article 7 then sets the conditions for consent to data processing, and it requires consent given in a written declaration to be clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Further, under Article 9, it is expressly prohibited to process special categories of personal data (sensitive data such as that revealing race or ethnicity, religion or beliefs, or relating to genetics, health, or sex life) unless specific and stringent exceptions apply.

After data has been processed, the Regulation provides individuals with additional rights. Article 15 creates a right of access for the data subject, made more effective by the right to data portability, which imposes a duty on businesses to keep data in a format that is readily accessible to data subjects, and Article 16 affords individuals a right to rectification. Individuals can request correction of inaccuracies in personal data concerning them, and they may also request the completion of incomplete personal data.

These provisions are indicia of how privacy in the E.U. is seen as a general affirmative right to control personal information, rather than merely as a shield to wield occasionally against companies dealing with particularly sensitive data in specific sectors, as in the U.S. The notion of the right to protection of personal data as control over information about oneself has far-reaching implications and may be interpreted broadly by E.U. courts. As a result, your business should interpret data protection rules expansively, from the point of view of E.U. individuals, in order to avoid liability.

In light of these considerations, if you are collecting information about E.U. individuals, you need to make sure that you have a sound privacy policy that complies with the new requirements. Free tools available online for creating a privacy policy might be a helpful first step toward seeing what the final document could look like, but you should reach out to a professional to make sure your business is equipped with a privacy policy that complies with the incoming changes and all current legal requirements.