
Why websites that get leads need to have a Privacy Policy

While a beautiful website is nice, most business owners know that the real purpose of a business website is to get leads. Leads are individuals who contact you through your website because they are interested in what you have to offer, and closing those leads into paying customers is how you grow your business. One aspect of getting leads through your website, though, is that you are collecting Personally Identifiable Information (PII). PII is protected by multiple privacy laws that can impose certain compliance requirements on your business, such as the requirement to have a Privacy Policy. As privacy law non-compliance can lead to heavy fines and even lawsuits, this is not something that should be overlooked. In this article, we will break down why websites that get leads need to follow the requirements of privacy laws and obtain a comprehensive Privacy Policy.


Getting leads means collecting PII

Websites usually get leads through contact forms or inquiry forms where an individual submits their inquiry into your products or services. These types of forms usually look something like this:





Since you need to know where to respond to the inquiry, these forms always collect some type of contact details such as names, emails, or phone numbers. Names, emails and phone numbers are also considered to be Personally Identifiable Information (PII), as they can identify a particular person. The collection of PII by websites is now regulated by a number of privacy laws. It is important to note that privacy laws can start applying the moment PII is collected and the PII does not need to be shared, sold, or even used for privacy laws to apply.


What privacy laws apply to websites that get leads?

Privacy laws protect consumers and not businesses and thus have a very broad reach. This means that you do not have to be located in the state or country which passed the law for the law to apply to you. To determine what privacy laws apply to you, you should ask yourself the following questions:

  • Whose PII am I collecting through my website?

  • Where do I do business?

  • Where are my customers located?

  • To whom do I offer goods or services?

  • Who am I tracking through my website through the use of cookies and analytics services?


The following privacy laws can apply to websites that get leads:

  1. California Online Privacy and Protection Act of 2003 (CalOPPA): applies to any commercial website that collects the PII of residents of California;

  2. California Consumer Privacy Act (CCPA): applies to for-profit entities that do business in California, that collect the PII of California residents and that meet one of the following criteria:

    1. Have annual gross revenues of $25,000,000 or more;

    2. Buy, receive, sell or share the PII of at least 50,000 California consumers, households or devices; or

    3. Derive 50% or more of its annual revenue from selling the PII of California consumers.

  3. Nevada Revised Statutes Chapter 603A: applies to operators of commercial websites that collect the PII of residents of Nevada and that do business in Nevada;

  4. Delaware Online Privacy and Protection Act (DOPPA): applies to any commercial website that collects the PII of residents of Nevada;

  5. General Data Protection Regulation (GDPR): applies to you if you:

    1. Have an establishment in the European Union;

    2. Offer goods or services to European Union residents, regardless of your location;

    3. Monitor the behavior of European Union residents (through cookies, tracking pixels, analytics, CCTV or similar technologies), regardless of your location.

  6. United Kingdom Data Protection Act 2018 (UK DPA): applies to you if you:

    1. Have an establishment in the United Kingdom;

    2. Offer goods or services to United Kingdom residents, regardless of your location;

    3. Monitor the behavior of United Kingdom residents (through cookies, tracking pixels, analytics, CCTV or similar technologies), regardless of your location;

  7. Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect, use, or disclose the PII of residents of Canada in the course of a commercial activity. The law also applies to non-Canadian companies that collect, use or disclose the PII of residents of Canada;

  8. Australia Privacy Act of 1988: applies to Australian organizations with annual turnover of more than AUD $3,000,000 though it can also apply to Australian organizations with a lesser turnover in certain industries. The law also applies to organizations if they are formed outside of Australia and have an Australian link (those that carry on business in Australia and collect and hold PII in Australia).


As you can see from the above, quite a few privacy laws can apply to websites that get leads and collect PII. The above privacy laws protect the privacy of individuals by providing them with certain privacy rights and requiring businesses to have a comprehensive Privacy Policy.


The Privacy Policy requirement

While each privacy law is different, they all have one thing in common - they all require businesses to have a comprehensive Privacy Policy that informs consumers of that business’ privacy practices. A Privacy Policy usually informs individuals of what PII is being collected, how that PII is being used, and who that PII is being shared with. While those disclosures are the “meat and potatoes” of a Privacy Policy, each privacy law has a very specific set of disclosures that it requires business websites to have. Thus, the best way to obtain a Privacy Policy is to first determine what privacy laws apply to you and ensure that the Privacy Policy has all of the disclosures required by those laws.


Failure to have a comprehensive Privacy Policy that contains all of the disclosures that are required by the privacy laws that apply to you can have serious consequences. Fines for privacy law non-compliance start at $2,500 per website visitor and can go up to €20,000,000 or more in total. In addition, with over a dozen proposed privacy bills in the United States alone, some states are proposing bills that would allow consumers to sue businesses directly for privacy law non-compliance.


To ensure that you have a comprehensive Privacy Policy and that the Privacy Policy is kept up to date with changing legislation, we recommend that you use Termageddon, which is a software as a service that will help you generate your Privacy Policy and keep it up to date.


*Disclaimer*

"The information provided in this article is not legal advice and is presented for informational purposes only. Please consult with an attorney to obtain legal advice for your business."

