Does your business need a Privacy Policy?

Special Advertising Section

If your company operates a commercial website that collects, shares and uses personally identifiable information from users, you are required to have a Privacy Policy posted on your website. A Privacy Policy is a legal document that describes the type of information your company collects from users. It is not to be confused with Terms of Use (also known as Terms of Service), a legal agreement that states the rules a user must agree to in order to use your website. Unlike a Privacy Policy, Terms of Use are not required by law.

While there is no comprehensive federal law that requires a Privacy Policy, there are various state and federal laws that regulate what must be disclosed in a Privacy Policy. A few states have laws that require Privacy Policies. For example, the California Online Privacy Protection Act requires commercial websites that collect personal information from California residents to have a conspicuously posted Privacy Policy, regardless of where the company is located.

The Federal Trade Commission (“FTC”) regulates data protection for U.S. consumers. The FTC has issued guidelines to follow with respect to what a Privacy Policy should entail. In general, a Privacy Policy should include:

  • The kind of personal information your company collects and how;
  • How your company uses the personal information it collects;
  • Whether the company shares collected personal information with others, the personal information it discloses and to whom it is disclosed; and
  • How your company manages and protects the personal information it collects.

Depending on your company’s business, there are other legal requirements regarding Privacy Policies. For example, certain industries such as education, healthcare and financial services have more stringent privacy requirements.

Many third-party service providers such as Google Analytics, Facebook Lead Ads, and Google AdSense also require a Privacy Policy. Even if your company does not collect personal information from users, using a third-party service such as Google Analytics means that you are collecting personal information and you must inform your users.

Your company is legally accountable for and required to follow the privacy practices included in its Privacy Policy. Therefore, it is essential that your company creates its own customized Privacy Policy that accurately reflects how it collects and uses personal information. When developing a new Privacy Policy or updating an existing one, you should begin by analyzing how your company collects and uses personal information. Because every business is unique, it is not advisable that you use a generic template or copy a Privacy Policy from another website. Also, whenever your company changes the types of personal information it collects or the way it uses that information, the Privacy Policy should be updated to reflect your company’s privacy practices.

In sum, no matter the size of your company, if it collects, shares or uses personal information such as email addresses, names, and/or payment information from its website users, you are required to have a Privacy Policy that explains what your company does with the personal information it collects. 

Lisa N. Thompson is Chair of the New Hampshire Bar Intellectual Property Section and an attorney with Hage Hodes, PA in Manchester. Her practice focuses primarily on business and intellectual property matters. She can be reached at
