Customizing a Website Privacy Policy for your Small Business
Each year, more and more business is done online. Research indicates that currently, one out of every six businesses is now entirely virtual. And it’s estimated that by 2025 nearly one-third of all business will be conducted online. In response, an increasing number of national and state governments are passing laws to regulate how companies collect information from consumers online.
While protecting consumer information is critical, for solopreneurs with a million things on their mind, privacy laws are intimidating. And navigating their requirements can feel like an impossible burden. But, you don’t have to lose sleep over the idea of creating a website privacy policy. In fact, if you find a simple website privacy policy template designed with small businesses in mind, drafting one can be relatively simple.
In this post, I’ll break down what the average solopreneur/small business owner needs to know about website privacy policies. What are they? Who needs them? And what should they say? By the end, you’ll be equipped with the knowledge to start drafting a website privacy policy for your small business using a professionally drafted template.
Download our website privacy policy checklist
Before we get into the nitty-gritty, take a second to download our website privacy policy checklist. It’s a simple, easy-to-use resource to help ensure that your own privacy policy addresses the essentials. When you complete and submit the form, we’ll send a PDF of the checklist directly to your inbox.
What is a website privacy policy?
A website privacy policy outlines your business’s policies regarding the storage and use of information collected through your website. The policy is often viewed as a legally enforceable agreement between your company and the visitors to your website. By accessing and using the website, customers agree to accept and abide by the policy. Meanwhile, your company is agreeing to follow the terms outlined in the policy.
Typically, a company’s privacy policy is posted on their website, and accessible through a link in the website’s footer. The privacy policy’s substance depends on a number of factors, including:
- Where the business and its customers are located
- The age of the business’s audience
- The nature of the information being collected
Why are privacy policies important?
If your business has a website, it’s important to have an online privacy policy for two reasons.
The first reason is legal compliance. There’s a good chance your business is subject to one of the many online privacy laws in place around the world. I’ll touch on some of those laws later in this post. But for now, it’s important to recognize that having a well-drafted privacy policy in place can help you stay within the confines of the law.
Secondly, a privacy policy is critical to establishing your company as a trustworthy and reliable brand. In a world in which major data breaches seem to occur more and more frequently, people want to know that they can trust you with their personal information. A clearly written privacy policy sends a signal to your customers that you take their privacy seriously.
So, even if none of the many online privacy laws applies to your business, it’s still important to have a privacy policy. If you don’t, expect potential new customers to think twice about doing business with you.
What’s the difference between a website privacy policy and online terms and conditions?
Sometimes business owners confuse online privacy policies with online terms and conditions. While some businesses may choose to include both in a single document, it’s important to understand that they’re not the same thing.
Website terms and conditions (also known as “terms of use”) outline the general rights and responsibilities that a user has on a website. While this may include rights relating to privacy, it typically also includes rights related to:
- Purchases
- Content
- Permissible use
- Intellectual property
- Appropriate behavior
- Content restrictions
- Disclaimers and limitations of liability
While the terms and conditions also outline the relationship between your business and website visitors, terms and conditions cover a broader range of issues than a privacy policy does. The privacy policy (or a link to it) may be included within the terms and conditions. But due to its importance, the privacy policy is often a separate document.
Businesses are not required to have terms and conditions on their websites. However, it’s always a good idea to post them anyway. There’s always a risk that you may run into a dispute with a customer or visitor to your website. Your terms and conditions help you manage this risk by outlining your website visitor’s rights, and limiting your potential liability.
Do I need a privacy policy for my website?
Legally speaking, it depends. Every website should have a privacy policy. However, it’s not a legal requirement in all cases. Based on the major privacy laws in place as of January 2025, here are the key factors that determine whether a website is required to have a privacy policy.
Do you collect sensitive personal information through your website?
You’re probably required to post a privacy policy on your website if it collects sensitive personal information. Examples of sensitive personal information include health care information (covered under HIPAA) and financial information (covered under the Gramm-Leach-Bliley Act). What exactly you need to include in your privacy policy depends on the requirements of the specific laws that apply to such information.
Is your website for children?
The Children’s Online Privacy Protection Act (“COPPA”) requires any website designed for children under the age of 13 to have a privacy policy. COPPA is a federal law, enforced by the FTC, that imposes requirements on websites directed to children under 13, and businesses that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
Where are your website visitors located?
When it comes to regulating activity on the internet, the main challenge for governments is the fact that while their jurisdiction is constrained by borders, the internet is global. In order to enforce their laws against businesses around the world, they make them applicable based upon where the website visitor is located instead of where the company is located. Therefore, the location of your website visitors will often determine whether a particular internet privacy law applies to your website.
For example, the GDPR applies to your site if you collect information from people in the European Union.
In most cases it doesn’t matter whether the visitors are actual customers. What matters is whether your site collects their information. So if you’re trying to avoid falling under the jurisdiction of one of these laws, the best way to do so is to block website traffic from that country or state. This generally makes sense if you don’t offer products or services to customers located in these places.
Small business exceptions
Many state privacy laws also have threshold requirements designed to exempt small businesses. For example, the California Consumer Privacy Act only applies to for-profit businesses doing business in California if they meet the following criteria:
- Gross annual revenue of more than $25 million
- Buy, sell, or share personal information of 100,000 or more California residents
- Derive 50% or more of their annual revenue from selling California residents’ personal information
Each law has different thresholds, and some have no small business exemptions. So it’s important to work with a professional who can help you keep track of the many laws as they change.
What should my privacy policy address?
Currently, 19 US states have passed comprehensive online privacy statutes. And there are 8 more states that are considering legislation as of January 21, 2025. Those numbers don’t even account for industry specific regulations, and laws popping up internationally. With multiple laws and various legal requirements at play, it’s hard for solopreneurs to figure out what they need to address in their privacy policies.
I don’t know your situation. So I can’t say what exactly needs to be included in your privacy policy in order to keep your website legally compliant. However, the key principle when it comes to developing a privacy policy is transparency. Be as transparent as possible about the information you collect, and how it’s used, stored, and shared.
With that in mind, here are the issues that the average privacy policy should address.
What information are you collecting and how?
Specify what information you collect through your website, and how it is collected. Typical categories of information include:
- Personally identifying information (names, phone numbers, emails, mailing addresses, etc.)
- Demographic information (gender, age, race/ethnicity, religion, etc.)
- Preferential information (political party, etc.)
- Technical data (cookies, IP addresses, etc.)
- Miscellaneous (usernames, passwords, etc.)
Not only should you specify what information you’re collecting, but you should also be transparent about how you’re collecting it. Do visitors have to provide the information willingly through a form? Is it collected automatically using third party software (e.g., Meta pixel)? Or is the information collected in some other way? Let visitors to your site know.
How do you plan to use that information?
Be transparent about how you plan to use the information you’re collecting, so visitors understand why you’re collecting it.
Common uses for visitor information include:
- Service or product delivery
- Servicing customer complaints
- Advertising
- Research purposes
- Sale of information
Who are you sharing the information with?
Who do you share the information you collect with? This question often trips up small business owners who only think about situations where they actively take the information they’ve collected and share it with a 3rd party. In addition to those situations where you give data to a 3rd party, you should also consider situations where you’re using a 3rd party to help you collect, analyze, or store the data you’ve collected.
For example, when you collect visitor data from your website using 3rd party software such as Google Analytics or social media pixels, you’re sharing data with these companies. Likewise, when you set up an automated integration that sends information collected through a form to Airtable, you’re sharing data. And when you use customer data to send out an email blast or newsletter through Mailchimp, you’re sharing data.
So think comprehensively about how you’re sharing data with 3rd parties. Then let your visitors know, so they can make informed decisions.
How do you store and protect that information?
Your policy should provide at least basic information about how you protect and store the information collected through your website. This signals that you take data protection seriously. For example:
- Does your website have an SSL certificate?
- Is access to data protected by a password, two-factor authentication, etc.?
- Do you ensure that your data is only stored in databases located in certain countries?
Contact Information
Include company contact information for website visitors who have questions about their data. It may seem like sharing contact info on your website invites trouble. However, the opposite is true. By providing contact info, you invite visitors to reach out if they have an issue, which gives you the opportunity to address it before it becomes a larger problem.
Privacy laws
There are a bunch of online privacy laws currently on the books, and more going into effect each month. However, most of these laws aren’t meant for solopreneurs. They’re designed to rein in companies like Meta, Google, Apple, etc., and ensure accountability in their privacy practices.
That said, the cost of non-compliance can be high. Maximum fines are in the millions of dollars. And violators may also be required to pay compensation to anyone who suffers as a result of their non-compliance. As a business owner, you should have someone on your team to help keep you on the right side of the law and minimize the risks of non-compliance.
To help you become a better informed business owner when it comes to online privacy, here’s a short list of the most consequential online privacy laws currently in force.
(Caution! This list is not exhaustive. Talk to a professional for assistance determining your legal obligations.)
The GDPR
The EU passed the GDPR in 2016. It is the farthest-reaching and most comprehensive general data privacy law out there. The GDPR applies to all businesses that process the personal data of EU citizens or residents, as well as businesses that offer goods or services in the EU. Personal data includes any information that can be used to uncover a person’s identity. This obviously includes names, email addresses, and phone numbers. But it can also include information such as location, demographics (e.g., gender, ethnicity), and preferences (e.g., political party).
It is worth noting that there are no threshold requirements for the GDPR. It applies equally to small businesses and multinational corporations.
At the most basic level, businesses whose data collection practices fall under the GDPR must:
- Have a legal justification for the collection of data
- Disclose their data collection, processing, and storage practices
- Implement and maintain appropriate measures for data protection
- Create internal data security policies
- Sign a data processing agreement with any 3rd parties that process data on their behalf
- Appoint a representative within an EU member state who can communicate with EU data protection authorities
- Provide contact info and a process for people to: request a copy of their data, correct or update inaccurate data, and request the transfer or deletion of their data
- Give users a simple opt-out process
(Source)
It’s difficult for small businesses to successfully follow all of the requirements laid out by the GDPR. In truth, if your small business doesn’t market to customers in the EU, you may be better off blocking web traffic from the EU to avoid these responsibilities altogether.
State Privacy Laws
There aren’t any nationwide laws regarding online data privacy generally in the US. Instead, it’s been left up to each of the individual states to pass laws protecting their citizens. As of the date of this post, 19 states have passed a comprehensive data privacy law. The laws in each of these 19 states vary. However, most of them have the following in common:
- Consumers have the right to access, correct, and request deletion or transfer of their data
- Covered businesses must give consumers the ability to opt out of the sale of their personal data to 3rd parties
- Consumers must opt-in to allow processing of sensitive personal information
- Covered businesses must provide notice about certain privacy policies and data collection practices
Unlike the GDPR, most state data privacy laws have thresholds that exclude small businesses. Businesses that (1) have less than $25 million in revenue, (2) do not process the personal data of more than 50,000 residents of any one state, (3) do not derive 20% or more of their revenue from selling personal data, and (4) qualify as a small business under the definition provided by the SBA are likely to be exempt from these state laws.
Tips for using a small business privacy policy template
All of this is a lot to process. Especially for you solopreneurs out there who wear all of the hats in your business. So let me boil all this information down into three key points to keep in mind when crafting your own privacy policy:
- Every business that collects information online should have a privacy policy. It signals to potential customers that you take the security of their information seriously.
- A good website privacy policy is transparent, respectful of the privacy rights of visitors, and tailored to your business practices. The worst thing you can do is add a policy to your site that you aren’t going to follow. At the end of the day, your privacy policy is essentially a contract. Any failure to follow through on the commitments in your policy will open you up to lawsuits for breach of contract. So don’t copy and paste a privacy policy from someone else’s website. You’re better off customizing a template to your needs, or getting an attorney to draft one for you.
- Privacy laws are created primarily to rein in the behavior of large, multinational corporations, and prevent consumers’ personal data from falling into the wrong hands. As long as you’re taking appropriate steps to protect the data you’re collecting, and you’re not using it for nefarious purposes, the risk of facing a fine from a privacy enforcement agency is relatively low. Respect your customers’ rights, and you’ll most likely avoid any issues.
Attorney drafted online privacy policy template for small businesses
If you’re looking for a simple website privacy policy template that you can use for your online business, you can find one in the MZA Legal Café. The Café is an online resource hub, filled with professionally crafted templates, checklists, and guides designed to help you build a solid foundation for the future growth of your business.
I created the Café to be a space where solopreneurs, freelancers, and small business owners can easily access professional legal know-how without having to empty their pockets. Unlike other attorneys who charge hundreds of dollars for access to ONE template, you can get access to our entire library of contract templates, guides, checklists, recorded workshops, and more for about the price of a large pizza and a two liter soda.
Check out all that the Café has to offer, and join our movement to make professional legal know-how accessible to all entrepreneurs.