Did you know your business website needs a privacy policy, even if you're not collecting information via a form? Every SMB (Small and Midsize Business) needs a privacy policy to prioritize the security of their digital assets. A well-crafted privacy policy is not just a regulatory requirement; it’s a shield that safeguards your business and builds trust with your customers. Let’s delve into why every SMB needs a privacy policy and how it can protect your digital assets.
The Importance of a Privacy Policy
Every SMB needs a privacy policy as a critical document that outlines how your business collects, uses, and protects customer information. It is a promise to your customers that their data is safe with you. Failing to have a privacy policy, or having an outdated one, can expose your business to legal risks and damage your reputation.
Regulatory Compliance
In the United States, regulations like the California Consumer Privacy Act (CCPA) demand strict adherence to privacy standards. Similarly, the General Data Protection Regulation (GDPR) in Europe sets high benchmarks for data protection. Whether your business operates locally or internationally, ensuring compliance with these regulations is crucial. Non-compliance can lead to hefty fines and legal battles, which can be devastating for an SMB.
Building Customer Trust
Customers today are more aware of their digital footprints and the potential misuse of their personal information. A transparent privacy policy reassures them that your business values their privacy and is committed to protecting their data. This trust translates into customer loyalty and can set your business apart from competitors.
What Should Your Privacy Policy Include?
Creating an effective privacy policy involves more than just a few legal phrases. It should be comprehensive, clear, and user-friendly.
Information Collection
Detail what types of information your business collects, whether it’s personal data like names and email addresses or technical data like IP addresses and cookies. Be specific about how this data is collected – through website forms, cookies, or third-party services.
Data Usage
Explain how the collected data is used. This could include improving your services, sending newsletters, or personalizing customer experiences. Transparency in this section is key to maintaining customer trust.
Data Protection
Outline the measures your business takes to protect customer data. This includes encryption, regular security audits, and restricted access to sensitive information. Highlight any compliance with recognized security standards like HIPAA or SOC 2.
Customer Rights
Inform customers about their rights regarding their data. This includes the right to access, correct, or delete their information. Provide clear instructions on how they can exercise these rights.
Updating Your Privacy Policy
An effective privacy policy is not a set-it-and-forget-it document. Regular updates are necessary to reflect changes in regulations, business practices, and technology.
Regular Reviews
Schedule annual reviews of your privacy policy. This ensures it stays current with legal requirements and best practices. Involve your legal counsel in these reviews to catch any potential compliance issues.
Notify Customers
Whenever you update your privacy policy, inform your customers. This can be done through email notifications or a prominent announcement on your website. Keeping customers in the loop strengthens trust and transparency.
The Role of Your IT Team
While drafting a privacy policy might seem like a legal task, your IT team plays a vital role in implementing and maintaining the practices outlined in it. They are responsible for securing your digital assets and ensuring that your business adheres to the privacy standards you’ve set.
Getting Started With Your Privacy Policy
Every SMB needs a privacy policy to protect their digital assets and build trust with their customers. It’s a critical component of your business’s online presence and compliance strategy. By prioritizing privacy, you safeguard your business against legal risks and enhance your reputation in the eyes of your customers. Don’t wait until it’s too late – take action now to create and maintain a robust privacy policy for your SMB.
Discover more about how to stay up to date with your website privacy policy in this episode of Stimulus Tech Talk.
Stimulus Tech Talk: Episode 40: Guarding Your Business: The Essential Privacy Policy Guide for Business Owners transcript
Intro 00:00
You're listening to Stimulus Tech Talk. A conversation based podcast created by Stimulus Technologies that covers a range of topics related to business and technology.
Sherry Lipp 00:15
Hello, and welcome to a Stimulus Tech Talk. I'm Sherry Lipp, marketing manager at Stimulus Technologies. And I'm here with Stimulus Technologies CEO Nathan Whittacre. And today we're going to be talking about privacy policy website privacy policy. And we're going to start with a little bit of a new segment, which is kind of a what's new in, in our world. So welcome Nathan.
Nathan Whittacre 00:38
Hi Sherry, welcome, everybody to Siemens Tech Talk. So just a brief thing that we've seen, from a cybersecurity trends standpoint that I want to bring to everybody's attention, we're seeing a significant number of increases in what are called brute force VPN attacks. This is where attackers are going after devices that provide virtual private networking services. So this is like the type of connection you'd get access to your corporate network if you're remote. And we're seeing a lot of attacks on these VPN servers. So we wrote a blog article about what you should do and what you need to do to protect yourself. So you can go to blog.stimulus tech.com, and look at the latest blog that was posted, I believe, earlier this week, or last week to discuss that. But if you are running a VPN, or VPN service, there are some things you should do to protect yourself because of the high number of attacks that we're seeing on the networks, and they could take down potentially your VPN services if you're unprotected and or get access into your network, if you know if you breach so definitely something to take a look at right away.
Sherry Lipp 00:38
Yeah, definitely. So one of the links for that. And of course, you can always reach out to us with questions. And so to get into privacy policy, one thing I've noticed, especially in smaller businesses, that people put websites together, themselves is that they might be missing the privacy policy, because they don't know the need for it. So start out like what is a website privacy policy?
Nathan Whittacre 02:19
So it's pretty basic. For small business websites. It's designed to let the user know of what you're doing with their information when they access your website. So when you're going out to a website, your web browser is communicating a lot of information to the web server. And it just basically the defines how the content provider, your business or whoever you're going to, is using that information, what they're collecting, what they're storing, how they're utilizing that public information. And you know what your actual policy is, and honestly, it should be kind of a two pronged thing, just writing a privacy policy isn't sufficient is ensuring your website is also adhering to the privacy policy that you define.
Sherry Lipp 03:10
And are there different types of privacy policy? You know, I've seen different like for California, there's there's specific wording.
Nathan Whittacre 03:20
Yeah, so California here in the US has, you know, some particular requirements that you have to ensure that you're complying with so whether or not you do business in the State of California, you probably have visitors to your website in California. And so it's really a good practice to make sure that you are compliant with the CCPA, or their regulations in the state of California. If you do any business or have any visitors from Europe, they have their own regulations, it's under GDPR that you have to adhere to. So it really is just basically around protecting the information, ensuring that you're not sharing that information with third parties without, you know, the visitors permission and the destruction of the data. So, you know, just kind of a quick little story. I was actually talking to a group of business owners last night and somebody shared this story that they were consulting with these auto repair shops in California, and they ran into this issue that their websites weren't ADA compliant. Now, this is a little bit different regulation, but their website was weren't ADA compliant. And a lawyer was specifically targeting companies and specifically auto repair shops for lack of ADA compliance, and he was winning these lawsuits and settlements in court against website owners that weren't ADA compliant. I know a story is very similar to that that there are law firms that are very boutique and that's all they do is they go after websites that aren't compliant with having a real privacy policy in place. And it's not current with the current regulation requirements. You know, California is definitely a state that is prone to that. And I know we have a lot of listeners that are probably in the state of California or neighboring states. You know, here in Nevada, you probably have customers that are in California or do business in California. So it's, it's really important that, you know, you are meeting those regulations in the strictest state, which I believe California is probably the strictest state of the US right now. So and this is something that, okay, whether or not you have it or not, in place could be an issue for a lawsuit that you could lose, or, you know, a regulatory issue that you could lose on if you don't have this in place.
Sherry Lipp 05:56
Yeah, and that was going to be one of my next questions is, what are the repercussions? Are there other repercussions besides a lawsuit?
Nathan Whittacre 06:04
I think, you know, that's the biggest thing right now, as is, you know, there's private attorney firms, like I said, the boutique firms that are going after these companies that are not complying. So, you know, I don't think the state of California for large or for small businesses are going after, you know, a ma & pa auto shop. But when they, you know, what's happening is these boutique law firms are using the regulations out there to go after specific industries or specific types of businesses that, you know, don't comply. Obviously, if you're a Facebook or Google or Amazon, you know, then they're under the microscope of the regulators a lot more than obviously, those those big websites like Facebook, you know, or Amazon or Google are collecting a lot more data and storing it, because we're sharing it with them. I mean, that's social media websites, we give them a lot of information. And Facebook was, if you remember, a few years ago, ran afoul with regulators about Cambridge Analytica. And there was a huge fine because of that, because their policy differed than their acts, you know, and a lot of compliance is about defining your policy and then abiding by your policy. And with that instance, with Facebook, they had a policy, and the data that they were sharing with this outside firm, was outside of what they were telling people they were doing, and they lost a huge case. You know, and I don't remember how much they were fined, but it was, it was pretty significant. I mean, the news for quite a while. So that's, that's really what it is, is what are you going to do with the information and ensuring that you comply with what you're saying you're gonna do?
Sherry Lipp 08:03
Right. And do you do a lot of people might think that they might not need one if they're not actually collecting information or taking payments, but we're also talking about like cookies and stuff, too. So does every website need one?
Nathan Whittacre 08:18
Every website needs one, because every website collects and distributes cookies. Now, what is a cookie? I love Oreos. And unfortunately, I went on a little bit stricter diet this last month. So even saying cookies right now makes my stomach desire, some Oreos, or some type of cookie, but so cookies are when you visit a website, the web server will send back information to the web browser that is stored locally on the machine. And what's nice about a cookie is it allows you like if you go to a website, it might pre fill in some information about your login or something like that, you know, if you ever click on remember me, on this website, it's it's saving that information. But what also is happening is that cookies transmitted to your web browser. And then when you go and visit potentially another website. Have you ever seen an ad that pops up about a company that you visited before? Or suddenly like you maybe did a search for, you know, smoker grills, you know, you were looking you know, summers coming, you're looking for a new barbecue grill, you might want to new smoker or something like that to get some good meats for the summer. And you did a quick search on that you went out to the site. And then suddenly, like every page that you go to has an advertisement for, you know, barbecue grills. And that's because of the cookies that are put on to your web browser that your web browser knows that you did that search and so every website now can direct advertising to you. And so that privacy policy is going to define how that webs that website is putting cookies on your page and how that information is shared between sites. So you'll notice on a lot of websites now, and they're supposed to pop up and ask you about the cookies. And it's kind of annoying, you know, a lot of websites, it's like this big banner that pops up right when you log into the website. And a lot of people will either deny or accept all or, you know, not really read through it, and just click through it. And it's basically websites are supposed to require you to opt in, under new regulations opt into these these cookies on the on the site, so it's important if your website doesn't have that opt in, that's part of the new regulations and requirements, you know, talk to your web designer about getting the privacy settings set up on your website. So you can either accept or deny the cookies that might be placed on your machine.
Sherry Lipp 11:06
And then definitely, we could probably have a whole other podcast on managing your cookies. Back to privacy policy,
Nathan Whittacre 11:15
I like talking in the milk, you know, that's how I like to manage cookies as I put them in a stack and they dunk up like half at a time? And is that what we're talking about?
Sherry Lipp 11:23
Yeah we can probably have a whole podcast on best Oreo flavors, but um, So how often should a privacy policy be updated?
Nathan Whittacre 11:36
Anytime you make a major change on your website, you should review your privacy policy, or if there's regulatory changes, you may need to update your privacy policy. So I'm a you know, as a general business rule, it would be good to have a discussion with a business attorney once a year that you know, is at least up to date on what's going on. You know, make sure you have your business records in place, and then ask about the digital assets and what you need to be doing. So just you know, from a, from a business operations standpoint, having that annual meeting with an attorney and then make this part of the discussion on what you need to do. So your corporate books are in alignment, and also your digital assets are protected too.
Sherry Lipp 12:19
And what are the requirements for notifying customers, viewers and users about an update? Does it depend on how they're using the website? Or is there a standard?
Nathan Whittacre 12:32
I think that's what it generally is, I'm not an attorney. So I think a lot of times, if there is a, you know, major change to your privacy policy, and they've collected a lot of information on it, you'll you should send out an email. I'm sure we all are getting those periodically from the social media websites, especially that they're communicating with users about updates to privacy policy. But a lot of times, you know, for most small businesses that aren't collecting a lot of information, you could just post the updates on your website periodically and just say the privacy policy has changed, you need to accept it to continue. I think that goes along the lines of having that banner that pops up periodically that they have to accept the new privacy policy. But again, if you have a website that you're collecting a lot of data about users as they are registering through your website, it's important that you communicate changes to your privacy policy through email or some other type of communication.
Sherry Lipp 13:33
Do you think every everybody with a business website should use a lawyer to to write this or can some people write their own or use a template for privacy policy?
Nathan Whittacre 13:44
There's certainly a lot of templates out there that are probably sufficient, but I would recommend just having an attorney review it just especially because of those regulations in the state of California and your you just want to make sure that you're compliant with them. Because you might download a template off, you know, a quick Google search that is old that is compliant with some of these new regulations. So I would recommend having an attorney look through it.
Sherry Lipp 14:15
And also if somebody contacts you, if you're you're you're the business owner, or somebody contacts you about privacy concern with the website, what kind of steps do you take?
Nathan Whittacre 14:28
So we don't honestly at Simulus We don't get a lot of concerns or issues about our privacy policy. But you know, it's something that you can share with them, you know, specific data protection methods that you have. If you are audited for compliance for any industry if you're ready HIPAA or Soc two or FTC safeguards you can share with them. You know, the that you've been audited, and you're you know, you've gotten to these compliance procedures. So you know, There are things that you can share with your customers about the protections that you've put in place inside your organization. And you probably should mention those in your privacy policy of the type of things that you're doing and updates that are happening. So if it becomes an issue, if it's like an attorney firm that's contacting you, then you then I would recommend getting an attorney involved so that you're not saying something you shouldn't. Because, you know, again, a lot of these things come because we're not abiding by what we're saying, we're supposed to be doing, you know, if you tell everybody, hey, we share information with everybody. And that's our policy and compliance with the regulations that are out there, then you can do whatever you want. But if you say we protect user data, 100%, we don't share information information with outside firms. And then suddenly you sell your list to, you know, a vendor or something like that you could be liable for, you know, sharing data that you said you weren't going to share. So it's really important that you know, what you communicate as is correct, and especially if there's any concerns or questions about it, then you should get experts involved so that you can answer correctly and don't say something you shouldn't say.
Sherry Lipp 16:12
Right And do you know, any resources that people can use? Like, there's questions like, and then you may or may not know the answer right off the top of your head, I mean, people should consult, like, what happens with you collect data, and then there's a major update and regulation, can you still use that data that you collected before a privacy policy update?
Nathan Whittacre 16:36
I feel like a broken record here. That would be you know, depending on what the regulatory changes are, sometimes there's some nuances to regulatory changes, that maybe, maybe not depending on what it is. So, again, you know, gotta read the regulations, if you don't want to read them yourself, get some professionals that can help you read them and understand what they are. Again, you know, having a professional help you through this process is really important. And a lot of that it's not that hard. I mean, we're not talking, you know, hundreds of hours of work, it could be a couple of hours for an attorney to look through it, you know, all your records annually. And make sure that, you know, you're compliant with, you know, both your, you know, state required, you know, document records to keep your LLC or corporation active and correct, and then discuss the digital assets, it's probably a couple of hour meeting a year, and then you know, you're, you're okay, so it is an onerous, but it is something that you just have to keep in mind and what to do.
Sherry Lipp 17:39
Yeah, and goes kind of emphasizing what we said the beginning, it's definitely important to have a privacy policy is not something you can just brush off, because it could come back to bite you and get your website shut down. And how do you like kind of the last part of this, how do you display your privacy policy?
Nathan Whittacre 17:56
So there's, there's got to be a link. On your website. Most websites, if you scroll down to the bottom, there's a privacy policy link for your cookie policy. And for some regulations, you have to opt in or accept the privacy policy. So there should be some type of pop up banner. For the first time a visitor comes to your website that they accept or deny the collection of information. So it's important that you you have those banners in place, and you have the links readily visible. For anybody to review your privacy policy, at any point, it should just be a page on your website. But, you know, depending on the state, and depending on what information you're collecting, or if you're placing cookies, you need to have that pop up banner, at least one time when the visitors visit your website.
Sherry Lipp 18:46
All right, well, and this is not a top this is a topic that people might think their their IT person does. But actually we're we don't do the privacy policies kind of where we're, we're talking about it like it's a guide for people to, to go on to the next steps if they don't know what it is. But any final tips or thoughts on this one, Nathan?
Nathan Whittacre 19:08
Yeah, I think that's a great point. You know, it's a collaboration between your attorney and your web provider, you know, whoever is designed and managing your website, this is the communication that you need to have to ensure that you have all that up and running. So this isn't really an IT related topic, but it is following the scope of compliance in general. And so it might be a bigger discussion that we can talk to you about is, you know, regulatory compliance around different areas, whether it's, you know, FTC safeguards or, you know, soc two or HIPAA or something like that, you know, we're part of that discussion. And this is, this is part of those whole discussions is just protecting your digital assets and make sure that, you know, you're complying with the regulations that you're supposed to be complying with.
Sherry Lipp 19:53
All right, well, thank you, Nathan. And thank you, everybody.
Nathan Whittacre 19:57
Thanks everybody, for being here. Have a great rest of your week
