You probably gather information from your website visitors, including their name & email, their IP address, cookies, and perhaps other contact information (phone number, mailing address) when they sign up for your list or join your membership site. You may also collect their financial information if you sell products and services directly on your site, or collect health information if you are a healthcare practitioner. If you collect any such personal identifying information from your website visitors, you need a Privacy Policy and to follow the below guidelines:

1. California’s Online Privacy Protection Act. This is the strictest rule in the U.S., and it applies to you unless you block California visitors from reaching your website. Under California’s act, you must have a conspicuous privacy policy that states the following facts:

  • Types of personally identifiable information you gather from your web visitors (such as name, email, address, telephone number, social security number, and IP address);
  • How the information is shared with other parties, if any;
  • How to change or delete the web visitor’s data; and
  • The policy’s effective date and the last time changes were made.

Best practice is to link to the privacy policy from every page of your website, such as in the footer, and also from any form where you collect such data, such as an email list enrollment form.

2. The Children’s Online Privacy Protection Act (COPPA). This is a U.S. law which states that if you are directing your website to children under the age of 13, there are many procedures you must have in place to protect them (including obtaining parental consent, among others). This law is administered by the U.S. Federal Trade Commission. If you have a website or app for kids, you need to get on this. 

3. The European Union Data Protection Directive. This governs how private information is gathered from EU residents and how such information can be used. Not only do the rules require disclosure of a privacy policy, but they also have specific requirements for how the information must be handled, such as whether it can be transferred to and stored outside of the EU. This is especially important if you are storing data on a server, or using a third-party processor, that operates outside the EU. The rules also include detailed “informed consent” requirements for cookies.

If you are a U.S. company, the U.S. Commerce Department has a “Safe Harbor Framework” under which you self-certify in order to take information out of the EU in compliance with EU law; the framework includes example privacy policies.

4. Canada’s Personal Information Protection and Electronic Documents Act. This requires that businesses obtain people’s consent before collecting personal data, and that they explain why they need the information, what it will be used for, and whether any third parties will have access to it. Similar to the EU rules, it requires that Canadian residents be notified if their information will be taken out of the country.

5. Health Insurance Portability and Accountability Act (HIPAA). If your business collects health information from U.S. residents, you will need to comply with HIPAA, as well as other similar rules specific to your jurisdiction. For example, you will need to use software that meets HIPAA security requirements, and you will need stricter internal procedures to protect that health data. If you are collecting health information and/or working in a healthcare field, you need expert advice about how to collect and maintain that information.


Would you like to discuss specifics for your business? Let’s chat!
