You see them all over the place. Sometimes they are subtle links in a footer or sidebar. Other times you will see them linked at the end of a required form. I’m talking about the all-important Privacy Policy. A lot of people assume that Privacy Policies and Terms of Service agreements are the same thing—lengthy legal mumbo jumbo that can be summed up in “please don’t sue me.” Really, though, they each serve specific functions. More importantly, they are both binding and important legal documents—not just for you but for the people who visit your website, buy your products or even work for your business.

What is the Difference Between Your Terms of Service Policy and Your Privacy Policy?

It is important to understand that, while you can and should include clauses addressing privacy in your Terms of Service (TOS) Agreement, those clauses are not the same thing as having a definitive privacy policy.

A Terms of Service Policy (that thing you scroll through and then click “agree” so that you can get back to shopping on iTunes) spells out a bunch of stuff that is expected of the user. It details what kind of information will be gathered from them and their computers. It spells out what kind of behavior you expect. It tells them exactly what you will do if their behavior, while on the site (or talking about the site), is deemed inappropriate or if it violates the clauses they have already agreed to obey. It is all about what you can legally expect from your users.

A Privacy Policy, however, is all about you. Your privacy policy spells out exactly how you will behave. It tells users exactly what you can or will do with their private information and what you cannot and will not do. It is often what you use to get your site’s users to trust you with their information in the first place. A privacy policy tells your users what they can legally expect from you and, by extension, your affiliates (if you have any).

Who Needs Privacy Policies?

You. That’s the short version. The longer version is this: any website or company that collects any form of personal data from its users needs a privacy policy. That means if you ask for personal information of any kind or if you hope to use cookie tracking, you need a clearly worded statement that says what you’re going to do with that information—even if all you’re going to do is store it on an internal server for your own customer service needs.

It isn’t just website owners that need privacy policies. Anybody who makes products and collects customer information is going to need a privacy policy. This includes brick and mortar retail stores that ask people to sign up for email lists, app developers, and everybody in between. In some states, there are laws that dictate who must have a privacy policy as well as what that privacy policy must contain.

What Should A Privacy Policy Say?

The language of your privacy policy is largely variable and is going to depend on what kind of information you collect and how you plan to use it. There are several places online that offer a basic template that you can download and fill out. Before you do, though, it is important for you to understand that there is no cookie-cutter or one-size-fits-all privacy policy that you can simply copy and paste for yourself. That said, most privacy policies cover the following areas:

Who, specifically, is collecting the information? Most of the time this is going to be you. Sometimes, though, companies will contract through third parties for things like email list management, order fulfillment, etc. Make sure that every person or entity that comes into contact with a customer’s information is included here.

Is anybody else going to have access to this data? For example: are you going to be sending your demographic data out to a marketing research firm to help with your branding? Will you be sending it to your drop shipper? Do you want to keep the door open to potentially sell your email list if money gets tight? These are the things that need to be detailed in this part of your privacy policy.

How is this data going to be used? Some data will be used for simple product delivery. Other data will be stored for customer service, branding and marketing purposes. For example, maybe you want to know your users’ demographic information so that you can ensure that your advertising is properly geared. It is important that users know exactly how the information they share will be put to use.

Where and how are you getting this data? Most of the time this is pretty obvious—a website user has to fill out a form. Other times, like if you use cookie tracking, it is more subtle and not immediately clear.

How are you keeping this data safe? Are you using secured servers? Are you storing it on the cloud? What steps are you taking to protect users against hackers, theft, etc.?

Should Privacy Policies Be Written By Lawyers?

If you really want to make sure that all of your legal bases are covered and that you aren’t leaving the door open to potential lawsuits, it is best to have a legal professional put together your policy. Remember, the laws for privacy protections vary from state to state. Your attorney will know how to make sure that your privacy policy holds water at a state and at a federal level. Yes, this is probably going to cost you some coin but really: isn’t it better to spend that now to ensure that you are protected than to wait to get sued for so much more?

Finally—remember, privacy policies, TOSes and all of those other crazy long things you usually don’t actually read aren’t just put there to be annoying. They serve real purposes. Including them on your site and other business literature is important. A simple “we promise never to sell or share your info” won’t keep you from getting into trouble.