Does my California Small Business Website Need a Privacy Policy?


Most likely the answer to this question is: Yes, you need to have a privacy policy on your website. Let’s review the reasons why.

Disclaimer: This is not legal advice, just our understanding.

The California Consumer Privacy Act (CCPA)

The CCPA gives California residents four fundamental privacy rights that affect the information you collect and handle:

  • Right to know
  • Right to delete
  • Right to opt-out
  • Right to non-discrimination

Your business is subject to this law if you are targeting California residents, whether or not your business is located in California. Smaller businesses may not be required by California law to have a privacy policy unless they meet the following criteria (pulled from the Office of the Attorney General’s website):

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

The General Data Protection Regulation (GDPR) and other foreign laws

If you are a California business or non-profit organization that targets residents in Europe, then you definitely need a privacy policy regardless of the size or scope of your website. Other countries have similar laws that require a privacy policy. Check the privacy laws of any country whose residents you target.

Other businesses that provide products or services to you may require it

When we set up promotions for our customers on LinkedIn, they ask for a link to a privacy policy page. While other organizations may not ask you for a link to your privacy policy, they may still require it. Nobody reads terms of service agreements, but these requirements are probably in there. You may have agreed to have a privacy policy without knowing.

Here are just a few of the organizations that you may be working with that may require you to have a privacy policy depending on how you use them:

  1. Google
  2. Facebook
  3. Stripe
  4. PayPal
  5. Instagram
  6. LinkedIn
  7. Twitter
  8. Shopify
  9. WooCommerce
  10. Squarespace
  11. Mailchimp

How to create a Privacy Policy

The best privacy policy will probably be one that is custom made and updated by a legal professional for your specific business use.

In the absence of your own legal representative, you can write your own policy (if you have that type of know-how and time). Otherwise, there are free and paid options available for you. (Not legal advice, just what I have used in the past.)

Termly

Termly has a free privacy policy generator that can be used for websites with low traffic (up to 10,000 visitors). You must update the policy manually if/when new laws are introduced. They also have a very good paid plan with unlimited views and an auto-updating policy.

Auto Terms of Service and Privacy Policy (WordPress plugin)

Create a privacy policy for free from your WordPress dashboard. You have to manually update the policies if/when new laws are introduced. They have lifetime deals for their paid plans.

Termageddon

Our favorite privacy policy generator is Termageddon. They do not have a free plan, but we feel their auto-updating policy is a good value. We use Termageddon for our own privacy policy and use it for many of our customers.

Conclusion

You may not be required by California law to have a privacy policy on your website, but other service providers that you use may require you to have one. If you are not tracking analytics on your website, advertising on your website, leading people to your website with ads or social media, or selling products on your website, then you may be able to get away with not having one. In our experience, most businesses should be doing some of those things, or else why even have a website?