Legal

A privacy policy is required whenever a commercial website or online service collects any information that identifies or can be used to identify an individual, such as an individual’s name, address, email, or phone number. Collectively, these types of information are called “personally identifiable information” or “PII” (also called “personal data” under European laws, such as the GDPR). PII can in some circumstances include identifiers that can be used to contact a specific individual (like a username on an online messaging service), or non-PII when held in combination with PII (like location data or an IP address associated with a user account).

A privacy policy can more accurately be understood as a “privacy notice,” in that it puts people on notice of a company’s PII collection, use, and sharing practices. The laws that require providing individuals with notice of a company’s privacy practices, such as the California Online Privacy Protection Act or the European Union’s General Data Protection Regulation (GDPR), do not exclude startups from compliance. That means, for example, that a closed beta launch of an online service by a two-person startup very likely requires a privacy policy for the beta users.

Even if a company’s website or online service is not collecting online data for the company’s own use, third-party services such as Google Analytics or Amazon Affiliates may collect information through the company’s website. These third-party services generally require their users to post privacy policies disclosing the collection of information by the third-party service. In these cases, the contract between a company and its service provider may require the company to post a privacy policy.
