
Privacy Policy Importance And Is A Lawyer Required


Several privacy policy considerations need to be accounted for when attempting to comply with the various recent privacy and data protection laws. One of the most common questions, especially from newer and smaller businesses, is why the privacy policy is important and whether a lawyer is required to draft their website or app privacy policy, versus the common alternative of using a privacy policy generator such as the one offered by a service like Rocket Lawyer. The short answer is no; a lawyer is not legally required to create a privacy policy. With that said, as is often the case with legal matters, it is more complicated than a simple yes or no. There are important nuances to account for because the regulatory world is very fact- and scenario-specific.


For starters, if you are the one-in-a-million business owner who is somehow an expert in privacy and data protection law, there is surely no need for a privacy policy lawyer to do the drafting and analysis. Beyond that, while it is always better to have an expert perform a service, realistically, especially for smaller businesses, budgets are limited, and a cost-benefit analysis is necessary. The core factors to consider generally revolve around the business’s data processing practices, size, and overall risk profile. Therefore, to help you determine whether it is wise to work with a lawyer in creating your privacy policy, in this discussion we analyze the factors at play and tips to keep in mind.

A Brief Primer On The History Of Privacy Policies

Privacy policies geared toward companies operating in the online world have been around practically since the advent of the Fourth Industrial Revolution, when digital technology and the internet made the electronic collection of personal information increasingly ubiquitous. Thus, even before the flurry of recent privacy laws such as the GDPR and the CCPA came into effect, there was a steady move toward providing users of websites and apps at least a minimum amount of clarity about what information was collected and processed.

As technology and the associated tracking and data-backed advertising proliferated, with “data becoming the new oil,” there was growing concern among consumers and governments about the potential for abuse or danger from such unbridled collection and processing of personal information. Spurred by incidents where personal data was indeed used for what was perceived as nefarious purposes, new, often complex, and potentially arduous privacy laws have been passing at a rapid pace.

What Should A Privacy Policy Include

Though each law has its nuances and compliance requirements, several core themes permeate practically all privacy-focused laws. One of these is notice. It generally refers to giving consumers information about what personal information is collected and how it is used (including shared or sold), secured, and stored. It also relates to notifying users about how they can exercise any rights afforded under the relevant regulatory frameworks. These rights commonly include the right to opt out of various forms of data use as well as deletion rights. The notice element is a common requirement of privacy laws, including the CCPA and the GDPR. It focuses on ensuring that users are informed in their decision-making regarding their data and are protected to some degree. In that respect, the privacy policy acts as the legally mandated notice. Beyond notice, a privacy policy includes various other tenets that depend on the specifics of the company in question.

Why Is A Privacy Policy Increasingly Important

The passage of privacy laws both in the United States, such as California’s CCPA, and internationally, such as the European Union’s GDPR, has upped the stakes for businesses that do not follow the laws they are subject to. Beyond fines and the cost incurred navigating or defending regulatory enforcement actions relating to privacy law violations, companies that provide clear privacy policies and other transparency measures are more trusted by potential customers, leading to business growth. In that light, having an up-to-date and best-in-class privacy policy not only protects a business from costly government action but also helps improve the bottom line.

The Size and Type Of Business

One of the first and primary considerations when deciding whether to use an attorney for one’s business’s privacy policy is the size of the business in question. The general rule is that the larger the company, the greater the legal risk. The risk comes in the form of both increased attention from regulatory enforcement agencies for potential privacy law violations and the larger number of customers that could be points of risk in the privacy realm. Further, specific privacy law regulatory frameworks, such as the California Consumer Privacy Act (CCPA), only apply to businesses that reach specific revenue or data processing benchmarks. Still, we have seen numerous instances of what can be considered smaller companies being the targets of regulatory action due to various privacy and data protection infractions, including those relating to specific clauses in their privacy policy.

The Data Processing Activities Of The Business

Beyond the size of a business, the scope and kind of data processing it undertakes also play a significant role in its overall risk posture and, consequently, in what type of effort and resources must be put into the privacy policy it uses. Using customer personal information for targeted advertising, profiling, sharing, and selling adds to the critical need for a robust privacy policy. Regulatory frameworks place added focus on the processing activities just mentioned because they increase the likelihood of abuse and damage to people’s fundamental privacy rights. Therefore, engaging in these activities requires an added level of scrutiny and oversight by a business, including a well-drafted privacy policy that protects the business overall and ensures compliance and avoidance of enforcement actions.

The Location Of The Business

Though privacy laws generally have extraterritorial reach and regulate businesses beyond the country’s or state’s borders, the actual location of a company does play a role in the overall approach to a compliance regimen. For example, a company based in California and operating almost solely domestically, with a small number of customers in Brazil (which has its own privacy law, the LGPD), would do well to focus more on the CCPA and its impending replacement, the CPRA. Still, the actual location of a company is not the be-all and end-all; the customer base, which we discuss next, is also very relevant. Regardless, ascertaining which privacy laws apply and need to be accounted for in the privacy policy is necessary.

The Location Of Customers

Beyond the physical location of a business and its legal nexus, privacy laws actually put more focus on the location of the persons whose personal information is collected or processed. For example, the European Union’s GDPR focuses on residency in the EU, and the CCPA uses the terminology of “California consumers.” Therefore, though a business might be outside of the EU or California, it very well might be subject to the regulations contained therein if it collects personally identifiable information (PII) of residents of a jurisdiction with a privacy law framework that has extraterritorial reach.

The Danger Of A Privacy Policy That Overpromises

When setting out to obtain a privacy policy, one of the more common routes smaller companies take is either an automated policy generator or simply copying and pasting from a policy found on the internet. However, this course of action poses additional openings for legal action beyond the potential copyright infringement risk. Making overbroad promises in a privacy policy, which can be construed as a contract with the visitors to the website or other asset, can be leveraged against a company. Specifically, suppose a company claims in its privacy policy to engage in a specific regimen of data collection, processing, and security that is in reality in contravention of its actual practices. In that case, what can result is private action from consumers and enforcement from regulatory agencies, including the Federal Trade Commission (FTC) or state attorneys general. On the private action side, legal liability may be argued based on consumer protection statutes. On the enforcement side, such false promises are often pursued based on Section 5 of the FTC Act, which regulates unfair and deceptive practices, or on state-specific unfair or deceptive acts or practices (UDAP) laws. A lawyer drafting a company’s privacy policy and advising stakeholders on their responsibilities helps in two ways. First, it helps ensure that false promises are not being made. Second, it helps the relevant actors understand the compliance duties outlined in the privacy policy.

Updates As The Privacy Law Regulatory Landscape Evolves

There are few, if any, areas of the law that are more dynamic and fast-changing than privacy and data protection regulation. On a practically weekly basis, a new law is introduced or comes into effect, or significant guidance emanates from one of the relevant regulatory bodies. For this reason, privacy policies and associated compliance efforts are not an area where a “set it and forget it” approach is prudent. Even where automated privacy policy generators push updates to previously created policies when there is a change in the law, the question becomes how one ascertains whether the new law or change applies to their specific business. In contrast, when working with a lawyer, especially under an engagement that includes privacy tune-ups, which we recommend yearly for most businesses, there is a steady assurance that privacy policies and practices are up to date and provide adequate compliance and protection. Further, the attorney will already be familiar with the core facts about the business and its data practices. Therefore, such regular tune-ups can be minimal in resource expenditure, and new clauses can be seamlessly incorporated into existing assets.

Handling Requests Relating To Consumer Rights

Another common theme that runs through the current privacy law frameworks revolves around requests from consumers exercising their rights under the relevant regulations. For instance, under both the GDPR and the CCPA, a consumer has the right to contact a company that has collected their personal information and request that such information be provided or deleted, among several other Data Subject Access Requests (DSARs). There are a whole host of nuances that come into play with such requests, including how to respond and within what legally allowed timelines, among other legally mandated procedures. Not following the required methodologies can result in regulators deeming a business non-compliant and subject to enforcement measures.

In light of these technical complexities, an attorney who drafted the privacy policy for one’s business and is familiar with its operations is in a unique position to most efficiently help navigate the proper handling of these requests. In contrast, a company that used an auto-generated privacy policy from Shopify, Rocket Lawyer, or some other vendor (without a tailored review from an attorney) is unlikely to be familiar with DSAR requirements. The company will therefore find itself in a challenging situation when it comes to compliance. Further, should the company decide to retain counsel for proper compliance, the cost will likely be higher than it would have been had it used an attorney to create the privacy policy from the outset. This is because the new attorney will have to do the additional legwork of learning the business and its privacy practices, whereas the attorney who drafted the initial privacy policy would already have been familiar with the company.

What If There Is Regulatory Action?

As privacy laws come into effect and regulators phase out what were seen as initial good-faith compliance windows and attitudes of leniency, there is an expectation that enforcement measures will become more aggressive. For those businesses that have a privacy policy drafted by an attorney, navigating any associated action for noncompliance through that attorney will be more seamless, as there is already a familiarity with the company’s specifics.

The Business Value Of A Robust Privacy Policy

As we touched on briefly earlier, beyond the legal requirements and associated considerations for a privacy policy, there are also other advantages. Specifically, having a robust and straightforward privacy policy signals to customers that a company is best in class and values its customers. Further, as time goes on, prospective customers increasingly look to understand how their information is processed. In line with this, having a privacy policy that focuses on simplicity and clarity while being tailored to the company in question helps maximize the business value of a privacy policy.

Apple Has Recently Been Adding Robust Privacy Features & Touts Them

Comparing Rocket Lawyer & Other Privacy Policy Generators With A Lawyer

Privacy policy auto-generators such as the ones offered by Rocket Lawyer have a clear advantage: they are free, and costs are always front of mind for newer businesses. With that said, the points we covered previously outline some of the significant disadvantages that should be considered and weighed against the advantages of free privacy policies. As we mentioned, much of the decision will revolve around the specifics of the business in question, including its location, size, and type of data processing activities, among a host of other factors.

The Dynamic And Ever-Changing Privacy Law Landscape

Regardless of the route a company chooses regarding a privacy policy and associated compliance, the privacy law landscape is highly dynamic and changes regularly. From new state laws to developments on the international front, businesses must stay updated to avoid costly regulatory action. Beyond the legal side, consumers are increasingly looking for disclosure from companies about their privacy practices. Transparency through a best-in-class privacy policy leads to an increase in trust and brand loyalty among customers, making privacy a creative way to differentiate from competitors and gain market share.