You all better strap in for this one! I’ve been waiting my whole life to cover this topic and the day has finally come. Where to even begin?
First off, we only say ‘ARRRGGG’ for special occasions and the whole skull-and-crossbones thing went out of style after the second Pirates of the Caribbean mov… wait, what?
Oh, p-r-i-v-a-c-y, not pira… fine, let’s get on with it.

Here are some common misconceptions web designers often have about privacy.
Privacy Policy Misconceptions
Misconception #1: “My website doesn’t collect personal information so I don’t need a Privacy Policy”
Hey, it’s the early 2000s calling and they want their website back. They probably would like this joke back too, while you’re at it.
Most modern websites collect personally identifiable information (PII) that’s protected by privacy laws, which in turn require those websites to have a Privacy Policy.
Still don’t believe me? Why, that’s a mighty fine ‘Contact Us’ form you’ve got there. Be a real shame if it collected PII like names, email addresses, and phone numbers. OH, WAIT, it does. And don’t get me started on email newsletter subscriptions, payment information, analytics tools, digital ads using pixels, and third-party embeds.
Alright, alright. Admittedly, I’m still a little worked up about the piracy confusion, but there’s nothing wrong with a website collecting PII. Most businesses need to collect PII to operate efficiently and interact appropriately with customers. It’s what websites do with that PII that could get sketchy.
Misconception #2: “I don’t share/sell PII so my site doesn’t need a Privacy Policy”
Well, you’re likely half-correct. Most websites don’t sell PII (i.e. exchange their users’ PII for money), but they do typically share PII. Some common examples of sharing include:
- Sending emails using a third-party marketing vendor (e.g. MailChimp)
- Customers ordering a physical product from your website will have their name/address shared with the shipping company (e.g. USPS or FedEx)
- Using third-party analytics will share user IP addresses with those analytics tools (e.g. Google Analytics)
- When users submit a contact form, the business owner is automatically notified by an email containing the customer’s contact information. That contact information has now been shared with the email service provider (e.g. Gmail) and the CMS (e.g. WordPress)
- If a user interacts with embedded features like social media posts or video clips, that person’s IP address will be shared with the platform (e.g. YouTube, Facebook, Vimeo).
Now that we got that out of the way, this whole misconception is a trick question. You need a Privacy Policy the moment you collect PII. In fact, you don’t even need to use the data you collect for privacy laws to apply to you. So, sharing/selling that PII just has an impact on what disclosures go inside the Privacy Policy, not whether or not you need one.
Misconception #3: “Website visitors submit their information voluntarily, so I don’t need a Privacy Policy”
While “voluntarily submitting information” would be considered the “consent” legal basis under GDPR, it does not negate the requirement to have a Privacy Policy.
In other words, when people submit their data to you, that means you are collecting it. As mentioned above, multiple privacy laws start applying as soon as you collect people’s personal information.
Misconception #4: “I run a nonprofit so my website does not need a Privacy Policy”
While it’s true that most privacy laws specifically exempt nonprofits, several privacy laws don’t distinguish between nonprofits and for-profits and apply to both. These include:
- The General Data Protection Regulation (GDPR)
- The United Kingdom Data Protection Act (UK DPA)
- Quebec Law 25
“Nice try Mr. Blog-writer-pirate-guy, but those laws clearly list countries/regions I’m not located in.”
What a great and confident response, Mr./Mrs. Blog-reader! But…
Privacy laws are designed to protect individuals, not nonprofits (or for-profits for that matter). Even if your organization is outside of these areas or countries, you may still be required by law to comply with them if you collect the PII of their residents or track individuals from those areas through tools such as cookies, pixels, or analytics.
Misconception #5: “My business is too small for a Privacy Policy”
Look, who has any right to say what is/isn’t “too small” for a PP?
Privacy laws. That’s who.
Several privacy laws require small businesses to have a Privacy Policy if they collect data. As of the writing of this blog, those include:
- California Online Privacy and Protection Act (CalOPPA);
- Nevada Revised Statutes Chapter 603A;
- Delaware Online Privacy and Protection Act (DOPPA);
- General Data Protection Regulation (GDPR);
- United Kingdom Data Protection Act (UK DPA);
- Personal Information Protection and Electronic Documents Act (PIPEDA);
- Quebec Law 25;
- Australia Privacy Act 1988; and
- Rhode Island Data Transparency and Privacy Protection Act (coming soon).
Misconception #6: “There are plenty of free Privacy Policy Generators and Templates out there, those should work just fine for my Privacy Policy”
While I’m as passionate about free things as the next guy (seriously, I’ve camped out overnight for a restaurant’s ‘Grand Opening’ to secure free food for a year… twice), the truth is there isn’t a single ‘free’ option out there that’s comprehensive enough to protect your website.
Templates and free Privacy Policy Generators simply aren’t able to help websites comply with today’s modern privacy laws for several reasons:
- They do not create policies based on your actual business and privacy practices
- They do not take the time to determine which privacy laws apply to your business
- Since they don’t get to know your business, they can’t create all the appropriate disclosures required by law
- They do not automatically update your policies when laws change or new ones go into effect
If you still don’t believe me, we wrote a whole blog on reasons to avoid free Privacy Policy Generators.
Misconception #7: “Creating a Privacy Policy is a one-time task”
10/10 recommend doing that if you’re passionate about doing things the wrong way.
Privacy Policies should not be considered a static document. There are several factors that may require you to update or change your Privacy Policy, including:
- Changes in your business – Your business changes locations, phone numbers, or what email is best to contact regarding privacy concerns.
- Changes in business practices – Maybe you’re running a new digital ad campaign on Facebook and have added a pixel to your website or have decided to start/stop tracking users via a third-party analytics tool.
- New privacy laws – Each year, new privacy laws are going into effect. If these impact your business, your Privacy Policy will need updates to address any disclosures you’re now required to make under those laws.
- Changes to pre-existing laws – If a privacy law is amended or changed, this may impact the disclosures listed within your Privacy Policy.
This is why it’s crucial for website owners to use an attorney or a Privacy Policy Generator that auto-updates policies as these things change.
Misconception #8: “It doesn’t matter where I put a Privacy Policy on my website”
“A Privacy Policy is a work of art and it would be a travesty to all mankind if one was hidden away on some website.” – Me, a Privacy Policy Generator employee, just now.
Ok, it’s not just me saying that. Courts have decided in many cases that a Privacy Policy needs to be displayed in a clear and easy-to-find manner. Many laws also point this out, specifically. This means no hiding it under a ‘legal’ hyperlink or making the font #FFFFFE on an #FFFFFF background.
Misconception #9: “I can copy and paste a competitor’s Privacy Policy and be good to go”
This was once a relatively normal occurrence (though it was still illegal due to copyright laws). However, today’s world takes privacy far more seriously and fines are far more common.
Privacy Policies are very business-specific in that not every business will need to comply with the same laws. Even a close competitor will often have a very different Privacy Policy to match the privacy law disclosures if different laws apply to them.
So, by going this route, you may be neglecting certain laws that apply specifically to your business… leading to missing specific disclosures required by those laws… leading to fines that typically start at $2,500 per person whose rights have been violated.
Cookie Consent Banner Misconceptions
Misconception #10: “My website does not need a cookie consent banner because I don’t run ads”
Chocolate Chip cookies may be the only cookies that matter in the dessert realm, but there are several different types of cookies in the digital realm that can require a cookie consent banner to be placed on your website – not just advertising/marketing cookies.
If your website places non-essential cookies and certain privacy laws apply to your business, then you’ll need a Cookie Consent Banner to ensure users are opted out by default, i.e. no non-essential cookie is placed until the visitor has consented. For example, cookies from Google Analytics and Google Fonts may require getting consent from the visitor first.
Misconception #11: “I can track my website visitors through analytics without consent because analytics are essential for my business.”
Clinging to this misconception is like telling your wife that a new motorcycle is essential for your mental health. You may feel that’s a completely reasonable stance to have, but you’re opening yourself up for a rude awakening.
Analytics cookies are considered to be ‘marketing cookies,’ meaning they require consent before being fired onto a website.
The only cookies that don’t require consent are those necessary for a website to work (authentication, security, session management, consumer interface preferences, etc.). This is more important than ever as CIPA, the 30-year-old privacy law that’s getting website owners sued left and right, is currently looming over the United States.
Misconception #12: “A cookie consent banner that only has an “ok” or an “accept” option is compliant because people are agreeing to be tracked”
This paragraph uses cash. By reading this you’ve consented to paying me $20.
A) Accept
B) Ok
Not much of a choice, is it? A cookie consent banner must have an “accept” and “decline” option to obtain proper consent. We even wrote an entire blog on why your cookie consent banner must include a “decline” option.
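To make the last three points concrete (essential cookies run regardless, non-essential cookies and analytics wait for consent, and a banner without a “decline” option is not consent), here is an added example that is not code from the original post. It is pure logic so it runs outside a browser; the cookie names, categories and script URLs are a constructed inventory for a hypothetical site, and wiring the results to document.cookie or script injection is left to the page.

```javascript
// Consent gate for non-essential cookies and third-party scripts.
// Constructed inventory for a hypothetical site: names, categories and
// URLs are placeholders, not taken from any real deployment.
const COOKIE_INVENTORY = [
  { name: "PHPSESSID",  category: "essential", purpose: "session management" },
  { name: "csrf_token", category: "essential", purpose: "security" },
  { name: "_ga",        category: "analytics", purpose: "Google Analytics" },
  { name: "_fbp",       category: "marketing", purpose: "Facebook pixel" },
];

const THIRD_PARTY_LOADERS = [
  { category: "analytics", src: "https://analytics.example/collect.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];
const NON_ESSENTIAL = ["analytics", "marketing"];

// A banner only obtains real consent if it offers a negative choice too:
// "Accept"/"Ok" alone is not a choice.
function validateBanner(choices) {
  const labels = choices.map((c) => c.toLowerCase());
  return labels.includes("accept") && labels.includes("decline");
}

// Convert the visitor's click into an explicit per-category record.
// Until a click happens the record is null, which means "opted out".
function recordChoice(choice) {
  const record = { decidedAt: new Date().toISOString() };
  for (const cat of NON_ESSENTIAL) record[cat] = choice === "accept";
  return record;
}

function isGranted(consent, category) {
  return consent !== null && consent[category] === true;
}

// Cookies the site may set right now: essentials always, everything else
// only with an affirmative record for its category.
function permittedCookies(consent, inventory = COOKIE_INVENTORY) {
  return inventory
    .filter((c) => c.category === "essential" || isGranted(consent, c.category))
    .map((c) => c.name);
}

// Gate script tags the same way, so analytics never fires before consent.
function scriptsToLoad(consent, loaders = THIRD_PARTY_LOADERS) {
  return loaders.filter((l) => isGranted(consent, l.category)).map((l) => l.src);
}
```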
General Privacy Misconceptions
Misconception #13: “I can keep personal information indefinitely because I may need it in the future”
Unlike Pokémon cards, hoarding users’ data isn’t cool for several reasons:
1) It’s against the law. Multiple privacy laws such as GDPR and UK DPA prohibit the indefinite retention of personal information.
2) It’s risky. People’s data is your responsibility for as long as it’s stored by you. So, the longer you keep it around, the greater the chance something goes wrong (e.g. a data breach).
Data should always be deleted as soon as you no longer have a specific, valid purpose for it. For example, an individual who is not a client subscribes to your email marketing list. Once they unsubscribe, you should delete their information.
Misconception #14: “The same privacy laws apply to everyone”
Privacy laws that apply to you will depend upon where you do business, whose personal information you are collecting, where you offer goods or services, and who you track online.
For example, some laws such as CalOPPA apply as soon as you collect personal information from residents of California. Other laws such as Nevada Revised Statutes Chapter 603A apply if you collect the personal information of residents of Nevada and do business in the State.
So, if you’re simply trying to keep up with the Joneses’ privacy laws, you may be missing privacy laws you need to comply with or filling your Privacy Policy with privacy rights that are not applicable for your business.
Misconception #15: “If a tool is provided by a big company (e.g. Google), that means that it’s automatically compliant”
BAAAAAAAAAAAAAAAHAHAHAHAHAHAHAHAHAHAH. Good one.
Oh, you’re serious. Well, let’s just take two of Google’s biggest tools as examples. Google Fonts (when not self-hosted) and Google Analytics were both found to violate GDPR.
Your safest bet when using any tool is to do a little research to ensure it’s a privacy-friendly option.
Misconception #16: “I don’t have any privacy laws where I live, so I don’t need to worry about privacy”
We’ve saved one of the most common misconceptions for last.
Privacy laws protect residents of a certain area, not the businesses. So, if your website collects data from users in other states/countries, those laws may very well apply to you.
Conclusion
Look at that, we’ve reached the end already. Time flies when you’re explaining all the ways people are wrong.
To be fair, privacy can be extremely confusing. Having worked in this industry for a few years now, I’ve learned two key things: 1) people at parties will regret asking you what you do for a living and 2) there’s almost as much misinformation floating around as actual information.
That’s why, if you have ANY privacy questions, reach out to me… and I’ll pass it along to our President – the actual privacy attorney. Though, she will be the first to tell you it won’t be legal advice.
Thanks for reading! ‘Til next time.