Do you need a privacy policy?

Yes, you do need a privacy policy. The days when some websites or apps could get by without one are long gone. No website or app should appear on the internet without a privacy policy.

And that is just one element of compliance with data protection laws.

The privacy policy is a document that describes your data privacy practices to users. You need to be transparent with them and this is how you provide such transparency.

Some laws explicitly require a privacy policy, while others require transparency where having a privacy policy is the most practical way to be transparent.
To sum it up, you need a privacy policy for your website or app as soon as they get to the internet.

But that's not enough for compliance

Having some text named privacy policy on your website is not enough for compliance.

There are two things you have to keep in mind:

1. The privacy policy has to contain a minimum set of elements to be compliant with the relevant data protection laws. At a minimum, in most cases, you’ll need to tell users what data you process, why and how you collect it, with whom you share it, and what are the users’ rights in relation to their data. These elements are beyond the subject of this post. I will write more about it soon.
2. You need to obtain the user’s explicit consent where the relevant law (such as the GDPR or LGPD) requires so. Having a privacy policy doesn’t make you compliant with the GDPR if your website uses cookies without asking users for consent.

A privacy policy is not all you need for compliance with the relevant data protection laws. It almost never is.

The only exception is if you are based in the United States and all your users come from the United States or another country with non-comprehensive or non-existent data protection law. In any other case, having a privacy policy is not enough.

This post originally appeared in the second issue of my newsletter Bite-Sized Legal. You can sign up here.