Run | 9 October 2017

I have a website. Do I need a Website Privacy Policy?


The short answer is: if your website doesn’t collect any information about its users, there’s no need to include a Website Privacy Policy on it. Some websites are simply online advertisements, providing an overview of your company, your team and the products or services you offer. However, if you collect any personal information from users, you should have a Website Privacy Policy.

What does the law say?

We use the term “data protection” to describe the principles, policies and procedures used to ensure personal information is handled properly by the person to whom it is given. In some countries, there are substantial data protection laws and regulations controlling how your personal information is used by organisations, businesses and government (for example, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)). Although it is an EU Regulation, the GDPR also applies to businesses operating outside the EU if they offer goods or services to EU persons (data subjects) or monitor their behaviour. ADGM and DIFC each have comprehensive data protection legislation but the laws on this subject are less developed outside these free zones. However, some of the region’s civil and criminal laws address a person’s right to privacy.

If it isn’t compulsory, why do I need one?

As we’ve said in relation to your Cookies Policy (in our article “I have a website. Do I need a Website Cookies Policy?”), even if there is no law directly applicable to your business, your business can set itself apart from your competitors by showing respect for your users’ privacy. If your website has a Website Privacy Policy, you are following global best practice, which should enhance your credibility in the market and foster trust with your customers and users. Having a Website Privacy Policy in place also provides an element of future-proofing should other jurisdictions in the region move to adopt more comprehensive data protection and privacy laws and regulations.

But I only collect the personal information so I can deliver my product to my customer.

Personal information may be collected for a variety of reasons. You may only collect names and email addresses as a first “sign up for more information” or registration step. You may need physical address, phone number and credit card details to complete the sale of your products and deliver them to your customer. You may ask your customers to complete a feedback form which provides additional demographic information about them which you would like to use as part of a future marketing campaign. The end purpose does not matter: it is the collecting of the personal information that is important.

What do I need to include in my Website Privacy Policy?

A Website Privacy Policy will set out the terms on which your business collects, manages, stores and uses the customer’s personal information. It should answer the following questions:

•  What personal information will you collect?

•  How will your business collect the personal information?

•  How will your business use the personal information you collect?

•  How will you manage the personal information you collect?

•  Who else will see or use the personal information?

•  If your business will transfer the personal information to others, can the user opt out of sharing their personal information with those third parties?

What else do I need to know?

•  Walk the talk: Your Website Privacy Policy must be accurate and reflect what your company does in practice with personal information. However, to avoid having to update your Website Privacy Policy constantly, you should consider future-proofing it by including aspirational statements, i.e. notifying the user what you may do with the personal information in the future, even if you do not have the systems in place currently to do all those activities.

•  Children and minors: If your business is aimed at children, or you collect personal information which indicates children are users of your website, consider whether you should take additional steps in relation to this information e.g. parent/legal guardian consent. The legal age of majority in the UAE is 21 years (i.e. the age at which a person is considered an adult).

•  Third party APIs: If your website uses APIs licensed by social networking sites (e.g. Facebook or Twitter), you must comply with their policies and they may impose additional requirements on you in relation to data protection.

•  GDPR: If the GDPR applies to your business, your Website Privacy Policy must comply with its provisions. The GDPR sets out requirements not only on the information which must be included in your Website Privacy Policy but also the way in which it is presented to users.

