Why You Need a Privacy Policy If You Are Using a Contact Form
By Gravity Forms. Published April 21, 2020. Written by Donata Kalnenaite.
When you really sit back and think about it, contact forms are a bit magic – anyone, anywhere in the world could inquire about you or the products or services that you offer at any time. This sure beats the old ways of snail mail! Contact forms allow you to make more sales, provide better customer support and simply grow your business, making them indispensable and thus featured on almost every modern website.
Unfortunately, there is one thing that you need to keep an eye out for if you have a form on your website, and that’s compliance with privacy laws. Spoiler alert: there are many great solutions to help you with this compliance!
A big part of that compliance is having a Privacy Policy. If you are wondering whether your website needs a Privacy Policy once you’ve installed a form, you have come to the right place. In this post, we will discuss:
- Contact forms and what it means to collect Personally Identifiable Information;
- Why this collection matters and why websites with forms need to have a Privacy Policy;
- Consequences of non-compliance;
- What compliant contact forms look like; and
- Where you can get a Privacy Policy.
Please note that this post is for informational purposes only and should not be considered legal advice.
How contact forms collect Personally Identifiable Information
The purpose of a contact form is to allow someone to contact you. If a website visitor has a question or a comment, you obviously need to respond to them to answer that question or comment and that is why contact forms collect information such as names, emails, and addresses.
This information is called Personally Identifiable Information, or PII for short, as it can be used to identify a particular person. Below is an example of a contact form from Active Campaign, an email marketing tool that is an add-on to Gravity Forms.
As you can see, this form collects emails, which is an example of Personally Identifiable Information. Below is another example of a contact form, this one from Postmark, which is also an email marketing tool and an add-on to Gravity Forms.
This form collects names and emails, which are also examples of PII. If your website has similar forms where users can contact you, subscribe to your newsletters, or otherwise submit their information, you are also collecting PII.
Privacy laws govern the collection, use, and disclosure of PII. Websites that collect PII may be subject to these privacy laws and should therefore have a Privacy Policy.
Why websites with contact forms need to have a Privacy Policy
Due to intense pressure from consumers, some countries and states have implemented privacy laws to protect the privacy rights of consumers. These laws apply to certain websites that collect PII through, for example, contact forms. One of the main requirements of these laws is for websites to have a Privacy Policy that discloses:
- What PII is collected;
- How that PII is used; and
- Who that PII is shared with.
While these are the main sections of a Privacy Policy, privacy laws have a litany of other disclosures that must be made as well. The United States, European Union, Canada, and Australia have the following privacy laws that protect the privacy rights of residents of those countries and states:
- California Online Privacy Protection Act of 2003 (CalOPPA), which protects the PII of residents of California;
- California Consumer Privacy Act (CCPA), which also protects the PII of residents of California;
- Nevada Revised Statutes Chapter 603A, which protects the PII of residents of Nevada;
- General Data Protection Regulation (GDPR), which protects the PII of residents of the European Union;
- Personal Information Protection and Electronic Documents Act (PIPEDA), which protects the PII of residents of Canada; and
- Australia Privacy Act of 1988, which protects the PII of residents of Australia.
To be clear, these countries and states may have other laws that apply to specialized industries such as healthcare, finance, and industries geared towards children. To keep this simple, we will focus on the six laws above because they apply to the most common small business industries.
In the next few sections, we will discuss each law, who it applies to and what its requirements are for businesses that use contact forms on their websites.
California Online Privacy Protection Act of 2003 (CalOPPA)
CalOPPA was one of the first laws in the United States that was created to govern the privacy rights of U.S. consumers on websites. CalOPPA applies to an operator of a commercial website that collects the PII of residents of California. It is important to note that this law can apply to you, regardless of where your business is located, as long as your website collects the PII of California residents.
Since any consumer from anywhere across the world can submit their information through a contact form, this law applies to virtually all websites that have contact forms. CalOPPA requires websites to have a Privacy Policy that does the following:
- Identifies the categories of PII that the website collects and the categories of third parties with whom the PII is shared;
- If you maintain a process for consumers to review and request changes to their PII, provides a description of that process;
- Describes the process by which you notify consumers of material changes to your Privacy Policy;
- Identifies its effective date;
- Discloses how the website responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII and about their online activities over time and across third-party websites, if you engage in such collection; and
- Discloses whether other parties may collect PII about a consumer’s online activities over time and across different websites when a consumer uses your website.
In order to fully comply with CalOPPA, you not only need to have a compliant Privacy Policy, but you also need to “conspicuously post” the policy itself. The term “conspicuously post” includes posting the Privacy Policy through any of the following:
- Posting the Privacy Policy on the website’s homepage or first significant page after entering the website;
- An icon that hyperlinks to the Privacy Policy page if the icon is located on the homepage or first significant page after entering the website, and if the icon contains the word “privacy”. The icon must also use a color that contrasts with the background color of the page or is otherwise distinguishable;
- A hyperlink to the actual Privacy Policy page on the homepage or first significant page after entering the website, if the hyperlink does one of the following:
- Includes the word “privacy”;
- Is written in capital letters equal to or greater in size than the surrounding text;
- Is written in a larger type than the surrounding text, or in contrasting type, font or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
Remember that the hyperlink needs to be displayed in a way that a reasonable person would notice it, so do not hide your policy; otherwise it will not be compliant.
While this is an older law, non-compliance is no joke as the penalty is $2,500 per violation. Per violation means per website visitor whose privacy rights you violated, which can quickly add up even if you have only a few dozen visitors to your website per month. Any website that collects the PII of California residents needs to have a Privacy Policy that is compliant with CalOPPA requirements.
California Consumer Privacy Act (CCPA)
The CCPA also protects the privacy rights of California residents. This law went into effect on January 1st, 2020 and will start to become enforceable by the California Attorney General on July 1st, 2020. This law applies to any for-profit business that does business in California and meets one of the following thresholds:
- Has annual gross revenues of $25,000,000 or more;
- Annually buys, receives, sells or shares the PII of 50,000 or more California residents, households or devices; or
- Derives 50% or more of its annual revenue from selling the PII of California residents.
If your business does not meet the requirements above but you work with companies that do, make sure to check your contracts to see if they require you to be CCPA compliant. The CCPA was passed to provide residents of California with more control of their data online and, to that end, the law provides California residents with the following privacy rights:
- The right to know what PII is being collected;
- The right to access the PII that the business has collected on them;
- The right to know whether their PII is sold or disclosed and to whom;
- The right to say no to the sale of their PII; and
- The right to equal service and price, even if they exercise their privacy rights.
If the CCPA applies to you, then your website needs to have a comprehensive Privacy Policy that includes the following disclosures:
- The rights that consumers are provided under the CCPA;
- The categories of PII that you have collected on consumers;
- The categories of sources from which you have collected the PII;
- The business or commercial purposes for which you collect the PII;
- The categories of third parties with whom you have shared the PII;
- Instructions for submitting a verifiable consumer request to exercise privacy rights;
- The process by which you will verify the consumer request, including any information that the consumer must provide;
- Whether you sell any of the PII that you collect. If you do sell PII, you will need to make additional disclosures and have a “Do Not Sell My Personal Information” page on your website where California residents can opt out of the sale of their PII;
- How a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf;
- Your contact information; and
- The date the Privacy Policy was last updated.
You will also need to review your Privacy Policy once per year to ensure that it is still correct and to update it if your data management practices have changed.
As outlined above, this law has very specific requirements for what your Privacy Policy needs to include. Not having a compliant Privacy Policy can lead to very steep fines of $2,500 per violation or $7,500 per intentional violation.
Just like CalOPPA, CCPA defines per violation as per website visitor from California whose privacy rights you violated, meaning that these fines can add up quite quickly. CCPA will start to be enforced on July 1st, 2020 by the California Attorney General. The Attorney General can bring actions for violations that occur between January 1st and July 1st, as well as violations taking place after that time period so it is imperative that you start complying with this law as soon as possible if it applies to you or you can face high penalties.
Nevada Revised Statutes Chapter 603A
Nevada’s recently amended privacy law protects the PII of Nevada residents and applies to “operators”, where an operator is defined as any person who:
- Owns and operates a website for business purposes;
- Collects the PII of Nevada residents through that website; and
- Purposefully directs its activities towards Nevada, consummates a transaction with a resident of Nevada or the State of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada.
To put it simply, if you are collecting the PII of Nevada residents and do business in that state, you need to make sure that you are in compliance with this law. This recently amended law provides the residents of Nevada with the right to opt out of the sale of their PII and requires websites to have a Privacy Policy that makes the following disclosures:
- The categories of PII collected;
- The categories of third parties with whom that PII is shared;
- A description of the process (if such process exists) for the user to review and request changes to their PII;
- A description of the process by which you let users know of any changes to your Privacy Policy;
- Whether a third party collects information about the user across different websites through, for example, cookies;
- The effective date of the Privacy Policy;
- Whether you sell the PII that you collect; and
- A designated request address through which a user may submit a request asking you not to sell the PII.
It is important to note that you must provide the designated request address regardless of whether you actually sell the PII. This law is enforced by the Nevada Attorney General and the penalty of non-compliance can be up to $5,000 per violation (per website visitor). If you collect the PII of residents of Nevada through your contact form and have customers in Nevada, you need to have a Privacy Policy that complies with the requirements of this law.
General Data Protection Regulation (GDPR)
GDPR is one of the most extensive privacy laws in the world, in terms of protections for the privacy rights of residents of the European Union and enforcement of violations of the law. GDPR applies to you if you meet one of the following:
- Are located in the European Union;
- Offer goods or services to European Union residents, regardless of your location; or
- Monitor the behavior of European Union residents, regardless of your location.
GDPR has been created to protect consumers and not businesses and its compliance requirements apply to companies far outside of the European Union. What makes GDPR fascinating and quite different from other privacy laws is that it actually prohibits the collection of Personally Identifiable Information by default.
Fortunately, there are some exceptions (also called “legal bases”). The following are the legal bases most commonly used by small business websites to process PII:
- The consumer consented to the processing of their PII;
- Processing is necessary to perform a contract with the consumer or to take steps at the request of the consumer prior to entering into a contract; and
- Processing is necessary for compliance with a legal obligation that the website owner is subject to.
Most contact forms collect PII via the consent legal basis as the user is agreeing (or consenting) to you collecting that PII. You must be able to show this consent, as otherwise it is invalid. In order to give consent, the user must be fully informed as to your privacy practices and this is where your Privacy Policy comes in.
Furthermore, as GDPR was implemented to protect the PII of residents of the European Union, the law provides privacy rights to such residents. The privacy rights included in GDPR are as follows:
- The right to be informed, meaning the right to receive a Privacy Policy that contains the required disclosures;
- The right to access the PII that you hold on that consumer;
- The right to rectification, or the right to ask for correction of any inaccurate PII that you hold about that consumer;
- The right to erasure of the PII that you hold about that consumer;
- The right to restriction of processing, meaning that the consumer can limit the way you use their PII;
- The right to data portability, which means that the consumer has the right to receive the PII that you hold about them in a structured, commonly used and machine-readable format and have the right to transmit that PII to another company;
- The right to object to the processing of their PII; and
- The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the consumer or similarly affecting the consumer.
If the above was not clear, European Union residents literally have the right to be informed about your privacy practices, meaning that you need to have a Privacy Policy and the consumer must be able to see it or your business will be non-compliant. A GDPR-compliant Privacy Policy needs to contain the following disclosures:
- Your identity and contact details and, where applicable, your representative’s identity and contact details;
- The contact details of the Data Protection Officer, where applicable;
- The purpose of processing the PII as well as the legal basis for processing;
- The recipients or categories of recipients of the PII, if any;
- Whether you intend to transfer the PII to a third country or an international organization. If you do intend to make such a transfer, then you will need to provide additional disclosures;
- How long you store the PII. If that is not possible, the criteria used to determine how long you will store the PII;
- A list of the rights provided to European Union residents under GDPR;
- Where processing is based on consent, the existence of the right to withdraw consent at any time;
- The right to lodge a complaint with a supervisory authority;
- Whether the provision of PII is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the consumer is obligated to provide the PII and the possible consequences of failure to provide the PII; and
- The existence of automated decision-making and profiling. If you use PII for these purposes, you must also include meaningful information about the logic involved, as well as the significance and consequences of such processing.
As you can see from the above, GDPR-compliant Privacy Policies can be pretty extensive, and it’s important to include all of the required disclosures as GDPR is heavily enforced. GDPR non-compliance can be extremely expensive, with fines of up to €20,000,000 or 4% of annual turnover, whichever is higher.
We have seen large companies such as Google, British Airways and Marriott being fined millions of Euros, but enforcement has not been limited to large companies only. To date, Data Protection Authorities have fined hundreds of companies for violations, with some fines being issued to small businesses or for the violation of the privacy rights of one consumer.
As the likelihood of being fined for GDPR non-compliance is relatively high, you need to make sure that your website has a Privacy Policy with all of the required disclosures if this law applies to you.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is a privacy law that protects the privacy rights of Canadians. This law applies to private sector organizations across Canada that collect, use and disclose the PII of Canadians in the course of a commercial activity. Canada’s Office of the Privacy Commissioner has also stated that PIPEDA applies to companies that have a real and substantial connection to Canada, meaning that you may need to comply with this law even if you or your business is not based in Canada.
As with other privacy laws, PIPEDA was created to protect the PII and privacy of consumers. To that end, the law provides the following privacy rights to Canadians:
- The right to access the PII that you hold about them; and
- The right to request that you correct any incorrect PII that you hold about them.
PIPEDA also requires companies to obtain meaningful consent for the collection, use, and disclosure of PII. To make consent meaningful, consumers must understand what they are agreeing to regarding their PII and that’s where the Privacy Policy comes in, providing consumers with the information that will help them understand what they are agreeing to. In order to properly obtain consent, your Privacy Policy should pay particular attention to and make disclosures in the following key areas:
- What PII is being collected;
- With which parties the PII is being shared, if any;
- For what purposes the PII is being collected, used or disclosed; and
- What are the risks of harm or other consequences.
PIPEDA is somewhat unusual in that it requires website owners to follow ten fair information principles when collecting, using and disclosing PII. Without going through each principle individually, they also require your Privacy Policy to include the following disclosures:
- The sources from which you obtain the PII;
- How you protect the PII that you collect;
- Your policies, procedures, standards or codes that govern privacy and security, if any;
- Who is accountable for your privacy practices and procedures;
- Your complaints handling procedure;
- The fact that Canadians may lodge a complaint with the Office of the Privacy Commissioner;
- Who the consumer should contact to exercise their privacy rights;
- What information the consumer will need to provide to verify their identity to exercise their privacy rights;
- How you will notify users of changes to your Privacy Policy;
- Whether you intend to transfer PII outside of Canada; and
- A list of the privacy rights offered to Canadians under PIPEDA.
Failing to have a Privacy Policy that complies with PIPEDA can lead to lawsuits. Individuals can apply to the Federal Court of Canada for a hearing. The Court can then issue an order requiring the company to change its privacy practices to be compliant and can award damages to the individual as well. If PIPEDA applies to you, you need to have a compliant Privacy Policy to avoid these lawsuits.
Australia Privacy Act of 1988
The Australia Privacy Act of 1988 was passed to protect the PII and privacy rights of residents of Australia. This law applies to Australian government agencies and to organizations with an annual turnover of $3,000,000, although some exceptions are made for smaller businesses.
This law can also apply to companies that have an “Australian link”, which means that, in very limited circumstances, it can apply to people and businesses outside of Australia. This law provides the following rights to residents of Australia:
- Right to know why their PII is being collected, how it will be used, and who it will be disclosed to;
- Right to have the option of not identifying oneself or of using a pseudonym in certain circumstances;
- Right to access the PII that is held about them;
- Right to stop receiving unwanted direct marketing;
- Right to request the correction of PII that is incorrect; and
- Right to make a complaint about an organization covered by the law, if the consumer believes that the organization mishandled their PII.
As consumers have the right to know, this law requires websites to have a Privacy Policy that makes the following disclosures:
- Your organization’s name and contact details;
- What kinds of PII you collect and store;
- How you collect the PII and where you store it;
- The reasons why you need to collect the PII;
- How you will use and disclose that PII;
- How a consumer can access their PII and ask for a correction;
- How a consumer can lodge a complaint if they think that their PII has been mishandled and how you will handle that complaint; and
- If you are likely to disclose PII outside of Australia and, if practical, which countries you are likely to disclose the PII to.
Fines for failure to comply with this law can range from $525,000 to $2,100,000 for a body corporate and from $105,000 to $420,000 for any other entity or individual. You need to have a compliant Privacy Policy to ensure that you are not fined for failing to comply with this law.
As websites with contact forms collect the Personally Identifiable Information (e.g. names, emails, and phone numbers) of consumers all over the world, chances are that one or more of these privacy laws apply to you.
This means that you need to have a compliant Privacy Policy or you could face costly fines and lawsuits. While this is an extensive requirement in itself, you also need to be aware that privacy compliance is a constantly evolving field, especially in the United States.
New privacy bills affecting websites with contact forms are being proposed and passed by states
While other countries have one set of rules that apply to websites that collect PII, that unfortunately is not the case in the United States. Due to intense pressure from consumers, multiple states are proposing their own privacy bills, each with unique requirements as to what a Privacy Policy needs to contain and unique penalties for non-compliance.
In fact, some states, such as New York, are proposing that residents can sue businesses of any size, located anywhere, just for having a contact form without a compliant Privacy Policy. While the privacy bills of these states are obviously different, there are some similarities:
- Requiring a Privacy Policy that makes very specific disclosures for certain websites that collect PII;
- Applying to businesses outside of that state; and
- Imposing heavy fines for non-compliance.
Due to the frequent changes in privacy law in the United States, it is imperative that you not only have a Privacy Policy that complies with current requirements, but that you also have a strategy for keeping your Privacy Policy up to date with new laws.
How to add a consent checkbox to a form
Since multiple laws require websites that collect PII to obtain consent prior to such collection, your contact form must be properly configured for consent. Remember that consent must be affirmative and demonstrable, meaning that checkboxes should not be pre-checked. This tutorial will show you how to add a consent checkbox to a form.
Part 1: Drag and drop the ‘checkbox’ field into your form.
Part 2: Editing your checkbox
- Replace the title with “Privacy” or leave it blank to hide the title
- Add a statement where users can agree to your Privacy Policy. Be sure to include a link to your policy, for example `<a href="https://DOMAINNAME.com/privacy-policy" target="_blank" rel="noopener">Privacy Policy</a>` (because the link opens in a new tab, rel="noopener" stops the opened page from scripting the form page)
- Delete the additional optional “Choices”
- Mark the field as required.
Part 3: Update your form
Part 4: Test and verify that the form is working!
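The following is an added example, not part of this tutorial or of Gravity Forms itself. It checks a consent checkbox definition against the rules above (one choice, not pre-checked, required, a statement linking to the Privacy Policy with the word “privacy” in the link text) and turns a ticked box into a consent record with the policy URL and a timestamp, so that consent is demonstrable. The field objects are assumed to follow the shape of a Gravity Forms JSON form export (type, isRequired, choices with text/value/isSelected); verify those key names against your own export, and the DOMAINNAME.com URL is the tutorial’s placeholder.

```javascript
// Added example (not from the tutorial above or from the Gravity Forms plugin).
// Field objects are assumed to follow the shape of a Gravity Forms JSON form
// export: { id, type, label, isRequired, choices: [{ text, value, isSelected }] }.
// Verify those key names against your own export before relying on this.

// Matches the first anchor in the choice text; captures the href and link text.
const POLICY_LINK = /<a\s+[^>]*href=["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/i;

// Check a consent checkbox definition against the rules stated in the post:
// a single choice, not pre-checked (consent must be affirmative), required,
// and a statement that links to the Privacy Policy with the word "privacy"
// in the link text (the CalOPPA "conspicuous" hyperlink rule).
function lintConsentField(field) {
  const problems = [];
  if (field.type !== "checkbox") problems.push("field must be a checkbox");
  if (!field.isRequired) problems.push("field must be required");
  const choices = Array.isArray(field.choices) ? field.choices : [];
  if (choices.length !== 1) {
    problems.push(`expected exactly 1 choice, found ${choices.length}`);
  }
  if (choices.some((c) => c.isSelected)) {
    problems.push("consent box must not be pre-checked");
  }
  const link = POLICY_LINK.exec(choices[0] ? choices[0].text : "");
  if (!link) {
    problems.push("choice text must link to the Privacy Policy");
  } else {
    if (!/privacy/i.test(link[2])) {
      problems.push('link text must contain the word "privacy"');
    }
    // A new-tab link without rel="noopener" lets the opened page script this one.
    if (/target=["']_blank["']/i.test(link[0]) && !/rel=["'][^"']*noopener/i.test(link[0])) {
      problems.push('target="_blank" link should also set rel="noopener"');
    }
  }
  return problems;
}

// Turn the submitted value of the consent checkbox into a record that can be
// stored with the entry, so the consent can be shown later (which policy was
// linked, what statement was shown, when it was ticked). Returns null when the
// box was not ticked, which the form should treat as a failed submission.
function consentRecord(field, submittedValue, submittedAt) {
  const choice = field.choices && field.choices[0];
  if (!choice || submittedValue !== choice.value) return null;
  const link = POLICY_LINK.exec(choice.text);
  return {
    fieldId: field.id,
    policyUrl: link ? link[1] : null,
    statement: choice.text.replace(/<[^>]+>/g, ""),
    consentedAt: new Date(submittedAt).toISOString(),
  };
}

// Constructed sample fields: one configured as the tutorial describes, one with
// the mistakes the tutorial warns about (pre-checked, optional, extra choice,
// link text without the word "privacy").
const goodField = {
  id: 7, type: "checkbox", label: "Privacy", isRequired: true,
  choices: [{
    text: 'I have read and agree to the <a href="https://DOMAINNAME.com/privacy-policy"'
      + ' target="_blank" rel="noopener">Privacy Policy</a>',
    value: "agreed", isSelected: false,
  }],
};
const badField = {
  id: 8, type: "checkbox", label: "Privacy", isRequired: false,
  choices: [
    { text: 'I agree to the <a href="https://DOMAINNAME.com/privacy-policy">terms</a>',
      value: "agreed", isSelected: true },
    { text: "Send me the newsletter", value: "newsletter", isSelected: false },
  ],
};

console.log("good field problems:", lintConsentField(goodField));
console.log("bad field problems:", lintConsentField(badField));
console.log(consentRecord(goodField, "agreed", "2020-04-21T10:00:00Z"));
```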
Where you can get a Privacy Policy
After looking through the requirements and information above, it is pretty clear that websites that collect PII through a contact form need to have a Privacy Policy. Privacy laws apply to businesses outside of the states and countries where they are passed, and websites not only need to have a Privacy Policy but also a strategy for keeping it up to date with changes. But where can you get a Privacy Policy?
The maze of required disclosures, updates to privacy laws and new bills make writing your own too complicated unless you are a privacy lawyer or want to leave your business to become one. Small businesses should pay particular attention to the following criteria when choosing a Privacy Policy provider:
- Reasonable and transparent cost. While having a licensed privacy attorney is the best option for getting your Privacy Policy drafted, the cost can be large – up to a few thousand dollars. Generators (software that asks you questions about your website and business and then generates a custom Privacy Policy based on your answers and needs) are a great, more cost-effective solution for small businesses. Beware of “free” generators, as most will charge extra for the most basic privacy law compliance, leaving you with either a large bill or a non-compliant Privacy Policy at the end. Also beware of Privacy Policy templates, as they may not be a good fit for your privacy management practices and they do not update whenever the laws change.
- Auto-updating whenever a new law goes into effect and when existing privacy laws change. As we have previously discussed, you not only need a Privacy Policy that complies with existing privacy laws, but also a strategy for keeping that Privacy Policy up to date when things change. Some generators state that they will keep your policies up to date but not all follow through on that promise. Make sure that the generator that you choose has made the following updates:
- October 1st, 2019: effective date of SB220, an amendment to Nevada’s Revised Statutes Chapter 603A;
- January 1st, 2020: effective date of the California Consumer Privacy Act;
- February 1st, 2020: effective date of the agreement by which the United Kingdom withdrew from the European Union.
If the generator has not made updates to their clients’ policies on those dates, that means that you are on your own for keeping track of privacy law changes.
- Written and reviewed by real privacy attorneys. Any generator that you use should be written and reviewed by privacy lawyers to ensure compliance. Check out the “about” or “team” pages of the Privacy Policy generator that you intend to use to verify this requirement.
Keeping all of these criteria in mind, we recommend that you use Termageddon to protect your website from privacy-related fines and lawsuits. Termageddon is a Privacy Policy Generator that keeps your policies updated with newly required disclosures, helping you avoid privacy related fines and lawsuits.
You can also generate a Terms of Service, Disclaimer and End User License Agreement if needed. Termageddon’s policies were created by a privacy attorney who is also a Certified Information Privacy Professional, the newsletter editor of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
A Termageddon license costs $99 per year for one website and that cost includes all compliance and all clauses so that you can be sure that you are protected.
Regardless of what solution you choose for your website, we hope that you seriously consider having a Privacy Policy to protect yourself and your business.
Gravity Forms has partnered with Termageddon to bring you a couple of fantastic offers – use promo code GRAVITY for 10% off your first order or, if you own a web design, development, or marketing agency, check out this special Gravity Forms promotion.
Donata Kalnenaite is a privacy and technology attorney and the President of Termageddon, a Privacy Policy generator. Donata is a Certified Information Privacy Professional, the newsletter editor for the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. Donata has taught GDPR to other attorneys at the Illinois State Bar Association and excels at breaking down complex topics such as privacy law into easy to use and actionable tips.
If you want to keep up to date with what’s happening on the blog, sign up for the Gravity Forms newsletter!