You must have a privacy policy if you collect or process personal information about any identifiable individual (like your customers). A privacy policy is very important because it’s your promise to the people whose personal information you process (like your customers) as to what you’re going to do with their data. Once you have decided on your policy, it’s crucial to stick with it, as non-compliance can lead to serious trouble. So not only is it important what you say, but also how it is said. Some people call this a POPIA policy, but it is actually called a privacy policy.
A privacy policy should appear on all websites that collect personal information about visitors to the website. However, it should not be limited to your online visitors. If you collect, maintain and use consumer personal information in other ways, then the policy should cover that as well.
How can we help you
- Ensure you have a great privacy policy by asking us to draft a bespoke, tailored one specifically for you using our template.
- Draft a privacy policy yourself by using the template we have developed. Comments for the customisation and implementation of the policy are included as footnotes. The policy is designed to satisfy your requirements regarding the personal information of others and their privacy.
- If you already have a privacy policy, check that it is in line with the latest law by asking us to review it for you.
Types of privacy policies
Broadly speaking, there are two types of policies:
- A Customer Privacy Policy (external), which deals with how you process customer personal information; and
- An Employee Privacy Policy (internal), which deals with how you process employee personal information.
This article deals with a Customer Privacy Policy. It does not deal with Employee Privacy Policies or any of the other issues that form part of employee privacy, such as geolocation, nor does it deal with personal information policies, procedures and practices.
Factors to consider whilst drafting a customer Privacy Policy
You have most certainly encountered a maze of privacy policies whilst surfing the Internet, and it is very tempting to simply copy one and cut and paste from it to suit your own needs. Think before you do so, as the maze of policies you encounter is a direct result of legislation and court judgments in other countries that serve to protect personal information. In many instances, that legislation and those poor judgments are of no relevance in your country.
The goals of a privacy policy
Your policy must keep three goals in mind:
- The policy must satisfy the requirements of the law (such as the GDPR, the Protection of Personal Information Act, the Consumer Protection Act and the National Credit Act) and industry requirements (which will be spelt out in various Industry Codes, which POPIA makes provision for). Organisations doing business on a global basis must consider a multitude of international privacy laws as well.
- The policy must satisfy your business objectives.
- The policy must reassure data subjects. Privacy is an emotional issue for most consumers. Many people feel as though there is a full frontal assault on their personal information. They believe they have little or no control over the collection and use of their personal information. As a result, a policy must be designed to allay consumers’ concerns and make them feel comfortable doing business with your organisation.
Your policy provides high-level statements of your positions on particular issues, whereas procedures bring those positions down to earth by laying out specific actions and responsibilities.
What are the benefits of having a privacy policy for customers?
- It may reduce the risk of your company being sued for infringing on a customer’s right to privacy.
- The policy should also ensure that you comply with the law and therefore avoid sanctions for non-compliance.
- It will help you gain consumer confidence.
- Hopefully, bad publicity, which can have serious economic consequences, can be avoided.
- Your potential customers will not feel the need to seek out your competitors with better data privacy practices.
- A privacy policy should demonstrate good practice, thereby helping to attract new customers and retain existing ones.
- A well-drafted privacy policy should also enable you to deal with the personal information of customers in a manner which is beneficial to you.
- The personal information relating to your customers is a valuable business asset which should be protected and possibly even developed.
Do you collect personal information?
Personal information can be collected by various means, and you should carefully analyse the functioning of your business or website to establish if and to what extent you gather personal information. You might even collect personal information without knowing it! Ways in which personal information is collected include:
- visitors subscribing to a newsletter,
- a user registering on a blog or forum,
- users submitting their details via a form,
- in the process of contracting online,
- taking orders,
- through the personalisation of a website by a user,
- through the use of cookies,
- monitoring user access and habits,
- sending or receiving e-mails, SMSs or other similar messages.
You must update your privacy policy often
A privacy policy is a dynamic document and should be amended as the law relating to privacy and your business develops and changes. Your policy should therefore be reviewed on a regular basis.
Please remember the following important pointer: Many organisations assume that once their privacy policy is in place, the job is completed. This is a mistake. Whenever content or services are added or website functionalities change, there is a risk of exposing users to privacy breaches. It is critical for every online business to review its policy regularly as the business evolves, ensuring that any necessary changes are made to meet new challenges.
Acceptance of the privacy policy
It is suggested that you alert users to the fact that their personal information will be dealt with under a policy by way of a clear and prominently displayed notice at the bottom of each webpage of your website.
