
The importance of Privacy Policies and Terms and Conditions for your WordPress website (and how it relates to GDPR and California laws)

Introduction (and disclaimer)

So you are launching a website, and you couldn’t be more excited about getting your messaging (or offering) out to the public eye.  What an exciting time, congrats!  

Chances are you found yourself adding features to your website. Perhaps you added a contact form to generate leads/inquiries. Or maybe you added a newsletter subscription, or perhaps you went all out and deployed an ecommerce experience for customers to make online purchases. Whatever features you added, I’m sure there was quite a lot to learn, but hopefully it was rewarding as well!

There seems to be an endless stream of potential features that could be added to a WordPress website. This is what makes WordPress such a powerful website platform!  When operating a website, regardless of what features you’ve added, it is important to understand what personal data you are collecting from your website visitors, as this is when privacy laws can start applying to you.  Whether it be through analytics tools collecting personal data behind the scenes, or through contact forms where site visitors type out and submit their data, it is important for website owners to understand the legal implications of data collection, and determine what disclosures they need to make within their website policies to comply with applicable laws. 

Website owners not only need to create policies to comply with applicable laws, but also need a strategy for keeping their policies up to date with changing legislation. New privacy laws are being passed every year, requiring website owners to update their website Privacy Policy with newly required disclosures. Failure to provide these required disclosures could result in non-compliance fines (which start at $2,500 per website visitor whose rights you’ve infringed upon!), so hopefully this article can help you!

Privacy is becoming a bigger and bigger deal. More laws are being passed, giving more and more people privacy rights, and we as website owners have an opportunity to respect those rights using proper website policies.

In this article, I’m going to lay out not just what Privacy Policies are (and how to obtain proper ones), but also how you can use other policies like a Terms and Conditions statement to help limit your liability in general.

Yes, I know reading an article about website policies is likely not the most exciting thing to read, but by the end of this article, you will have a great understanding of what website features require policies, and what you can do to protect yourself, your business, and your new website. 

Disclaimer: With all that said, please note that the information I am providing today should not be considered legal advice. Nothing beats hiring an attorney to advise you on the proper steps you specifically should take to comply with laws and limit liability.  With my own Disclaimer out of the way, let’s get into it!

Why even care about policies?

So why should we even care about website policies?  Does anyone even read this stuff? 

I am going to get on my high horse briefly and just share a quick note. I’ve been in the privacy industry for the better half of the last decade, and if I were to sum up my thoughts in a single sentence, it would be this:  humans are more important than businesses.  We must put legislation in place that protects our personal data as much as possible.  As we enter this new digital world we find ourselves in, we want to ensure that we as individuals have the right to tell companies what they can (and can not) do with our data. 

My name is my name. My email address is my email address. My phone number is my phone number.  Companies need to respect that, and that is why privacy laws exist (and more laws are being passed). 


Outside of wanting to comply with laws and avoid potential fines or lawsuits, I think it’s important to consider website policies as your opportunity as a website/business owner to show your respect for your website visitors’ rights.  Respecting people’s online privacy can even be a competitive advantage!

Okay, rant over. Let’s get you educated on what policies are (and how you can obtain them).

Policy Definitions

Each policy has a separate purpose, whether it be to comply with laws or limit liability (or both), so let’s discuss these individual policies in more detail.

What is a Privacy Policy?

A Privacy Policy is a statement that describes what personal data your website collects, what you do with that data, and a series of disclosures that you are required to make under the privacy laws that apply specifically to you.  

Personal data (otherwise known as Personally Identifiable Information) is any information that could be used to identify an individual.  For example, if you have a contact form asking people to submit their name and email, that is an excellent example of when you’re not only collecting personal data (like names and emails) but are also likely sharing that data with third party “Email Service Providers” (aka GSuite, Outlook, or any other third party email system you use).  If you are embedding/adding third-party fonts to your website, or adding analytics tools to your website, you may be sharing personal data with third-party providers (such as IP addresses and “information regarding people’s interactions with the website”). 

Privacy laws can start applying to you as soon as you collect a single piece of personal data from a particular website visitor.  For example, if you collect an email address or an IP address from an individual from California, CalOPPA applies, requiring specific disclosures to be made within your Privacy Policy.   We call these “broad reaching privacy laws”, where the law can apply as soon as personal data is collected from one individual (or as soon as you track an individual).  There are also other laws (like CPRA), which have business size restrictions, meaning the law will only apply to you if you surpass certain thresholds (like making $25 million or more in annual revenue).  

So to summarize this, a proper Privacy Policy contains the exact disclosures you are required to make, under the privacy laws that specifically apply to you.  

What website features require a Privacy Policy? 

Website features help give your visitors an excellent experience when viewing your website’s content.  There are several commonly implemented website features that may have privacy implications, so you should take this into consideration when creating a Privacy Policy. 

Here’s a non-exhaustive list of website features that collect personal data (and therefore may require a Privacy Policy):

  1. Contact forms – contact forms often collect name, email, and phone number, which are personal data.  Additionally, when a contact form is submitted, this often triggers an email that is sent to your inbox with that person’s contact details. This means you’re not only collecting personal data, but you are sharing that data with your third-party email service provider.
  2. Email subscription signup forms – if you are asking people to subscribe to a newsletter, you are likely collecting their email and then sharing that data with your third-party email marketing provider (Mailchimp, Constant Contact, Activecampaign, etc).
  3. Map embeds – if you are embedding a map, perhaps to show your business’s location, you may be sharing personal data with third party map software providers to allow this feature to exist.  
  4. Third-party website analytics – analytics tools can collect data behind the scenes such as “IP address” and “device information”.  That data may also be shared with third-party data analytics providers. 
  5. eCommerce – eCommerce features often collect personal data (names, emails, addresses, etc.) and may share that data with third-party payment processors (and fraud prevention service vendors).
  6. Registration forms – account registration is common on websites offering a customer or user portal. These registration forms often collect personal data like names and email addresses. 
  7. Video embeds – embedding third-party videos may collect and share personal data like “IP address” and “device information” with the third-party provider. 
  8. Advertising pixels – if you are running social media or search engine ads, you may have implemented a tracking pixel on your website to help understand and improve your conversions. It is important to disclose what personal data you are sharing with these third-party platforms to utilize these tracking pixels.

It is important to remember: there is nothing wrong with collecting and even sharing personal data that you capture through your website.  You may simply be required to disclose this fact to your website visitors so they understand these details.  Transparency is key when it comes to privacy compliance, so be sure to inform your visitors of the data you collect and share through features on your website.

What is GDPR? What is California’s CCPA or CPRA?

There are two privacy laws that have captured the attention of the masses: GDPR and CPRA.

The European Union’s GDPR (General Data Protection Regulation) is probably the most popular.  This is a broad reaching privacy law that protects the personal data of EU residents. This law can apply to any website owner offering goods or services to EU residents, or simply by tracking an individual from the EU on the website (ad tracking and analytics tools are common examples of where this can occur).  This privacy law has also resulted in thousands of businesses being fined for non-compliance, with the fines typically starting in the mid 5 figures and working upwards from there.

California’s CCPA went into effect and also caused a stir online.  This law then changed to CPRA (California Privacy Rights Act) in 2022, and this law has restrictions before it can apply to a business owner.  You not only have to do business in California, but you have to either have more than $25 million in annual revenue, share or sell the personal data of 100k or more California consumers (or households) in a year, or derive 50% or more of your annual revenue from selling the personal data of California consumers.  

Often we see website owners thinking they need to comply with CPRA, only to find out they do not meet the business thresholds for that law to apply.  But then they realize California has a second law (CalOPPA) that applies to them the moment they collect a single piece of data from a visitor from California. 

These two laws are quite popular, but they have very different definitions for when the laws apply to an individual (or company).  This is a great representation of why it’s important you first identify the laws that actually apply to you, and only then determine the disclosures you specifically need to make. We talk more about this in the ‘how to obtain website policies’ section below. 


It is crucial to understand that each privacy law is unique, with its own set of qualifiers to see if the law applies to you, and its own set of unique disclosure requirements. It’s also important to understand that the EU’s GDPR and California’s CPRA are just two of many privacy laws already in existence. There are also new laws going into effect each year which may require updates to your policies to comply with those laws as well.  Learning about GDPR and CPRA is important, but it would be a mistake to consider those the only two privacy laws to keep an eye out for. 

What is a Terms and Conditions statement?

A Terms and Conditions (aka Terms of Service, Terms of Use, Terms) is a statement you provide on your website that helps limit your liability by stating the rules for using your website. 

A Terms statement can be beneficial for virtually any business, as it can provide a series of disclosures that can help prevent lawsuits and even non-compliance fines.  For example, if you offer links to third-party websites, you can use a Terms statement to explain to users that you offer third party links, and aren’t responsible if they click that link and the other site gets hacked and the visitors lose a bunch of their data.  Terms can help you explain to users that you aren’t responsible because you can’t control those third party links. 

In addition to limiting liability in general, a Terms of Service may be required to comply with consumer protection laws. If you have an eCommerce website, for example, you need to make a series of disclosures to explain to your website visitors your shipping, refund, and cancelation policies (and potentially more). Otherwise, default consumer protection rules will apply, and those could potentially be unfavorable to you and your business efforts.  

What website features require a Terms and Conditions statement? 

Here is a non-exhaustive list of website features that could require a Terms and Conditions statement: 

  1. Third party links – if you offer links to third party websites, you’ll want to use a Terms of Service to explain to visitors that you aren’t responsible when they click on those links. 
  2. eCommerce – if you provide the ability to purchase goods, services, donations, or digital products directly through your website, you should use a Terms statement to define the rules for making a purchase. This includes shipping policies, return policies, and refund policies (which can all be placed within your Terms statement, or you can split them out into separate policies if you wish).
  3. Account creation – If users can register an account, you’ll want to explain how they can have their account deleted in the future if they wish to do so. You’ll also want to explain the rules for having an account (e.g. you can’t share your account password with others).
  4. Public Comments – if users can post comments on your website (perhaps on WordPress blog posts), your Terms can include content that you prohibit from being posted (such as abusive language, copyright infringement, and more).
  5. Misuse of logos, company name, or other IP – you can use a Terms statement to protect your intellectual property (logos, company names, etc) by providing users with information on who to contact if they believe someone is infringing on your intellectual property.  This section can also include how an individual can contact you if they believe you’re infringing on their intellectual property.

There is nothing wrong with having third party links, eCommerce features, or anything else listed above.  It’s just important to protect yourself by making certain disclosures within your Terms to help limit your liability (while providing education to your visitors).

Are there other types of policies?

There are several other policies a website owner may need to comply with laws as well as to further limit their liability.

Cookie Policy (and cookie consent solution)

A Cookie Policy is required under some (not all) privacy laws and should outline what cookies your website may place on a visitor’s browser and/or device.  A cookie consent solution is a tool that helps ensure you get consent from a user before placing third party cookies on a user’s browser and/or device.  

Disclaimer

A Disclaimer helps further limit your liability by disclosing additional details that may not be clearly understood by a website visitor. For example, if your website provides affiliate links, or provides information that could be seen as legal or health/fitness advice, you would want to provide a Disclaimer clarifying these facts.  Disclaimers help consumers understand these additional details and help ensure transparency between you and them. 

Accessibility Statement

Accessibility statements help explain to website visitors the accessibility standards you have reached with your website.  W3.org provides a free accessibility statement, which you can find by visiting the following link: https://www.w3.org/WAI/planning/statements/generator/#create

How to obtain proper policies for your WordPress website

Providing proper policies (and keeping them updated over time with newly required disclosures) is essential to demonstrating your respect for your visitor’s rights and also for limiting your liability and avoiding costly non-compliance penalties. 

There are good ways to get proper policies in place for your website, and then there are bad ways. Let’s jump into what you need to know before you start investing your time and resources into getting policies created for your website.

Know the basics of getting proper policies in place

To get a compliant Privacy Policy in place, you need to first identify the privacy laws that apply to you.  Only then can you determine what disclosures you need to make, as each privacy law has its own set of disclosure requirements.  

It’s important to understand that privacy laws protect people, meaning if you’re collecting personal data from website visitors from across state, territory, or country lines, you will need to determine if laws outside of where you’re located also apply to you.  As we noted earlier in this article, GDPR is a good example of a privacy law that could apply to you as soon as you track an individual from the EU on your website (even if you’re located outside of the EU). CalOPPA is a law that applies to any website owner that collects as little as an email address from a Californian visitor. There are many more privacy laws in existence; it will be important to find a way to identify which of these laws specifically apply to you, because only then can you determine the disclosures you’re required to make.

To get a compliant Terms and Conditions in place, you need to understand if consumer protection laws apply to you, and if yes, what disclosures you want to make to ensure your website visitors understand your rules when using your website. Additionally, a Terms statement for your website can be beneficial just in general to help limit your liability as a website owner.

Should you use a free template? 

A lot of people’s first thought when it comes to getting website policies is to go the cheap route with a free template.  Although this is nice in the sense that you don’t have to pay anything up front, the unfortunate part is that free templates are limited in how many laws they ‘cover’, and even for the laws they claim to cover, they fall short.  Several privacy laws like GDPR and CPRA have ‘if this, then that’ type disclosure requirements. For example, you are required to provide a toll free number if CPRA applies (unless you are exclusively online and have a direct relationship with the customer). With templates working as a ‘fill in the blank’ type of format, it can be hard or impossible to break down these types of conditional requirements listed within each privacy law.

Additionally, templates do not keep your policies up to date over time with newly required disclosures.  In 2024, for example, four more privacy laws are going into effect, requiring new disclosures within a Privacy Policy if those laws apply to you (and penalties for non-compliance start at $2,500 per website visitor whose rights you’ve infringed upon). 

Best option: work with an attorney

The best option to obtain compliant website policies is to work with an attorney who specializes in privacy and consumer protection laws.  

When selecting an attorney to work with, I would recommend the following:

  1. Ask them their fees up front, thus creating no surprises for you. 
  2. Ask them about their approach to creating a Privacy Policy.  You’ll want to make sure they discuss the importance of first identifying the privacy laws that apply to you (because only then can the exact disclosures be determined). This is a great ‘litmus test’ to determine if you’re working with a great privacy attorney or not. 
  3. Ask them about their ongoing fees associated with monitoring privacy law amendments and privacy bills. This is yet another great test to see if this attorney is focused on keeping their clients’ policies up to date over time with changing legislation.
  4. Ask them to describe their process for drafting a Terms and Conditions statement. They should be focused on asking you a series of questions to determine all the disclosures that will need to be provided to help limit your liability. 

The benefit of working with an attorney is that you get legal advice.  And this is a huge benefit!  Hiring an attorney to keep website policies updated over time can however be a very expensive endeavor.  This is why a lot of website owners turn to comprehensive website policies generators to get policies in place. We will talk about the pros and cons to website policy generators in the section below.

Second best option: use a website policy generator 

If it is too costly to hire an attorney to draft your policies and keep them up to date over time with changing legislation, the second best option would be to work with a reputable website policies generator. 

A good website policies generator will:

  1. Walk you through a series of questions to determine what website-related law(s) apply to you.  Only then will the tool ask you the questions necessary to create the respective disclosures required under each applicable law. 
  2. Notify you when new legislation passes and/or existing legislation is amended.  
  3. Push updates automatically to your policies whenever new disclosures become required.
  4. Have leadership within the organization with legal backgrounds.
  5. Be attorney-friendly and allow your attorney to review and even customize the generated policies to their liking.


The pro to a website policies generator is that it is cost effective and you can get comprehensive policies added to your website the same day you sign up.  The con to a website policies generator is that they don’t provide legal advice.  That is why you should verify the generator you work with is attorney friendly, in case you want to share access with your attorney now or some time in the future as your business grows.

Being a Co-Founder of a website policies generator myself (Termageddon), I am a bit biased in my opinion, but I think getting started with a website policies generator is a comprehensive and cost-effective way to get auto-updating policies added to a website. And as your business grows, you can share access to the generated policies with your attorney, who can review everything to ensure that it all looks good (and make any customizations they wish).  This is a great way to keep costs down when getting going with a new website, while still giving you the added benefit of offering an attorney access to your policies so they can review and customize them further in the future (which is a lot less expensive than drafting from scratch).

Conclusion

Providing your website visitors with comprehensive policies demonstrates your respect for people’s privacy and consumer rights.  They also help you limit your liability and avoid costly non-compliance fines or lawsuits. 

Free templates are tempting, but they almost always are non-compliant and are unable to address the continual updates that need to be made over time.  Consider working with an attorney or a comprehensive auto-updating website policies generator to get proper policies added to your website.
