![\"Mark](\"https:\/\/ik.imgkit.net\/3vlqs5axxjf\/TW\/ik-seo\/uploadedImages\/All_TW_Art\/TWSTF\/MarkPestronk\/Mark-Pestronk.jpg\" "\\"Mark")
<\/p>\n<\/p>\n
Q:<\/strong>Our small agency has a website. Potential clients cannot make reservations or otherwise interact with us through the website, but they can fill in a form to request more information. Our potential clients are nationwide and worldwide. We don\u2019t have a website \u201cprivacy policy,\u201d and we are often contacted by technology consultants who offer to develop one for us. I would rather not have one because I know that if we don\u2019t follow our own policy, we could be sued and penalized for violation. Do we really need one?<\/em><\/p>\n A:<\/strong> Because your website has a fill-in form, you do need a privacy policy under the laws of three states. Those laws protect consumers who reside in those states, regardless of the location of your business.<\/p>\n The first and most famous of the privacy policy laws is the California Online Privacy Protection Act (CalOppa). CalOppa applies if you collect any personal information from California residents. It has very detailed requirements for privacy policies.<\/p>\n If you don\u2019t follow CalOppa\u2019s detailed requirements, the state can fine you up to $2,500 per violation, although you will first receive a 30-day notice to comply.<\/p>\n The only other states that currently have similar laws are Nevada and Delaware. Texas will have a similar law go into effect on Jan. 1, but it will exempt businesses classified as small under Small Business Administration rules, which, in the case of travel agencies, means those with less than $25 million in revenue (i.e., commissions, overrides, fees and markups). That standard exempts almost all agencies.<\/p>\n You may read that Virginia, Colorado, Connecticut and Montana have similar laws, but they apply only to companies that specifically target residents of those states and collect the personal data of at least 100,000 residents of the state per year (50,000 in Montana) or derive 50% of gross revenue from the sale of personal data.<\/p>\n Several more states have laws that will apply if you collect more than 100,000 residents\u2019 data and that will go into effect in the future: Utah on Jan. 1; Oregon on July 1; Iowa on Jan. 1, 2025; Tennessee on July 1, 2025; and Indiana on Jan. 1, 2026.<\/p>\n So, despite the plethora of current and coming privacy policy laws, it turns out that only the laws of California, Nevada and Delaware apply or will apply to your business. According to experts, if you comply with CalOppa, you will also comply with Nevada\u2019s and Delaware\u2019s laws.<\/p>\n You don\u2019t necessarily need to pay anyone to develop a privacy policy that complies with CalOppa. Just Google \u201chow to set up a privacy policy under CalOppa,\u201d and you will get various free websites that provide check-the-box forms that you can use.<\/p>\n Incidentally, there is no federal privacy policy law. However, the Federal Trade Commission takes the position that if you have one and violate it, then you are engaging in a deceptive practice. The FTC has fined several businesses for such violations, so you need to be sure that you follow your policy if you have one.\u00a0<\/p>\n