A privacy policy is not always legally required, but often a good idea for most startups - from tech company to service business and everything in between. To know whether your startup is legally required to have a privacy policy ask the following three questions:


1.Does the startup sell online?

eCommerce businesses are not the only startups that sell things online. Here are a few examples of other ways that companies may accidentally find themselves selling online:

  • Directing customers to their website to purchase/pay for their services to reduce administrative or paper contracts;
  • Organizing and hosting events that charge attendees; or
  • Charging other companies for product placement or advertising on your website.

To sell anything on your website, it means that the customer is providing personal identifiable information (i.e. name, billing address, credit card numbers, etc.). This is valuable information and it needs to be protected. Startups choosing to know their customers by collecting this information should have a privacy policy to ensure that they are properly handling customers’ information.


2.Do children under 13 use the website?

There are companies that clearly aimed at children (i.e. children’s toys, clothes, books, etc.). However, this can be a more complicated question than most expect. In many cases, children may access or use the services offered by the company on its website or download the app. Some examples of unexpected situations where children may enter a website include:

  • Message boards on a website enabling users to communicate with each other;
  • Photo-sharing functionality for members of the website;
  • Posting event details that would be attractive for children to attend (i.e. character appearances, bands, sports, etc)

There are ways to build in more restrictions to prevent children from accessing the site. There are also some functionalities to consider in how your startup will monitor content that is posted on its website, app, or social media. Together, website functionality and a well written privacy policy are critical to ensuring that children and your startup is actually protected for the long term.


3.Do California residents access the startup website?

This question is incredibly broad because that is how the statute is written. The California Online Privacy Protection (CAL-OPPA) is read broadly and includes companies that:

  • Have clients located in California;
  • Advertise to residents of California;
  • Ship to California; or
  • Receive comments or feedback from California residents

Remember that residency is a legal question that does not require the person to always be in California. So, most every company that has a website should have a privacy policy that is compliant with CAL-OPPA. Electing not to comply could result in hefty fines, penalties, and avoidable complications to your startup.


If you answered yes to any of the above, then your startup most likely needs a privacy policy on its website. Be wary of a generic privacy policy as it can often be more problematic than none at all. Avoid this common problem by customizing the privacy policy to the realities of your business. Loop Legal offers services to entrepreneurs built on an innovative pricing model to help start-ups from launch through scaling. Contact us today to learn more.