Over the years, we’ve watched too many firms fall into the “I’ll get to that later” trap when it comes to privacy policies. The reality is, if you have a website that collects any type of data, you need a privacy policy (even if you don’t collect information, it’s still a good idea). The absence of one exposes your firm to material risks, including regulatory fines, costly litigation, and reputational harm that could impair capital-raising efforts and client trust.
The good news is creating a privacy policy has become more accessible than ever. Today, a range of low-cost tools can streamline the first draft — though rigorous review and oversight from your legal/compliance teams remains essential. But before we jump into implementation, let’s review the foundational elements of privacy policies:
Why Do You Need One: In most cases and jurisdictions, it’s legally required. State, federal and international privacy laws and regulatory frameworks mandate that businesses disclose what data they collect online, how they use it, and what rights individuals have over their personal information. Having a privacy policy helps you meet legal and regulatory requirements and is key to building client trust.
What Makes a Good Policy: Privacy policies should be clear, concise, and as short as possible while still being thorough. Policies should provide firm contact information (names, address, contact details), specifics on what personal info is collected, why it's collected, how it is used, whether it is shared or sold, the rights people have over their personal data, and how they can act on those rights.
Navigating the Regulatory Landscape: Data privacy regulations are notoriously complex and change over time. Keeping up can feel daunting. It’s important to remember that the regulations your firm must follow apply to where you are based AND where your clients and prospects are located.
For example, a US firm with clients in the UK, New York, Connecticut, and California would need to follow multiple regulations, including the General Data Protection Regulation (GDPR); the UK GDPR and the UK’s Data Protection Act 2018; the California Online Privacy Protection Act (CalOPPA); the California Consumer Privacy Act (CCPA); and the Connecticut Data Privacy Act (CTDPA).
Getting Started: Input and review from legal and compliance teams is essential, particularly for companies in the finance space. However, there are multiple tools to help you start drafting a policy. Law Depot, TermsFeed, and others take you through a set questionnaire where you provide basic information about your firm and disclose the tools your firm is using, such as Mailchimp, Salesforce, HubSpot, Google Analytics, etc. A preliminary policy is created based on those inputs. After a review by your legal and compliance experts, you should have a basic policy that can grow with your firm over time. Don’t forget you can also check out the privacy policies of other firms to compare with your draft.
Updates are Essential: Once implemented, your privacy policy should evolve with your organization. Every time you adopt a new technology, enter a new market, change data handling practices or how you are using the collected data, your policy should be updated. These changes are often straightforward but critical to ensure that you are providing accurate information and protecting yourself in the case of lawsuits or inquiries.
Fines and Lawsuits: If someone has a privacy-related issue with your firm, a clear, concise and well-maintained privacy policy is there to hold up in court, or at least to show that your firm took reasonable steps to communicate its practices.
Privacy violations are typically the result of three types of failures:
1. Weak data security (companies gather data but don’t protect it).
2. Ignoring user requests (requests to access or delete data, or to opt out).
3. Vague or non-existent privacy policies.
Fines for these failures can be significant. Regulators have shown a willingness to impose strict financial penalties. GDPR fines can range up to 4% of a company’s annual revenue. CCPA violations can cost firms up to $7,500 per incident. The largest GDPR fine ever was issued to Meta for €1.2 billion in 2023 for unlawful data transfers.
Additionally, the volume of class-action lawsuits against companies is on the rise, with large settlements for the plaintiffs becoming the norm.
Privacy policies are a complex but essential part of doing business. The good news is there are significant benefits to having one which we will explore in part 2. As always, the team at Emerson Ward is standing by if you’d like to talk about making sure your website is working hard for your firm.