What is a Privacy Policy?

A privacy policy is a public-facing document — usually posted on your website — that tells your clients and website visitors how you collect, use, and share their personal information.

A privacy policy answers questions like:

Privacy policies are required by various state laws (like CCPA in California) and are required by payment processors like Stripe.

What is a WISP?

A Written Information Security Plan is an internal operational document — not public-facing — that describes how your business actually protects the data you hold. It's your security program in writing.

A WISP answers questions like:

💡 Think of it this way: your privacy policy tells clients what you do with their data. Your WISP tells the FTC and IRS how you protect it. They serve completely different purposes and one does not replace the other.

Key Differences at a Glance

Do You Need Both?

Yes. They serve different legal requirements and different audiences. Having a privacy policy doesn't satisfy your WISP requirement. Having a WISP doesn't replace a privacy policy.

⚠️ If a tax preparer tells you their privacy policy satisfies their FTC Safeguards Rule obligation, they are wrong. The FTC explicitly requires a separate written information security program — a WISP.

What About a Terms of Service?

A terms of service is a third separate document that governs the legal relationship between you and your clients — what services you provide, payment terms, liability limitations, and so on. It's separate from both the privacy policy and the WISP. Each document has its own purpose. None of them substitutes for the others.

Get Started

Need Help Organizing Your WISP Documentation?

  • Guided questionnaire included
  • Customized WISP document
  • Word & PDF versions
  • Loom video walkthrough
  • Delivered in 48 hours
Start Here →

SafeguardsReady is not a law firm and does not provide legal advice. Documents are prepared based on publicly available FTC and IRS guidance. Consult a licensed attorney for advice specific to your compliance obligations.