Depending on what type of website you have, whether or not you collect personal information from users, either explicitly or implicitely, the answer in most cases is, yes, you do need one. Even if your website does not require the user to provide personal information, such as name, address, email, credit card info; the use of session or permanent cookies and other technical data collection mechanisms, could have considered a collection of personal information.
Basic regulations pertaining to privacy policies include:
– Information and Data Privacy, which requires the business or website to make sure that it has not and will not leak, give, or sell to any other party.
– Child Privacy; if a child is 13 years or younger, the law prohibits collection of any personal data. When retrieving information, you can request an age to continue. If the user supplies a false age, your site is notiable.
– Consent; the policy should detail what will be done with their personal information, and ask for consent before continuing or prior to any changes.
– Right to stop; all visitors and / or subscribers should have the right to cease communications and the receipt of advertisements. There should be an unsubscribe link on the site, as well as in any email advertisement sent to the individual.
In the end, it's all about being upfront and fair. You will find customers will be more willing to give personal or business information about themselves if they feel it will be handled the right way and kept secure.