25 June 2019
The ICO was concerned about the absence of readily available information explaining how and why Google was processing users' data. It found the descriptions available were too ambiguous, particularly with regard to the improvement of services, the development of new services and the grouping of data over different services.
Google agreed to carry out several changes:
This formal undertaking entered into by Google is useful for your business as it shows the kind of factors that will be considered by EU data protection authorities when reviewing your legal agreement regarding the privacy of your users.
The key point to take away: a high degree of specificity is expected by data protection authorities for Privacy Policies.
This guidance for Google and the undertaking made by Google can be used to fine-tune your own agreement. Here are some of the key points of information you should take from Google's case and apply to your business:
This means that users should be able to access the agreement with one single click. They shouldn't have to go through many pages to find it.
The most popular way to meet this requirement (but only the first step in doing so) is to add a link in your website's footer:
Then make sure it's on your mobile app as well, if you have one:
It's important to include a list of the personal information that you collect.
It's also very important to be extremely specific about the information you collect and use. Twitter does this in the "Information Collection and Use" section.
In the "Information we collect" section, Google specifically lists what information they collect: names, credit card details, telephone numbers and email addresses.
This is divided into two subheadings similar to Google's: "What personal information we collect" and "How we use your personal information."
Apple specifically lists what information they will be collecting: name, mailing address, phone number, email address, contact preferences and credit card information.
For example, Google identifies itself as the controller of YouTube:
Here's how Shopify does it:
To meet this kind of requirement, make sure the link is always visible on your website and users are always aware that they can read your agreement.
Because the dashboard used by DigitalOcean is most likely to be read by its users, it makes perfect sense to add this kind of notification in the dashboard.
If you have a dashboard implemented, users should have the ability to consent to, object to, and remove certain personal data.
This is especially important for the most sensitive type of personal data, such as geolocation data. Here's how an iOS app asks for geolocation data:
Here's how Facebook specifies what kind of cookies they store on users' PCs in the Cookies Policy agreement:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.