The ICO was concerned about the absence of readily available information explaining how and why Google was processing users' data. It found the descriptions available were too ambiguous, particularly with regard to the improvement of services, the development of new services and the grouping of data over different services.
Google agreed to carry out several changes:
- Deliver clear, unambiguous and complete information about its data processing. This should include a full list of all of the types of data which are processed by Google and how that data is used.
- Ensure continual assessment of future changes to data processing that may impact privacy and may not be within the reasonable expectations of users, so that users can be given satisfactory notice of these changes.
This formal undertaking entered into by Google is useful for your business as it shows the kind of factors that will be considered by EU data protection authorities when reviewing your legal agreement regarding the privacy of your users.
The key point to take away: a high degree of specificity is expected by data protection authorities for Privacy Policies.
This guidance for Google and the undertaking made by Google can be used to fine-tune your own agreement. Here are some of the key points of information you should take from Google's case and apply to your business:
This means that users should be able to access the agreement with one single click. They shouldn't have to go through many pages to find it.
The most popular way to meet this requirement (but only the first step in doing so) is to add a link in your website's footer:
Then make sure it's on your mobile app as well, if you have one:
It's important to include a list of the personal information that you collect.
It's also very important to be extremely specific about the information you collect and use. Twitter does this in the "Information Collection and Use" section.
In the "Information we collect" section, Google specifically lists what information they collect: names, credit card details, telephone numbers and email addresses.
This is divided into two subheadings similar to Google's: "What personal information we collect" and "How we use your personal information."
Apple specifically lists what information they will be collecting: name, mailing address, phone number, email address, contact preferences and credit card information.
- You should identify yourself so that your users know who you are.
For example, Google identifies itself as the controller of YouTube:
- You should inform users which third parties you are allowing to collect personal data in your name and how that data will be used.
Here's how Shopify does it:
To meet this kind of requirement, make sure the link is always visible on your website and users are always aware that they can read your agreement.
Because the dashboard used by DigitalOcean is most likely to be read by its users, it makes perfect sense to add this kind of notification in the dashboard.
- Use simple language in your legal agreements.
- You should ensure your employees know to get users' consent whenever new features or services are launched that require new personal information from users.
- You should have the same legal agreement for every device used, e.g. mobile phone, tablet, PC.
- You could consider providing tools for users to manage their personal data, especially if your business is a SaaS application.
If you have a dashboard implemented, users should have the ability to consent to, object to, and remove certain personal data.
- Your default settings must be privacy friendly.
- If the dashboard is only available to registered accounts, you should also have a dashboard for non-registered accounts so non-registered users can still view how you collect and manage data.
- Consent must always be asked for before you begin collecting and processing data.
This is especially important for the most sensitive type of personal data, such as geolocation data. Here's how an iOS app asks for geolocation data:
- If you offer multiple services, e.g. Google's YouTube and Gmail, you should have multiple cookies which allow your users to have more control over the data collected.
Here's how Facebook specifies what kind of cookies they store on users' PCs in the Cookies Policy agreement:
- The Data Protection Directive (EU) also advises that data retention must be reasonable and proportional. The data must also be properly anonymized.