Be specific in your Privacy Policy

Be specific in your Privacy Policy

The current Privacy Policy of Google allows them to combine data from their different services they currently operate. For example, data collected from YouTube could be combined with data collected from Google searches.

The Article 29 Working Party, which is a group of European Data Protection regulators, advised in 2012 that Google's policy might not conform to the European Data Protection Directive. The Party delivered guidance for Google to make sure that Google's Privacy Policy will be compliant with EU data protection laws.

The good news for your business is that you can use this guidance as a framework to ensure that your own Privacy Policy agreement for your website or mobile app is compliant with EU Laws.

ICO Logo

UK's ICO also found Google's Privacy Policy to not comply with the UK's Data Protection Act.

ICO was concerned about the absence of readily available information explaining how and why Google was processing users' data. It found the descriptions available were too ambiguous, particularly in regards to the improvement of services, the development of new services and the grouping of data over different services.

Google agreed to carry out several changes:

  • Improve its Privacy Policy accessibility and content
  • Deliver clear, unambiguous and complete information about its data processing. This should include a full list of all of the types of data which are processed by Google and how that data is used.
  • All language in the Privacy Policy to be clear and distinct.
  • Make it certain to have continual assessment of changes to data processing in the future which may impact privacy which may not be within the reasonable expectations of users so that users can be informed with satisfactory notice of these changes.
  • Constantly review the content of its Privacy Policy and associated web content so that users are always informed of changes to the ways their data may be processed.

This formal undertaking entered into by Google is useful for your business as it shows the kind of factors that will be considered by EU data protection authorities when reviewing your legal agreement regarding the privacy of your users.

The key point to take away: a high degree of specificity is expected by data protection authorities for Privacy Policies.

If the disclosures you add are too generic or open-ended, your Privacy Policy is more likely to come under extensive examination.

The Article 29 Working Party Guidance advised Google to ensure that their Privacy Policy was immediately visible without scrolling, accessible with one click and to make sure that it applied to every type of device: desktop or a mobile.

The guidance also suggests that Google should create some kind of dashboard where users can manage their personal data across all Google services easily and that its Privacy Policy should reflect a fair and proportional retention of the data period.

This guidance for Google and the undertaking made by Google can be used to fine-tune your own agreement. Here are some of the key points of information you should take from Google's case and apply to your business:

  • Make sure your Privacy Policy can be easily seen and accessed.

    This means that users should be able to access the agreement with one single click. They shouldn't have to go through many pages to find it.

    The most popular way to meet this requirement (but only the first step in doing so) is to add a link in your website's footer:

    Bigcommerce Footer

    Then make sure it's on your mobile app as well, if you have one:

    Dropbox iOS App: Click on Legal & Privacy

  • Your Privacy Policy should be properly structured so that the information about what data you collect and process is clear.

    It's important to include a list of the personal information that you collect.

    Here's how eBay shows its Privacy Policy on the iOS mobile app:

    eBay Privacy Policy Embedded on Mobile App

    It's also very important to be extremely specific about the information you collect and use. Twitter does this at the "Information Collection and Use" section.

    When reading Google's Privacy Policy page, you can see they have two separate linking headings: "Information we collect" and "How we use the information we collect."

    Google Privacy Policy and Terms Screenshot

    At the "Information we collect" section, Google specifically lists what information they collect: names, credit card details, telephone numbers and email addresses.

    Apple's Privacy Policy page mentions what kind of data Apple collects and how it uses the collected information.

    This is divided into two subheadings similar to Google's: "What personal information we collect" and "How we use your personal information."

    Screenshot of Apple Privacy Policy on Personal Data

    Apple specifically lists what information they will be collecting: name, mailing address, phone number, email address, contact preferences and credit card information.

  • You should identify yourself so that your users know who you are.

    For example, Google identifies itself as the controller of YouTube:

    Google is Controller of YouTube

  • You should inform users which third parties you are allowing to collect personal data in your name and how that data will be used.

    Here's how Shopify does it:

    Shopify Third-Party Privacy Policy

  • You should make sure that your users know about your Privacy Policy and policies you have over data collection and their consent should be obtained.

    To meet this kind of requirement, make sure the link is always visible on your website and users are always aware that they can read your agreement.

    Here's how Digital Ocean provides notification about its Privacy Policy and Terms of Service changes to its users through the dashboard:

    DigitalOcean Notice on Terms of Service updated (Jan 2014)

    Because the dashboard used by DigitalOcean is most likely to be read by its users, it makes perfect sense to add this kind of notification in the dashboard.

  • Use simple language in your legal agreements.
  • You should ensure your employees know to get users' consent whenever new features are launched or services that require new personal information from users.
  • You should have the same legal agreement for every device used, e.g. mobile phone, tablet, PC.

    Dropbox's Privacy Policy page is the same on its website as it is on its iOS mobile app:

    Dropbox iOS App: Click on Legal & Privacy

  • Your Privacy Policy should be drafted with a multi-layer approach, first stating the general policy and then later going into specifics.

    Here's how eBay iOS app implements this: their mobile app's Privacy Policy agreement is summarized, which provides a good starting point for users to learn about the data collected by eBay's mobile app, but its full agreement goes into more details.

    eBay Privacy Policy Embedded on Mobile App

  • You could consider providing tools for users to manage their personal data, especially if your business is a SaaS application.

    If you have a dashboard implement, users should have the ability to consent to, object to, and remove certain personal data.

  • Your default settings must be privacy friendly.
  • If the dashboard is only available to registered accounts, you should also have a dashboard for non-registered accounts so non-registered users can still view how you collect and manage data.
  • Consent must always be asked for before you begin collecting and processing data.

    This is especially important for the most sensitive type of personal data, such as geolocation data. Here's how an iOS app asks for geolocation data:

    Location Permission from Google Maps App

  • If you offer multiple services, e.g. like Google's YouTube and Gmail, you should have multiple cookies which allow your users to have more control over the data collected.

    Here's how Facebook specifies what kind of cookies they store on users' PCs in the Cookies Policy agreement:

    Facebook shows type of cookies store

    You must inform or ask for consent from users to store and use cookies if you target EU users to comply with the EU Cookies Law:

    Mirror UK: Notification on website cookies

  • The Data Protection Directive (EU) also advises that data retention must be reasonable and proportional. The data must also be properly anonymized.

Specificity in your Privacy Policy agreement is important. Use the above key points taken from the guidance given to Google to draft a better agreement for your website or mobile app.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.