What Makes a Good Privacy Policy

Sometimes it's challenging to know exactly what makes a good Privacy Policy: one that informs your users and protects you from liability.

This article will explain what Privacy Policies are, their essential elements, and the best ways to inform users of their terms and when you make changes.

A good Privacy Policy depends on understanding these matters, which shows that this is not an agreement to take for granted.


Why you need a Privacy Policy

Your Privacy Policy explains to your users how you will collect and transmit their personal information.

Personal information is any information that can identify an individual, including names, addresses, email addresses, and any other data that can be used to contact or locate someone.

Privacy Policies inform users of the risks and the expectations arising from sharing their information with you, the developer. However, your Privacy Policy also protects you from liability should a user claim that you misused their information without their consent.

Having a conspicuous legal agreement that users can easily accept shows that you did not proceed with using information without being authorized by the user first.

Since privacy is understandably a delicate matter, there are two main reasons why you want to communicate clearly to users about your policies and procedures on protecting user data.

Transparency is the first reason. If a user can see your Privacy Policy before signing up for your service, it's assumed the decision is an informed one and they entered into the transaction knowing the risks.

The second reason why you need a Privacy Policy is the law. If you distribute apps or online services without a clear Privacy Policy that users can access, you risk being held liable for mishandling personal information and violating privacy laws.

Some of these laws requiring a Privacy Policy include:

  • California Online Privacy Protection Act (CalOPPA): There are no federal laws in the U.S. requiring a Privacy Policy. However, if you distribute apps and online services in the U.S., you're likely to have customers who are California residents.

    This law requires that a website operator conspicuously places a Privacy Policy on the website if the operator handles personal information.

  • Personal Information Protection and Electronic Documents Act (PIPEDA): The Canadian law requires that companies from Canada publish a Privacy Policy.

    It includes online businesses as well as bricks-and-mortar ones. PIPEDA requires the protection of personally identifiable information, which it defines as names, ages, income, ethnic origin, employee records, and other private data that is listed extensively in the act.

  • Data Protection Act of 1998 (DPA): Relevant to developers in the UK, you must follow this act if you collect, store, and use information about users or employees.

    Information can include email addresses, full name, social security numbers, date of birth, and other private data. You're required to process data lawfully and limit that processing to specific purposes. Also, you must never collect more data than you need, and you must keep it updated.

  • Privacy Act of 1988: The Australian act regulates the handling of personal information. While it predates mobile apps and online services, it has been interpreted to apply to electronic information.

  • Children's Online Privacy Protection Act (COPPA): If you are in the U.S. and you handle personal data that belongs to kids, you have additional requirements to follow.

    Unlike the laws in Canada, the UK, and Australia, which only apply to businesses within the borders of those countries, COPPA applies to foreign and U.S. businesses alike if they collect information from children under age 13 who reside in the U.S. If this is the case for you, your app or service cannot collect personal information about children under 13 without the consent of a parent or guardian.

It's good practice to be aware not only of the privacy laws in your own jurisdiction but also of those in the places where you plan to make your website or mobile app available. That will ensure your Privacy Policy is in compliance no matter where you bring your business.

Creating the best Privacy Policy

Since you're now aware that you need a Privacy Policy, it's likely you want to know how to create the best one.

Specific content depends on the information you collect and why. However, there are general principles that apply no matter your trade or industry.

The best Privacy Policies contain:

  1. Essential clauses,
  2. A means for users to accept the terms of the agreement, and
  3. A system for keeping users updated when there are changes.

Essential clauses for the Privacy Policy

There are two essential clauses that are present in every good Privacy Policy:

  • One describes the type of personal data that is collected
  • The other describes the purpose of the collection

Sometimes these clauses blend together in a simple format.

LemonStand provides ecommerce platforms to make buying and selling goods easier. Since it does not collect as much personal information, its Privacy Policy tends to stay general but descriptive:

Screenshot of LemonStand Privacy Policy

Other online services may collect more information, and because of this the short-and-sweet route adopted by LemonStand will not work for them.

Airbnb collects personal information in order to help people book accommodations, but also to allow hosts to evaluate their tenants. Airbnb's Privacy Policy is much more detailed.

Airbnb Privacy Policy: Types of information gathered from users

It describes not only the information users are expected to supply but also the data the app or website collects automatically:

Airbnb Privacy Policy: Information collected automatically

If you engage in remarketing, you'll also need to address that in your Privacy Policy. This practice involves targeting advertisements at your users. In order for that to work, the app or website collects data on their viewing habits and interests.

The Airbnb Privacy Policy addresses that above under "Cookies and Other Tracking Technology."

Pinterest also lets users know that there is an exchange of information between the app and advertisers in its Privacy Policy:

Pinterest Privacy Policy: Information shared with Partners and Advertisers

Besides these essential clauses, there's an additional drafting tip to keep in mind.

Anytime you reference another agreement (like a Terms of Service), place a link to that agreement in your Privacy Policy.

You likely also noticed in these examples that there are email and contact links for users to make inquiries. Providing this information and a way to contact you is also good practice.

Acceptance of Privacy Policy

Once you have the Privacy Policy drafted, you need to keep it accessible.

Most Privacy Policies are placed as a link in the footer of the website.

Relying only on this placement without taking more active steps to make sure users notice your Privacy Policy is known as browsewrap.

This method of acceptance claims that the presence of the Privacy Policy on the website in a conspicuous place means that the users accept those terms just by using the website:

Example of website footer with links to legal pages

As you can imagine, that often feels too vague for most developers.

That is why, while browsewrap is still used and Privacy Policy links remain accessible in the footer of every webpage in most cases, clickwrap is often preferable for both websites and mobile apps.

The clickwrap method requires that users actively confirm that they have read the Privacy Policy and indicate so with an "I agree" or "I accept" action when they sign up for your website or mobile app.

Evernote makes creating an account an acceptance of the Terms of Service and Privacy Policy. Notice that each mention of the agreement also contains a link to the document itself.

Evernote Create Account Form: By clicking, you agree to

Quora, a question-and-answer app and website, takes the same approach. This works even with its multiple account creation options, including email and password, Google, or Facebook.

Quora Create Account Form: By clicking, you agree to

LemonStand was general with its Privacy Policy, but when it comes to accepting these documents, it specifically requires a checkbox to indicate that users have read and agreed to the Terms and Conditions.

LemonStand's Terms and Conditions incorporate its Privacy Policy:

LemonStand Create Account Form: I agree to Terms and Conditions

If your website or app requires the acceptance of multiple documents, checkboxes prove handy for that purpose, too.

2Checkout offers payment platforms. Its Privacy Policy and Terms of Use are important, but so is its Prohibited Products Policy, which users are required to agree to via checkbox.

2checkout Create Account: I agree to Terms, Privacy and Prohibited policy

If you have a website and you link to your legal pages, you already use browsewrap.

While this is often enough to meet some requirements, the advantage of clickwrap is that it brings more attention to your Privacy Policy.

Keep users informed of Privacy Policy changes

While technically not part of the Privacy Policy, keeping users updated on changes in that agreement is still an important consideration. This is often part of your compliance requirements but also maintains a relationship of good faith with your users.

Your options for informing them can include email, banner notifications, and clickwrap acceptance of changes.

Email

If you have the email addresses of your users, use them as a direct way to inform users of changes in your Privacy Policy.

To be effective these emails require the following:

  • A clear subject line like "We are changing our Privacy Policy" or "Privacy Policy Updates"
  • A description of why the update is needed (for example, you have new features that share more information with advertisers)
  • A summary of the changes and why they were required
  • Links to the new Privacy Policy
  • Effective dates
  • Links to previous versions or a comparison of the old and new Privacy Policies

While this may seem to be a lot, these emails are often very concise.

Medium, a service that distributes articles, explained that it wished to simplify its Terms of Service and Privacy Policy. It followed this structure with the needed details and links to the agreements.

Medium Legal Team email: Changes to Terms of Service and Privacy Policy

You likely can get away with keeping users informed by email only. However, it's a good idea to also add notifications on your websites and mobile apps.

Banner notifications are also effective. Users normally have to click the notification or close it, meaning they at least acknowledge that changes took place.

Twitter employed this method when it changed its Privacy Policy. It not only informed users of the changes through this banner announcement but also made it clear that by continuing to use the service, users accepted the terms. The notification also includes links to the new agreement and to an email address in case there are any questions.

Twitter Privacy Policy page: Changes to this policy

Clickwrap for Privacy Policy changes is largely limited to mobile apps, but this option is available to websites as well. Rather than just announcing changes, adding clickwrap to an announcement requires that users actively accept the new terms.

Just as with general clickwrap, you would require a user to check an "I agree" box in order to accept the new terms. This can come up in a pop-up on a website or be a required screen if your user opens the app.

Airbnb used this method when it made changes to its agreements, including its Privacy Policy. While this was only done on its mobile app, it made it clear to users that they needed to accept these terms before they could continue using the app:

Airbnb Updates Terms on iOS App
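As an added illustration (not code from the original article or from any of the services named above), here is a small JavaScript clickwrap ledger that gates sign-up on the required checkboxes, records which policy version a user accepted, and sends them back to the clickwrap screen when the current version differs from the one they last accepted. The policy versions, URLs and user ids are constructed sample values.

```javascript
// Added example, not from the original article. Policy versions, URLs and
// user ids are constructed sample values.

// Each published Privacy Policy version keeps its own link, so an acceptance
// record can always be tied back to the exact text the user was shown.
const POLICY_VERSIONS = {
  "2016-01-15": { url: "https://example.com/privacy/2016-01-15" },
  "2016-06-01": { url: "https://example.com/privacy/2016-06-01" },
};

// Every document in this list needs its own ticked box before sign-up.
const REQUIRED_DOCS = ["terms", "privacy"];

// Gate the "Create account" button: all required boxes must be checked.
function canSubmit(checkboxes) {
  return REQUIRED_DOCS.every((doc) => checkboxes[doc] === true);
}

class AcceptanceLedger {
  constructor() {
    this.records = [];
  }

  // Only an affirmative act produces a record; merely visiting the site
  // (browsewrap) never does.
  record({ userId, version, checkboxes, acceptedAt }) {
    if (!canSubmit(checkboxes)) {
      throw new Error("no affirmative assent: required boxes not all ticked");
    }
    if (!POLICY_VERSIONS[version]) {
      throw new Error(`unknown policy version ${version}`);
    }
    const entry = { userId, version, acceptedAt, url: POLICY_VERSIONS[version].url };
    this.records.push(entry);
    return entry;
  }

  // Most recent acceptance for a user, or null if they never accepted.
  latestFor(userId) {
    const mine = this.records.filter((r) => r.userId === userId);
    return mine.length > 0 ? mine[mine.length - 1] : null;
  }

  // After a policy change, anyone whose last acceptance is for an older
  // version is shown the clickwrap screen again before continuing.
  needsReacceptance(userId, currentVersion) {
    const last = this.latestFor(userId);
    return last === null || last.version !== currentVersion;
  }
}
```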

Go beyond: business policies

Besides having a complete Privacy Policy, you need the business policies to back it up.

If you are claiming to collect data and keep it safe, you also need to take precautions in order to protect your company from liability.

When you draft a Privacy Policy or make changes to a previous one, take that as an opportunity to audit your information security.

If you're collecting data that's more sensitive or have new products that distribute it more widely, you will want to have the right protection. Encrypted passwords and SSL security are a good start. Confidentiality policies within your company are also mandatory.

A good Privacy Policy depends on the content within it but also your practices surrounding it.

You not only want to keep users informed and update them on changes, but you also need to make information security a priority. This will enhance not only your compliance with current laws but also your reputation among users.

Jocelyn M.

Former civil litigation attorney. Content legal strategist.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.