31 January 2020
This article will explain what Privacy Policies are, their essential elements, and the best ways to inform users of their terms and when you make changes.
Personal information is any information that can identify an individual including names, addresses, email addresses, and any other data that can be used to contact or locate someone.
Having a conspicuous legal agreement that users can easily accept shows that you did not proceed with using information without being authorized by the user first.
Since privacy is understandably a delicate matter, there are two main reasons why you want to communicate clearly to users about your policies and procedures on protecting user data.
It includes online businesses as well as the bricks-and-mortar ones.PIPEDA requires the protection of personally identifiable information, which it defines as being names, ages, income, ethnic origin, employee records, and other private data that is listed extensively in the act.
Data Protection Act of 1998 (DPA): Relevant to developers in the UK, you must follow this act if you collect, store, and use information about users or employees.
Information can include email addresses, full name, social security numbers, date of birth, and other private data.You're required to process data lawfully and limit that processing to specific purposes. Also, you must never collect more data than what you need and must keep it updated.
Children's Online Privacy Protection Act (COPPA): If you are in the U.S. and you handle the personal data that belongs to kids, you have additional requirements to follow.
Unlike the laws in Canada, the UK, and Australia that only applies to businesses within the borders of those countries, COPPA applies to foreign and U.S. businesses alike if they collect information from children under age 13 who reside in the U.S.If this is the case for you, your app or service cannot collect personal information about children under 13 without the consent of a parent or guardian.
Specific content depends on the information you collect and why. However, there are general principles that apply no matter your trade and industry.
The best Privacy Policies contain:
Sometimes these clauses blend together in a simple format.
Other online services may collect more information and because of this the short-and-sweet route adopted by LemonStand will not work.
It describes the information users are expected to supply but also the data the app or website collects automatically:
Besides these essential clauses, there's an additional drafting tip to keep in mind.
You likely also notice in these examples that there are email and contact links for users to make inquiries. Providing this information and way to contact you is also a good practice.
Most Privacy Policies are placed as a link in the footer of the website.
As you can imagine, that often feels too vague for most developers.
Quora, a questions and answers app and website, takes the same approach. This works even with its multiple account creation options including email and password, Google or Facebook.
If your website or app requires the acceptance of multiple documents, checkboxes prove handy for that purpose, too.
If you have a website and you link to your legal pages you already use browsewrap.
Your options for informing them can include email, banner notifications, and clickwrap acceptance of changes.
To be effective these emails require the following:
While this may seem to be a lot, these emails are often very concise.
You likely can get away with keeping users informed by email only. However, it's a good idea to also add notifications on your websites and mobile apps.
Banner notifications are also effective. Users normally have to click the notification or close it, meaning they at least acknowledge that changes took place.
Just as with general clickwrap, you would require a user to check an "I agree" box in order to accept the new terms. This can come up in a pop-up on a website or be a required screen if your user opens the app.
If you are claiming to collect data and keep it safe, you also need to take precautions in order to protect your company from liability.
If you're collecting data that's more sensitive or have new products that distribute it more, you will want to have the right protection. Encrypted passwords and SSL security is a good start. Confidentiality policies within your company are also mandatory.
You not only want to keep users informed and update them on changes, but you need to make information security a priority as well. This will not only enhance your compliance with current laws but your reputation among users, too.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.