21 July 2020
If you breach any applicable laws while using the service, HubSpot retains the right not only to suspend your access to the service without notice, but also to review, edit or even delete your data without notice.
The General Data Protection Regulation (GDPR) is the newest set of European Union rules on data handling, and it may apply to you regardless of your location.
You'll need to comply with the GDPR if you collect or use any personal information from individuals physically located in the EU.
Note that the data processing itself doesn't have to physically take place within the EU.
The GDPR lays down a number of details that you must provide when you collect somebody's personal data. These details include why you are processing the data, whether you are passing on/sharing the data and how you use the data, just to name a few.
The GDPR requires you to disclose important details in a transparent manner.
You might incorrectly assume that the GDPR doesn't apply to you because it's HubSpot that is physically processing your customers' data. This is incorrect because the GDPR explicitly covers both processing and controlling data. Doing either is sufficient to be covered by the GDPR.
HubSpot makes it clear that it has no control over the information its customers (you) choose to collect or manage when using Analytics, and that the information is used, disclosed and protected according to its customers' (your) Privacy Policies.
It reinforces this distinction through its Data Processing Agreement, which sets out its position and obligations under the GDPR.
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies when you collect, use or disclose personal information while carrying out commercial activity in Canada. The limited exceptions to this include activity by provincial or territorial governments.
In some provinces PIPEDA doesn't apply because similar local legislation is already in place. In such cases, PIPEDA still applies to interprovincial and international activity and to federally regulated organizations.
The California Online Privacy Protection Act (CalOPPA) applies if you operate a website or other online service and collect personal data about somebody who lives in California and uses your site or service.
✓ They're legally required: Privacy Policies are legally required by global privacy laws if you collect or use personal information.
Remember the principle that you're trying to give users enough detail to make informed decisions about whether and how they use your services. Try to balance including the most important information without overwhelming the reader with so much text that they are deterred from reading it.
Let people know what data you collect about them. It's ok to simply list the general categories and types of information you collect as long as you aren't being misleading by leaving anything out.
Let people know how you will use the data you collect about them.
Avoid being either too vague or too detailed with these explanations. It's often a good idea to explain why you need to use the data in this way and to establish that you aren't using data unnecessarily.
This example from Privacy International helps reassure users about its motives by making it very clear what the purposes are for collecting the information and how it's used (to help users engage with content, to receive newsletters, to sign petitions, etc.):
The fact that data is collected by and used with Analytics services is also mentioned here, noting that the data is used to help the company report to board members and funders about content:
Let people know how they can opt out of you collecting or using their personal data. Give clear instructions about how they can do this, for example whether they need to tick a box in a printed or online form, or actively contact you with a request to opt out.
Be clear about the consequences of opting out, particularly if this means you'll be unable to provide the full service that you normally offer. Explain if and how somebody who has previously consented to having personal data collected and used can change their mind later on.
This example from the USGA includes clear instructions for how users can opt out of being contacted and having their information shared with third parties. It also explains the consequences and limitations of opting out of data collection:
Give clear details of how users can contact you with any questions about your data collection and use, including how they can access a copy of the data you have stored and how they can challenge or correct any information they consider inaccurate.
Where appropriate, list the name of the person in your organization who oversees data handling issues. (This is a specific requirement under PIPEDA.) It can be useful to give an idea of how quickly somebody contacting you about data use can expect a response.
Clearly explain how and when you will share personal data with third parties. Remember to list any subsidiaries or sister companies even if you consider them part of your organization. This can be a legal requirement, but it's also good practice: your customers will often be unaware that the two companies are linked.
While somewhat on the detailed side, this example from The Drum discloses not only how but why it might share personal data:
Your policy must list the eight rights that users have under GDPR, as listed here:
Not every business will have to facilitate every right in all circumstances. There are exceptions and some limits that you should become familiar with.
Your policy must say if you transfer any data internationally, including for processing. You don't necessarily have to list specific countries: the important point is whether this changes the legal protections that apply to the data.
Here's how the USGA discloses that it may transfer data of EEA residents outside of the EEA, and that this data may then be under the jurisdiction of a law that isn't as comprehensive as those in the EEA (such as the GDPR):
Your policy must give the legal basis you have for processing the personal data. (This applies to you even though HubSpot is physically processing the data.)
This basis must be one of a list of six lawful bases set down by GDPR:
To be compliant with CalOPPA, your Policy must:
Here's a standard clause from Politico that discloses how it handles Do Not Track signals:
Here's how Greenpeace meets the second and third requirements by disclosing that its Policy may change from time to time and that any significant changes will be communicated "on the website or directly" to users. It also includes the date of the last update:
This means it doesn't matter what page a user arrives on when entering your site. Also, people tend to expect to find important links in website footers, so they'll know to look there.
A text link has to do at least one of the following:
If you do use an icon, make sure it has an alt attribute with descriptive text so that people using screen readers can "read" the link.
You could also have the Policy available in login forms so your users will have access to it every single time they log in.
You can repeat this process on any page where users provide personal details. This can include pages for signing up to newsletters, checking out on an online shop, submitting a message to your customer service and so on.
Two ways to do this are to have a checkbox next to a statement saying the user has read and agreed with the policy, or to have a clearly marked button they must click or tap, displaying text such as "I agree."
The best approach is to make this an active confirmation, meaning the user must intentionally tick a box or click a button before proceeding.
Facebook explicitly explains to new users that clicking the "Sign Up" button counts as confirming agreement to its Data (Privacy) Policy:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.