Legal requirements for collecting personal data

Legal requirements for collecting personal data

Once you've collected a good portion of user data, you are no doubt planning your next steps for using the data to give your business a marketing boost.

Before you dive in, it's important to consider whether you've taken the appropriate legal steps to protect yourself and your business when you begin to start leveraging the data that you've collected from your users.

First, let's look at the types of data that you have probably collected.

First, what kind of data do you have?

All web pages (including landing pages) collect some data about your users, even if your page is click-through only. Some examples of the types of data that a landing page collects are:

  • internet domain
  • IP address
  • when your website was accessed
  • type of browser and operating system used
  • pages visited
  • what site the user came from

Web forms will also be collecting user data, and if you use something like Google Analytics, even more data will be gathered behind the scenes.

So, how can you comply with the law when you do this?

Steps to take

How to comply with the law

If you are collecting any user data, the first thing to make sure you have in place is a Privacy Policy. Most of the major jurisdictions around the world require that you have this kind of legal agreement and that it must contain certain clauses.

Check out our free tools for website owners:

  • Cookie Consent - a free cookie consent solution to comply with GDPR + ePrivacy Directive.
  • CCPA Opt-Out - a free CCPA opt-out solution to allow visitors to opt-out from personalized ads and comply with GDPR.
  • I Agree Checkbox - a free solution to enforce your legal agreements.

Generate legal agreements for your website or app in minutes with TermsFeed: Privacy Policy, Terms & Conditions, Cookies Policy and more.

Californian law requires that your Privacy Policy must be displayed as a standalone document, and must detail what kind of information you collect, what you will do with that information, and who it will be shared with (if anyone).

The UK and Europe are all party to what is called the EU Data Protection Directive 1995. This Directive set out seven principles of data collection:

  • Notice: users should be given notice when their data is being collected
  • Purpose: data should only be used for what you say you will use it for
  • Consent: user data should not be shared without your users' consent
  • Security: collected data should be kept secure
  • Disclosure: users should be informed about who is collecting their data
  • Access: users should be allowed to access their data and make corrections to any inaccurate data
  • Accountability: users should have a method available to them to hold data collectors accountable for not following the above principles

If you are based in Europe, the UK, Canada, or the US, or collect data from customers internationally, you need to comply with these laws and reflect these principles in your Privacy Policy.

The second aspect of complying with the law is making sure that your users are bound by your legal agreement.

Learn how to display the Privacy Policy:

The most common method that websites use to display their Privacy Policies is to include a link down the bottom of their landing page in small writing. Sometimes the link is even very low contrast which makes it difficult to see:

Unesco.org Privacy Policy Link In Footer

This is not enough for your users to be bound by your Privacy Policy. This type of method is called browsewrap.

Browsewrap means that your users need to browse your website to find the terms and be bound by them. Most courts have said that this is not enough.

If you do want to use a browsewrap method you need to make sure you display your Privacy Policy in an easy to find a place, make it prominent, and display it frequently.

A better way to display your Privacy Policy is called clickwrap. Clickwrap is where your users actually have to click "I Agree" or indicate their agreement directly, rather than just being assumed to agree.

Most courts have held that clickwrap is a better way to have your users agree to your Privacy Policy or Terms of Use, and they will be legally bound by it.

To implement a clickwrap method, there are three main ways that you can do it.

First, if you are are collecting user data through a mobile app, you can use a pop up when they first open the app which asks them to agree to your Privacy Policy.

Here's an example from Apple:

iOS: Agree to Terms and Conditions by Apple

If you are using a website to collect the data, either use a checkbox on your web forms or include a statement saying something like "By clicking 'Submit' you agree to be bound by our Privacy Policy".

Here's an example from YouTube of what the checkbox might look like:

YouTube Check-box: I Agree To Terms Of Service and Privacy Policy

If you don't like the idea of using the checkbox, you can also use a statement alongside your "Submit" button:

Lawyal: By submitting you agree to our Terms and Privacy Policy

Now that you've created your Privacy Policy and put good measures in place to ensure that your users are bound by it, let's think about the ways in which you might be using the data you've collected.

Using the collected personal data

Most likely you are using the data you've collected to more effectively market to your customers, determine business strategy, and review results of campaigns or outreaches to particular groups.

To reach these aims, you may be building case studies, sharing graphs and charts with your teams, planning new customer approaches, or discussing marketing strategies with external companies. To do these things, however, you need to let your customers know what you are doing with their data, particularly if you are sharing their data with a third party.

To reduce the problems that may arise with using the data you collect (as well as security) make sure that you keep your web forms short, and only ask for the data that you really need. Long web forms not only collect unnecessary data that you then have to store and protect, but they also turn your customers away.

If at any point you change anything that you are using the data for, or share it with a new third party, make sure that you update your Privacy Policy to reflect these changes.

The next thing to consider is how you will keep the user data secure.

Put security measures in place

When you are holding onto user data, you need to make sure that you are keeping it secure and protected from leaks. Losing the credit card data of your users could be devastating to your business image, and you may also face legal action.

There are two primary ways in which you can keep the data secure: technical security measures, and organizational security measures.

Technical Security Measures

One of the technical ways in which you can protect information is through SSL encryption. SSL means that the connection between your website and the user's browser is secure.

Make sure that you select the option to have SSL encryption turned on wherever possible.

Use SSL

Another way to protect user information is to make sure that your web forms do not allow code to be sent to your database through the form.

When you receive data through the form make sure that anything that looks like it could be computer code is treated as plain 'text' rather than computer code by your server. That way it won't be run as code on your server, and won't be able to take data from your database.

Organizational Security Measures

The second way of protecting user data is by implementing "need to know" measures within your company.

The only people that should have access to user data are those people who need to see it for their work. You can implement passwords and categories of user data through your CRM software to make sure that sensitive user data is protected.

The first step toward legally leveraging user data is ensuring that you collect the data legally, and make sure that your users agree to a clear and thorough Privacy Policy agreement. Display this legal agreement using a clickwrap method, so that your users are legally bound by it.

Finally, keep data secure and ensure that it is used only for the purposes stated, and not shared with third parties who don't need to see it.

Leah H.

Leah H.

Qualified Solicitor. Writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.