Legal papers are not everyone's favorite topic of discussion, especially amid the excitement of starting a new online business. Privacy Policies are, however, absolutely necessary for most any website or mobile application.
This article covers the basic facts about Privacy Policies - what they are, why you need them, and what should be included within them.
The What and the Why
- What personal information is collected about users
- How the information is collected and used
- How the information is managed and protected
- How a user can access and control that information
Personal information is defined as any data that may be used to identify someone, such as:
- Email address
- Phone number
- ID numbers
- Credit card numbers
Even anonymous information, like IP addresses and usernames, can be used in combination with other data to identify an individual, and so these are also considered personal information.
In short, any information at all that you collect from your users should be considered personal information and treated as such.
According to the FTC, ""we regard data as 'personally identifiable,' and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test."
Here are a few examples of privacy regulations that apply to most online businesses.
The US Federal Trade Commission maintains and regulates a wide range of private data protection. Although the regulations involved are intricate and vague, the FTC prohibits unfair or deceptive practices by online businesses. This translates to companies that:
- Fail to protect user data, leaving it vulnerable to hackers or cyber attacks
- Fail to provide proper notice when Privacy Policies are changed
- Fail to comply with posted Privacy Policies
The California Online Privacy Protection Act is a California state law that applies to any business that collects information from California residents.
Its basic requirements include the following:
Going into effect in May of 2018, the General Data Protection Regulation (GDPR) is a far-reaching set of directives enforced by the European Union. It applies to any organization that collects personal data from EU residents.
The GDPR includes a wide range of requirements regarding internet privacy, but at the most basic level, it stipulates that:
- You must provide full disclosure for all information gathered from users, including that information that is collected by cookies.
- You must request consent for the collection of information, including the placement of cookies.
- You must take all measures possible to protect personal information.
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) seeks to protect the basic privacy rights of consumers with various regulations and requirements for online businesses. It applies to any organization collecting personal information from Canadian citizens.
The most notable of its requirements include the following:
- Collect and protect information in a fair and lawful manner.
- Obtain consent for the collection of personal information.
The Australian Information Commissioner maintains and enforces a broad set of Australian Privacy Principles (APPs) that apply to anyone collecting personal information from residents of Australia.
Among these guidelines are the following provisions regarding Privacy Policies:
- Inform users of what information is collected and how it is used.
- Provide users access to view and change their own personal data.
- Take reasonable measures to protect private information.
As you can see, no matter where you run your business, it is highly likely that you will be held accountable by one or all of the privacy laws outlined above. For the sake of limiting liability, it is recommended to follow the minimum privacy requirements of all of them, since the internet is an international framework.
Consumer Privacy Best Practices
Below is a list of best practices to follow when handling the personal information of your users:
- Educate the employees that handle customer data to ensure they are well-versed on privacy requirements.
- Do your due diligence in maintaining up-to-date internal security measures for data protection.
- Make sure consumers are given easy access to view, edit, or delete their own personal information.
1. What Information is Collected and How
United Airlines provides a clear list of each item of personal information they collect:
Make sure to be as thorough as possible to avoid any misunderstandings. Information you collect through cookies and third-party sources should also be included in the list.
Canva describes each type of information it collects, such a user-provided data, third-party data, and analytics data:
2. How Information is Used
Apple describes each way they use personal information and why it's necessary, complete with a few examples:
Full disclosure in this section will not only limit your liability under the law. It will also help to build trusting relationships with your customers.
AT&T also features a thorough bulleted list of all the ways they use customer information:
3. Third-Party Access
If your business shares user data with third-party software for taking orders, analytics, advertising, or any other reason, you'll need a third-party access to information clause.
Spotify explains the need for sharing information with third-parties:
In this section, it is necessary to list what types of third-party affiliates you share personal information with and why. This is a good place to mention services like Google Analytics or credit card processing software, with whom you would have to share user activity in order for the service to function properly.
CBS goes into great detail to ensure that users understand exactly who has access to their information:
GOV.UK created this chart of cookies within their Cookies Policy. Note how they explain what each cookie is for:
Even if you don't send marketing emails, it's important to let users know how you plan to communicate with them. If your system sends any emails, texts, phone calls, or other types of messages, let users know.
T-Mobile provides their visitors with a preference form to choose how they would prefer to be contacted:
Especially in the case of promotional messages, you'll also want to explain to customers how to opt-out if they wish.
Bed Bath & Beyond provides methods for opting out of promotional mailings for both email and standard post:
6. Data Handling
Although every business handles data differently, this section allows you to explain to users how their personal data is stored, accessed, protected, and managed.
A few things you can include in this clause are:
- Where information is stored
- How information is protected
- How users can view, edit, or delete their personal information
- When it is necessary to retain information after a user account has been closed
Adobe addresses all of the above points in a clear and concise way:
While you can describe how a user may delete his or her account, you may also mention that your company retains the right to delete user accounts as well, but that some information may be retained indefinitely for legal, transactional, or other purposes.
Facebook details how a user may make changes to account information and then goes on to explain why user data may need to be retained:
7. Business Transfers
Logitech explains a business transfer disclosure in one short paragraph:
Simply explain to users that in the event of a corporate acquisition or merger, the personal information of the customer database will also be transferred to the new owner. It is ideal to mention that your previous commitment to user privacy will be upheld throughout and after the transfer process.
Amazon describes the business transfer process while reminding consumers that all pre-existing agreements regarding privacy will be upheld:
8. Dispute Resolution
Here's an example from Eventbrite:
Here you will describe your company's process for dispute resolution and let consumers know how to initiate the process if they have any complaints.
eBay's dispute resolution clause is short and simple:
9. Children Under 13
The Walt Disney Company provides a good example here:
Here's an example from Whatsapp:
Don't let customers' questions and concerns over their privacy go unanswered. Give them an easy method of contacting you regarding privacy issues. If it's possible to provide a dedicated email or department to handle these issues, better still.
The USA Department of State provides two ways to make contact regarding privacy issues:
- Security - A short paragraph that reminds users that despite your best efforts, no security system is 100% guaranteed to protect information on the internet.
- Advertising choices - If your company uses remarketing software, it will be necessary to inform users of opt-out options.
- Compliance with laws and regulations - Let customers know that in the event of a legal dispute or subpoena, you may need to share personal information with government authorities.