19 June 2020
Legal papers are not everyone's favorite topic of discussion, especially amid the excitement of starting a new online business. Privacy Policies are, however, absolutely necessary for almost any website or mobile application.
This article covers the basic facts about Privacy Policies - what they are, why you need them, and what should be included within them.
Personal information is defined as any data that may be used to identify someone, such as:
Even anonymous information, like IP addresses and usernames, can be used in combination with other data to identify an individual, and so these are also considered personal information.
In short, any information at all that you collect from your users should be considered personal information and treated as such.
According to the FTC, "we regard data as 'personally identifiable,' and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test."
Here are a few examples of privacy regulations that apply to most online businesses.
The US Federal Trade Commission maintains and regulates a wide range of private data protection. Although the regulations involved are intricate and vague, the FTC prohibits unfair or deceptive practices by online businesses. This translates to companies that:
The California Online Privacy Protection Act is a California state law that applies to any business that collects information from California residents.
Its basic requirements include the following:
Going into effect in May of 2018, the General Data Protection Regulation (GDPR) is a far-reaching set of directives enforced by the European Union. It applies to any organization that collects personal data from EU residents.
The GDPR includes a wide range of requirements regarding internet privacy, but at the most basic level, it stipulates that:
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) seeks to protect the basic privacy rights of consumers with various regulations and requirements for online businesses. It applies to any organization collecting personal information from Canadian citizens.
The most notable of its requirements include the following:
The Australian Information Commissioner maintains and enforces a broad set of Australian Privacy Principles (APPs) that apply to anyone collecting personal information from residents of Australia.
Among these guidelines are the following provisions regarding Privacy Policies:
As you can see, no matter where you run your business, it is highly likely that you will be held accountable by one or all of the privacy laws outlined above. For the sake of limiting liability, it is recommended to follow the minimum privacy requirements of all of them, since the internet is an international framework.
Below is a list of best practices to follow when handling the personal information of your users:
United Airlines provides a clear list of each item of personal information they collect:
Make sure to be as thorough as possible to avoid any misunderstandings. Information you collect through cookies and third-party sources should also be included in the list.
Canva describes each type of information it collects, such as user-provided data, third-party data, and analytics data:
Apple describes each way they use personal information and why it's necessary, complete with a few examples:
Full disclosure in this section will not only limit your liability under the law. It will also help to build trusting relationships with your customers.
AT&T also features a thorough bulleted list of all the ways they use customer information:
If your business shares user data with third-party software for taking orders, analytics, advertising, or any other reason, you'll need a third-party access to information clause.
Spotify explains the need for sharing information with third parties:
In this section, it is necessary to list what types of third-party affiliates you share personal information with and why. This is a good place to mention services like Google Analytics or credit card processing software, with whom you would have to share user activity in order for the service to function properly.
CBS goes into great detail to ensure that users understand exactly who has access to their information:
GOV.UK created this chart of cookies within their Cookies Policy. Note how they explain what each cookie is for:
Even if you don't send marketing emails, it's important to let users know how you plan to communicate with them. If your system sends any emails, texts, phone calls, or other types of messages, let users know.
T-Mobile provides their visitors with a preference form to choose how they would prefer to be contacted:
Especially in the case of promotional messages, you'll also want to explain to customers how to opt out if they wish.
Bed Bath & Beyond provides methods for opting out of promotional mailings for both email and standard post:
Although every business handles data differently, this section allows you to explain to users how their personal data is stored, accessed, protected, and managed.
A few things you can include in this clause are:
Adobe addresses all of the above points in a clear and concise way:
While you can describe how a user may delete his or her account, you may also mention that your company retains the right to delete user accounts as well, but that some information may be retained indefinitely for legal, transactional, or other purposes.
Facebook details how a user may make changes to account information and then goes on to explain why user data may need to be retained:
Logitech explains a business transfer disclosure in one short paragraph:
Simply explain to users that in the event of a corporate acquisition or merger, the personal information of the customer database will also be transferred to the new owner. It is ideal to mention that your previous commitment to user privacy will be upheld throughout and after the transfer process.
Amazon describes the business transfer process while reminding consumers that all pre-existing agreements regarding privacy will be upheld:
Here's an example from Eventbrite:
Here you will describe your company's process for dispute resolution and let consumers know how to initiate the process if they have any complaints.
eBay's dispute resolution clause is short and simple:
The Walt Disney Company provides a good example here:
Here's an example from WhatsApp:
Don't let customers' questions and concerns over their privacy go unanswered. Give them an easy method of contacting you regarding privacy issues. If it's possible to provide a dedicated email or department to handle these issues, better still.
The U.S. Department of State provides two ways to make contact regarding privacy issues:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.