Privacy Policies are where you disclose your practices when it comes to your collection, use and handling of the personal data of your users. They provide information and transparency.
Anonymous data (that doesn't include personal data) can also be classified as "personally identifiable information" if used in connection with another type of data that can result in identifying an individual. For example, some types of IP addresses are legally protected personal information under modern privacy laws.
Editor's note: The video above has outdated content regarding EU laws. The article content is updated as of July 16, 2019. We apologize for any inconvenience this may cause.
In the United States
There are several laws, including federal and state laws, that have provisions on data privacy. The FTC (Federal Trade Commission) regulates data protection for all consumers in the USA, and the following laws all have privacy implications:
The Americans with Disabilities Act
The Cable Communications Policy Act of 1984
The Children's Online Privacy Protection Act (COPPA)
The Computer Fraud and Abuse Act of 1986
The Computer Security Act of 1997
The Consumer Credit Reporting Control Act
The California Online Privacy Protection Act (CalOPPA)
Beginning on January 1, 2020, the CCPA will affect what certain businesses that reach California residents will have to disclose in their Privacy Policies. Transparency is key here, as is granting extra rights to users when it comes to controlling what happens with their personal information.
Companies that must comply with the UK's Data Protection Act (DPA) must follow its 8 principles, condensed here:
Any kind of personal data from users must be collected for a specified and lawful purpose. The data also cannot be processed in any way that's incompatible with that purpose.
The personal data you collect should be adequate, relevant and not excessive in relation to the purpose for which you're collecting the personal data.
The personal data should be kept up to date and accurate.
Any kind of personal data collected from users should not be kept longer than is necessary for the purpose for which it was collected.
What personal information you collect, and for what specific lawful purpose
How you use the data in accordance with such a purpose
What rights users have and how they can exercise them
How long you keep data, generally
How you keep collected data safe and secure
PIPEDA, the Personal Information Protection and Electronic Documents Act, is the law of Canada for protecting user data.
Under PIPEDA, personal information means:
any identifiable information about an individual, whether recorded or not, and it applies to the collection, use, and disclosure of personal information by organizations during commercial activities.
Any business that falls under PIPEDA's scope is required to make information available to the public about the way it handles personal information.
Be very clear and specific about what your business actually does. Make sure your readers can understand what you disclose, and that you aren't just disclosing generalities. Don't use legalese, and keep it simple.
Disclose any choices you offer when it comes to users controlling how their personal information is used. For example, if you allow opt-outs for personalized marketing, make it clear that you offer this and how a user can actually opt out.
Make it clear how users can access what personal information you have about them, and how they can request corrections or deletions of the data.
Keep your Policy updated so it always accurately reflects your actual practices.
Make it easy to contact you with questions.
In the European Union (EU)
The General Data Protection Regulation (GDPR) regulates the processing of personal data within the European Union. This regulation has strict, global requirements for companies who have users located within the EU.
Consent is huge under the GDPR, so if this regulation applies to you, you'll want to get familiar with how your consent requirements will change.
In Singapore, Malaysia, South Korea and Vietnam
In Singapore it's the Personal Data Protection Act 2012 (PDPA).
It's also called the Personal Data Protection Act (PDPA) in Malaysia. Malaysia's PDPA came into force in November 2013.
In South Korea it's called the Personal Information Protection Act, and it came into force in 2012.
In Vietnam, it's Article 21 of the Law on Information Technology.
Because these laws aren't quite as robust as some from the EU and the United States at the moment, you can pretty much ensure you're complying with them by making sure you comply with the requirements of the GDPR or CalOPPA.