Privacy Policy if No Personal Data is Collected

Privacy Policy if No Personal Data is Collected

Do you need still need a Privacy Policy agreement if you don't collect any kind of personal data?

A Privacy Policy is a legal agreement that you use to disclose the way you gather, use and manage the personal information of your customers and clients.

Most online businesses would need this kind of agreement regardless of their business or what platform they use. For example, iOS apps require a Privacy Policy as well as Android or Windows apps.

Personal information can be anything that identifies an individual, including but not limited to name, address, date of birth, marital status, contact information, financial records and credit card information.

It's very important that your Privacy Policy informs users about whether their information stays confidential or will be shared with third parties (such as ones that you use to run your business, e.g. MailChimp to send email campaigns).

What to do if you don't collect any data

If you don't collect any kind of personal data, your Privacy Policy should simply mention this.

Even if you don't collect personal information and this legal agreement wouldn't be required in this case(since you're not collecting personal information), it's best to have a Privacy Policy to inform users that you're indeed not collecting any kind of data.

This is because it's very common for users to search for the Privacy Policy link in the footer of websites:

Facebook Footer is Unchanged

Here's a part of a very short legal agreement from Ecquire, named "The World's Greatest Privacy Policy":

We don't store your data, period.

If you continue to read Ecquire's Privacy Policy, it begins to detail why Ecquire doesn't collect any kind of personal information.

Ecquire, The Worlds Greatest Privacy Policy

Declare intermediaries

Even if you don't collect personal information from users, but you have a third party that stores the clients' details to process billings information, you should clearly communicate this.

What are the intermediaries (as a group) that you should declare in your Privacy Policy agreement? Here are a few examples:

  • MailChimp, Campaign Monitor, AWeber etc. if you collect email addresses directly from users via their pre-defined forms
  • Payment processors if users are required to pay via credit/debit card, or PayPal

Intermediaries can be any third parties that receive personal information from your users through you, even if you don't store that personal information yourself on your servers.

If any third party collects personal data from your users in your name, then it should be declared in your Privacy Policy.

Here's how a custom Privacy Policy that can be created through TermsFeed would mention this:

We may employ third party companies and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.

These third parties have [...]

This kind of clause can cover the intermediaries that your website or mobile app are using to process some of your users' personal information.

If you operate a service that stores the data on users' private computers but still needs to collect users' email addresses to determine which account is which, you can split your Privacy Policy into two sections.

The first section should describe why your website doesn't collect data, e.g. that's our business model, all data collect is stored on your computer.

Privacy Policies shouldn't be confusing or too wordy, so be as concise about it as possible.

Here's how Ecquire explained why they don't collect information:

"We physically can't. We have nowhere to store it. We don't even have a server database to store it. So even if Justin Bieber asked nicely to see your data, we wouldn't have anything to show him.

That's why, with Ecquire, what happens on your computer stays on your computer.

Whenever you want to send your data to your CRM or MailChimp or Google Docs, "it only moves when you tell it to, and over their secure connections. No middleman."

The second section should explain that there is a billing party or an intermediary party involved for service to work. You have to let your users known that third parties are needed to gather this data (email address or a license key that's connected to an email address), in order for the service to work.

An email address is considered personal information.

You can clarify this kind of situation in your Privacy Policy by stating that while the tool you're developing doesn't collect any other personal information directly, it needs to store the email addresses of users for the purpose of identifying accounts when logging or process payments in your name (if it's a paid service).

If you're interested in the applicable laws on privacy, a short list is added below. This list is for businesses operating from the United States, but we've covered other countries applicable laws on this blog, such as PIPEDA in Canada, the Privacy Act of 1988 in Australia and the GDPR in the EU.

  • CalOPPA (the California Online Privacy Protection Act)
  • Sections 22575-22579 of the "California Business And Professions Code"
  • The Children's Online Privacy Protection Act or simply COPPA. This law covers websites collecting information from children below 13 years of age.
  • Gramm-Leach-Billey Act. Institutions that are heavily involved in financial activities should give "clear, conspicuous, and accurate statements" of their information-sharing practices. It also restricts use and sharing of financial data.
  • The Health Insurance Portability and Accountability Act (HIPAA). This law requires health care services to provide privacy practices in writing , even if the the health service is electronic.

Don't bury your Privacy Policy

Website and mobile app developers should let users know of any agreement to which they are to be bound to when signing up to your service.

When placing your legal agreements, use the click-wrap technique in strategic places such as during registration and log-in.

A click-wrap is the legal agreement to which a user must agree by clicking the "OK", "I Accept" or "I Agree" button on a dialog box before using your service (this can be your website, your mobile app, and so on).

Find more examples of "I agree" checkboxes.

This is a click-wrap agreement, where users are required to check the "I agree" checkbox before they continue:

EngineYard - I Agree To Terms of Service

Click-wrap seeks affirmative action from users to ensure that there is meaningful consent in binding them to an agreement. Should the user reject the terms in click-wrap, the user cannot use the service.

So, even if you legally don't need to have a Privacy Policy, it's a good idea to include one anyway. Simply state that you don't collect or use personal information, and provide a link to the agreement in your website footer. Your users will appreciate your transparency.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.