Privacy Policy for Subscription Plans

Ecommerce and SaaS embrace the subscription plan as a way to make their products accessible to users. But the need for billing, shipping, and personal information to customize the experience makes these services more intrusive than others offered online.

If you wish to offer a subscription plan, your Privacy Policy must reflect the unique situation offered by these services. You will collect more personal information and need to take steps so users are informed and the data remains protected.

Here is how to approach a Privacy Policy for a subscription plan.

Relevant Laws

Privacy policies are required by law in most jurisdictions. These laws affect any company that collects personally identifiable information from its customers.

This type of information includes:

• Full names
• Email addresses
• Cities of residence
• Shipping addresses
• Identifying numbers like social security driver's license numbers
• Screen names.

If you collect any of the data above, you must have a Privacy Policy before selling your subscription service online.

This is true no matter where you operate since consumer privacy protection is universally embraced.

Even if there is no national law, do not assume you can proceed without a Privacy Policy.

The United States does not have a federal privacy law, but state law is catching up. California, Delaware, and Nevada all have their own privacy laws and Illinois has a privacy law specific to location tracking.

Australia, Canada, and the UK all enacted federal laws that require Privacy Policies as have India, Malaysia, and other nations.

Since subscription services are usually available across international lines, it is safe to assume that you cannot operate your business model with a Privacy Policy. Fortunately, the laws are similar in their requirements for a Privacy Policy.

These requirements include:

• A description of the type of data you collect
• How you collect it
• How you use it
• Third parties who may receive the data
• Protection mechanisms for personal data
• A clear link to the Privacy Policy on the website

This includes addressing any automatic data collection through cookies and tracking software.

The EU Cookie Directive requires EU member states to include a Cookie Policy in addition to their Privacy Policy. Even if you do not have to provide a Cookie Policy, your Privacy Policy must address cookies and tracking, even if it is voluntarily accepted by your users.

Subscription plans and privacy concerns

Due to the volume of information they collect, subscription plans are more invasive than other types of online services. These are the specific privacy concerns that arise from them.

Ecommerce issues

Ecommerce subscriptions cannot exist without collecting personal information. Otherwise, there is no way for a service to ship items to a consumer.

When a user signs up for a subscription service, they must submit their name, shipping address, and payment information. Subscriptions for clothing and beauty products also contain personal preferences. Some users may consider these details sensitive and they require reassurance as well as legal protection in case of a privacy breach.

Also, some subscription plans offer special rewards and incentives around a customer's birthday. While participation is usually voluntary, that is an additional piece of personal information that the service must keep safe.

Another unique aspect is that the subscription service uses this information every month. It is not a matter of a user submitting the data once and it remaining in storage for the future. The data is used each time the service makes payment charges and ships the product. This constant use can leave information vulnerable so companies must make an effort to keep personal data private and secure.

Software as a service (SaaS)

Subscriptions are available for software as a service (SaaS), too. Microsoft, DropBox, and Spotify all offer software products in addition to their monthly subscriptions.

Its attributes make a Privacy Policy vital to compliance but also transparency. Users need to be informed of the data being collected and how it is used for legal reasons but also so they know what to expect.

Ecommerce mainly requires this data for payment and shipment.

SaaS has additional concerns and will also collect:

• Location information in order to customize services. For example, Spotify records users' locations in order to inform of nearby concerts.
• Personal taste. While this is not technically personally identifiable information, some users may feel this is intrusive so developers inform them that these preferences are tracked.
• Social media, including photos, friend lists, and items that are favorited.
• Device information like operating systems, browser preferences, and email apps. This helps the service diagnose problems and improve.
• Cookies and tracking technology
• Third party apps. For example, DropBox may share with Google Docs so users can move material between the apps.

Subscription services of all types are vulnerable to privacy complaints by the sheer volume of information they collect. If you provide this service, you must assure particular provisions are clearly communicated in your Privacy Policy.

Examples

There is overlap in ecommerce and SaaS Privacy Policies, but these provisions are the most important for each type.

Ecommerce

As mentioned, ecommerce subscription plans focus on payment methods and shipping. Your ecommerce Privacy Policy provisions must list what is required for users to join your service as well as the other requirements for data protection and sharing.

Required information

Ecommerce services list the data collected but may divide it into two categories. One includes the data required to use the service and the other is any optional data if the user wants enhanced services.

Ipsy takes this approach. It starts with information required to join. This focuses on beauty preferences, email addresses, and date of birth:

If a user decides to start an Ipsy subscription, the service requests additional information, such as shipping addresses and billing information:

Cratejoy, a subscription service that offers monthly boxes for everything from clothing to board games, takes a similar approach. In plain language, it states that membership depends on users providing an email address and screen name. However, to enjoy additional services, users must provide billing information, addresses, and even telephone numbers:

Sephora started a new subscription called Sephora Play!. Its Privacy Policy uses a chart to show the type of information needed for each activity. It also guides users to additional policies that may affect them. This is very easy to read and leaves no doubt to consumers:

This section is where you need to spend the most time drafting your Privacy Policy. It also needs to be clear and understandable to your users. Consider using bullet points or a table so users understand which information is required for each action they complete online.

Social media

Some services require social media accounts for login and tracking. Not only do they need to inform users of the information they collect directly but also any data they find through users providing social media information.

Stitchfix allows users to link their social media accounts to the service to make sharing easier. It informs users that doing this allows the service to see what is posted:

Ipsy mentions social media with other third party service providers who may view or collect the information. Users may sever this link by disconnecting Ipsy from the third party application or social media platform:

Sephora makes it clear to users that it tracks Facebook "likes" and may adjust its suggestions based on them:

Consumers do not always welcome the interaction between their online services and social media accounts. Requiring them to link these accounts is not the best idea. Make this part of the service optional and explain the interaction very clearly in your Privacy Policy, as they do in these examples.

Affiliates and service providers

If your subscription service depends on other service providers, identify them in your Privacy Policy. This way, consumers know who else accesses their information:

Sephora names specific entities:

StitchFix outsources its payment collection. It identifies its service provider and also gives a link to that provider's Privacy Policy:

Since users provide so much sensitive data, it is best to name any service providers and third parties directly in your Privacy Policy. It is a good transparent practice.

Device information

Subscriptions are often customized to the user. To provide the most relevant products, that requires additional information collected through tracking.

This includes device information. Knowing the type of device used to access the site and how well the browser operates helps subscription services customize to customer interests and fix any website issues.

Stitchfix performs this tracking automatically and informs users in its Privacy Policy with a bold header and detailed information:

Cratejoy has the same practice and since it distributes an app for its services as well, the tracking information clause also indicates how that app functions:

This is a good reminder that even if you track data to provide a better customer service, you still need to inform users that this is your practice. It is a good habit since laws regarding tracking cookies are gaining traction worldwide.

SaaS

SaaS subscriptions address the same issues in their Privacy Policies but often with more detail. If you offer a SaaS subscription, include these provisions in your Privacy Policy.

Location information

Like personal tastes and browser preferences, location information is used to create a more personal experience for the user. However, laws like Illinois' Geolocation Privacy Protection Act, require that you inform consumers that you collect general location data and if you wish for more specificity, you secure users' consent or permission first.

Spotify demonstrates perfectly how to comply with this. It starts off with information needed to use the service. It refers to this as the first category and it includes non-specific location information:

Spotify mentions location information again in a second category of collected data. This is only collected if the user authorizes it:

In each category, Spotify explains why it collects this data. Not only does this assure legal compliance, but it helps consumers make informed decisions on whether they want a subscription to this service.

Personal Tastes

This is similar to consumer preference tracking with ecommerce sites. Rather than being based on product reviews or comments made on social media, these preferences are tracked within the SaaS website or app.

Even then, this practice must be disclosed to users. VHX Corporation developed Netflix and Vimeo, both being video subscription services that offer apps and software for watching videos on devices. It indicates in its Privacy Policy that it racks consumer tastes in videos so it can make suggestions:

Microsoft offers its Office products in a software package but also online through a subscription service paid for monthly or annually. It makes it clear in its Privacy Policy that it will track "interests and favorites:"

Sometimes, rather than mentioning preferences, a SaaS tracks use. That is what DropBox explains in its Privacy Policy:

Like device and location information, this is intended to improve a user's experience with your service. Since they involve personal information, you must disclose them in your Privacy Policy even if you believe users will appreciate the benefits.

Third parties

When third parties are involved in SaaS subscriptions, it's usually to extend services. This gives users more options when using the SaaS.

Allowing those options involves sharing personal data. For example, VHX Corporation works with Roku and iOS to run Vimeo and Netflix channels through their platforms. That is often how users watch these services on their television sets rather than a mobile device or computer:

This section may also work as it does with ecommerce subscriptions. In that case, this clause would disclose any affiliate partners or service providers.

Spotify broadly explains this in its Privacy Policy and gives users the option to request that their data remains private:

If you run a SaaS subscription, chances are you have affiliate relationships or work with other platforms. Reveal them by name, and consider including a link to their Privacy Policy in your agreement if possible.

Device information

SaaS subscriptions collect device information to see how their software works. This allows for improvements, and if a user requires technical support, the data helps them diagnose the problem.

You need to mention this data collection in your Privacy Policy.

VHX Corporation explains this under "Information We Collect" and adds that this is collected automatically:

Dropbox also addresses this issue:

Microsoft presents this information in a bulleted list. This is easy to read and helps users understand why it collects this information:

The detailed yet streamlined approach by Microsoft is likely the best way to present this section of your Privacy Policy. It enhances understanding by your users and also makes your practices very transparent.

It also makes it easier for you if your collection practices change. You can simply add or delete a list item.

Cookies and tracking

A Privacy Policy will address cookies and tracking in most jurisdictions. If you operate from an EU member state, you also need to add a Cookie Policy as well as placing this language in your Privacy Policy.

Most of these provisions explain how the cookies operate and the information they collect. Dropbox summarizes this briefly:

Microsoft also uses plain language and explains cookies well. If users want additional details, they only need to click on the "read more" link:

Many users appreciate the convenience and variety of subscription plans. They often expect to reveal more personal information to enjoy these services and will be ok with that. However, it is still your responsibility to protect that information and never collect more than you need. This keeps you in compliance with current privacy laws and enhances goodwill between you and your users.