25 July 2020
This agreement is required by law if you collect personal data. Personal data is any kind of data or information that can be considered personal (identifies an individual) such as:
In 1968, the Council of Europe studied the threat posed by the expansion of the Internet, as it was concerned about the effects of technology on human rights. This led to the development of policies intended to protect personal data.
This agreement can also be known under these names:
✓ They're legally required: Privacy Policies are legally required by global privacy laws if you collect or use personal information.
The requirements for Privacy Policies may differ from one country to another depending on the legislation. However, most privacy laws identify the following critical points that a business must comply with when dealing with personal data:
In the US, privacy legislation may vary from one state to another. Certain federal laws govern users' data in some circumstances, such as in these examples:
In Canada, the federal privacy law is the Personal Information Protection and Electronic Documents Act (PIPEDA).
This law established standards that limit and organize the gathering, use, and disclosure of personal data by commercial organizations. In practice, organizations may gather, use and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
The Privacy Commissioner of Canada is responsible for receiving and resolving complaints against organizations. Its purpose is to resolve privacy matters through compliance rather than enforcement. It investigates complaints, raises public awareness of privacy issues, and conducts research on them.
Before you draft this agreement for your business, consider the basic requirements for most online businesses that deal with personal data from users (this includes SaaS apps or Facebook apps as well):
Users need to know exactly what kinds of personal data you collect from them.
Disclose whether any third parties collect personal information on your behalf, for example if you use MailChimp to collect email addresses in order to send weekly updates to your members.
The Information Collection and Use section is the most important section of the entire agreement where you need to inform users what kind of personal information you collect and how you are using that information.
Here's how Asana, a project management tool, informs users that the tool collects personal information:
The policy goes on to inform users about what kinds of information they may provide and how (by becoming a member, by connecting through Facebook, Twitter etc.):
The intro also specifies four main reasons why the company collects personal information:
A Log Data disclosure section should inform users that certain data are collected automatically, both from the web browser the user is using and by the web server you operate: IP addresses, browser types (Firefox, Chrome etc.), browser versions and the pages that users visit.
Buffer includes a sub-clause about log data in its clause about personal information that is automatically obtained from its users:
A Cookies disclosure should inform users that you may store cookies on their computers when they visit your website. This applies even if you use Google Analytics (which would store cookies) or any other third party that would store cookies.
A Security disclosure in the policy can give users assurance that their personal data is well protected, but you may also want to note that no method is 100% secure.
"The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security."
Examples of trust elements include SSL certificates. Definitely use SSL certificates if you have an ecommerce store.
Always use the clickwrap method to get your users to agree to your terms.
With clickwrap, a user is informed of the legal agreements and must take some action that demonstrates that they're clearly accepting the terms. Using checkboxes is a best practice, such as these on the Adobe ID sign-up page:
Here is a list of frequently asked questions that you may find useful.
Note that some privacy laws require additional information if you fall under the law's scope. Some of this additional information includes:
You can also have users click a button that says something like "I Agree" next to a statement like the above if you don't want to use a checkbox.
Let's take a look at some real Privacy Policies from real businesses.
GitHub links to its Privacy Statement from the footer of each web page:
The Privacy Statement includes a "short version" of what GitHub's privacy practices are.
Perhaps the most important part of GitHub's Privacy Statement is the Summary section. A link to each section is provided, as well as a short overview of what information will be found in that section:
In the example below from Dropbox, you can see how a user can navigate to the "Legal & Privacy" menu right from within the app:
Clicking this menu will take the user to another menu screen that shows the full list of legal agreements:
The same "Mobile Privacy and Legal Notice" agreement is embedded in eBay's iOS app:
This template, available for download free of charge, includes these sections:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.