In fact, privacy laws are in place in many countries around the world, including the following:
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- The California Online Privacy Protection Act (CalOPPA)
- The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
- Europe's General Data Protection Regulation (GDPR)
- Australia's Privacy Act
- The UK's Data Protection Act
You should provide clauses detailing how you use third-party services, APIs and SDKs.
- Google Analytics
- Google AdSense
- Google AdWords
- Amazon Associates
- Twitter Lead Generation
- Facebook Pages, Stores and Apps
- Google Play Store
- Apple's App Store
Trust is essential for companies whose business models are based on sensitive customer data. Users feel secure knowing they have control over their personal information under the terms they signed up for.
It should be structured to make it easy for the reader to understand essential information. You can achieve this by using well-structured, clearly written clauses that are clearly identified with descriptive headlines.
What information do you collect?
For instance, a website could use a registration form to collect an individual's email address, which the company then adds to its mailing list. This is very different from an app that collects all kinds of personal data, such as name, address, payment information, and location.
The point here is that there is a worldwide consensus that users have the right to know exactly what kind of data you collect.
Here's an example of a clause that lets users know what kinds of information it uses and collects:
You must also keep in mind that privacy laws generally stipulate that you may only collect personal information if it is necessary to provide the services you offer.
What do you do with the information you collect?
This clause informs the user about what happens to their personal data after it is collected.
A website might collect information such as a user's name and address in order to ship products purchased online. This information is essential, and no more is collected than necessary. This is very different from a website that collects users' names and addresses and then sells them to a third party for marketing purposes.
Both websites collect the same information, but it is vital that you disclose how this information is used once it has been collected.
Here's an example of how to disclose what is done with the information a business collects:
How is collected information kept safe?
Personal data that is collected from an individual must be kept secure and only accessible by authorized personnel. You must implement appropriate security measures if you are trusted with handling personal data about users.
For example, to prevent unauthorized people from stealing or hacking your customers' credit card information, you need to secure it behind firewalls.
Data breaches have affected millions of internet users over the last few years, and many of those involved faced severe legal and financial consequences. If you store personal information, you are responsible for making sure it is not lost or misused.
Here's an example of how you can disclose how data is secured:
Do users under the age of 13 use your website?
This clause is only applicable to specific websites and apps. It is regulated primarily under COPPA (the Children's Online Privacy Protection Act). COPPA imposes special requirements on apps and websites that collect data about children. It is vital to protect the privacy of all people, but it is crucial for minors.
You must comply with COPPA regulations if young people use your app or website.
Here's an example of a clause addressing children's personal information:
Do you handle medical data?
Extra-sensitive information such as medical information is subject to additional regulation. The main law that covers additional measures for apps and websites that contain medical and health information is HIPAA (the Health Insurance Portability and Accountability Act of 1996).
If your website or app collects health or medical information, you must comply with HIPAA regulations. Note how the health insurance company Kaiser Permanente provides a link to its HIPAA privacy notice within its main Privacy Statement:
Do you handle financial or credit data?
For obvious reasons, financial and credit information requires greater privacy protections than usual. Because it is so sensitive, several laws govern what steps companies must take to protect their users from identity theft and fraud.
You must comply with all laws governing any financial or credit information you handle on your website or app. Kaiser Permanente has a simple statement on this subject.
Does your website or app utilize third-party services?
Privacy Policies often disclose information about third-party services used by websites. It is important to disclose information about third-party usage because the Privacy Policies of third parties may differ from yours. Users need to know who has access and what their own unique policies are, since this may affect their data.
A website might use a third-party credit card processor to process transactions. Although the website does not store or handle this transaction information, users need to be able to see who has access to their credit card information and what they do with it.
Here is an example of this type of clause:
Here is a list of frequently asked questions that you may find useful.
- What personal information you collect
- How you collect it
- Why you collect it/How you use it
- How long you keep the personal information
- How you secure it
- Whether or not you share it with any third parties
- Any rights your users have when it comes to your collection, use or retention of their personal information
- Your contact information
Note that some privacy laws require additional information if you fall under the law's scope. Some of this additional information includes:
- How you handle personal information of minors/children
- If you transfer data to other countries
- Whether you sell personal information, and how users can opt out of this
- How users can exercise their rights under specific laws
- Email newsletter sign-up forms
- Contact forms
- Account sign-up forms
- Ecommerce checkout pages
You can also have users click a button that says something like "I Agree" next to a statement like the above if you don't want to use a checkbox.
- Collect new types of personal information that you didn't used to collect
- Collect personal information in a new way
- Start using personal information in a way you didn't previously use it
- Change how long you retain personal information
- Start sharing personal information with a new third party
Let's look at some Privacy Policies on popular news websites.
The New York Times
- What Information Do We Gather About You?
- What Do We Do With the Information We Collect About You?
- With Whom Do We Share the Information We Gather?
- What Are Your Rights?
- What About Sensitive Personal Information?
- How Long Do You Retain Data?
- How Do You Protect My Information?
- Are There Guidelines for Children?
- How Is Information Transferred Internationally?
- What Is Our Legal Basis?
- What About Links to Third Party Services?
- How Can You Contact Us?
- Who is the Controller of Your Personal Information?
This list is a great place to start for most Privacy Policies.
The National Review
- General Statement About Data Collection & Targeted Advertising
- The Information We Collect
- How We Use The Information We Collect
- Information Sharing
- Third-Party Services
- Your Account
- Confidentiality & Security
- Additional Information for California Residents
Or when they sign up to receive marketing emails from you:
It should be accurate and up-to-date with any changes in policy or practices so that you don't run into problems down the line.
Be sure to include sections on:
- What information you collect
- What you do with that information
- How you keep that information safe
- How you handle data of individuals under 13 years of age
- How you handle medical data
- How you handle financial or credit data
- How your app or website utilizes third-party services
But is that time better spent growing your business or cobbling together a Frankenpolicy?
- Collecting and Using Personal Information
- Usage Data
- Use of Personal Information
- Transfer of Personal Information
- Disclosure of Personal Information
- Security of Personal Information
- Links to Other Websites
- Contact Information
More specific Privacy Templates are available on our blog.