SaaS providers are legally required to maintain a Privacy Policy. But what you may not realize is that your location and that of your users significantly impacts the content of your Privacy Policy. This is because different regional privacy laws have different standards for the Privacy Policy of businesses under their jurisdiction.

This article will briefly discuss what a Privacy Policy is and why your SaaS app needs one. We'll then examine U.S. and UK Privacy Policy requirements and explore the differences in the content of a SaaS Privacy Policy in these regions.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option, the App option, or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is a Privacy Policy?

A Privacy Policy is a legal document that describes your company's data processing practices. It typically informs users how you collect, use, manage, share, retain, and protect their personal information. It also explains what rights or controls users have over their personal information.

To clarify, personal information means any information that can be used to directly or indirectly identify an individual. Typical examples are as follows:

  • Names
  • Home or mailing addresses
  • Email addresses
  • Phone numbers
  • Social media handles
  • Financial details

Personal Information also comprises sensitive data such as genetic/biometric information, racial or ethnic origin, sexual orientation, and religious beliefs, to mention a few.

If your business collects any of the above categories of information, it's a best practice to publish and maintain a Privacy Policy.

When drafting your Privacy Policy, you must take care to write your clauses in simple, understandable language and ensure that they accurately reflect your company's privacy practices.

Why Does Your SaaS App Need a Privacy Policy?

If you collect personal information from your users, you legally need to have a Privacy Policy.

Running a SaaS business today without collecting some form of personal information is virtually impossible. For instance, to set up account plans or subscriptions, you'll need to collect email addresses and payment details, which means you need to explain how you will use this information in a Privacy Policy.

That said, let's look at the main reasons your SaaS app needs a Privacy Policy.

It's Legally Required

Setting up a Privacy Policy is not only a best practice for any SaaS business that collects personal information, it's also mandated by law.

Depending on where you and your users reside, your business may be subject to international privacy laws that require you to publish a publicly accessible Privacy Policy on your website or app.

For example, suppose you operate in California but digitally offer products or services to users based in Europe. In this situation, your company might be subject to the data protection laws and Privacy Policy requirements of both California and Europe.

Note that failure to comply with applicable laws may result in enforcement actions and significant penalties.

It Demonstrates Credibility and Transparency

Privacy Policies are now one of the key indicators of a company's credibility. Customers expect to see this policy to understand how you collect and use their personal information.

A well-written Privacy Policy demonstrates to users that you value their privacy and want to be open about your practices.

Next, let's examine the Privacy Policy requirements for a SaaS provider in the U.S. and UK before we explore their differences.

Privacy Policy Requirements for SaaS Providers

The content of your SaaS Privacy Policy will depend on several key factors, including your business's unique practices, the third-party services you use, and, most importantly, the privacy laws that apply to you.

When it comes to the clauses of a Privacy Policy, the privacy laws in the United States and the United Kingdom have varying requirements for businesses under their respective jurisdictions.

Without further ado, let's go over these requirements.

Privacy Policy Requirements in the U.S.

At the time of this writing, the United States doesn't have a unified regulatory framework to oversee data protection for all its residents.

Instead, the U.S. has a patchwork of privacy laws that address specific consumer groups and data types. This complex framework is the result of several states taking action to protect the data privacy of their own residents.

As a result, the following state laws (with possibly more to come) specifically regulate consumer privacy and require applicable businesses to publish a Privacy Policy:

  • California Online Privacy Protection Act (CalOPPA)
  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Utah Consumer Privacy Act (UCPA)
  • Connecticut Personal Data Privacy and Online Monitoring (CTDPA)

Although the above laws have very similar Privacy Policy requirements, some contain a few distinct provisions. Depending on which specific law(s) apply to your SaaS business, you may not need to include all the clauses listed below in your Privacy Policy.

In any case, here's the full list of clauses your SaaS business must address to comply with the U.S. privacy laws identified above:

  • What personal or sensitive information you collect
  • Your sources and purposes for collecting such information
  • How you use personal or sensitive information
  • Which third parties you share personal information with, and why
  • How long you store personal or sensitive information
  • How you protect personal or sensitive information
  • Consumer privacy rights and how to exercise them
  • Whether or not you sell users' personal information
  • How users can opt out of the sale, processing, or sharing of their personal information
  • Your use of cookies and similar technologies
  • Your contact information for questions and requests
  • How you handle business transfers
  • The effective date of your Privacy Policy
  • Notice of changes to your Privacy Policy
  • Notice about automated decision-making or profiling (if applicable)
  • A link to your "Do Not Sell or Share My Personal Information" page (if applicable)
  • How your business responds to "Do Not Track" signals (if applicable)

For more information, check out our article: Privacy Policy for United States.

Privacy Policy Requirements in the UK

Unlike the United States, the United Kingdom has a unified regulatory framework in place to protect its residents' data privacy. This framework comprises two interconnected laws: the Data Protection Act 2018 (DPA) and the UK GDPR.

The European Union established the General Data Protection Regulation (GDPR) to protect consumers across its 28 member countries. Despite the Brexit transition, the UK incorporated the GDPR into its legal framework, modifying a few provisions to fit its unique system.

Consequently, the DPA and the UK GDPR have become the central privacy laws regulating consumer data protection in the UK.

The Privacy Policy requirements under the DPA/UK GDPR are notably more stringent than those of U.S. laws. To meet these requirements, your SaaS Privacy Policy must address the following clauses:

  • Introduction and definitions
  • What categories of personal data you collect and process
  • How and why you collect and process personal data
  • Your lawful basis for processing personal data
  • The eight user rights under the GDPR
  • Your data security practices
  • How long you retain personal data
  • Who you share personal data with
  • How you use cookies and similar technologies
  • How you manage business transfers
  • Whether or not you conduct international data transfers and what safeguards you employ
  • Whether or not you use personal data to make automated decisions
  • Your Data Protection Officer (DPO) and contact information, if applicable
  • Notice of changes to your Privacy Policy

Now that we've identified the SaaS Privacy Policy requirements for businesses in the U.S. and UK, let's examine the key distinctions between these clauses.

Most Significant SaaS Privacy Policy Differences in the U.S. vs. UK

Understanding the differences in the content of a Privacy Policy under U.S. and UK laws will be critical in helping your SaaS business comply appropriately. The most significant distinctions are as follows.

Consumer Rights

Under the UK GDPR, there are eight user rights that every SaaS company must observe and help facilitate upon a user's request. Your Privacy Policy must mention these rights and guide users on how to exercise them.

Briefly, these rights are as follows:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure/right to be forgotten
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object to processing
  8. Rights regarding automated decision-making and profiling

Although not all of these rights will likely apply to your business, you still need to be aware of them.

Here's how Staples addresses these rights in its Privacy Policy, including how users can exercise them:

Staples Privacy Notice: European Union (EU) and United Kingdom (UK) Residents clause - Rights section highlighted

Consumer rights in the U.S., however, differ slightly from those in the UK. Consider the CCPA and CPRA (aka the gold standards of U.S. privacy laws), for example.

CCPA consumer rights are as follows:

  • The right to know
  • The right to access
  • The right to request deletion
  • The right to opt out
  • The right to opt in (for minors)
  • The right to non-discrimination

The CPRA amends the CCPA and introduces several additional rights, including:

  • The right to correction
  • Access and opt-out rights relating to automated decision-making technology
  • Rights regarding sensitive personal information

Here's how AlerisLife presents consumer rights in its California Privacy Policy:

AlerisLife California Privacy Policy: Data Subject Rights and How to Exercise Data Subject Rights clauses

As we can see, the rights under the GDPR in the United Kingdom and the CCPA/CPRA in the United States are nearly identical. However, minor distinctions between these rights do exist and must be addressed accordingly.

Lawful Basis

Under the UK GDPR, businesses must first establish at least one of six lawful bases before processing consumers' personal data. This obligation is notably absent from every U.S. privacy law.

In other words, if your SaaS business falls under the UK GDPR's jurisdiction, your Privacy Policy must identify one or more of the six lawful bases for processing consumers' data.

For more information, see our article: Lawful Basis for Processing Under the GDPR.

Briefly, the lawful bases for processing a user's personal data are as follows:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

For example, here's how Atlassian displays its legal bases for processing consumers' data in its Privacy Policy:

Atlassian Privacy Policy: Legal bases for processing for EEA users clause

"Do Not Sell or Share My Personal Information" Link

Under some U.S. privacy laws (specifically the CCPA and CPRA), businesses that sell or share consumers' information are required to include a link within their Privacy Policy that reads, "Do Not Sell or Share My Personal Information." This requirement is, however, not present under the UK GDPR.

Your "Do Not Sell or Share" link should direct users to a web page where they can opt out of having their personal information sold or shared with third parties.

Here's how Automattic includes this link in its Privacy Policy:

Automattic Privacy Policy: CCPA Section with California: Do Not Sell My Personal Information link highlighted

International Data Transfers

Under the UK GDPR, if your SaaS business sends consumer data from the UK to a foreign country, you must include an international data transfer clause in your Privacy Policy. In contrast, U.S. privacy laws do not directly require businesses to address this clause.

To put this in context, if you employ a data processor in Canada or use a web server in Australia, you will likely transfer data outside the UK and must therefore observe this requirement.

Your SaaS Privacy Policy must describe what safeguards you have in place to ensure an adequate level of protection for any transferred data.

Here's an example from IBM's Privacy Statement:

IBM Privacy Statement: Facilitating International Transfers clause

Data Protection Officer (DPO)

Unlike U.S. privacy laws, the UK GDPR requires certain businesses to appoint a Data Protection Officer (DPO) to oversee compliance with data privacy obligations. Not every business has to appoint a DPO, however.

As a SaaS provider, you must appoint a DPO if you:

  • Frequently and systematically monitor users on a large scale, or
  • Process a considerable volume of sensitive data or data relating to criminal convictions and offenses

Your DPO's contact information must be displayed in your Privacy Policy like Freshworks does here:

Freshworks Privacy Notice: Contacting Freshworks clause

Contact Information

Although both U.S. and UK privacy laws require businesses to provide contact information in their Privacy Policy, the actual standards differ slightly between the two countries.

Under the UK GDPR, your SaaS Privacy Policy must include the physical location where you store users' personal data. In contrast, U.S. laws do not demand that you provide a physical address in your policy. A simple email address or web form will work just fine.

Here's a good example from Geocaching:

Geocaching Privacy Policy: Contact clause

Although Geocaching doesn't operate in the UK, it provides a physical address all the same. California consumers are, however, presented with a link to a web form.

Summary

For SaaS providers, publishing a Privacy Policy is not only a best practice to showcase credibility and transparency, it's the law.

As we've established, the content of a Privacy Policy will depend significantly on the location of the business and its customers. In particular, businesses in the U.S. and the UK must adhere to different standards when it comes to the content of their Privacy Policies.

It's worth noting that the UK imposes stricter requirements on businesses under the DPA/UK GDPR regime than any individual U.S. privacy law.

That said, if you're unsure about which clauses to include in your Privacy Policy under U.S. and UK privacy laws, the following list of key differences will help:

  • Consumer privacy rights
  • Lawful or legal basis
  • "Do Not Sell or Share My Personal Information" link (under the CCPA and CPRA)
  • Data Protection Officer (DPO)
  • Contact Information
