Last updated on 01 July 2022 by Jocelyn Mackie (Former civil litigation attorney. Content legal strategist at TermsFeed)
We'll show you how.
Below are some of the main global privacy laws you must consider:
The GDPR is currently one of the world's strictest and most broadly reaching privacy laws. It affects businesses around the world that interact with or reach people in the EU.
While the U.S. does not yet have a broad federal law that places privacy protection requirements on companies, California has a few state laws addressing privacy protection. Since California is a large population center in the U.S., it's essentially impossible to transact American business without involving customers living in California.
COPPA (Children's Online Privacy Protection Act) is a U.S. law that affects privacy practices for websites and apps directed at children under 13. It imposes additional protections if you create online products for children.
Privacy Policies adapted for COPPA must be clearly posted and must state that you collect personal information from children under 13. COPPA grants parents the rights to verify consent, review the information, make requests, and deny future access to the data.
COPPA Privacy Policies are more complex and go beyond the basic drafting instructions addressed in this guide. Many companies, like Tumblr, limit use of their apps to those age 17 and older in order to avoid COPPA requirements.
If you're transacting business in Canada, you're held to the requirements of PIPEDA (Personal Information Protection and Electronic Documents Act).
The law affects all businesses (including foreign ones) that collect, use, and store personal information provided by customers.
PIPEDA requires that you:
In the UK, the Data Protection Act 1998 (DPA) addresses how businesses, the government, and organizations use personal information. Through its "Principles of Data Protection", the DPA ensures information is collected, used, and stored securely.
If you are transacting business in the U.K., you must ensure:
Like the U.K. law, Australia's Privacy Act 1988 also contains privacy principles governing the collection and handling of personal data.
Under these principles, you must provide:
Unlike the other laws, this one only applies to Australian businesses and agencies. However, if you run a health service provider, it will apply to you even if you are a foreign business. When it comes to health information, the requirements are relevant to all entities that interact with Australian citizens.
Before you start writing, it's necessary to take an inventory of what data you collect and what you use it for.
Take an honest assessment of the user data you collect (or wish to collect) and its necessity.
For example, if you're providing an app that allows users to track mental health symptoms, do you really need a medical record number, home address or primary care provider's name?
In this example, it's likely easier to request a username and email address at signup or allow the user to participate anonymously.
However, if your app alerts users to health test results, you genuinely require more personal information. In this case, you'll need to ensure a good Privacy by Design approach to data security and to keeping users informed.
Performing this audit makes compliance easier, too. The jurisdictions listed above encourage developers to only request as much personal data as necessary. A critical assessment of the minimum data you need for your website or app to work proves essential in this area.
After you have a good level of insight into your own business practices, you might want to take a look at examples of Privacy Policies on the websites of your competitors (or those you know do business in the same nations as you).
Note how Amazon places its Privacy Notice in the footer of its website:
Let's take a look at some examples of each of these clauses.
The easiest way to address this section is with a list. You can use bold type, headings or a bulleted list - whatever you prefer.
There are Privacy Policies that crowd this information into a paragraph format. That is not easy for users to read. A list is easily digested and understood.
Also, the list acts as a checklist so you can be sure you did not miss anything. That also assists with compliance.
Here's how Amazon breaks this information down by category to readers, letting them know that it collects information automatically, as well as what the user provides and from other sources:
From within this section, the reader is linked to a more detailed list of specific types of information, which is very helpful:
Pandora offers a similar list using bold type and paragraphs to describe the information it collects. This is a sample of the types of data it collects and how it gathers it:
Like the section on type of information and how it is collected, these provisions also benefit from a bulleted list.
However, when it comes to the use of information, there's often a need to provide reassurance. If this is your situation, you can present those provisions after your bulleted list.
Pandora does just that in this informative list:
Your list should include how data collection benefits users, but also how it serves your business model. This is not advertising your services; it is offering transparency. Even if you collect data only to monitor usage patterns and satisfaction in order to develop new features, that use still needs to be disclosed to your users, even if the effort never benefits them directly.
You could be ordered by a court to share data, or you might provide it to a hired consultant. There are likely situations in which you would share this data that have not yet occurred to you.
That is why you need to address how you share information with third parties, even if you have never felt the need to do so.
You don't want to face liability because you shared data with third parties in order to better understand the performance of your website or app without having disclosed that possibility.
Here's how Pandora notes how information will be shared, with a section focused on third-party sharing, specifically:
This clause doesn't need to be long or detailed. You basically just need to state that you do have security measures and safeguards in place to protect the information.
Here's a basic but adequate example from Datadog:
This example from ABC Fitness shows a greater level of specifics and details, such as what steps employees take to increase data security:
If you can give your users specific information here without compromising your own security, do that. Common practices like SSL encryption and HTTPS access are worth mentioning and that detail will not compromise your proprietary interests. It will gain your users' confidence.
Many privacy laws, such as the GDPR, include specific rights you must give to users. Make sure you're familiar with these nuances when writing your User Rights clause or clauses.
Here's how Ancestry outlines what rights users have, and how the rights can be exercised:
Here's how Sony Pictures has a clause specifically addressing rights that California residents are given:
Errors may arise as you distribute your new app or roll out the next version of your website, and you need tools to address them. One of those tools is updating your agreements.
Good Privacy Policies end with contact information in case users have questions. You can provide this in any format you wish including email addresses, mailing addresses, telephone numbers or links to online forms.
These clauses tend to be very short and to the point, like Pandora's seen here:
If you handle especially sensitive information like medical history or home addresses, you may want to dedicate a separate email address for these questions. That allows for a timely response and better service to your users.
As with websites, remember that Privacy Policies help engender trust between you and your app's users. They give users a sense of security and comfort, knowing that you care about their sensitive information and its protection.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.