Former civil litigation attorney. Content legal strategist at TermsFeed.
Below are some of the main global privacy laws you must consider:
The EU's GDPR
The GDPR is currently one of the strictest and most broadly-reaching privacy laws in the world. It affects businesses anywhere that interact with or reach people in the EU.
CalOPPA in the U.S.
While the U.S. does not yet have a broad federal law that places privacy protection requirements on companies, California has a few state laws addressing privacy protection. Since California is a large population center in the U.S., it's essentially impossible to transact American business without involving customers living in California.
COPPA in the U.S.
COPPA (Children's Online Privacy Protection Act) is a U.S. law that affects privacy practices for websites and apps directed at children under 13. It imposes additional protections if you create online products for children.
Privacy Policies adapted for the COPPA law must be clearly posted and address the fact that you collect personal information from children under 13. It grants rights to parents to verify consent, review the information, make requests, and deny future access to the data.
COPPA Privacy Policies are more complex and go beyond the basic drafting instructions addressed in this guide. Many companies, like Tumblr, limit use of their apps to those age 17 and older in order to avoid COPPA requirements.
PIPEDA in Canada
If you're transacting business in Canada, you're held to the requirements of PIPEDA (Personal Information Protection and Electronic Documents Act).
The law affects all businesses (including foreign ones) that collect, use, and store personal information provided by customers.
PIPEDA requires that you:
- Collect personal information by fair and lawful means
- Secure consent before collecting personal data
DPA in the UK
In the UK, the Data Protection Act 1998 (DPA) addresses how businesses, the government, and organizations use personal information. Through its "Principles of Data Protection", the DPA ensures information is collected, used, and stored securely.
If you are transacting business in the U.K., you must ensure:
- Collected information is used fairly and lawfully
- Data is used for limited and specific purposes
- Information is used only to the extent that it is adequate and not excessive
- The information you store is accurate
- No data is stored for longer than necessary
- Security for data in your possession
- Respect for users' rights including correcting data, denying future access or providing notification if there is a breach
- No data transfer to entities outside the U.K. without adequate levels of precautions
Privacy Act in Australia
Like the U.K. law, Australia's Privacy Act 1988 also contains privacy principles governing the collection and handling of personal data.
Under these principles, you must provide:
- Clear explanations on how personal data is collected and managed
- Anonymity or pseudonymity when requested
- A destruction process if you receive unsolicited personal information
- Notification to users if you collect personal information
- Disclosure of direct marketing efforts if your service includes it
- Limited distribution of data outside of Australia
- A way for users to access and correct personal information you collect
- Effective security procedures for protecting personal information
Unlike the other laws, this one only applies to Australian businesses and agencies. However, if you run a health service provider, it will apply to you even if you are a foreign business. When it comes to health information, the requirements are relevant to all entities who interact with Australian citizens.
Review Data Collection and Use
Before you start writing, it's necessary to take an inventory of what data you collect and what you use it for.
Take an honest assessment of the user data you collect (or wish to collect) and its necessity.
For example, if you're providing an app that allows users to track mental health symptoms, do you really need a medical record number, home address or primary care provider's name?
In this example, it's likely easier to request a username and email address at signup or allow the user to participate anonymously.
However, if your app alerts users to health test results, you genuinely require more personal information. In this case, you'll need to ensure a good Privacy by Design approach to data security and to keeping users informed.
Performing this audit makes compliance easier, too. The jurisdictions listed above encourage developers to only request as much personal data as necessary. A critical assessment of the minimum data you need for your website or app to work proves essential in this area.
After you have a good level of insight into your own business practices, you might want to take a look at examples of Privacy Policies on the websites of your competitors (or those you know do business in the same nations as you).
Note how Amazon places its Privacy Notice in the footer of its website. Whichever laws apply to you, your Privacy Policy should address:
- What kind of information is collected, and how
- How you use the information
- If/when you disclose the collected information to third parties
- How you protect the information you collect
- What rights users have regarding the collection and use of their information
- Your contact information for any questions users may want to ask
Let's take a look at some examples of each of these clauses.
What Information You Collect
The easiest way to address this section is with a list. You can use bold type, headings or a bulleted list - whatever you prefer.
There are Privacy Policies that crowd this information into a paragraph format. That is not easy for users to read. A list is easily digested and understood.
Also, the list acts as a checklist so you can be sure you did not miss anything. That also assists with compliance.
Here's how Amazon breaks this information down by category to readers, letting them know that it collects information automatically, as well as what the user provides and from other sources:
From within this section, the reader is linked to a more detailed list of specific types of information, which is very helpful:
Pandora offers a similar list using bold type and paragraphs to describe the information it collects. This is a sample of the types of data it collects and how it gathers it:
How You Use the Information You Collect
Like the section on type of information and how it is collected, these provisions also benefit from a bulleted list.
However, when it comes to the use of information, there's often a need to provide reassurance. If this is your situation, you can present those provisions after your bulleted list.
Pandora does just that in this informative list:
Your list should include how data collection benefits users but also your business model. This is not advertising your services but offering transparency. Even if you collect data to monitor patterns and satisfaction in order to develop new features, that still needs to be revealed to your users even if that effort never helps them.
Any Disclosure of Information to Third Parties
You could be ordered by a court to share user data, or you might hand it to a hired consultant. There are likely situations where you would share this data that have not occurred to you.
That is why you need to address how you share information with third parties - even if you have never felt the need to do so.
You don't want to face liability because you shared data with third parties in order to better understand the performance of your website or app.
Here's how Pandora notes how information will be shared, with a section focused on third-party sharing, specifically:
How You Protect Information You Collect
This clause doesn't need to be long or detailed. You basically just need to state that you do have security measures and safeguards in place to protect the information.
Here's a basic but adequate example from Datadog:
This example from ABC Fitness shows a greater level of specifics and details, such as what steps employees take to increase data security:
If you can give your users specific information here without compromising your own security, do that. Common practices like encrypting data in transit with SSL/TLS (HTTPS access) are worth mentioning; that level of detail will not compromise your proprietary interests, and it will gain your users' confidence.
User Rights
Many privacy laws, such as the GDPR, include specific rights you must give to users. Make sure you're familiar with these nuances when writing your User Rights clause or clauses.
Here's how Ancestry outlines what rights users have, and how the rights can be exercised:
Here's how Sony Pictures has a clause specifically addressing rights that California residents are given:
Errors may arise as you distribute a new version of your app or roll out the next version of your website, and you need tools to address any errors you discover. One of those tools is updating your agreements.
Your Contact Information
Good Privacy Policies end with contact information in case users have questions. You can provide this in any format you wish including email addresses, mailing addresses, telephone numbers or links to online forms.
These clauses tend to be very short and to the point, like Pandora's seen here:
If you handle especially sensitive information like medical history or home addresses, you may want to dedicate a separate email address for these questions. That allows for a timely response and better service to your users.
As with websites, remember that Privacy Policies help engender trust between you and your app's users. They give users a sense of security and comfort, knowing that you care about their sensitive information and its security.
Display your Privacy Policy, or a link to it, wherever users are likely to look for it, such as:
- Within the app store listing
- Whenever you ask for permission to use personal data, such as to access photos or a mobile device's microphone
- On an account sign-up and login page
- On a checkout or payment page
- In an About menu or legal page inside your app