Privacy Policy Generator

A Privacy Policy is an agreement between you and a user regarding how you'll handle the user's personal data. The Privacy Policy describes the type of data you collect, how you collect it, and if you share any of that personal information with other parties.

Privacy Policy agreements also describe how you protect the collected data and the remedies if there's a security breach, including any notification procedures.

Many Privacy Policies describe how the business stores the collect data and if they use cookies and other tracking technology. Other companies even describe what happens to the data if they go out of business or are acquired by another company.

The general definition of "personal information" includes names, email addresses, street addresses, telephone numbers, and any other data that can be used to identify or contact a user.

Credit card numbers and other payment information, if you run a subscription service, definitely fall under this definition as well.

Canada, the U.K., and Australia, plus most countries around the world, all require a Privacy Policy.

The U.S. does not have a general federal law requiring a Privacy Policy, but the state of California has a law requiring them called CalOPPA.

The U.S. federal laws (COPPA) address children's privacy, so you need to be aware of that if you distribute children's games and apps in the U.S.

You need to be aware of the following laws:

• California Online Privacy Protection Act (CalOPPA).

  Even though the U.S. lacks a federal law regarding privacy policies and protection, California is one of the most populated states and if you do business in the U.S., you most likely have users from California.

  CalOPPA requires a Privacy Policy if you operate a commercial website, online service, or mobile app.

• Children's Online Privacy Protection Act (COPPA).

  COPPA is the only federal law regarding privacy in the U.S. regarding privacy of children.

  So, your product or service is designed for children under 13, you need to take extra caution with data handling. This law is not limited to U.S. companies and also applies to foreign businesses with users from the U.S.

• Personal Information Protection and Electronic Documents Act (PIPEDA).

  A Canadian law relevant only to Canadian companies, it requires online and brick-and-mortar businesses to publish a Privacy Policy if they handle personal information.

  The law defines 'personal information' as names, birthdays, income statistics, race or ethnic origin, employee data and other private data.

• Data Protection Act of 1998 (DPA).

  The U.K. law is only relevant to businesses from the UK.

  Any business that collects, stores, and uses personal information must follow data processing requirements and limit the amount of personal information collected to only what's necessary.

  Email addresses, full names, identifying numbers, and birth dates all fall under personal information.

• Australia Privacy Act of 1998.

  The Australian law generally addresses companies handling personal information.

  Using a list of privacy principles, it describes acceptable data collection, use, and storage policies that are well-covered if you have a Privacy By Design approach in your company. While the law predates mobile apps and many cloud software services, it's interpreted as being applicable to them.

You must be aware of not only local and federal laws in your jurisdiction but also those of where your website, app or service will be available.

Many legal issues occur with companies because they violated the laws of a country where they are not incorporated but perform transactions.

That's not a recommended course of action. Email addresses fall under personal information in current legislation on user data, all which require a Privacy Policy for collecting email addresses.

Also, you open yourself up to liability when you request information without a Privacy Policy because there are no terms stating that's permissible.

Even if it's obvious that your website or app cannot operate without a user's email address, you still need to describe how you use it, store it, and share it in a Privacy Policy.

That's the only way to control or avoid liability.

Options for posting your Privacy Policy include:

• Within your website footer section.

  The browsewrap method means that a user accepts the terms just by using the website or service. This method isn't very reliable to enforce the terms of your Privacy Policy.

  Dropbox follows this approach on its own website footer:

  

• Clickwrap.

  Clickwrap gives users a chance to review the Privacy Policy at signup and accept the agreement through a checkbox.

  Hubspot offers a good example of this approach when creating a new account:

  

• Clickwrap, but with a notice.

  Other companies do not provide a checkbox but give notice of a Privacy Policy and indicate that registering for the service means accepting those terms.

  Box, a file sharing platform, adopted that method:

  

All of these methods meet legal requirements. Your choice will depend on your level of risk adversity.

As a bottom line, the more sensitive information you handle, the more visible you should make your Privacy Policy.

The best way to assure acceptance of the Privacy Policy is through clickwrap as it's the most direct and active approach.

Even with clickwrap, you need to provide a link to the Privacy Policy.

All of the examples above give users a chance to click the link and see privacy practices before they move ahead with accepting the policy.

All Privacy Policies must contain two essential pieces of material:

• A description of the type of information you collect
• The purpose of that collection

If your company practices remarketing and targeted advertisements, that must also be within your Privacy Policy.

Privacy Policies available online take many structures including formal legal agreement, plain language descriptions, and even an FAQ structure.

Dropbox offers a good example of a Privacy Policy in plain language as opposed to unclear legal terms.

The Amazon Privacy Notice not only features plain language but also an easy-to-read FAQ format.

Disclaimers address specific types of liability and are usually present in the Terms and Conditions agreement. Occasionally, a Disclaimer can also be posted as a separate document.

The purpose of a disclaimer is to avoid liability due to a user's misunderstanding.

For example, WebMD has a Disclaimer in its Terms & Conditions agreement indicating that while the WebMD website provides medical information, that does not comprise medical advice.

Users are encouraged to see their health professional regarding symptoms rather than act on what they discover online.

Disclaiming liability is one function of a Privacy Policy but that's not its sole purpose. It also informs and gives notice of the type of personal information collected and how it is used.

Disclaimers exist solely to avoid liability and are not necessarily there to give users details on how data helps their use of the app or service.

A Terms & Conditions Agreement (T&C) explains rules, conditions, and requirements regarding the use of your website or app. The Terms & Conditions addresses items like copyright protection, no tolerance policies against abuse and harassment, and non-payment of subscription fees.

It's not required to have a Terms and Conditions under any laws. However, having a Terms & Conditions will help you enforce any rules and preserve a cause to terminate when a user quits paying fees. It's the only way you can enforce these requirements.

Some Terms & Conditions agreements contain language related to user privacy in their terms, but there's almost always a reference to the main and separate Privacy Policy agreement.

Any time you develop a website and/or app that collects and shares personal information, you cannot rely on the Terms & Conditions agreement alone. You'll likely violate the laws and make it difficult to argue that your privacy statement was conspicuous.

Here's an example of a Terms & Conditions with a brief reference to user privacy and a link to the Privacy Policy is shown here, from Twitter: