A Privacy Policy is a legal document where you specify if you collect personal data from your users, what kind of personal data you collect, what you do with that data, and other important information about your privacy practices.
In this article we'll discuss a few of the laws that require Privacy Policies, as well as what content you'll need to put in a Privacy Policy when creating one.
A Privacy Policy is required by law if you collect personal data. Personal data is any kind of data or information that can be considered personal (identifies an individual), such as:
- Email address
- First and last name
- Billing and shipping address
- Credit card information
What is a Privacy Policy
A Privacy Policy is a legal statement that specifies what the business owner does with the personal data collected from users, along with how the data is processed and for what purposes.
In 1968, Council of Europe did studies on the threat of the Internet expansion as they were concerned with the effects of technology on human rights. This lead to the development of policies that were to be developed to protect personal data.
This marks the start of what we know now as a "Privacy Policy." While the name "Privacy Policy" refers to the legal agreement, the concept of privacy and protecting user data is closely related.
This agreement can also be known under these names:
- Privacy Statement
- Privacy Notice
- Privacy Information
- Privacy Page
A Privacy Policy can be used for both your website and mobile app if it's adapted to include the platforms your business operates on.
The requirements for Privacy Policies may differ from one country to another depending on the legislation. However, most privacy laws identify the following critical points that a business must comply with when dealing with personal data:
- Notice - Data collectors must clearly disclose what they are doing with the personal information from users before collecting it.
- Choice - The companies collecting the data must respect the choices of users on what information they choose to provide.
- Access - Users should be able to view, update or request the removal of personal data collected by the company.
- Security - Companies are entirely responsible for the accuracy and security (keeping it properly away from unauthorized eyes and hands) of the collected personal information.
Who Needs a Privacy Policy
Any entity (company or individual) that collects or uses personal information from users will need a Privacy Policy.
A Privacy Policy is required regardless of the type of platform your business operates on or what kind of industry you are in:
- Websites
- WordPress blogs, or any other platforms: Joomla!, Drupal etc.
- Ecommerce stores
- PMobile apps - Not having a Privacy Policy can be a reason for rejection of your app from app stores. For example, a Privacy Policy is required for all iOS apps.
- Facebook apps - Facebook requires all pages, groups and events that collect user data to have a Privacy Policy
- Desktop apps
- All SaaS apps must have a Privacy Policy
- Digital products
- If you use Google AdSense, you need a Privacy Policy
The Basics of a Privacy Policy
In the EU, the GDPR requires companies dealing with EU citizens to have a Privacy Policy.
This law became enforceable in early 2018 and has affected businesses around the world. Not only does it require a Privacy Policy, but it has requirements for what must go into a Privacy Policy and how it must be written and displayed.
As a general rule, if you're compliant with Privacy Policy requirements of the GDPR, you'll by default end up complying with most other privacy laws around the world. That's because the GDPR is so robust and comes with stringent requirements.
In the U.S., privacy legislation varies from one state to another. Certain federal laws govern users' data in some circumstances.
Here are some examples of privacy laws in the U.S.:
- The Gramm-Leach-Bliley Act - This act obliges organizations to offer clear and accurate statements about their information collecting practices and it also limits usage and sharing of financial data.
- Children's Online Privacy Protection Act (COPPA) - This act is especially for businesses that collect information about children under 13 years of age.
- Health Insurance Portability and Accountability Act (HIPAA) - This act applies to online health services as well.
- California Online Privacy Protection Act (CalOPPA) - This privacy law affects anyone collecting personal information from residents of California.
- Student Online Personal Information Protection Act (SOPIPA) - This act applies if you collect personal data from students.
- Content Eraser law - This law applies if you collect data from minors (under the age of 18).
Note that there are a number of other privacy laws in the United States, so become familiar with the laws in your particular state and the state/s in which you do business.
What to Include in your Privacy Policy
Users need to know exactly what kinds of personal data you collect from them.
Your Privacy Policy must also disclose why you collect this kind of data. Some common examples of uses of data include:
- To help develop new services or improve your existing services
- To send users emails about special offers, new services or other information they may be interested in
- To personalize their sessions on your website in order to better fit their interests, such as offering them relevant, individually tailored content
Here are a few examples of common sections of a Privacy Policy:
- The Information Collection and Use section is the most important section of the entire agreement where you need to inform users what kind of personal information you collect and how you are using that information.
The intro also specifies four main reasons why the company collects personal information:
- A Log Data disclosure section should inform users that certain data are collected automatically from the web browser users are using and through the web server you're using: IP addresses, browser types (Firefox, Chrome etc.), browser versions and various pages that users are visiting.
- A Cookies disclosure should inform users that you may store cookies on their computers when they visit your website. This applies even if you use Google Analytics (which would store cookies) or any other third party that would store cookies.
- A Links to Other Sites section should disclose that your website may link to other websites outside your control or ownership, i.e. linking to a news website, and that users are advised to read the Privacy Policies of each website they visit.
- A Do Not Track clause.
- A Security disclosure in the policy can give users assurance that their personal data is well protected, but you may also want to note that no method is 100% secure.
Here's a list of questions that can guide you when drafting your own Privacy Policy:
- What kind of personal information do you collect?
- What kind of personal information is collected automatically, e.g. via the web server (Apache, nginx etc.)?
- What kind of third parties are collecting personal information from your users?
- How are you using that personal information?
- Do you send promotional emails (newsletters)? If yes, can users opt-out? If so, how?
If you already have a Privacy Policy for your website and you're now launching a mobile app, you need to first consider what new types of personal data you'll be collecting through the mobile app. Then, update your agreement to include the new changes: what you collect from the website and from the mobile app.
You should always inform users about any updates or changes to your Privacy Policy.
Disclose if any third parties are involved in collecting personal information in your name, i.e. you use MailChimp to collect email addresses to send weekly updates to your members.
How to enforce a Privacy Policy
Always use the clickwrap method to get your users to agree to your terms.