But why are you required to do so, and which specific laws require this?
In this article, we'll take a closer look at why Privacy Policies are required by law. We will look at various privacy laws within the US and around the world.
Before we do that, let's quickly review what Privacy Policies are and why you need them.
- 1. What Are Privacy Policies?
- 1.1. Privacy Policies in the United States
- 1.2. Privacy Policies in the European Union
- 1.3. Privacy Policies in Canada
- 1.4. Privacy Policies in Australia
- 1.5. Privacy Policies in the United Kingdom
- 2. Privacy Policies Required by Third Parties
- 2.1. Google Analytics
- 2.2. Google AdSense
- 2.3. Apple App Store
- 2.4. Google Play
What Are Privacy Policies?
Privacy Policies are required by law because in collecting personal information from your visitors, users, customers, and clients, you assume responsibility for protecting their privacy.
But what kind of information is protected by law and what are your legal obligations?
Personally identifiable information is data that can identify a person, such as a government ID number, email address, phone number or billing details.
Privacy Policies in the United States
Let's look at a few of them.
- Gramm-Leach-Bliley Act - Institutions engaged in the financial sector are required by this act to provide accurate and clear statements about how they share information.
- Health Insurance Portability and Accountability Act (HIPAA) - The rules of this act require health care service providers to give notice in writing of their privacy practices.
These laws regulate what information businesses must disclose in their Privacy Policies.
- What information you collect and how it's collected
- The measures you take to protect that information
- How you use the information you collect
- Whether you share that information with any third parties and if so, what you share and with which third parties
- The consumers' rights regarding their personal data
According to the FTC's guidelines, a Privacy Policy should be written in easy-to-understand language and not in confusing legalese.
Privacy Policies in the European Union
In January of 2012, the European Commission unveiled a draft of the European General Data Protection Regulation (GDPR) that supersedes the original Data Protection Directive. Its main purpose is to strengthen and unify the processes involving data collected from individuals within the European Union.
The GDPR became enforceable on May 25, 2018.
The Organization for Economic Cooperation and Development (OECD) issued guidelines for protecting consumers' personal data, which includes notifying users when their data is being collected, collecting data only for the stated purpose, not disclosing the data without the user's consent, and other ways to protect consumers.
Privacy Policies in Canada
The federal privacy law in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). Its main purpose is to govern the collection, use and disclosure of personal information collected from Canadian citizens.
By complying with the law, businesses agree to collect, use, and disclose the amount of information that a reasonable person would consider to be appropriate.
What this means is that PIPEDA requires companies to get their users' consent before they can collect, use, or disclose their personal information. Whatever information they do collect can only be used for the stated purposes it was collected for.
PIPEDA applies to businesses conducting commercial activities, including online transactions and selling services and membership plans.
What's more, PIPEDA authorizes the Privacy Commissioner of Canada to handle any complaints that anyone (an individual, institution, or business) files against organizations that fail to comply with the act.
Privacy Policies in Australia
The Privacy Act lays out several different privacy rights that govern what information is being collected, why it's being collected, how it will be stored, and with whom it can be disclosed.
According to the Privacy Act, only information that is relevant to the company's functions can be collected from consumers. When that information is collected, Australians have the right to know why it's being collected and who will see it.
Entities that are responsible for storing the information must ensure it isn't lost or exploited. Additionally, Australians are given the right to access their personal information unless it's specifically prohibited by law.
Altogether, Australia's Privacy Act contains 13 principles pertaining to user privacy that detail how covered organizations (organizations with an annual gross income of over $3 million) are required to handle personal information.
Privacy Policies in the United Kingdom
The Data Protection Act is a United Kingdom Act of Parliament designed to protect users' personal data whether it's stored on computers or paper filing systems. It follows closely in line with the European Union's Data Protection Directive.
The Data Protection Act comprises eight data protection principles:
- Personal data is processed fairly and lawfully.
- It is only obtained for specified, lawful purposes.
- The data is adequate, relevant, and not excessive for the purpose for which it was collected.
- The data is accurate and up to date.
- The data will not be kept for longer than is necessary.
- Personal data is processed in compliance with the rights of the users.
- Appropriate measures are taken against unlawful data processing.
- The personal data cannot be transferred to a country outside the European Economic Area unless that country guarantees an adequate level of protection of personal data.
Privacy Policies Required by Third Parties
Google Analytics
It goes on to explain the different provisions your Policy should include, such as notifying visitors that you're using cookies to collect data and that you're using Google Analytics, which collects and processes data on its own.
You're also required to provide clear information about how cookies and other information are stored and accessed on user devices in cases where the activity is related to the services offered by Google Analytics.
Furthermore, your visitors must give consent to let you store and access these cookies.
Google AdSense
- Device-specific information
- Location information
- Information stored on, accessed on, or collected from users' devices in relation to AdSense
In addition to this, Google also gives you the responsibility of making sure your visitors give consent to the storing and accessing of all of the above-mentioned data.
Apple App Store
It also states that your app can only use the collected information for the purposes you stated at the time of securing the user's consent. Also, if you're storing any of the information that you collect through your app, you must store it securely and only for as long as you need it.
If your website/mobile app collects personal information from users, you need to be aware of: