But first, let's take it back to basics.
A Privacy Policy applies to any information collected from website visitors or customers that could be deemed personal and could potentially be used to identify them as individuals. Personal information includes things like:
- First and last names
- Email addresses
- Phone numbers
- Credit card information
- Social Security numbers
- Home and/or business addresses
- Sensitive information (regarding an individual's race, ethnicity, religious beliefs, political opinion, sexual orientation or criminal record)
Consumers have a basic right to be given detailed knowledge of the ways a company intends to use any personal data collected from or about them.
While this has the potential to impact their decision to share certain information, the rise in worldwide online data sharing has created a much more dire need for transparency between consumer and company.
Misuse of consumer personal data can lead to a number of security concerns, such as personal identity theft, banking and financial theft, credit card scams and more. Keeping consumer data safeguarded against risks such as these has become a legal mandate.
Privacy Policies are a great way to protect both your users and your company from any security concerns. They also provide a solid reason for consumers to feel like they can trust your company, which is an essential aspect of online business.
Legal Requirements for Privacy Policies
Privacy Policies are a legal requirement mandated by various laws such as the California Online Privacy Protection Act (CalOPPA) in the USA and the General Data Protection Regulation (GDPR) created by the European Union.
Globally, there is no single legal requirement that protects consumers in every country, but CalOPPA and GDPR have been designed in such a way that they impact businesses and website owners around the world.
CalOPPA applies to everything from websites and Software-as-a-Service (SaaS) applications to mobile applications, Facebook applications and more. Under CalOPPA, your Privacy Policy needs to disclose:
- The kind of personal information you collect from your customers such as contact details to create a user account, shipping addresses if they purchase something, and payment details for processing a purchase.
- Whether you share collected personal information with any other third party like a marketing company, an analytics service, payments processors, or any subsidiaries/affiliates of your company.
- How a user can see the personal information you've collected from them, and how they can edit or delete this information.
- How your company responds to "Do Not Track" requests from browsers.
The General Data Protection Regulation (GDPR) went into effect on the 25th of May, 2018. It was created by the European Union in order to better protect its residents when they divulge their personal data online. The GDPR sets a strong standard for data protection.
The GDPR defines "personal information" broadly and applies it to everything from cookie data and IP addresses to names and credit card information. It's applicable across all of the EU, and to your business if you cater to any EU citizens, regardless of where your business is located.
The GDPR protects various types of personal data, such as:
- First and last names
- Shipping addresses
- Email addresses
- IP addresses
- Biometric data
Your Privacy Policy must also be:
- Easy to access
- Free to access (with no login requirements)
- Written in a way that's clear, transparent and easy for members of the general public to understand
If you don't know where to begin with your policy, check out the below steps to help get you started.
Clause 1: The type of information you collect.
The purpose of this clause is to make it clear to all users and visitors to your website/mobile app the kind of information they're required to give to your site in order to enjoy the full functions you intend to provide.
Clause 2: How you collect the information.
This clause details how a user's data will be collected, such as through the user's use of your website/app, or through direct user input. This information can include a wide number of things, from email addresses, phone numbers and passwords, to billing addresses, credit card information and shipping details.
Here's how LogMeIn discloses this information in a clause:
Clause 3: What you do with the information you collect
It might seem like this clause could be included in the second, but it's important to have a separate paragraph to specify the intended purpose behind collection. What's more, it's important to ensure you write it in detail so there can be no misunderstandings about it.
A great example of this is Trello, which breaks down descriptions of the ways they use customer personal information:
Clause 4: Your Cookies policy
Clause 5: Any third party access to collected information
It's common to integrate various third-party services with your website or app for purposes like social networking (Facebook, Twitter, etc.), marketing and advertising, or data analytics (like Google Analytics).
PayPal goes into a high level of detail about third-party services in their policy, covering all their bases and ensuring they're fully compliant with legislation.
Clause 6: Resolution of disputes
A dispute resolution clause is written to specify how two parties will handle a dispute that comes up between them. This can include you, as the business owner, and your customers and/or users of your website.
Popular ecommerce store, Etsy, includes a link to their third-party dispute resolution service:
Clause 7: Potential transfer of business
In the event that your business is bought by another entity or merges with a separate company, it's important to let your users know what will happen to any data they've given you in the past.
Here's how Amazon covers this topic in a short, informative clause:
Clause 8: Policy changes
Amazon includes the last updated date as well as a link to specifics of what has changed at the very top of its Privacy Notice:
Clause 9: Email marketing and other communications.
Let people know if you'll use their email addresses for communications purposes. Also let people know how they can opt out of this if they want to.
The recipe site, Yummly, includes a paragraph detailing its use of email marketing and communications. The paragraph includes information for opting out of emails.
Clause 10: Child Online Privacy Protection Act (COPPA) compliance.
COPPA is a US law that applies to the collection of data from children under 13 years of age. It came into effect in April 2000, and a clause addressing it is a very important one to include in your policy.
Clause 11: Data retention
Clause 12: Contact information
You can host your Privacy Policy in one of two ways:
- Through your own website, or
- Through a third party that hosts it for you
Any publicly accessible site, like Google, Google Docs or GitHub, acts as a suitable third party for hosting.
There are benefits to doing it this way, but the common school of thought is that it's better to host your policy on your own site. Doing so gives you complete control over it.
Furthermore, you're covering the two most important aspects of hosting a legal agreement online: easy user access and proper association with your company.
Whether you're running a SaaS platform, ecommerce store or simple blogging website, anyone should be able to access and view your policy (and any other legal agreements) without being required to log in or sign up to do so.
You also have to ensure your policy is clearly associated with your company and your website(s). So, when you're drafting your policy, make sure to mention the company name and any affiliated mobile apps and/or product references. That way, even if you do host it on a third-party service, it will be clearly related to your organization and not to the third party.
Most website footers showcase links to legal agreements. It's a conspicuous place that's available on every page of the site, and users know to look here for important links.
You should always:
- Include a link to the policy within the app. The best place to put it is usually in the Settings or Account areas, and you can easily embed it within the app or simply include a link to the outside URL.
From within the app itself, users can navigate through an Options menu to find the Data Policy:
You can also include the URL when a user is about to complete a purchase through your app.
Provide a static way to access the URL at all times through a footer link or menu.