Table of Contents
- Why Do You Need One?
- Are There Any Related Laws?
- What Should You Include?
- Helpful Examples & Samples From Fortune 500s
1. What is a Privacy Notice?
Failure to disclose this information on your website can create significant issues for a company with regulators in the EU, in addition to drawing criticism from privacy watchdog groups. Some companies wrongly believe that because they do not collect information from users, such a policy is not needed.
The website's visitors have no way of knowing this, however, unless the company tells them that their information is not being collected, by way of an easily visible and accessible document.
2. Why Do You Need One?
There are several reasons why an individual, a company, or an organisation might need one. Some of the most common reasons include the following:
In the EU, information can be divided into Personal Data and Sensitive Personal Data. Personal data includes any data that can be used to identify a specific person, such as their name, address, email, or date of birth. Sensitive Personal Data is any information that reveals a person’s race/ethnic origin, political stance, religious beliefs, health, sexual orientation, or genetic makeup.
B. App Designers: App stores like Google Play and Apple's App Store require application developers to attach a privacy policy to their applications before the apps are approved for distribution. App designers who fail to include these policies can have their apps suspended from an app store. Privacy policies for mobile apps can differ substantially from those of websites.
C. Third-Party Service Providers: There are a variety of third-party services that might require that privacy policies be placed on a company’s website, such as Amazon Associates and Google AdSense.
D. Reassure Users: A survey conducted by the Direct Marketing Association found that over 40% of consumers in the UK believe trust in an organisation is the most important factor when deciding whether to share their personal information. A clear privacy notice can go a long way towards building that trust with consumers.
In some situations, a company might not collect or use personal information from site visitors or users, but might still decide to publish a privacy notice anyway. These types of policies put users at ease, knowing that their personal information is safe.
3. Are There Any Related Laws?
In August 2017, the UK government announced that it intends to update its privacy legislation with a new Data Protection Bill. The aim of this new bill is to align the UK's privacy law with the upcoming General Data Protection Regulation (GDPR).
The GDPR is the EU’s newest legal framework for the protection of digital privacy and requires any business that collects data from European citizens — even if it’s not located in the EU — to comply by May 25th, 2018. It harmonises data protection laws of all member countries into a unified set of guidelines.
The key requirements of the GDPR — such as stricter consent guidelines, appointing a data protection officer, and Data Privacy Impact Assessments — will require online businesses to make costly adjustments in their operations. With Brexit on the horizon, the UK wants to ensure that there are no interruptions in the data flow between the UK and the EU. After all, 75% of the UK’s data transfers are done through the EU.
With regards to privacy policies, there are several changes that the new Data Protection Bill and the GDPR will require business owners to make, including:
- Summarising user rights
- Outlining retention of personal information
- Adding contact details of DPO
- Simplifying the legalese
- Describing data transfers
- Providing the legal basis of data collection
To learn more about these requirements and how to comply with the GDPR, visit our GDPR compliance guide.
Laws Outside of the UK
If you do business internationally, you must also be aware of the privacy laws in other countries.
1. The United States: Keeping your document compliant in the United States is difficult because there is no specific federal law dictating what a website policy needs to include, and the relevant state laws addressing these policies differ between jurisdictions.
Although there is no comprehensive federal law in the United States governing these website documents, various federal and state laws govern particular situations:
The Children’s Online Privacy Protection Act (COPPA) applies to websites that knowingly collect information about or target children under the age of 13. If a website collects such information, it is required by law to post privacy policies and is limited in its ability to share that information.
The Gramm-Leach-Bliley Act concerns institutions that are “significantly engaged” in financial activities and requires them to give “clear, conspicuous and accurate statements” regarding information collection and sharing practices.
The Health Insurance Portability and Accountability Act, better known as HIPAA, requires that any health care provider give notice in writing of the privacy practices used, especially when health information is shared electronically.
The Fair Credit Reporting Act (FCRA) limits the extent to which businesses can gather and disseminate a consumer’s credit reports.
Even if your business does not fall under the jurisdiction of the above federal laws, you still might be subject to some state regulations. For example, the California Online Privacy Protection Act of 2003 (CalOPPA) requires any website that collects personally identifiable information from California consumers to clearly disclose its data collection methods in a policy linked from its homepage.
Participants in affiliate programmes such as Amazon Associates are also required to post comprehensive policies that detail their data collection methods and uses.
The Commonwealth of Pennsylvania has also enacted laws to curb the use of misleading statements in website policies, because such statements constitute fraudulent business practices. Regardless of whether your company is located in either of these states, if you collect information from their residents, you must comply with their regulations.
2. Canada: Canada's federal privacy rules for the private sector are laid out in the Personal Information Protection and Electronic Documents Act (PIPEDA).
This Act dictates how personal information is disclosed to and used by commercial organisations. The Act also gives the Privacy Commissioner of Canada the task of addressing complaints filed against organisations for violations of the Act.
3. Australia: Australia’s federal law on privacy is the Privacy Act of 1988. This act grants individuals a number of protected rights.
The act applies to government agencies, private organisations in contracts with Australia’s government, and companies that provide medical care.
Information may only be collected if it is relevant to the role of an organisation. Australians also have the right to know how the information in question is used and which parties will see it.
4. What Should You Include?
In order to be compliant with most of the laws above, valid policies must cover the following areas:
Basic Details: You should include the address and contact information for the company, a description of any third parties with whom the company shares information (including banks, delivery services, and site hosting companies), and a clear statement of the state in which the business is physically located.
Personal Information: You must indicate what personal information will be gathered by the company’s website, how this information will be used, the legal basis for this data collection, and how long you will retain this data. You must explain in detail why the company or organisation collects certain data from its users.
Disclosure: You must list all the entities that will collect or receive the information that a user provides. Additionally, you must also provide the reasoning behind each category of disclosure.
Cookies: You should include a clear mention of whether the site includes any cookies, web beacons, or other tracking technologies. This section should outline the types of cookies you use and what they are used for.
Security: You must address the data security concerns of site visitors. The policy must state unequivocally the company's commitment to safeguarding information provided by its users. You should also include language stating that the company or organisation will take all reasonable steps to ensure that its security measures are upheld.
Consent: You must inform visitors that their data will not be sold or transferred in any way without first obtaining the prior consent of the user. There must be available options for users to opt out of providing information to third parties. Depending on whether you collect personal or sensitive personal data, you may be required to get explicit consent before you can process user information.
User Rights: You must inform users and site visitors of their rights under the GDPR and the processes they can take to exercise these rights. These rights include:
- The right to be informed: it must be clear to users how their data is processed
- The right to access: users can access the information collected from them
- The right of rectification: users have the right to fix inaccurate or incomplete data collected from them
- The right to erasure: users have the right to request that their data be deleted
- The right to restrict: users must have the option to block the processing of certain pieces of data
- The right to data portability: users have the right to object to the collecting of their data
Accountability: You must include information about the steps users can take to correct inaccuracies in their personal information. The policy should also list contact details for the organisation or people responsible for overseeing the policy and its implementation. If the company has a compliance officer or team, list the name, email address, phone number, and postal address of that person or group.
DPO Contact Details: If your business is required to appoint a data protection officer under the GDPR, make sure you include their name and contact details.
Effective Date: You must clearly identify the effective dates for revisions or updates to the document itself.
5. Helpful Examples & Samples From Fortune 500s
There are almost as many different types of privacy documents as there are types of companies. Below are six example privacy policies from some of the largest companies on the web:
Example #1. Google
Example #2. Shopify
While Shopify does not include a table of contents like Google, it does use a bullet-point format that makes it easy for visitors to scan through the agreement. What is notable about Shopify's policy is that it clearly addresses the most common questions that users have. See the image below for an example:
Example #3. Dropbox
Example #4. Facebook
In 2011, the Federal Trade Commission found that Facebook had deceived its users by telling them that their information was private when in fact the data was shared beyond what Facebook had disclosed to users. As a result of this decision, Facebook has been required to undergo third-party privacy audits.
Example #5. GitHub
The GitHub site links to its "privacy statement" from the footer of its main page. GitHub's policy explains that users can opt out of providing their email addresses and that GitHub will only use email addresses to send information relevant to the site's purpose. Unlike other sites, GitHub includes a "short version" for users who want a quick overview of the policy.
Example #6. Snapchat
What separates Snapchat’s policy from others is that it includes an entire section on the various actions that users can take to protect their data, including revoking permissions, removing advertising preferences, and changing personal information. See the sample below: