Table of Contents
- Why do you need one?
- What Should You Include?
- Sample Privacy Policies
Why do you need one?
There are several reasons why an individual, a company, or an organization might need a privacy policy. Some of the most common reasons include the following:
- App Designers: App stores like Google Play and Apple’s App Store require application developers to attach privacy policies to their applications before the apps are approved for sale. App designers who fail to include these privacy policies risk having their apps suspended from an app store.
- Third-Party Service Providers: There are a variety of third-party services that might require that privacy policies be placed on a company’s website, such as Amazon Associates and Google AdSense.
Keeping your privacy policy compliant in the United States is difficult because there is no specific federal law dictating what privacy policies need to include, and the relevant state laws addressing these policies tend to differ between jurisdictions. Although there are no comprehensive laws in the United States regarding privacy policies, there are various federal and state laws that govern particular situations:
1. The Children’s Online Privacy Protection Act (COPPA) applies to websites that knowingly collect information about or target children under the age of 13. If a website collects such information, it is required by law to post privacy policies and is limited in its ability to share that information.
2. The Gramm-Leach-Bliley Act concerns institutions that are “significantly engaged” in financial activities and requires them to give “clear, conspicuous and accurate statements” regarding information collection and sharing practices.
3. The Health Insurance Portability and Accountability Act, better known as HIPAA, requires that any health care provider give notice in writing of the privacy practices used, especially when health information is shared electronically.
4. The Fair Credit Reporting Act (FCRA) limits the extent to which businesses can gather and disseminate a consumer’s credit reports.
The Commonwealth of Pennsylvania has also enacted laws to curb the use of misleading statements in privacy policies because they constitute fraudulent business practices. Regardless of whether your company is physically located in a state with such laws, if you collect information from that state’s residents, then you must comply with its regulations.
Check out the full list of state laws regarding privacy policies to ensure you are not in violation of any regulation.
For companies engaging in transatlantic commerce, the EU-U.S. Privacy Shield was put in place to ensure they are in compliance with privacy laws in all relevant countries. The privacy shield is a joint program developed by American, European, and Swiss legislative bodies, and enforced by the International Trade Administration.
Laws Outside of the U.S.
If you do business internationally, you must also be aware of the privacy laws in other countries. Unlike those of the United States, the privacy laws of other countries are more unified and extensive. Some of these laws include:
1. Australia: Australia’s federal law on privacy is the Privacy Act of 1988. This act grants individuals a number of protected privacy rights.
The Privacy Act of 1988 applies to government agencies, private organizations in contracts with Australia’s government, and companies that provide medical care.
Information may only be collected if it is relevant to the role of the organization. Australians must also be told how the information in question is used and which parties will see it.
2. Canada: There are various federal privacy laws in Canada that are laid out in Canada’s Personal Information and Electronic Documents Act.
This Act dictates how personal information is disclosed to and used by commercial organizations. The Act also established the Privacy Commission of Canada, an entity tasked with addressing complaints filed against organizations for violations of the Act.
3. The European Union: The European Union’s Data Protection Directive was adopted in 1995 and regulates the processing of personal data within the European Union.
All members of the European Union likewise support the European Convention on Human Rights, which recognizes a right to privacy. European privacy laws must be followed by companies that operate in the European Union as well as by organizations that transfer personal information collected from citizens of the European Union.
What Should You Include?
In order to be compliant with most of the laws above, valid privacy policies must cover the following areas:
- Access: You must inform users or site visitors about how data gathered from the site can be accessed. Users must be given the opportunity to change or delete any information, if they desire to do so.
- Accountability: Privacy policies must describe the steps users can take to correct inaccuracies in their personal information. They should also list contact details for the organization or people responsible for overseeing the policy and its implementation. If a company has a compliance officer or group, it must list the name, email address, phone number, and address of that entity.
- Basic Details: Privacy policies should include the address and contact information for the company, any descriptions of third parties with whom the company shares information (including banks, delivery services, and site hosting companies), and a clear reference of the state in which the business is physically located.
- Cookies: You should state clearly whether the site uses any cookies. A cookie is a small piece of data that is sent from a website and stored on a user’s computer.
- Consent: Privacy policies must inform visitors that their data will not be sold or transferred in any way without first obtaining the prior consent of the user. There must be available options for users to opt out of providing information to third parties.
- Disclosure: Privacy policies must list all the entities that will collect or receive the information that a user provides.
- Effective Date: You must clearly identify the effective dates for revisions or updates to the document itself.
- Links: Privacy policies must inform users that some links on the website will take the user away from the company’s website.
- Mailing List: Companies must disclose whether any information gathered from a site will be given to any mailing lists.
- Notice: Privacy policies must be posted on a company or organization’s website in an easy-to-find location. Many companies choose to utilize a direct link that is located in the footer of their website. This must be readily available to all visitors to the website rather than just to visitors who have already submitted information or had data collected.
- Personal Information: You must indicate what personal information will be gathered by the company’s website and how this information will be used. Personal information includes any data that can be used to identify a specific person, such as their name, address, email, date of birth, or financial and medical records.
- Purpose: You must explain in detail why the company or organization collects certain data from its users. This section must explain why the data is needed and how it will be used.
- Security: You must address the data security concerns of site visitors. The policy must unequivocally state a commitment to safeguarding information provided by users. Privacy policies should also include language emphasizing that the company or organization will make all reasonable efforts to ensure that its security measures are upheld.
Sample Privacy Policies
There are almost as many different types of privacy policies as there are types of companies. Below are 6 sample privacy policies from some of the largest companies on the web:
Example #1. Google
Example #2. Shopify
While Shopify does not include a table of contents like Google, it does use a bullet-point format to make it easy for visitors to scan through the agreement. What’s great about Shopify’s policy is that it clearly addresses the most common questions users have. See the image below for an example:
Example #3. Dropbox
Example #4. Facebook
In 2011, the Federal Trade Commission found that Facebook had deceived its user base by telling individuals that their information was private when in fact the data was used beyond what Facebook had told users. As a result of this decision, Facebook has been required to undergo third-party reviews.
Example #5. Github
Example #6. Snapchat