Table of Contents
- Why do you need one?
- Are there any related laws?
- What Should You Include?
- Helpful Examples & Samples From Fortune 500s
Failure to disclose this information on your website can create significant issues for a company with state and federal regulators, in addition to upsetting various watch groups. Some companies falsely believe that simply because the company does not collect information from users, this policy is not needed. The website’s visitors will not be aware of this, however, unless the company informs them that their information is not being collected by way of an easily visible and accessible document.
2. Why Do You Need One?
There are several reasons why an individual, a company, or an organization might need one. Some of the most common reasons include the following:
- App Designers: App stores like Google Play and Apple’s App Store require application developers to have policies in place before the apps are approved for sale. App designers who fail to include these policies can have their apps suspended from an app store. Privacy policies for mobile apps can differ considerably from those of websites.
- Third-Party Service Providers: There are a variety of third-party services that might require that privacy policies be placed on a company’s website, such as Amazon Associates and Google AdSense.
- Reassure Users: A survey conducted by Pew Research Center found that over 90% of Americans value controlling the information that is collected from them. In some situations, a company might not collect or use personal information from site visitors or users, but might still decide to post a policy anyway. Such a policy puts users at ease by telling them explicitly that their personal information is not being collected.
3. Are There Any Related Laws?
Keeping your document compliant in the United States is difficult because there is no specific federal law dictating what a website policy needs to include, and the relevant state laws addressing these policies tend to differ between jurisdictions. Although there are no comprehensive laws in the United States regarding these website documents, there are various federal and state laws that govern particular situations:
1. The Children’s Online Privacy Protection Act (COPPA) applies to websites that knowingly collect information about or target children under the age of 13. If a website collects such information, it is required by law to post privacy policies and is limited in its ability to share that information.
2. The Gramm-Leach-Bliley Act concerns institutions that are “significantly engaged” in financial activities and requires them to give “clear, conspicuous and accurate statements” regarding information collection and sharing practices.
3. The Health Insurance Portability and Accountability Act, better known as HIPAA, requires that any health care provider give notice in writing of the privacy practices used, especially when health information is shared electronically.
4. The Fair Credit Reporting Act (FCRA) limits the extent to which businesses can gather and disseminate a consumer’s credit reports.
Even if your business does not fall under the jurisdiction of the above federal laws, you still might be subject to some state regulations. For example, the California Online Privacy Protection Act of 2003 (CalOPPA) requires any website that collects personally identifiable information from California consumers to clearly disclose its data collection methods in a policy on its homepage.
The Commonwealth of Pennsylvania has also enacted laws to curb the use of misleading statements in website policies because they constitute fraudulent business practices. Regardless of whether your company is located in either of these states, if you collect information from their residents, then you must comply with their regulations.
Check out the full list of state laws regarding privacy policies to ensure you are not in violation of any regulation.
For companies engaging in transatlantic commerce, the EU-U.S. Privacy Shield was put in place to ensure they are in compliance with privacy laws in all relevant countries. The shield is a joint program developed by American, European, and Swiss legislative bodies, and enforced by the International Trade Administration.
Laws Outside of the U.S.
If you do business internationally, you must also be aware of the privacy laws in other countries. Unlike the United States, data protection laws in other countries are more unified and extensive. Some of these laws include:
1. Australia: Australia’s federal law on privacy is the Privacy Act of 1988. This act grants individuals a number of protected rights.
The act applies to government agencies, private organizations in contracts with Australia’s government, and companies that provide medical care.
Information may only be collected if it is relevant to the role of the organization. Australians must also be told how the information in question is used and which parties will see it.
2. Canada: There are various federal privacy laws in Canada that are laid out in Canada’s Personal Information and Electronic Documents Act.
This Act dictates how personal information is disclosed to and used by commercial organizations. The act also established the Privacy Commission of Canada, an entity that is tasked with addressing any complaints that are filed against organizations for the violation of the act.
3. The European Union: The European Union’s Data Protection Directive was adopted in 1995 and regulates the processing of personal data within the European Union. However, since then the EU has harmonized its data protection laws with the passing of the General Data Protection Regulation (GDPR). If your business collects data from European citizens, even if you are not located in the EU, you must comply with the new regulation by May 25th, 2018.
All members of the European Union similarly support the European Convention on Human Rights, which recognizes a right for one’s privacy. European laws must be followed by companies that operate in the European Union as well as organizations that transfer personal information collected from citizens of the European Union.
4. What Should You Include?
In order to be compliant with most of the laws above, valid policies must cover the following areas:
- Access: You must inform users or site visitors about how data gathered from the site can be accessed. Users must be given the opportunity to change or delete any information, if they desire to do so.
- Accountability: You must include information about the steps that can be taken by users to correct inaccuracies in their personal information. It should also list contact details about the organization or people who are responsible for providing oversight of the policy and its implementation. In the event that a company has a compliance member or group, they must list the name, email address, phone number, and address of this entity.
- Basic Details: You should include the address and contact information for the company, any descriptions of third parties with whom the company shares information (including banks, delivery services, and site hosting companies), and a clear reference of the state in which the business is physically located.
- Cookies: You should include a clear statement of whether the site uses any cookies. A cookie is a small piece of data that is sent from a website and stored by the browser on a user’s computer.
- Consent: You must inform visitors that their data will not be sold or transferred in any way without first obtaining the prior consent of the user. There must be available options for users to opt out of providing information to third parties.
- Disclosure: You must list all the entities that will collect or receive the information that a user provides.
- Effective Date: You must clearly identify the effective dates for revisions or updates to the document itself.
- Links: You must inform users that some of the pages on the website will likely take the user away from the company’s website.
- Mailing List: Companies must disclose whether any information gathered from a site will be given to any mailing lists.
- Notice: The policy must be posted on the company or organization’s website in an easy-to-find location. Many companies choose to use a direct link in the footer of their website. The policy must be readily available to all visitors to the website, not just to visitors who have already submitted information or had data collected.
- Personal Information: You must indicate what personal information will be gathered by the company’s website and how this information will be used. Personal information includes any data that can be used to identify a specific person, such as their name, address, email, date of birth, or financial and medical records.
- Purpose: You must explain in detail why the company or organization collects certain data from its users. This section must explain why the data is needed and how it will be used.
- Security: You must address the data security concerns of site visitors. The policy must clearly state the company’s commitment to safeguarding information that is provided by its users. You should also include language stating that the company or organization will take all reasonable efforts to ensure that its security measures are upheld.
5. Helpful Examples & Samples From Fortune 500s
There are almost as many different types of privacy documents as there are types of companies. Below are six privacy policy examples from some of the largest companies on the web:
Example #1. Google
Example #2. Shopify
While Shopify does not include a table of contents as Google does, it does use a bullet point format that makes it easy for visitors to scan through the agreement. What’s great about Shopify’s policy is that it clearly addresses the most common questions that users have. See the image below for an example:
Example #3. Dropbox
Example #4. Facebook
In 2011, the Federal Trade Commission found that Facebook had deceived its user base by telling individuals that their information was private when in actuality the data was used beyond what Facebook had told users. As a result of this decision, Facebook has been required to undergo third-party reviews.
Example #5. GitHub
The GitHub site links to its “privacy statement” from the footer of its main page. GitHub’s policy explains that users can opt out of providing their email addresses and that GitHub will only use the email addresses to send information that is relevant to the site’s purpose. Unlike other sites, GitHub includes a ‘short version’ for users who want a quick overview of the policy.
Example #6. Snapchat
What separates Snapchat’s policy from others is that it includes an entire section on the various actions that users can take to protect their data, including revoking permissions, removing advertising preferences, and changing personal information. See the sample below: