Quick Overview of Privacy Policies
- Dates of birth
- Email addresses
- Postal addresses
- Purchase activity
- IP addresses
- Payment details such as credit or debit card numbers
- Social security or social insurance numbers
Privacy policies also need to include the reasons an organization collects personal information, details about the rights users have over their data and more.
Read on to learn about some of the laws that aim to protect an individual’s data rights.
One of the most well-known data privacy laws is the General Data Protection Regulation (GDPR), enacted in 2018. The European Union (EU) implemented the GDPR to provide internet users rights over their data.
This set of regulations gives users more rights over how and when their data is collected. It also instills a “Privacy by Design” model in which businesses are required to consider users’ data privacy when designing their business practices, systems, and processes.
The GDPR applies to websites and apps that target European Economic Area (EEA) residents — regardless of where the website or app is located. This law has become the blueprint for many other modern data privacy laws.
Another landmark data protection law is the California Consumer Privacy Act (CCPA), which was also enacted in 2018. The CCPA is the first comprehensive data privacy law passed by a US state. It was designed to give users living in the state of California more control over the information that businesses collect on them.
The CCPA is similar to the GDPR but is generally considered to be less restrictive. For example, both laws give users more control over the collection and processing of their data, but the GDPR has stricter rules over cookie use and user consent. You should check out our cool infographic that displays the differences between the CCPA and GDPR.
ePrivacy Directive & Regulation
Before the CCPA and GDPR, the ePrivacy Directive, also known as the EU cookie law, was the main regulator of EU internet privacy. It required websites to obtain user consent before placing non-essential cookies in users’ browsers. The directive is being revised so that it can become the ePrivacy Regulation (ePR), which is intended to work in conjunction with the GDPR. However, the EU Commission hasn’t agreed upon a final text and has postponed the effort indefinitely.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian data privacy law. It provides Canadian internet users with the right to consent to the collection of their data as well as the right to access their information and dispute its accuracy. According to PIPEDA, personal data from individuals may only be used for the purpose for which it was collected.
The fundamental principles of this law are increased accountability, identified purpose for data collection, adequate use of consent, and limits over the collection of sensitive or personal data.
Additionally, it aims to restrict the use, disclosure, and retention of personal information. The data must be safe, accurate, and should allow for individual access. Moreover, individuals must be able to challenge an organization that does not comply.
Fundamentals of Privacy Policies
Privacy policies are based on by-laws established by the U.S. Federal Trade Commission in 1998. Also known as fair information practice principles, or FIPPs, these by-laws note that privacy policies must include five fundamental aspects. They are:
- Notice: Consumers must be notified of an app or website’s practices regarding personal information before the information is collected from them.
- Choice: Consumers should be able to have a choice about personal data collection and use. Examples of this include being able to opt out of certain cookies, set cookie preferences, or decline newsletter subscriptions.
- Enforcement: Enforcement measures on how these principles will be implemented must be clear. Companies must also explain how they will adhere to the aforementioned clauses and how violations of these clauses may be addressed and fixed.
If you want to learn how to write a policy, this section will provide a framework for the essential clauses that are generally included in these documents. Keep in mind that you may need to include additional clauses based on the type of business or organization you’re running.
Section 1: List all of the personal information that you collect
You may need to review your website or app so that you understand how, when, and where user information is collected. An audit of your site will help you identify every place where you collect data.
Section 2: Explain how the personal information collected will be used
Section 3: Address privacy issues concerning children age 13 and younger
Whether your website or app is targeted towards children or not, a clause that addresses child privacy must be included in your privacy statement.
According to the Children’s Online Privacy Protection Act (COPPA), it may be illegal for your website or app to collect data from children age 13 and younger without following COPPA guidelines.
If your app targets adults, then a simple statement in your policy could suffice. But if you target children or teenagers, you likely need more information to comply with COPPA.
Section 4: How personal data is protected
The kind of security measures that you should implement depends on how sensitive the data is and how much of it is collected. Banking and payment information, for instance, is highly sensitive and may require additional protection.
As an example, Visa’s social security number policy and sensitive personal information statement explain how the financial services company safeguards customer information.
Section 5: Do you share data with third parties?
Violating the GDPR’s rules on processing personal data collected through analytics tools can result in a fine of up to 4% of a company’s annual revenue.
Section 7: How users can access and control their data
Section 8: Policy changes
The eighth section of Instagram’s data policy, for example, lets users know it will notify them before changes are made, allowing them to review the changes and decide if they want to keep using the platform and its products.
In addition to the eight sections we just discussed, you may also want to include additional clauses. These could include the following:
- A communications clause. Specify and explain all the ways that your website visitors or app users can contact you. If your website has a chatbox, for example, let your visitors know that contact information includes personal information, like their name and an email address, that will be collected as part of the communication process.
- A business transfer clause. As a preventative measure, it may be a good idea to add a business transfer clause to reduce your liabilities in case you ever decide to sell your company. This lets website visitors and app users know that their personal data may be transferred to a new owner if this happens.
Include a table of contents
Make section headings clear
Use clear and plain language
Use relevant resources
Most companies tend to include a link or button to their legal policies in their website’s footer. You should make sure the font is clear and easy to distinguish from the background.
Final Words