Failure to disclose this information on your website can create significant issues for your company with domestic and international laws, in addition to upsetting various watch groups.
2. Why Do You Need One?
- You have/design apps: App stores like Google Play and Apple’s App Store require application developers to have policies placed on applications before the apps are approved for sale. App designers who fail to include these policies can face having their apps suspended from an app store. Privacy policies for mobile apps can be much different from those for websites.
- You use third-party service providers: There are a variety of third-party services that require privacy policies be placed on a company’s website, such as Amazon Associates, Google AdSense, and Google Analytics. Not only are you responsible for ensuring the third-party service providers you employ are appropriately handling data acquired through your site, but you are also obligated to disclose your use of these services to consumers, and how it may affect their data.
- You want to reassure users: A survey conducted by Pew Research Center found that over 90% of Americans value controlling the information that is collected from them. In some situations, a company might not collect or use personal information from site visitors or users, but might still decide to post a policy anyway. These types of policies put users at ease, knowing that their personal information is safe.
Keeping your document compliant in the United States is difficult because there is no specific federal law dictating what a website policy needs to include, and the relevant state laws addressing these policies tend to differ between jurisdictions. Although there are no comprehensive laws in the United States regarding these website documents, there are various federal, state, and international laws that govern particular situations:
1. The General Data Protection Regulation (GDPR) applies to any business that targets consumers in the EU – including businesses located in the United States. Failure to comply with this regulation can result in hefty penalties, with potential infringement fines of up to 20 million euros or 4% of a company’s annual revenue. Under the GDPR, businesses must provide their users with clear, comprehensive privacy policies.
3. The California Online Privacy Protection Act of 2003 (CalOPPA) requires any website that collects personally identifiable information from California consumers to clearly disclose its data collection methods in a policy on its homepage.
5. The Gramm-Leach-Bliley Act concerns institutions that are “significantly engaged” in financial activities and requires them to give “clear, conspicuous and accurate statements” regarding information collection and sharing practices.
6. The Health Insurance Portability and Accountability Act, better known as HIPAA, requires that any health care provider give notice in writing of the privacy practices used, especially when health information is shared electronically.
7. The Fair Credit Reporting Act (FCRA) limits the extent to which businesses can gather and disseminate a consumer’s credit reports.
Companies that participate in affiliate relationships such as the Amazon Associates program are also required to post comprehensive policies that detail their data collection methods and usages.
As previously mentioned, many states have their own laws that mandate that businesses operating within that state, or targeting users located in that state, post privacy policies. For example, Pennsylvania has enacted laws to curb the use of misleading statements in website policies, as they constitute fraudulent business practices. Even if your business is not located in one of the many states with such privacy laws, if you collect information from their residents, then you must comply with their regulations.
Check out the full list of state laws regarding privacy policies to ensure you are not in violation of any regulation.
For companies engaging in transatlantic commerce, the EU-US Privacy Shield was put in place as an agreement between the US and EU to ensure that data is safely transferred between the two. The Shield is a joint program developed by American, European, and Swiss legislative bodies, and enforced by the International Trade Administration. Companies certified under the Shield are deemed to have adequate data protection measures in place to transfer data between the US and EU – a necessary distinction for complying with the GDPR.
Other Laws Outside of the U.S.
If you do business internationally, you must also be aware of the privacy laws in other countries. Unlike in the United States, data protection laws in other countries tend to be more unified and extensive. Here are some laws you may want to be aware of if you do business with any of the following areas:
1. Australia: Australia’s federal law on privacy is the Privacy Act of 1988. This act grants individuals a number of protected rights.
The act applies to government agencies, private organizations in contracts with Australia’s government, and companies that provide medical care.
Information may only be collected if it is relevant to the role of an organization. Australians must also be told how the information in question is used and which parties will see it.
2. Canada: There are various federal privacy laws in Canada that are laid out in Canada’s Personal Information Protection and Electronic Documents Act.
This act dictates how personal information is disclosed to and used by commercial organizations. The act also established the Privacy Commission of Canada, an entity that is tasked with addressing any complaints that are filed against organizations for the violation of the act.
3. The European Union (EU): The aforementioned GDPR is the primary legislation regarding data protection and user privacy in the EU. This regulation outlines a broad set of requirements, including mandating that businesses thoroughly disclose their privacy practices through privacy notices, obtain user consent to those notices before collecting data, and allow users to take control of the data that is collected from them (through requests to view, edit, transfer, or delete their data).
In order to be compliant with most of the previously mentioned laws and regulations, valid policies must cover the following areas:
- Access: You must inform users or site visitors about how data gathered from the site can be accessed. Users must be given the opportunity to change or delete any information, if they desire to do so. Sample text:
To request to review, update, or delete your personal information, please submit a request form by clicking here.
- Accountability: You must include information about the steps that can be taken by users to correct inaccuracies in their personal information. It should also list contact details about the organization or people who are responsible for providing oversight of the policy and its implementation. In the event that a company has a compliance member or group, they must list the name, email address, phone number, and address of this entity. Sample text:
If you have questions or comments about this policy, you may contact our Data Protection Officer (DPO) at: [DPO Contact Information]
- Basic Details: You should include the address and contact information for the company, descriptions of any third parties with whom the company shares information (including banks, delivery services, and site hosting companies), and a clear reference to the state in which the business is physically located.
- Cookies: You should include a clear mention of whether the site includes any cookies. A cookie refers to a small piece of data that is sent from a website and stored on a user’s computer. Sample text:
- Consent: You must inform visitors that their data will not be sold or transferred in any way without first obtaining their consent. There must be options available for users to opt out of providing information to third parties. Sample text:
We only share information with your consent, to comply with laws, to protect your rights, or to fulfill business obligations.
- Disclosure: You must list all the entities that will collect or receive the information that a user provides.
- Effective Date: You must clearly identify the effective dates for revisions or updates to the document itself.
- Links: You must inform users that some of the links on the website may take them away from the company’s website.
- Mailing List: Companies must disclose whether any information gathered from a site will be given to any mailing lists.
- Notice: Your policy must be posted on your company or organization’s website in an easy-to-find location. Many companies choose to utilize a direct link that is located in the footer of their website. This must be readily available to all visitors to the website rather than just to visitors who have already submitted information or had data collected.
- Personal Information: You must indicate what personal information will be gathered by the company’s website and how this information will be used. Personal information includes any data that can be used to identify a specific person, such as their name, address, email, date of birth, or financial and medical records. Sample text:
We collect personal information that you voluntarily provide to us when registering at the [Site], expressing an interest in obtaining information about us or our products and services, when participating in activities on the [Site] (such as posting messages in our online forums or entering competitions, contests or giveaways) or otherwise contacting us.
- Purpose: You must explain in detail why the company or organization collects certain data from its users. This section must explain why the data is needed and how it will be used. Sample text:
We process your information for purposes based on legitimate business interests, the fulfillment of our contract with you, compliance with our legal obligations, and/or your consent.
- Security: You must address the data security concerns of site visitors. The policy must clearly state a commitment to safeguarding information that is provided by its users. You should also include language emphasizing that the company or organization will take all reasonable efforts to ensure that its security measures are upheld. Sample text:
We aim to protect your personal information through a system of organizational and technical security measures.
5. How Can You Make Your Policy User-Friendly?
If you want to make your policy more user-friendly, here are a few steps you can take:
- Implement a table of contents so users can easily navigate your policy
- Make your section headings clear – we recommend using an FAQ format so customers know what section to visit to get their most pressing questions answered
- Add section summaries – give users the tl;dr on each section of your policy so they don’t have to cut through the legal jargon on their own
- Use clear and plain language – loading up your policy with legalese could be harmful to your legal compliance efforts and your customer relations. Instead, use plain language and be as clear as possible.
6. Helpful Examples From Fortune 500s
Example #1 Google
Example #2 Shopify
What’s great about Shopify’s policy is that they clearly address the most common questions that users have in a way that’s easy to navigate and understand. As you can see in the image below, they break down their policy into easily-digestible sections to maximize readability:
Example #3 Facebook
While Facebook’s policy includes numerous pages describing the site’s unique approach towards security, there is a hub page that allows users to both navigate to their most pressing privacy questions and take action with their data and sharing preferences. As you can see below, Facebook’s privacy hub employs a menu which provides FAQs and data controls for users to navigate accordingly:
Example #4 GitHub
The GitHub site links to its “privacy statement” from the footer of its main page. Unlike many sites, GitHub includes a ‘short version’ for users who want a quick overview of the policy.
Example #5 Snapchat