Failure to disclose this information on your website can create significant issues for your company with domestic and international laws, in addition to upsetting various watch groups.
3. Why Do You Need One?
- You have/design apps: App stores like Google Play and Apple’s App Store require application developers to have policies in place on their applications before the apps are approved for sale. App designers who fail to include these policies risk having their apps suspended from an app store. Privacy policies for mobile apps can differ considerably from those of websites.
- You use third-party service providers: There are a variety of third-party services that require privacy policies be placed on a company’s website, such as Amazon Associates, Google AdSense, and Google Analytics. Not only are you responsible for ensuring the third-party service providers you employ are appropriately handling data acquired through your site, but you are also obligated to disclose your use of these services to consumers, and how it may affect their data.
- You want to reassure users: A survey conducted by Pew Research Center found that over 90% of Americans value controlling the information that is collected from them. In some situations, a company might not collect or use personal information from site visitors or users, but might still decide to post a policy anyway. These types of policies put users at ease, knowing that their personal information is safe.
Keeping your document compliant in the United States is difficult because there is no specific federal law dictating what a website policy needs to include, and the relevant state laws addressing these policies tend to differ between jurisdictions. Although there are no comprehensive laws in the United States regarding these website documents, there are various federal, state, and international laws that govern particular situations:
1. The General Data Protection Regulation (GDPR) applies to any business that targets consumers in the EU – including businesses located in the United States. Failure to comply with this regulation can result in steep penalties, with potential infringement fines of up to 20 million euros or 4% of a company’s annual revenue. Under the GDPR, businesses must provide their users with clear, comprehensive privacy policies.
3. The California Online Privacy Protection Act of 2003 (CalOPPA) requires any website that collects personally identifiable information from California consumers to clearly disclose its data collection methods in a policy on its homepage.
5. The Gramm-Leach-Bliley Act concerns institutions that are “significantly engaged” in financial activities and requires them to give “clear, conspicuous and accurate statements” regarding information collection and sharing practices.
6. The Health Insurance Portability and Accountability Act, better known as HIPAA, requires that any health care provider give notice in writing of the privacy practices used, especially when health information is shared electronically.
7. The Fair Credit Reporting Act (FCRA) limits the extent to which businesses can gather and disseminate a consumer’s credit reports.
Companies that participate in affiliate relationships such as the Amazon Associates program are also required to post comprehensive policies that detail their data collection methods and usages.
As previously mentioned, many states have their own laws that mandate that businesses operating within that state, or targeting users located in that state, post privacy policies. For example, Pennsylvania has enacted laws to curb the use of misleading statements in website policies, as they constitute fraudulent business practices. Even if your business is not located in one of the many states with such privacy laws, if you collect information from their residents, then you must comply with their regulations.
Check out the full list of state laws regarding privacy policies to ensure you are not in violation of any regulation.
For companies engaging in transatlantic commerce, the EU-US Privacy Shield was put in place as an agreement between the US and EU to ensure that data is safely transferred between the two. The Shield is a joint program developed by American, European, and Swiss legislative bodies, and enforced by the International Trade Administration. Companies certified under the Shield are deemed to have adequate data protection measures in place to transfer data between the US and EU – a status a company needs to be able to claim in order to comply with the GDPR.
Other Laws Outside of the U.S.
If you do business internationally, you must also be aware of the privacy laws in other countries. Unlike the United States, data protection laws in other countries are more unified and extensive. Here are some laws you may want to be aware of if you do business with any of the following areas:
1. Australia: Australia’s federal law on privacy is the Privacy Act of 1988. This act grants individuals a number of protected rights.
The act applies to government agencies, private organizations in contracts with Australia’s government, and companies that provide medical care.
Information is only permitted to be collected if it is relevant to the role of an organization. Australians also have the right to know how the information in question is used and which parties will see the information.
2. Canada: There are various federal privacy laws in Canada that are laid out in Canada’s Personal Information and Electronic Documents Act.
This act dictates how personal information is disclosed to and used by commercial organizations. The act also established the Privacy Commission of Canada, an entity tasked with addressing any complaints filed against organizations for violating the act.
3. The European Union (EU): The aforementioned GDPR is the primary legislation regarding data protection and user privacy in the EU. This regulation outlines a broad set of requirements, including mandating that businesses thoroughly disclose their privacy practices through privacy notices, obtain user consent to those notices before collecting data, and allow users to take control of the data that is collected from them (through requests to view, edit, transfer, or delete their data).
5. Helpful Examples From Fortune 500s
Example #1 Google
Example #2 Shopify
What’s great about Shopify’s policy is that it clearly addresses the most common questions that users have in a way that’s easy to navigate and understand. As you can see in the image below, Shopify breaks its policy down into easily digestible sections to maximize readability:
Example #3 Facebook
While Facebook’s policy includes numerous pages describing the site’s unique approach towards security, there is a hub page that allows users to both navigate to their most pressing privacy questions and take action on their data and sharing preferences. As you can see below, Facebook’s privacy hub employs a menu that provides FAQs and data controls for users to navigate accordingly:
Example #4 GitHub
The GitHub site links to its “privacy statement” from the footer of its main page. Unlike many sites, GitHub includes a “short version” for users who want a quick overview of the policy.
Example #5 Snapchat
6. Final Thoughts