- You should always handle data safely
Secondly, from a safety perspective, personal or sensitive data must be encrypted during transmission. You can only transmit it over secure connections, such as HTTPS.
When it comes to data, you should:
- Always encrypt the data you handle
- Transmit it securely
- Handle as little information as possible to minimize what you're transmitting
- 1. Personal Data Explained
- 2. What it Means to Handle Data
- 3. Consequences if You Don't Comply
- 4. If You Don't Handle Personal Data
- 5.1. Statement of Data Collection
- 5.2. Types of Data Collected
- 5.3. Purpose of Data Collection
- 5.4. Your Data Sharing Policies
- 5.5. User Rights
- 5.6. Contact Details
- 6. Additional Global Privacy Requirements
- 6.1. The GDPR
- 6.2. The CCPA
- 6.3. NY SHIELD
- 8. Takeaway
Personal Data Explained
When Google refers to "personal data," it's referring to any information that you can use to identify someone. Here are some examples:
- Birth names or account names
- Telephone number
- Email or home address
- Identification numbers e.g. passport numbers
- Bank account details
- Login credentials
What it Means to Handle Data
You handle data if you use, share, collect or transmit it in any way. Google offers a few examples to illustrate what this means in practice:
So, this could mean:
- A user supplying login details to access the extension
- Collecting details on the websites that a user visits while running your extension
- Gathering payment information
Consequences if You Don't Comply
If you don't comply with the Terms, Google can terminate your account and remove your extensions from the Web Store immediately. They don't need to tell you first.
If You Don't Handle Personal Data
Sure you don't handle any sensitive or personal data? Then you should explain this to your users. Otherwise, they might assume you do collect their data and just haven't disclosed it.
So, all you need is a simple clause telling people you don't handle their data.
Here's an example from the Global Drug Reference Online. It doesn't collect data unless someone voluntarily provides it:
- Confirmation of personal data handling
- The type of data you handle, and why you need it
- Data sharing policies and security
- What rights users have over the data you handle
- Your contact details
Statement of Data Collection
First, state that you handle personal or sensitive data. Like Snap, you only need a few lines confirming this. Just make sure you post this statement at the start of your Policy, and that it's easy to understand:
Types of Data Collected
Next, set out what personal data or sensitive information you collect. The goal is striking a balance between being too broad and too restrictive.
Here's an example from Screencastify that makes it quite clear what kind of data the company handles:
This example from Markd LTD uses broader language, noting right at the beginning of the clause that the company may collect some or all of a list of information types:
Purpose of Data Collection
Users have a right to know why you need the data you collect. This is true for all privacy laws around the world. So, set out explicitly why you're collecting certain information.
Again, note how Screencastify finds a balance between too vague and too restrictive:
Here's an example from Snap that sets out a clear and detailed list of how personal data is used and why it is collected. This way, users know exactly what they can expect when they share their data.
What you'll also note is that, again, it's sufficiently broad for Snap to use the data for some purposes not specifically set out in the clause:
Your Data Sharing Policies
Here's how Screencastify sets this out:
It's especially important to declare if you sell the data, since you need permission to do this. You can also state if you don't sell data, like Screencastify. But if you change your policy on this, you need to update the document to reflect this and notify users.
Furthermore, you must specify how you protect data as it's transmitted to a third party.
Here's an example from Markd LTD:
Snap has a good example for this:
Screencastify titles this clause "Your Rights" to make it very clear what the clause is about:
You need to give people the chance to contact you if they want to discuss your Policy. The easiest way to do this is to include a clause with your contact details clearly set out.
There's no rule as to where you should put the contact details, but people often expect to find these details at the end of the document.
Here's an example from Weava:
It's best to provide as many different ways as possible for users to contact you, including an email address, a mailing address and a phone number if you have one to provide.
Additional Global Privacy Requirements
Let's run over them briefly.
As one of the strictest privacy laws in the world, the GDPR places additional requirements on you if you're processing data from EU residents. One of them is to disclose the rights that your EU users have.
Screencastify sets these rights out in a clause dedicated to EU residents. This is a good approach because then it's easy for EU residents to scroll straight to this clause:
Under the CCPA, someone can ask for one free copy of the data you hold on them per year. You're obliged to give them this.
Here's an example from Tim Hortons:
Collecting personal data from New York residents means implementing what's known as a data security program. Basically, this is just:
- Ensuring you have sufficient cybersecurity and safeguards in place to keep data safe
- Limiting employee access to personal data
- Creating a cybersecurity policy for your business and ensuring your team understands it
Here's an example from Rogue Fitness:
You'll see there's also a caveat to explain the company doesn't guarantee perfect security at all times. You should always include a disclaimer like this to protect your interests, because downtime is inevitable and you can't guarantee 100% safety.
It's best to put the link under the "Developer" heading in the "Additional Information" column. It's easy for people to find it there.
Here's an example from Bitmoji:
In some cases, you'll also need what's called a "prominent disclosure."
A prominent disclosure basically draws attention to the type of data you handle and what you use it for. You only need this if it's not obvious from the product page how you handle personal data.
An example makes this clearer, so let's stick with an app like Bitmoji. It collects personal data to let users send Bitmojis in Gmail. But if the developer decides to use the user's details for marketing purposes, they can't do this without posting a prominent disclosure.
- Post it somewhere obvious so the person sees it before they agree to anything
- Use a checkbox to get consent
- Place the disclosure in the product interface rather than just the Web Store description
Personal data is essentially anything you can use to identify a single individual. You handle it if you collect, use, transmit, or share it in any way at all.
- What data you collect, why you need it, and how it's used
- Who you share it with
- How people can contact you
- What rights people have around their personal data
- How you secure the data when it's in your possession
And finally, remember that, depending on your jurisdiction, you might need to comply with other privacy laws such as the GDPR and the CCPA.