Privacy Policies are Legally Required
- 2. Privacy Laws in the US
- 2.1. CalOPPA
- 2.1.2. Include a "Do Not Track" Clause
- 3. Privacy Laws in the EU
- 3.1. GDPR
- 4. Privacy Laws in Canada
- 5. Privacy Laws in Australia
- 6. Privacy Laws in the UK
- 7. Privacy Policies Required by Third-party Services
- 7.1. Google Analytics
- 7.2. Google Adsense
- 7.2.1. Additional Requirements for EU Businesses
- 7.2.2. Cookies Consent
- 8.1. Business Name and Contact Details
- 8.2. Types of Personal Data You Collect
- 8.3. Why You Collect Personal Data
- 8.4. How the Data is Used
- 8.5. How You Share Data with Third Parties
- 8.6. How to Opt Out of Data Collection
- 10. Remember
Examples of personal information might include:
- Dates of birth
- Email addresses
- Billing and shipping addresses
- Phone numbers
- Bank details
- Social security numbers
- The types of information collected by the website or app
- The purpose for collecting the data
- Data storage, security and access
- Details of data transfers
- Affiliated websites or organizations (third parties included)
A summary introduction like this is a good way to let readers know what exactly they can expect to find in the rest of the agreement.
Let's take a look at some specific laws and their requirements.
Privacy Laws in the US
CalOPPA is one of the strictest privacy laws in the US. It affects anyone who collects personal information from people residing in California, which means its reach goes far beyond state borders.
CalOPPA's purpose is to provide protection of personal data collected from California residents. While CalOPPA is a state law and not a federal law, it very likely affects your website regardless of where you operate from because of the chance your website will attract California residents.
CalOPPA classifies "personally identifiable information" as:
- First and last names
- Physical addresses
- Email addresses
- Telephone numbers
- Social Security numbers
- Any other contact information shared with a business either physically or online
- Details of physical appearance (height, weight, hair color)
- Any other information stored online that may identify an individual
- Details of exactly what types of personal data are collected through the website or app
- Any affiliated organizations this data may be shared with
- A clear explanation of how users can request amendments to any personal data that is collected
- What happens if a user makes a "Do Not Track" request
- Details of third parties who collect personal data through the website or app
Include a "Do Not Track" Clause
"Do Not Track" - DNT for short - is a setting that can be activated on certain browsers to block behavioral tracking from third-party services like Google Adwords.
Under CalOPPA, it is not mandatory for a website or app to follow a DNT request. However, websites must inform users if their website or app will respond to a DNT request or not.
Here's how Whole Foods lets users know that DNT requests will not be honored and provides a link to additional information about the topic:
If you have to comply with CalOPPA, don't forget this clause.
- Be clearly visible and easily accessible for visitors to your website or users of your app
- Contain the word "privacy" in the display link
Here is an example from Amazon where a Privacy Notice is clearly linked in the website footer:
Privacy Laws in the EU
On May 25, 2018, the General Data Protection Regulation (GDPR) replaced the existing EU Data Protection Directive which had been enforced since 1995.
The EU Data Protection Directive regulated the gathering and handling of personal information in the EU and protected it from misuse.
The GDPR applies to both EU businesses as well as international businesses collecting personal data from users located within the EU.
The GDPR requires that:
- All personal data must be processed in an ethical manner.
- Data should be collected for predetermined reasons only, and the data must be used for these reasons alone.
- Data must be accurate and updated when requested.
- With the exception of specific circumstances, such as scientific research data, the user must be identified only for as long as needed.
- The business collecting data is responsible for monitoring its own adherence to GDPR regulation through the appointment of a Data Protection Officer, if applicable.
- The user must be able to contact the business collecting the data and its Data Protection Officer (if there is one).
- Users must be made aware of the reasons why their data is being gathered and the length of time that it will be stored.
- Users must be advised of their 8 rights under the GDPR including the right to access, update or request removal of their personal data.
- There will be a supervisory body to deal with users' complaints and the contact information for this body must be provided.
- Users must be informed if their data is to be shared with any third parties or affiliated organizations, or if it will be transferred outside of the EU.
- Any other information the user needs to know to ensure fair processing of their personal data.
Here's a good example of how IKEA gets consent to collect personal information. Users must check a box when creating a profile that says they agree to having their personal information saved:
The GDPR represents a big change for data protection. This is true for both EU-based and non-EU businesses that collect personal data from EU citizens.
The enforcement of the GDPR is much stricter than with previous regulations and carries greater penalties for non-compliance.
Privacy Laws in Canada
Privacy Laws in Australia
One of its key features is a list of 13 Privacy Principles that govern the gathering and processing of personal data.
Privacy Laws in the UK
Personal data is protected in the UK by the Data Protection Act (DPA). Like Australia's Privacy Act, the DPA is built around 8 Core Principles of Data Protection, which all companies collecting personal data online in the UK must adhere to:
Privacy Policies Required by Third-party Services
Campaign Monitor's Terms of Service includes this clause covering personal information:
SendPilot discloses all the categories of third-party services that it may use to collect or process user data as follows:
- State that you use Google Analytics to track user behavior
- Explain how data is collected and processed
Here's an example from the footer of the BBC's website:
Here's an example of a cookie banner from the University of Brighton:
The advertising features covered by these additional requirements include:
- Remarketing or retargeting
- Google Display Network Impression Reporting
- Google Analytics Demographics and Interest Reporting
- The Google Analytics Advertising tools that you use, and how and why you use these features.
- A notice that cookies are used by third parties to display relevant advertising to the user.
- Instructions on how users can opt out of the Google Analytics Advertising features through Google's Ad Settings.
- Information on Google's DoubleClick cookies.
- Instructions on how users can opt out of the use of DoubleClick cookies through Google's Ad Settings.
Additional Requirements for EU Businesses
The above points apply to all websites and apps that use Google AdSense. However, there are additional requirements for EU-based companies that use this service.
- The different types of cookies that are used
- Details of any cookies from third parties that may be used
- Why cookies are used and how they are placed on devices
As with other cookie alerts, this is usually done through a pop-up or banner that clearly explains that cookies are in use and directs the user to further information on this matter.
Consent to place cookies must be obtained from the user actively, meaning users must click a button, check a box or take some other action to confirm they consent.
Active consent, also called informed consent, involves requiring the user to confirm consent with a checkbox or an "I agree" button.
Here is an example of active consent for cookies from Wembley that includes a user-friendly explanation of the type of cookie used and why. The blue "I'm Happy With This" button is what distinguishes this type of consent from passive consent.
Passive consent to place cookies on a user's device is no longer allowed. Here is an example of passive consent for cookies from Calvin Klein's website:
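As an added example (not code from this article or from any of the sites it cites), here is a JavaScript consent gate that applies the two rules above: trackers load only after an explicit "I agree" or "Reject" choice, never on a scroll or a dismissed banner, and a browser "Do Not Track" signal counts as a refusal when the site has stated that it honors DNT. The cookie name, the retention period and the `loader` callback are assumptions.

```javascript
// Added example, not code from the original article or from any company it cites.
// A consent gate for tracking cookies: trackers run only after an explicit
// "I agree" click (active consent), and a "Do Not Track" signal is treated as
// a refusal when the site has chosen to honor DNT. Names are assumptions.

const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name
const CONSENT_MAX_AGE_DAYS = 180;        // assumed retention for the choice

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Cookie string written when the user clicks "I agree" or "Reject".
// Only an explicit accept or reject is valid, so a scroll, a dismiss or a
// timeout (passive consent) can never be recorded as consent.
function consentCookieValue(choice) {
  if (choice !== "accepted" && choice !== "rejected") {
    throw new Error("consent must be an explicit accept or reject");
  }
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Decide whether analytics/advertising trackers may load.
// doNotTrack is navigator.doNotTrack or the DNT request header ("1" = do not
// track); honorDnt is the choice the site has published in its privacy policy.
function trackingDecision({ cookies, doNotTrack, honorDnt }) {
  if (honorDnt && doNotTrack === "1") return { allowed: false, reason: "dnt" };
  const consent = cookies[CONSENT_COOKIE];
  if (consent === "accepted") return { allowed: true, reason: "active-consent" };
  if (consent === "rejected") return { allowed: false, reason: "rejected" };
  return { allowed: false, reason: "no-consent" }; // banner still awaits an answer
}

// Run the tracker loader (e.g. the code that injects the analytics script)
// only when the decision allows it; returns whether the loader ran.
function loadTrackersIfAllowed(decision, loader) {
  if (!decision.allowed) return false;
  loader();
  return true;
}
```

In a real page the "I'm Happy With This" button handler would write `consentCookieValue("accepted")` to `document.cookie` and then re-run `trackingDecision`; until that click happens the loader is never invoked.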
Business Name and Contact Details
Here is an example from Whole Foods:
Types of Personal Data You Collect
You are required to disclose the various types of personal data you collect from users both directly and indirectly.
Budweiser provides a nice example:
Note that the clause lists how the data may be collected as well as examples of specifics like email addresses, zip codes and "precise locations." Remember: the more thorough you are, the better.
Why You Collect Personal Data
Privacy laws require you to collect only the personal data you need, and to explain why you need it.
Here's an example from Nestle:
This chart format isn't necessary but it definitely helps with readability and organization. Note that it not only tells users why the information is used, but for what specific reason. It also addresses legitimate interests for using personal data, which helps with GDPR compliance.
How the Data is Used
Here's how Airbnb does this:
How You Share Data with Third Parties
Most websites use one or more third-party tools to enhance site performance and user experience. Examples might include Google Analytics to understand website visitors, or AdSense for personalized advertising.
Take a look at how Instagram does this:
Breaking up the information into paragraphs to address separate types of third-party sharing, like advertising and analytics, is very helpful and makes the information easier to digest.
How to Opt Out of Data Collection
If you have multiple different ways that users can opt out of multiple different things (like email newsletters, text messages, conventional mail, etc.), make sure to include all the ways available.
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.