You know your business. Whether it be baking donuts, creating software, or breeding hedgehogs, you are the end-all expert in that field. What you may not know are the legal intricacies of managing your business online.
- 2.1. Types of Information Collected
- 2.2. How Information Is Collected and Used
- 2.3. A Cookies Clause
- 2.4. Children Under 13
- 2.5. Third Party Access to Information
- 2.6. Communications Clause
- 2.7. Business Transfer Clause
- 2.8. Dispute Resolution
- 2.9. Data Retention
- 2.11. Contact Information
It's the law. Throughout the United States, Europe, and most of the developed world, many laws exist to protect the privacy of internet consumers.
In the United States in particular, there is a complicated network of laws and guidelines that make it easy for agencies like the Federal Trade Commission to enforce penalties on any business that seems to be abusing the privacy rights of its users.
An excerpt from the Federal Trade Commission website:
"The FTC has brought legal actions against organizations that have violated consumers' privacy rights, or misled them by failing to maintain security for sensitive consumer information. In many of these cases, the FTC has charged the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce."
It establishes trust with users. Providing privacy and transparency for your customers goes a long way with earning their trust and confidence.
It's also considered to be a standard best practice for any online business. In short, it's the right thing to do.
And many businesses have already been hit with fines for violating different aspects of the GDPR since its inception in 2018.
Types of Information Collected
First and foremost, you must clearly identify which types of personal information are being collected through your website or mobile app.
Personal information is any data that can be used to contact, identify, or locate an individual. This may include:
- Email address
- First and last name
- City or town plus country
- Shipping or billing address
- Social security number
- IP address
- Profile picture
- Credit card number
- Telephone number
As you can see, even seemingly anonymous information may be used in combination with other data to identify an individual and so is also defined as personal information. Any such information must remain confidential and protected.
Be as clear and detailed as possible so that your users actually can understand exactly what information you're collecting from them. Transparency and readability are key here.
How Information Is Collected and Used
The first step is a simple description of how you are collecting the information. Some data may be provided directly by the user while other information is gathered automatically by website software on the backend.
Here's a good example from Iberia Airlines of how this can be laid out:
The examples provided here make it easier for a user to really understand how and why the data is collected.
The ways in which personal information is used may differ greatly depending on the type of business and website you are setting up. An e-commerce website will have different uses for personal information than a financial advisory institution, for example.
Make sure you lay out this summary carefully, for liability's sake. You'll want to be very thorough in this section to ensure that you cannot be accused of using the personal information of your users improperly.
Let users know how their information is protected, and if the data is being shared with a third party, explain why.
Here's an example from WebMD:
Note how it discloses that the information collected may in some cases be shared with some third parties for customized advertising purposes.
A Cookies Clause
While there are many different types of cookies and functions for them to perform, they are all stored in the browsers of your users.
It's important to explain to your users why the cookies are there and how they are being used.
Cookies can be tricky because many third-party software plugins use them to track each individual's browsing, which could present privacy issues in the long term.
Make sure you know exactly what kind of cookies are being used by your website or mobile app, as well as any third-party software that is installed.
You'll need to describe each type of cookie and its function within your Cookies Clause, or even create and link to a separate Cookies Policy.
Include a brief, easy to understand explanation and description of what each type of cookie does that would be comprehensible to someone with little to no familiarity with the topic.
Children Under 13
The guidelines for collecting information from minors may differ from one country to another, but in the United States there are specific laws that apply to the personal information of children under the age of 13.
These laws fall under the Children's Online Privacy Protection Act (COPPA) and seek to protect the privacy and rights of minors.
However, if your website or mobile app is targeted to teens or children, you may need to do far more to protect their privacy and perhaps even obtain parental consent in order to collect information from minors.
Note how it has separate sections that address parental consent and parental control of how personal information is collected from children.
Third Party Access to Information
Many websites and applications use third-party software and plugins to perform various functions throughout the site. Some of these include:
- Analytics providers
- Social networks
These third-party providers will need to collect user data from your site in order to function correctly, but you are required to inform your users of their existence.
Although many third-party providers feature Privacy Policies on their own respective websites, it still remains your responsibility to inform users of their existence.
It helps to include a brief explanation of why third-party access is necessary to ease the privacy concerns of your users.
If you plan to send any communications to your users by way of their personal contact information, it's necessary to include a communications clause.
Even if your messages are not promotional in nature, you are required to inform users of any personal communications, such as:
- Company emails
- Promotional emails or messages
- Phone calls
- Texts or other forms of messaging
Many countries, including the USA, exercise anti-spam laws that prohibit unwanted email marketing. For this reason, it is also important to let users know how they can opt-out of promotional messaging and email campaigns.
List all the different ways your users can unsubscribe, from sending emails, clicking on specific links and sending postal mail, if applicable. Whatever methods you allow, make sure to disclose them all here.
Business Transfer Clause
Business acquisitions and transfers often occur quickly and unexpectedly. The unauthorized transfer of users' personal data to a new business owner may cause legal issues.
Here's an example from Lush Cosmetics:
In addition to avoiding liability, clauses such as these offer reassurances to your users that their privacy is a high priority, no matter what happens to the business.
Despite your best intentions and privacy best practices, legal disputes may occur. Laws and regulations regarding internet privacy are convoluted and vague at times, opening up potential opportunities for unforeseen and unavoidable debates regarding user privacy and other business aspects.
A dispute resolution clause is a useful addition to the arbitration and limitation of liability clauses that will appear in your Terms and Conditions. This clause will simply provide provisions for future dispute resolution measures.
Here's an example from Citrix:
Of course, a more thorough explanation of governing law, arbitration and liability issues can be included in your Terms & Conditions, if needed.
Users will delete their accounts on your site or app from time to time. It happens. You should let them know that even if they do delete their accounts, some personal information may need to be retained in your database.
Here's an example of a clause that does just this from DocuSign:
Not only does it inform users how to go about deleting an account, but it lists the specific reasons why data may be retained even after an account is closed.
Here's an example from Automattic:
Users may have questions about their privacy. Provide them with a means to communicate with your business directly regarding any concerns over privacy.
If you have the capability to set up a specific email address or department to manage these inquiries, even better.
Here's an example from Facebook:
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.