- 2.1. GDPR
- 2.2. PIPEDA
- 2.3. CalOPPA
- 3.1. Point of Download
- 3.2. Website Footer
- 3.3. Pop-Up Notification
- 4.1. Name & Business Contact Information
- 4.2. The Data Collected
- 4.3. Why You Collect the Data
- 4.4. Your Sharing Policies
- 4.5. Opt Out Information
- 5. Content Upgrades and Downloads Clauses
- 5.1. Analytics Clause
- 5.2. Point of Collection Clauses
- 5.3. Limitation of Liability
- 6. Example in Action
- 6.1. Apple App Store
- 7. Conclusion
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
- Storing their data for future contact
- Collecting information about user behavior and how they navigate your site
- Processing personal data and sharing it with third parties
Personal information is any information which can identify someone, such as their:
- Home address
- Work address
- Email or IP address
- Telephone number
- Social security number
- Blood type
- Medical records
Otherwise known as the General Data Protection Regulation, this regulation requires commercial companies to collect the minimum possible personal data from their site users. It protects EU residents and those visiting websites from EU Member States. The GDPR says that commercial companies must:
- Tell users that they collect data
- Restrict the data they collect to necessary information; e.g. you don't need a home address to sign someone up for an email newsletter
- Give users the clear opportunity to withdraw their consent to data collection
The Canadian equivalent of the EU's GDPR, the Personal Information Protection and Electronic Documents Act (PIPEDA) controls how private sector businesses collect, store, and share data from those residing in Canada. If your business operates in Canada, chances are this law applies to you.
- Like the GDPR, PIPEDA gives individuals the freedom to decide what information businesses collect about them
- Businesses should ideally get express consent from individuals to data collection and storage
The California Online Privacy Protection Act (CalOPPA) applies to any online service, business, or website that collects personal data from users residing in California. This means that if you receive any business from users based in California, you're subject to this Act.
- It demands the safe handling and protection of personal data
- Like the other laws, CalOPPA states that you must give users the chance to turn off cookies
- Point of download
- Website footer
- In a pop-up notification
Let's briefly look at examples of these placements in turn.
Point of Download
Let's consider an example.
Origin is an online gaming platform where users download whatever games they feel like playing. Origin collects information about users to personalize their experience. A user's experience is personalized by showing them games similar to the ones they typically download and remembering their login details:
Name & Business Contact Information
The Data Collected
It then goes on to explain what information it collects in a simple, user-friendly, bulleted style:
Why You Collect the Data
Your Sharing Policies
Tell users who you share their data with. WhatsApp tells users that it shares their data with third party service providers to improve and market their services:
The company also specifies when the data sharing takes place; for example, when a user engages with a third party service through the Instagram platform:
Opt Out Information
Users must be able to opt out of cookie installation and data collection for marketing or analytics purposes. You should also explain what steps the user can take to do so and adjust their preferences.
MyProtein, for example, spells out the steps for opting out of marketing communications. You'll note that the steps are simple - all users must do is update their settings or contact the retailer:
Instagram's version of the opt out clause is equally straightforward. Again, it breaks down exactly what users can do to opt out of communications, and like MyProtein, it highlights that it's impossible to opt out of necessary emails that relate to the performance of the contract the users have with the platform:
Content Upgrades and Downloads Clauses
When users download or use your applications, you may want to collect personal information from them to check on the health of your products and their compatibility with various operating systems.
EA, for example, specifies that it collects data about a user's hardware, device, system interactions and usage statistics to help improve the safety and quality of its downloads.
This clause works because it makes it easier for the platform to collect additional information, since this extra information is now essential to providing the service:
Point of Collection Clauses
Limitation of Liability
You don't want to be responsible for everything that could go wrong if a user downloads content from your platform, or if they browse your website.
DeviantArt has a great clause for this. Although DeviantArt is responsible for its own content and for taking all reasonable steps to ensure the content's safety from, e.g., viruses, vulnerabilities are still inevitable:
The bottom line is, so long as you act reasonably as opposed to negligently, you can't be responsible for every possible security breach. This is a vital clause when, for example, you make content available for download, or you collect personally identifiable information (PII) and payment details.
Example in Action
Apple App Store
When users click this link, they land on a user-friendly, highly readable page which highlights Apple's values and dedication to providing a great customer experience with safe downloads:
The Policy highlights what personal information is:
Apple then highlights what information it collects and when - specifically, at the point of purchasing a product or downloading software:
Apple also has a clear third party sharing policy which emphasises that third parties providing content over their platform are responsible for ensuring personal data protection standards are maintained:
Users should know:
- What personal data you collect
- Why you collect it
- How you handle and share it
- What their marketing options are, and how to change them
- The scope of your liability and obligations to them