Keep reading to find out more about these important legal agreements.
- 2.1. It's required by law
- 2.2. It's often required by third-party services
- 2.3. Users care about their privacy
- 2.4. Privacy Policies are everywhere
- 3.1. The United States
- 3.2. Canada
- 3.3. Australia
- 3.4. The UK
- 3.5. The European Union (EU)
- The types of information collected by the website or app
- The purpose of this data collection
- Data storage, security and access
- Details of data transfers
- Affiliated websites or organizations
Examples of personal information your website or app might collect include:
- Dates of birth
- Email addresses
- Billing/shipping addresses
- Phone numbers
- Bank details
- Social security numbers
It's required by law
If you are based in the US, but not in California, it's still important that your website or app complies with CalOPPA because a resident of California could still access and use your services.
Similar privacy laws exist in Canada, Australia and across Europe. The next section looks at privacy laws by country in more detail.
It's often required by third-party services
Even seemingly anonymous data, like what web browser someone uses, is considered personally identifiable information because it can be used in combination with another type of data to identify an individual.
Google Analytics' Terms of Service dictate that any business that uses its services must:
Facebook's Platform Policy states that you must:
Users care about their privacy
People want to feel safe when they are giving out their personal information and it is your responsibility as a website or app owner to facilitate this.
It's about building trust with your users and reassuring them that you are going to handle their personal information in a safe and ethical manner.
Privacy Policies are everywhere
Doing something just because everyone else does is not always recommended, but in the case of Privacy Policies, it absolutely is. This is because they help the user to feel safe and secure using your services.
The United States
The United States has a number of federal and state laws that deal with Privacy, but two of the most important ones to date that affect the most businesses and individuals are:
"Organizations" referred to in the Act include both brick-and-mortar businesses and e-commerce or online ventures.
The Privacy Act contains a list of 13 Privacy Principles for the collection and handling of personal data that you'll need to become familiar with if this law applies to you.
The United Kingdom's Data Protection Act 1998 (DPA) protects personal data in the UK.
It has 8 Core Principles of Data Protection with which companies in the UK must comply:
The European Union (EU)
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.
This includes collecting email addresses through an online sign-up form for an email newsletter.
Mailchimp has specific and strict requirements for users located in the European Economic Area (EEA) or those who send emails to anyone in that area. This is because the privacy laws of this area are very strict.
There are, however, some basic legal requirements as well as a few things to consider in terms of usability and good practice.
Here is an example from the BBC's website:
Other good places are at checkout for ecommerce platforms and account sign-up or login screens for websites and apps that have such a feature.
- Within the app as part of a menu.
- On the app store listing page as a link so that users can view the Policy before downloading the app.
- In the footer of the accompanying website, if you have one, as seen in the previous section regarding website link placement.
- Your identity and contact details
- Exactly what personal data you collect and record through your website or app
- For what purpose this data is collected and processed
- How the data is processed
- Specific details of any disclosure of information to third parties (who and why)
- A list of privacy laws with which you are compliant
- An explanation of how users can opt out or request that their data be deleted
The best approach is to structure it in a way that makes sense for both your business activities and your audience.
It's separated into different activities that are clearly signposted with icons.
Consider adding an anchor-linked table of contents as well to help users quickly and easily navigate to sections they may wish to read without needing to scroll through the entire policy to find the relevant section.
A Disclaimer is a statement or short paragraph that makes it clear that the website or app owner is not legally responsible for such things as the accuracy of any information or what the user chooses to do with this information.
There are a number of different types of disclaimers, including affiliate disclaimers, medical disclaimers and disclaimers of warranties.
Here's an example of a fairly standard Disclaimer from the New York Times:
"NYT does not represent or endorse the accuracy or reliability of any advice, opinion, statement, or other information displayed, uploaded, or distributed through the Services by any user, information provider or any person or entity. You acknowledge that any reliance upon any such opinion, advice, statement memorandum, or information shall be at your sole risk."
Terms and Conditions typically include information on:
- Copyrights and intellectual property
- Prohibited activities
- Consequences of engaging in prohibited activities
- Applicable warranties and disclaimers
To demonstrate, here's the table of contents from Spotify's Terms and Conditions:
You can see by the titles of the sections that each agreement covers and addresses completely different types of information and serves different purposes for the users.
For example, in the UK there are several penalties for breaching privacy laws such as the GDPR.
Some penalties of GDPR non-compliance include:
- Monetary fines of up to £500,000
- Prosecutions and prison sentences for severe and deliberate breaches
- Mandated actions to prove compliance and to avoid further prosecution
- Compulsory auditing
Privacy is considered to be a fundamental human right and violations of this right are taken extremely seriously around the world.
This method requires that your users click something that shows they're agreeing to your Policy. It's a legally compliant method that's accepted and recommended around the world because it lets you obtain clear, unambiguous agreement from your users.
Common places are during account registration, online checkout or wherever a user may submit information to you.
Here's an example:
Here's an example from Pinterest: