- 2. What is Personal Data?
- 3. Privacy Policies and Legal Compliance
- 6.1. Introduction
- 6.2. Contact Details
- 6.3. Data Collection
- 6.4. Purpose of Collection
- 6.5. Data Use
- 6.6. Data Sharing
- 6.8. Consent Revocation
- 9. Conclusion
- California Consumer Privacy Act (CCPA) as amended by the CPRA
- Australian Privacy Act (APA)
- General Data Protection Regulation (GDPR)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
So, what's the big deal around Privacy Policies, anyway? Why should you bother drafting one if you don't collect personal data from anyone?
- How you plan on gathering personal data
- What you'll use the data for
- How long you'll store someone's personal data it
- Who you intend to share it with
- What rights the person has over their personal information
In other words, it's a professional document that both you and your visitors can rely on.
It's worth emphasizing that most companies, in some form or another, do handle or collect personal data, even if they receive it indirectly through third parties. So, let's be clear on what personal data is so you can be completely clear on whether you process it or you don't.
What is Personal Data?
Helpfully, privacy and data protection laws across the world are pretty consistent in how they define "personal data." It's basically any data that could be used to identify a specific individual.
In other words, personal data is any information that makes someone personally identifiable.
The clearest definition of personal data is in Article 4 of the EU's GDPR. The examples of personal information provided aren't exhaustive, but they give you the general idea of what information is "personal."
Personal data, then, includes:
- Full name
- Home address
- IP address
- Employment details
- Email address
- Social Security or Passport Number
It's always best to err on the side of caution. If you're not sure whether data is personal, assume that it is.
Here's an example of a simple personal data definition from Lululemon, in its "Collection of Personal Data" clause:
There are a few compelling reasons. Let's look at them in turn.
Privacy Policies and Legal Compliance
Why? Because it's arguable that, since privacy laws like the GDPR expect you to set out what personal information you collect, you still need to answer this question by saying "none."
- Accessing personal data that's already publicly available
- Receiving data from third parties such as analytics services
- Transferring data to third parties including payment processors
When you think about it, there's a very good chance that you receive some personal information about your site visitors, or other individuals, even if it's through third parties.
Take Green Alliance, for example. It declares that it doesn't collect personal data:
However the company may receive private information about individuals from third parties, such as analytics providers and corporate partners. This is specified in clause 1.2:
The principle of "better safe than sorry" clearly applies to Privacy Policies. It's better to have one and cover your bases than not draft one at all.
Think of it this way: If visitors can contact you in any way, whether it's over social media or email, they must provide at least a name and/or contact details. This is personal data.
If people can't see how you protect this data, why should they contact you?
- Privacy Policies are professional
- Authorities expect to see a privacy document, even if it's short
- Technically speaking, you're complying with the relevant legislation, even if it seems a little over-cautious
- There's a good chance you'll need one in the future, so draft it now
- There's an even greater chance you're already handling personal data in some way, so cover your bases
Here's an example from Disconnect. The introduction specifies that:
- The Policy came into force in February 2020
- The company cares about user privacy
- This is a document laying out how Disconnect collects, uses, and shares personal data
The bullet points and concise statements make this a highly readable and effective introduction:
Include some way for individuals to contact you for more information or with concerns.
It should be reiterated that the moment someone can contact you, whether they email, call you, or fill in an online form, you're collecting their personal data! This data must be properly safeguarded.
All you need to do is include an email address and/or telephone number to fulfill the requirement here, like Green Alliance:
However, like we've stressed before, if you capture so much as an email address, you need to declare this.
Here's an example from Disconnect. The company is quite clear that it doesn't collect personal information as standard. However, it does gather some data on occasion. This includes, for example, if a customer emails support.
The point is that Disconnect covers its bases and explicitly states that it collects personal data on occasion. It's also transparent about what non-personal data it captures.
This type of clause applies to most companies who only periodically capture personal information, so you should familiarize yourself with it:
Purpose of Collection
Specify your reasons for collecting any data that you do capture. This could be, for example, to fulfill a contract, to resolve a legal dispute or to communicate with a customer.
If you fall under the scope of the GDPR, you need to state your legal bases for collecting any data.
If you're not yet capturing personal data, keep this clause vague. Here's how Green Alliance covers reasons that may apply to data collection e.g. where users have consented to giving their personal data, or when it's necessary to complete an order.
The clause is a comprehensive way to cover the company's possible future needs, so there's no need to revise this clause any time soon:
Set out how you plan on using any personal data you do capture, whether it's to communicate with customers about orders, or simply to respond to individual enquiries.
What's important is that you're specific about how you use data so that people know exactly what's happening to any information shared across your platform.
Look at Ecquire for a great example. This clause is concise, clear, and specific about how Ecquire uses the limited data it captures:
You must specify if you share any personal data, even if it's just an email address, with third parties of any kind. It doesn't matter if you only share data once in a while, either. All sharing with third parties must be declared.
Here's an example from PBworks. The company doesn't share personally identifiable data and makes this very clear:
But, there's an exception: Third party data sharing. PBworks shares personal data with some external service providers when it's necessary e.g. to fulfill a contract or complete a transaction:
So, if you share data, or receive it from third parties, specify this.
Here's a brief example of such a clause from Disconnect:
Be clear that people can ask you to delete their personal data or modify their consent at any time. Even if you're not collecting personal data right now, it's good practice to just include a short, broadly worded clause so that you don't need to worry about it if you do start capturing private information.
Ecquire explains that visitors can contact the company at any time to modify the data stored on them. Ecquire will also delete relevant data at an individual's request:
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
Privacy Policies, like any legal contract, are only valid if both parties have a chance to view and consent to them. In other words, you should post it somewhere visible on your website.
Because you're not collecting personal data, you're probably not using pop-up boxes such as newsletter sign-up forms, and you won't be capturing data through account registration. So, the best place to put a link is in your website footer, like Ecquire:
- Contact details and an introductory clause
- Details of what data you do collect, even periodically
- Information on what data people can choose to supply to you e.g. to contact you
- What happens to any data you capture
- Third party data sharing policies
- How people can revoke consent to data collection