There are so many different methods of building a website these days. With numerous platforms to use and so many components to address, it can be difficult for business owners to remember everything they need to do - especially when it comes to the legal stuff.
When you sign up with WordPress to run your site, part of the registration process is your agreement to the Terms of Service of Automattic, WordPress' parent company.
Here's part of the Terms of Service that requires you to comply with all applicable laws, including privacy laws:
Personal information might seem like a broad term, but it will usually apply to things like contact names, email addresses, credit card or bank details and even cookie-collected location data.
Here's an example of the type of personal information Evernote collects, which is a great reference for what you may need to include in your own policy. Does your business collect similar information? If so, include it in your policy.
- What information you collect from your users and site visitors (such as names, email addresses and contact details)
- The ways you collect this information (for example, registration forms, user comments and cookies)
- Whether you collect information from minors, and/or whether parental supervision is required for those under a certain age
- Information about your cookies usage, and a link to the separate Cookies Policy (if you have one)
- A clear reference to any third-party software or companies that will also collect this information, such as Google AdSense, Amazon Associates, Infolinks and Adsterra
- The ways users can block cookies from tracking their activity on your site and opt out of third-party advertising
- Links to Privacy Policies of third-party software you're affiliated with
- Your contact information (so your users can easily connect with you if they have any issues, queries or questions)
Regulations You Need to Know About and How to Comply
These regulations include the California Online Privacy Protection Act (CalOPPA) in the US, which is a broad-reaching set of regulations that aims to protect online users and their personal information, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the General Data Protection Regulation (GDPR) in the EU, and the Privacy Act of 1988 in Australia.
CalOPPA is a U.S. state law from California that protects online users and the personal information they give out on websites. When this law came into effect in 2004 (and was amended in 2013), some businesses struggled to figure out whether it affected them or not - especially if they weren't located in the US.
Under CalOPPA, personal information applies to things like first and last names, street addresses, email addresses, mobile and landline phone numbers, birthdates, IP addresses and other identifying pieces of personal information.
The link to your Privacy Policy needs to be conspicuous, meaning it should stand out from the background and the rest of the text around it, and it should also include the word "privacy."
- The various types of personal information you collect from users
- Any third parties who may also gain access to that information
- Whether your users can review and edit/delete their own previously collected information
- The way you'll inform your users about any changes to your policy
- Whether or not you follow Do Not Track (DNT) requests
- A notice regarding any collection of personal information from minors
You might be surprised at how many businesses accidentally stray from their written policy, so it's important to keep your actual practices in line with what your policy says.
These California disclosures are required by CalOPPA.
The GDPR was created by the EU Parliament and came into effect on 25 May 2018. It aims to give online users higher levels of control over the data they share online and to provide them with enhanced rights when it comes to their data.
These additional points are:
- How long you keep user data
- How secure the collected data will be when it's in your possession
- A reiteration of your users' rights
- Contact details of your Data Controllers, Processors and DPO if applicable
Here's a basic rundown of how to approach Privacy Policies for your WordPress site(s):
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.