Whether you run a website, have a mobile app, or have a desktop app, a Privacy Policy is very important. Without one, you may be violating the law.
Not sure what a good Privacy Policy does, what the law requires, or how you're supposed to create a proper one? Check out the answers to these frequently asked questions:
It's a statement that explains what kind of information you're collecting from your website visitors/app users, and what you actually do with that information.
You'll need to list all of the types of personal information that you collect like names, marital status, credit information, or IP addresses that show where your site visitors are located.
You'll also need to give details as to how you physically collect the information, how you store it, and whether or not the information will be kept confidential. If you plan on disclosing any of the information to a third-party, you'll need to include all of those details in your Privacy Policy, too.
In addition to it being required by law in several countries -- including the US, the UK, Canada, and Australia -- some third-party services will require a Privacy Policy before you can do business with them.
For example, if you want to run ads with Google AdWords, Lead Ads on Facebook, or Twitter Lead Generation Cards, you'll have to put a Privacy Policy on your website before you begin.
The same applies if you want to become an Amazon affiliate. And if you plan on using Google Analytics to collect, measure, and analyze data on your website, you'll have to set up a Privacy Policy.
If you have an email service provider, it may require you to have a Privacy Policy. MailChimp, Constant Contact, Campaign Monitor, MadMimi, Vertical Response, and Sendgrid all say that you need to have one in place before you can start sending out emails.
If you have an app, you'll need to create a Privacy Policy for your third-party services, too. If your app collects any kind of personal data from its users -- including their email address, their first and/or last name, or their billing or shipping information -- you will need to have a Privacy Policy in place before you can list the app in the Apple App Store or the Google Play store.
California was the first state in the US to require that websites and online services post a Privacy Policy.
CalOPPA protects every consumer/website visitor/app user in the state. However, the power of this law doesn't end there. If you run a website that's visited by people who live in California -- even if you've never set foot in California -- you're bound by this law.
Here's what lawmakers in the Golden State say:
"CalOPPA applies to any person or entity that owns or operates a commercial website or online service that "collects and maintains personally identifiable information from a consumer residing in California who uses or visits" said website or online service. CalOPPA does not apply to Internet service providers or similar entities that transmit or store personally identifiable information for a third party."
In 2012, CalOPPA was expanded to include apps that California residents were downloading. The app providers were given 30 days to begin adhering to CalOPPA, and the ones who didn't were fined $2,500 each time their app was downloaded.
The Federal Trade Commission (FTC) has made consumer privacy a priority since the 1970s. These days, the FTC takes legal action against companies that do not adhere to their privacy policies by charging business owners under Section 5 of the FTC Act.
Thanks to Section 5, the FTC has broad powers. Specifically, it can investigate unfair and deceptive acts and practices in or affecting commerce. Since "unfair" and "deceptive" are such broad terms, the FTC can bring all kinds of charges against website operators that are allegedly trying to deceive their site visitors and customers.
For example, in 2017, VIZIO agreed to pay $2.2 million after the FTC and the State of New Jersey went after the television manufacturer for collecting data from 11 million smart TV users without their knowledge or consent. In addition to the settlement, VIZIO was ordered to delete all of the data it collected before March 1, 2016.
A way around being deceptive is to have a Privacy Policy.
The Data Protection Act of 1998 has eight principles that regulate how personal data is handled. Above all else, any information that is collected needs to have "good data management." You will also need a Privacy Policy.
Furthermore, the Data Protection Act says that personal data cannot be transferred to any country or territory that does not fall under EU Directives, unless there is an "adequate protection for the rights and freedoms of data subjects" in the location in question.
In order to comply with a 2011 EU Directive, the UK created The Cookie Law, which gives website visitors a choice as to whether or not their personal data is collected. Even though it's named for cookies (the small data files that are placed on websites to collect visitors' information), the law also applies to Flash, HTML Local Storage, and other technology that operate similarly to cookies.
The Personal Information Protection and Electronic Documents Act (PIPEDA) affects website and app owners.
PIPEDA contains regulations for how data is collected and how it is used after that. Specifically, it states that you must tell your website visitors/app users exactly why you're collecting their personal data, which means post a Privacy Policy.
However, PIPEDA only applies to organizations that are engaged in commercial activity. So if you run a non-profit or a charity group website, you won't need to worry about complying with it.
If you own a website in Australia, you're bound by The Privacy Act 1988. Under this law, personal information is defined as:
"Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable."
The most common examples of this information are:
The Privacy Act contains 13 Australian Privacy Principles (APPs) that all government, private sector, and non-profit organizations have to follow. Included in these APPs are regulations that apply to how private information can be collected, used, and disclosed, how to make sure that the data is quality information, how people can access and correct their personal information, and how people have the right to act anonymously or under a pseudonym in certain situations.
One of the most important APPs requires organizations to have a Privacy Policy. That way, people can rest easy knowing how their data is being collected and managed.
In 2018, the General Data Protection Regulation (GDPR) went into effect and has strict requirements for anyone who collects any personal data from individuals located in the EU.
It requires a Privacy Policy that's written in easy-to-understand language and that discloses a number of specific things about how you collect, process, handle, secure and dispose of personal data. If you do business with or have contact with people in the EU, you will need to become familiar with and compliant with this robust law.
On websites, the most common way to display your Privacy Policy is in the footer. This is surely something you've seen on almost any website you've ever visited.
Other areas include in top or side menus or link lists.
On apps, you can add a link to your Privacy Policy in a menu such as a "Settings" or "Legal" menu within the app. You should also link it to your app's listing on any app stores it's distributed on. This is actually a requirement by app stores.
The best tip we can offer is to make yours easy to understand and well-organized.
You can add a linked table of contents if you want, which helps readers navigate your Policy easier. This is especially helpful if your Policy is very long.
Consider using bullet points, lists and lots of separate headings to break up the Policy text.
Write short, easy to read paragraphs that are written in simple, basic language.
Both are legal documents, but they have very different purposes. While a Privacy Policy spells out how you collect website visitor/app user data and what you do with it, Terms & Conditions are the rules, standards, and requirements that people have to follow if they want to use a specific website or app.
For example, a Terms & Conditions page might forbid users from abusing the website in any way, or it may say that a user's account will be deactivated if he does anything to violate the website's copyright.
Look at it this way -- a Privacy Policy tells you what rules the website/app owner is going to adhere to, and a Terms & Conditions page tells you what rules visitors/users need to adhere to.
Unlike Privacy Policies, you're not legally required to put a Terms & Conditions page on your website/app, but it's a good idea to do so. That way, everyone will know exactly what's expected of them.
A disclaimer is a warning. Simply put, disclaimers explain that the owners of the website/app are not responsible for the information they've published and what you do with it. It's designed to protect the website/app owner against liability, which makes it totally different from a Privacy Policy, which protects website visitors/app users.
Just like a Terms & Conditions page, you're not required to have a Disclaimer page, but you may feel more comfortable having one.