Privacy Policy Information

Privacy has become a hot topic with the increase in data that is collected and stored by businesses. Protecting privacy is important and new laws are popping up to regulate privacy.

As a site or app owner that collects personal information, you must do your part by providing a detailed privacy policy that is easy to access online.  

What is a Privacy Policy?

A privacy policy is a document housed on your website or mobile app that explains how a website will collect, store, protect, and utilize personal information provided by its users.

The definition of personal information will vary depending on the different pieces of legislation but, generally, the following are included:

  • Name
  • Date of birth
  • Addresses (postal and email)
  • Payment details (credit card numbers)
  • Location (IP address, geo-location)
  • Social Insurance Number

In addition to outlining how the company will use the information, it must also include how it will be compliant with legislation. It should also provide information related to consumer recourse if the company is not compliant and shares data.

Why do You Need to Have a Privacy Policy?

It is the law – and fines for non-compliance are hefty! There is an added layer of complexity because it doesn’t matter where you are located – it matters where your site visitors are from. You can be required to follow multiple different privacy laws. Let’s look at them:


European Union

The European Union has some of the strictest privacy laws in the world. The General Data Protection Regulation (GDPR) provides detailed information regarding privacy policies. Regardless of where your company is located, if you operate in Europe or process the personal information of users located in Europe, you must comply with the GDPR. You also have to ensure that you have your users’ unambiguous and affirmative consent before you start collecting any personal information.

To be found GDPR-compliant, a privacy policy must contain specific elements. Unlike some other privacy laws, the GDPR is actively being enforced and the costs are high for businesses that choose not to comply.

United States (California)

There is currently no privacy legislation at the federal level in the United States. California does have one to protect California residents. The California Online Privacy Protection Act (CalOPPA) requires that any commercial website that collects or uses personal information from Californian residents must have a privacy policy that details how data is collected, used, and shared.

The California Consumer Privacy Act (CCPA) also came into effect in 2020 to supplement the CalOPPA. Its scope is more limited, as it is targeted to businesses that either have an annual gross revenue of more than $25 million, make at least half of their revenue selling personal data of their users, or that sell, buy, share or receive personal information from at least 50,000 households, consumers or devices annually.

This legislation encourages transparency and requires that businesses serve users with a notice at the time of collection or before the time that it starts collecting personal information. That notice at collection should link to a privacy policy that is to be updated at least every year.


Australia

Australia regulates how businesses handle personal information through its Privacy Act of 1988. Businesses need to have an up-to-date and clearly expressed privacy policy that is available free of charge and that contains all the information required under this Act. Consult a lawyer for more specific details on the requirements.

Please note that these examples are not comprehensive of all privacy guidelines across the globe. Please consult with a lawyer to make sure you are compliant with the guidelines that you are required to abide by.

In addition to the legal requirements outlined above, many third-party services used on sites or apps require that you have a valid privacy policy in place in order to comply with their terms of service.

It may also help build trust with your site visitors, creating transparency and making them feel comfortable.


Do you have to use a lawyer to draft or review your agreement?

While you don’t have to, there are clear benefits to doing so. The first benefit is that you know the document would be specific to your site/apps and business practices, so there is a lower risk that anything would be overlooked. A lawyer will also look to the future and think about how to protect your business as it develops.

A lawyer would know to ask if your site/app requires users to provide personal information. If so, the Personal Information Protection and Electronic Documents Act (PIPEDA) would be relevant to you.

If your business practices are complex, it’s even more important to involve a lawyer. The devil is in the details.

The cost of not being compliant is so high that it’s not worth the risk. A lawyer should at least review the documentation. In a perfect world, a lawyer would draft the agreement. Lack of knowledge or understanding is not a defense; if you are found to be non-compliant for any reason, you will face potentially hefty fines.

  • Do you collect a large amount of personal information from your users?
  • Do you transfer data to or from third parties?
  • Do you do any ecommerce?
  • Do you have users in multiple countries or legal jurisdictions?

The amount of personal data you collect and the extent of your marketing efforts will dictate how large your user base is. In turn, this will determine how complex your Privacy Policy (and privacy practices) will need to be.

Not Sure How Much Data You Collect?

If you have a blog or site that offers a newsletter to keep people up to date, you are not collecting much data. If you run an ecommerce store that collects financial information, mailing addresses, and phone numbers, and uses retargeting cookies to advertise to customers after they leave the site, your data collection and level of risk are much greater. The amount of data you collect directly impacts the length and complexity of your privacy policy.

Are Children Part of Your Audience/Site Visitors?

California’s Children’s Online Privacy Protection Act (COPPA) is relevant if you have children from California visiting your site.

The pro for gathering info online or using the cheapest document generator is the cost savings. The con is the lack of assurance that you have everything you need in place to protect you.

Few things are as important as protecting a business that you are investing time and money to grow.

CEO Law offers affordable pre-set packages to meet your needs. Use our document generating engine, have one of our lawyers review an already drafted privacy policy or have one of our senior lawyers draft your agreement for you. Click here for more information.

This material is for general information purposes only. It is not intended to provide legal advice or opinions of any kind and may not be used for professional or commercial purposes. No one should act, or refrain from acting, based solely upon the materials provided on this website, any hypertext links or other general information without first seeking appropriate legal or other professional advice. The information is provided for your convenience only. These materials may have no evidentiary value and should be checked against official sources before they are used for professional or commercial purposes. It is your responsibility to determine whether these materials are admissible in a given judicial or administrative proceeding and whether there are any other evidentiary or filing requirements. Your use of these materials is at your own risk.
