The guide will answer these questions for you. Please note that this guide is for informational purposes only, and does not constitute legal advice.
Privacy policies are considered to be one of the most important pieces of information on a company’s website, because they describe how users’ personal information collected on that website will be treated. People want to know that the information they enter on a website is going to be processed correctly and, once stored, is going to be protected.
What is personal information? Personal information can be anything that can be used to identify an individual, including but not limited to:
- Date of birth
- Marital status
- Contact information (including telephone number or email address)
- Financial records
- Credit card information
- Medical history
Facebook, with its complex Privacy Settings, asks for a first name, last name, email address, gender and birth date when you register for a new account. All of this is personal information.
For a website operator, the privacy page is where you should declare how you collect, store, and release personal information you receive from your users. The page needs to inform the user what specific information is being gathered, and whether it is kept confidential, shared with third parties and so on.
Users have the right to know how their information is being used. As a point of law, the website owner must provide their contact details, along with the purpose of processing, the recipients of the data and any other information that would be relevant for the user to know.
In 2012 Google launched the Good To Know campaign, which promotes privacy transparency and gives users more details on how their information is being used across Google’s services.
In general, personal data can only be processed if the following circumstances are met:
- Users have given their consent for their personal information to be collected
- When processing of personal information is necessary for the performance of a contract, for entering into one, or for compliance with a legal obligation
- When processing is necessary for the purpose of protecting the interests of the user
- When processing is necessary for the pursuit of legitimate interests by the data controller (website owner) or by any third parties to whom the data are disclosed
- The user has the right to access the data about him and has the right to demand rectifications, deletion or blocking of data that is incomplete, inaccurate or isn’t being processed in compliance with the data privacy law.
It’s important to remember that the personal data collected by a website owner can only legitimately be used for the purpose for which the user has given consent. It cannot be used in any other way without the user’s permission.
Personal data can only be processed in an adequate and relevant way. It cannot be processed beyond what the purpose it was collected for requires.
The collected information needs to be accurate and kept up to date. Businesses must take reasonable steps to make sure that collected data is not inaccurate and that incomplete or inaccurate data is erased or rectified.
Personal data must be kept in a confidential manner. Businesses must have appropriate safeguards for processing personal data.
1.3. Quick Facts
Privacy policies are necessary, required by law and also helpful for establishing users’ confidence when using your website.
In August 2013, the Office of the Australian Information Commissioner (OAIC) released the results of a “Privacy Sweep” report. The sweep was part of the first international Internet privacy sweep, an initiative of GPEN (the Global Privacy Enforcement Network).
For many online businesses, the need for collecting user information is a necessary part of doing business, but it is the company’s or the website owner’s legal obligation to take steps to properly secure (or dispose of) this data.
Financial data from online financial tools, personal information from children (under 13) and material derived from credit reports may need additional compliance considerations – as opposed to an online business with a business model that involves less personal information.
2.1. Requirements by Country
Since different countries have different laws on what is required to comply with the rules on the collection of personal data, here are summaries of the main data privacy guidelines for the USA, Australia, Canada, the United Kingdom, India, and the European Union.
2.1.1. United States of America (USA)
There are several federal and state laws that have provisions for data privacy in the US, such as:
- the Americans With Disability Act;
- the Cable Communications Policy Act of 1984;
- the Children’s Internet Protection Act of 2001;
- the Computer Fraud and Abuse Act of 1986;
- the Computer Security Act of 1997;
- the Consumer Credit Reporting Control Act;
- and several others.
In every aspect, an American’s privacy (in theory) is protected by more than one applicable federal and state law.
The Federal Trade Commission (commonly referred to as the FTC) is the government office that regulates data protection for consumers in the US.
The FTC issued a set of guidelines for companies to follow when writing their privacy policies:
- What information does the company collect and how does it do so?
- How does the company protect the information it collects?
- How does the company use the information it collects?
- Does the company share the information it collects with others, and if so, what is shared and with whom is the information shared?
- Do customers have control over their personal data, and if so, what control do they have?
For instance, the Children’s Online Privacy Protection Act (COPPA) governs websites or online services that collect personal information from children under the age of 13. Some websites avoid these obligations by discouraging children from using their service altogether: the Tumblr app is now restricted to ages 17 and up in the iTunes store.
The Gramm-Leach-Bliley Act regulates the use and sharing of a person’s financial details by financial institutions, and the Health Insurance Portability and Accountability Act governs privacy in relation to health-care services.
Path, the personal sharing app, was fined $800,000 USD by the FTC for failing to comply with COPPA and because the app stored the names and numbers from the users’ phonebook without a proper disclosure.
2.1.2. Australia
The Privacy Act of 1988 is the law that governs Australia’s data privacy. The act includes several principles for dealing with the personal information of individuals:
- 11 Information Privacy Principles that apply to public sector agencies
- 10 National Privacy Principles that apply to Australia-based businesses when they collect, use and store personal information from Australians
Credit-related information (such as credit reports or creditworthiness) is subject to other specific rules. The Act allows companies to opt in to be covered by the Act.
We make every effort to maintain the highest standards in dealing with personal information in accordance with the Privacy Act 1998 (Cth) and the ADMA Code of Practice (“the Law”).
2.1.3. United Kingdom (UK)
The Data Protection Act 1998 (or, the DPA) is the governing law on data privacy in the United Kingdom.
The Data Protection Act controls how your personal information is used by organisations, businesses or the government – Data protection on GOV.UK
DPA contains strict rules (called principles of data protection) to make sure the data gathered by businesses is being collected, used and stored correctly.
You can find the full text of the law here. The GOV.UK website summarises these principles:
- information is used fairly and lawfully
- information is used for limited, specifically stated purposes
- information is used in a way that is adequate, relevant and not excessive
- information is accurate
- information is kept for no longer than is absolutely necessary
- information is handled according to people’s data protection rights
- information is kept safe and secure
- information is not transferred outside the UK without adequate protection.
Hungryhouse.com Ltd. complies with the principles of the ‘Data Protection Act, 1998’ and is registered with the Information Commissioner’s Office who oversee this act.
2.1.4. Canada
In Canada, the law that governs data privacy is called the Personal Information Protection and Electronic Documents Act (or PIPEDA). You can find the full text of the law here.
The Act applies to businesses that collect, use and store personal information from Canadians during a commercial activity. Exempt from PIPEDA are businesses that are subject to provincial legislation that is deemed substantially similar to PIPEDA “with respect to the collection, use or disclosure of personal information occurring within the respective province”.
Under PIPEDA, personal information is defined as information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization. Under this law, businesses active in Canada are required to:
- get the user’s consent when collecting and using personal information
- collect personal information by fair and lawful means
2.1.5. India
The Information Technology Act 2000 (IT Act 2000) incorporates a few provisions regarding data protection in India. Outside this Act, there are no other dedicated data protection laws in India.
2.1.6. European Union (EU)
Countries in the European Union have their own national law that governs data privacy, but at a European Union level the Directive 95/46/EC or the Data Protection Directive aims to harmonise these data protection laws across the EU member states. You can find the full text of the directive here.
Under this directive, the personal information of users can be collected under strict rules and businesses must respect certain rights of the owners of the personal data.
The names of data privacy laws for various EU member states, per country:
- Switzerland: the Federal Law on Data Protection of 1992
- Denmark: the Act on Processing of Personal Data of 2000
- France: the Data Protection Act of 1978
- Germany: the Federal Data Protection Act of 2001
- Italy: the Data Protection Code of 2003
- Norway: the Personal Data Act of 2000
2.2. Requirements by Third Parties
To run a website, you sometimes use third parties for various purposes: Google Analytics for stats, MailChimp for sending marketing emails and many other tools.
If you use any advertising service from Google on a website or section of a website that is covered by the Children’s Online Privacy Protection Act (COPPA), you are required to notify Google of those specific websites or sections.
For a full list of websites covered by COPPA you can use the following tool: http://www.google.com/webmasters/tools/coppa
If you’re operating a mobile app with Android, use this link: http://developers.google.com/mobile-ads-sdk/docs/admob/best-practices.
This applies to running ads on Facebook as well, even if you do it through a third party like AdRoll. AdRoll is a Facebook Exchange official partner that you can use for retargeting on Facebook.
The California Attorney General announced measures to improve privacy protections for consumers who access the Internet through mobile apps.
OPPA applies to any person or entity that owns a commercial Web site or an online service that “collects and maintains personally identifiable information from a consumer residing in California who uses or visits” such a website or online service.
- A list of the categories of personally identifiable information the operator collects;
- A list of the categories of third-parties with whom the operator may share such personally identifiable information;
- A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information collected by the operator;
It also needs to be written in larger type than the surrounding text, or contrasting type, font or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
MailChimp groups their Privacy and Terms pages into one single link:
oDesk links their legal pages from a footer section called “Company Info” where you can find other links, such as About Us, Contact & Support and so on:
What clauses you need to include depends on the business you run and the governing law, but it also depends on what kind of personal information you collect and how you use that data.
4.1. Personal Information Collected
Remember that personal information is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
The abbreviation PII is widely accepted in the US context, but the phrase it abbreviates has four common variants based on personal / personally and identifiable / identifying. They are not quite all the same, and which one is used depends on the jurisdiction and the purpose for which the term is being used. In other countries with privacy protection laws derived from the OECD privacy principles, the term personal information is more usual. Its definition can be broader in some places than in others.
Personal information should be kept confidential and information is considered personal when it can be used to distinguish or trace an individual’s identity, such as name, social security number etc.
4.2. Cookies
Cookies are small pieces of data that a website sends to a user’s web browser, which stores them while the user is on the website. This means that every time a user browses a website, even if this is several times a day, cookies are sent back and forth between the user’s computer and the website’s server.
There are different types of cookies, such as third-party tracking cookies and authentication cookies. Third-party tracking cookies are commonly used as a way of tracking an individual’s long-term browsing, which can be a potential privacy concern.
Authentication cookies are the most common, as they have essential functions to perform, like recording whether a user is logged in or not.
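As an added example (not from this guide), the following Python script reads Set-Cookie headers observed while loading a page and sorts them into the cookie types described above, so that the privacy page can disclose each kind; the site host, the sample headers and the classification heuristics are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class CookieInfo:
    name: str
    domain: str        # domain the cookie is scoped to
    first_party: bool  # scoped to the site itself rather than another domain
    persistent: bool   # survives the browser session (Expires or Max-Age set)
    http_only: bool    # not readable by page scripts
    secure: bool       # only sent over HTTPS
    kind: str          # "authentication", "third-party tracking" or "first-party"

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name, attrs

def is_first_party(site_host: str, cookie_domain: str) -> bool:
    """A cookie is first-party when its domain is the site host or a parent of it."""
    host, dom = site_host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def classify(site_host: str, header: str) -> CookieInfo:
    name, attrs = parse_set_cookie(header)
    # No Domain attribute means host-only for the server that set it (assumed: the site).
    domain = attrs.get("domain") or site_host
    first_party = is_first_party(site_host, domain)
    persistent = "max-age" in attrs or "expires" in attrs
    # Heuristic labels (an assumption of this example, not a rule from the guide):
    # a persistent cookie for another domain is the long-term tracking case described
    # above; a first-party HttpOnly cookie is typically a login/session cookie.
    if not first_party and persistent:
        kind = "third-party tracking"
    elif first_party and "httponly" in attrs:
        kind = "authentication"
    else:
        kind = "first-party"
    return CookieInfo(name, domain, first_party, persistent,
                      "httponly" in attrs, "secure" in attrs, kind)

def inventory(site_host: str, headers: List[str]) -> Dict[str, List[str]]:
    """Group cookie names by kind: the list the privacy page should disclose."""
    groups: Dict[str, List[str]] = {}
    for header in headers:
        cookie = classify(site_host, header)
        groups.setdefault(cookie.kind, []).append(cookie.name)
    return groups

# Constructed sample headers, as observed while loading a page on www.example.com
# (the third one would come from an embedded advertising resource).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "lang=en; Path=/; Max-Age=2592000",
    "_adtrk=xyz789; Domain=.ads.tracker.test; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure",
]

if __name__ == "__main__":
    print(inventory("www.example.com", SAMPLE_HEADERS))
```

Run against the headers your own pages actually set (for example, copied from the browser's network inspector) and compare the result with what your privacy page currently declares.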
4.3. Children Under 13
The Children’s Online Privacy Protection Act (COPPA) is a US law that applies to operators of commercial web sites and online services that collect personal information from children under the age of 13 and operators of general audience sites with knowledge that they are collecting information from children under the age of 13. It requires that companies establish and maintain procedures to protect the security and integrity of the personal information collected.
COPPA’s rules require those companies to provide the minor’s parents with a notice of their information practices and to obtain verifiable parental consent at the outset, before the minor has a chance to offer up any personal information about themselves. Parents need to be made aware that they have the right to request all the information that has been collected from the child at any time.
Parents also have the opportunity to prevent any future use of personal information that has already been collected by the website, and limit the amount of personal information allowed to be collected on games or other activities.
COPPA is specific for children under the age of 13, but the Federal Trade Commission in the USA suggests that websites who target teenagers should take on these principles as well.
Analyzing how other companies react when bugs are found that impact personal information can also provide a very good starting point for you.
A bug on Flickr made all private photos public. Flickr’s team fixed it by making all users’ photos private by default to prevent any privacy issues.
LinkedIn is a powerful tool that you can use to market yourself and your skills to the world. We offer a LinkedIn Guide that proves just how powerful the social network is (especially for users who take their profile very seriously and make their LinkedIn profile stand out).
Big icons help users navigate the privacy section easily: Introduction, Information Collected, Uses & Sharing of Personal Info, Your Choices & Obligations and Important Information.
An interesting detail from LinkedIn’s privacy page: they tell you that, if you are living in the United States, then the LinkedIn Corporation controls your information, but if you live outside the US, then LinkedIn Ireland controls your information.
500px is “the Premier Photo Community” where you can sign up to upload, share, and discover inspiring photos.
Similar to LinkedIn, they have a summary on the right column called “Basically”.
A “Details of data retention” section in their privacy page details what type of information is being collected, how it is retained and for what purposes.
Terms and Conditions include sections pertaining to user rights and responsibilities, definitions of key words and phrases found within the website, the definition of what the website considers to be proper use of the website, accountability for various online actions users can engage in, limitations of liability clarifying the website’s position on damages, and so on.
In this example, the website collects only one category of personal information from visitors, the email address, and then discloses how it is used: to improve the website or service provided to users.
What We Collect
[Business Name] collects the following information:
- Contact information, including email address
What We Do With The Information We Gather
[Business Name] requires this information to better understand your needs and provide you with a better service, and in particular for the following reasons:
- Internal record keeping;
- We may use the information to improve our products and services.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
A cookie is a small file that asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Links to Other Websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information that you provide whilst visiting such sites and such sites are not governed by this privacy statement.
You should exercise caution and look at the privacy statement applicable to the website in question.
The Center for Democracy & Technology recently praised Apple for its new privacy settings in iOS 6, stating that:
Apple’s decision to incorporate these substantial pro-privacy elements into iOS 6, allowing users to finally control how their data gets shared with specific apps, and to more easily express a desire not to be tracked by marketers.
Commonly agreed best practices for privacy policies include the following:
- Making sure a link to your privacy page is on the main page of your website.
- It should be offset in a different colour than the website background, so as to be easily identifiable.
- It should be concise and streamlined to the specific needs of the company.
Also remember to take note of how companies react to bugs that affect personal information of their user base.
It’s not helpful, nor recommended, to obscure text or try to be less than forthright about what your website does with personal information.