You may be aware that if you're collecting some form of personal data from your customers, clients, or end users, then you're required by law to post a Privacy Policy on your site.
But why are you required to do so, and which specific laws require this?
In this article, we'll take a closer look at why Privacy Policies are required by law. We will look at various privacy laws within the US and around the world.
We'll also look at the agreements of some popular online services you may be using that require you to post a Privacy Policy as part of their Terms of Use.
Before we do that, let's quickly review what Privacy Policies are and why you need them.
If you're collecting any kind of personal information from your users through your site or mobile app, you need a Privacy Policy. A Privacy Policy is an agreement that covers the ways a business collects, handles and uses (or intends to use) its users' personal information.
Privacy Policies are required by law because in collecting personal information from your visitors, users, customers, and clients, you assume responsibility for protecting their privacy.
But what kind of information is protected by law and what are your legal obligations?
Personally identifiable information is data that can identify a person, on its own or in combination with other data, such as a government ID number, email address, phone number or billing details.
For this reason, a number of countries around the world have privacy laws that require you to have a Privacy Policy agreement if you collect personal information from their citizens.
Additionally, some third-party services - like Google Analytics - also require you to have a Privacy Policy because they collect personal information through your website when you use their services.
At minimum, your Privacy Policy agreement should include clauses that detail what personal or sensitive information you collect, how you collect it, how you intend to use that information, and whether you will disclose some or all of that information to any third parties.
Now that you have a solid overview of what a Privacy Policy is, the types of information it deals with, and why it's required by law, let's take a look at some different privacy laws from around the world that require you to have a Privacy Policy agreement.
In the United States, there isn't a federal law that requires businesses to have a Privacy Policy. Instead, a number of existing federal laws govern Privacy Policies for specific circumstances.
Let's look at a few of them.
Children's Online Privacy Protection Act (COPPA) - COPPA requires that websites and online services directed at children under 13, or that knowingly collect personal information from children under 13, have a Privacy Policy and obtain verifiable parental consent before collecting that information.
Some states have their own rules and regulations regarding Privacy Policies. For instance, the California Online Privacy Protection Act (CalOPPA), part of the California Business and Professions Code, requires operators of commercial websites and online services that collect any kind of personally identifiable information from California residents to conspicuously post a Privacy Policy, regardless of where the operator is located.
Simply put, the United States has several laws in place - at both the federal and state levels - that require you to have and follow a Privacy Policy if you collect or use personal data. Many of these laws are enforced by the Federal Trade Commission (FTC), which also treats failing to honor your own published policy as a deceptive practice, and they require specific clauses and provisions for data privacy.
These laws regulate what information businesses must disclose in their Privacy Policies.
Generally speaking, your Privacy Policy should cover:
Based on the nature of your business, the types of data you collect, and who you collect that data from, your Privacy Policy could be extensive.
However, according to the FTC's guidelines, it should be written in easy-to-understand language and not in confusing legalese.
In the European Union, the Data Protection Directive (95/46/EC) governed the processing of personal data until 2018. It required businesses operating in the European Union to inform individuals about how their personal data is processed, which in practice meant posting a Privacy Policy on their websites.
In January of 2012, the European Commission unveiled a draft of the General Data Protection Regulation (GDPR), which superseded the original Data Protection Directive. Its main purpose is to strengthen and unify the rules for processing personal data of individuals within the European Union. Unlike the Directive, it applies as a regulation directly in every member state, and it also reaches organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
The GDPR became enforceable on May 25, 2018.
The Organization for Economic Cooperation and Development (OECD) issued non-binding guidelines for protecting consumers' personal data (the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, first published in 1980 and revised in 2013). They include notifying users when their data is being collected, collecting data only for the stated purpose, not disclosing the data without the user's consent, and other ways to protect consumers, and many national privacy laws are modelled on them.
The federal privacy law in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). Its main purpose is to govern the collection, use and disclosure of personal information in the course of commercial activities in Canada.
Under the act, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
This means that PIPEDA requires companies to get their users' consent before they can collect, use, or disclose their personal information. Whatever information they do collect can only be used for the stated purposes it was collected for.
PIPEDA applies to businesses conducting commercial activities, including online transactions and selling services and membership plans.
PIPEDA also authorizes the Privacy Commissioner of Canada to handle any complaints that anyone (individual, institutional, or business) files against organizations that fail to comply with the act.
Australia's Privacy Act 1988 establishes the legal framework for data privacy and requires covered organizations operating in Australia to have a clearly expressed and up-to-date Privacy Policy, which in practice means posting it on their websites.
The Privacy Act lays out the Australian Privacy Principles (APPs), which govern what information is being collected, why it's being collected, how it will be stored, and with whom it can be disclosed.
According to the Privacy Act, only information that is relevant to the company's functions can be collected from consumers. When that information is collected, Australians have the right to know why it's being collected and who will see it.
Entities that are responsible for storing the information must ensure it isn't lost or exploited. Additionally, Australians are given the right to access their personal information unless it's specifically prohibited by law.
Altogether, Australia's Privacy Act contains 13 Australian Privacy Principles that detail how covered organizations are required to handle personal information. Covered organizations are, broadly, businesses with an annual turnover of more than AUD 3 million, together with some smaller businesses such as private health service providers and businesses that trade in personal information.
The Data Protection Act 1998 is a United Kingdom Act of Parliament designed to protect users' personal data whether it's stored on computers or in paper filing systems. It implemented the European Union's Data Protection Directive in UK law and has since been replaced by the Data Protection Act 2018, which operates alongside the GDPR (now the UK GDPR).
The Data Protection Act 1998 set out eight data protection principles:
Privacy Policies aren't only required by national, federal, or state law. In some cases, third-party services you use to enhance your site or provide performance or analytical data will also require you to post a Privacy Policy on your website for their own protection.
This means that even if the law doesn't require you to publish a Privacy Policy on your site (for example, because you're not knowingly collecting any form of personal user data), third-party services may still require you to post one before you can use their services.
Google Analytics is a good example of a third-party service that requires you to have a Privacy Policy even if you're running a simple website that doesn't itself collect any personal data from users, because the Google Analytics script collects data on your behalf.
In its Terms of Service agreement, it says you will need to have an appropriate Privacy Policy and abide by it.
It goes on to explain the different provisions your Policy should include, such as notifying visitors that you're using cookies to collect data and that you're using Google Analytics which collects and processes data on its own.
You're also required to provide clear and comprehensive information about how cookies and other information are stored on and accessed from user devices where that activity occurs in connection with Google Analytics.
Furthermore, your visitors must give consent to the storing and accessing of these cookies, which means the consent has to be obtained before the Google Analytics script runs, not after.
In the Google AdSense Terms of Service agreement, Google states that you're required to publish a clearly labeled and easily accessible Privacy Policy on your website at all times while using the AdSense services.
The Privacy Policy should contain information about how your site and Google AdSense uses:
In addition to this, Google also gives you the responsibility of making sure your visitors give consent to the storing and accessing of all of the above-mentioned data.
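Both the Google Analytics and the AdSense terms described above leave the ordering problem to the site operator: a script that sets or reads cookies must not run until the visitor has consented. The following is an added example of one way to enforce that in the browser. It is not Google's code and not code from the original article; the tag list, the storage key "consent", the policy-version string, the one-year expiry and the script URLs are assumptions for illustration only.

```javascript
// Consent-gated loading of third-party tags (added example; the names, URLs,
// storage key and expiry below are assumptions, not any provider's API).
// Rule: nothing that sets or reads cookies for analytics or advertising runs
// until a stored consent record grants that category. A missing, malformed,
// stale or outdated-version record fails closed and is treated as "denied".

const POLICY_VERSION = "2024-01";                      // bump when the Privacy Policy changes
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;  // ask again after one year
const CATEGORIES = ["analytics", "advertising"];

// Tags this site would load, keyed by the consent category each one needs.
// The URLs are placeholders and are only touched by the injector below.
const THIRD_PARTY_TAGS = [
  { name: "google-analytics", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" },
  { name: "google-adsense", category: "advertising",
    src: "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js" },
];

// Build the record to persist (for example in localStorage) when the visitor
// makes a choice. Every category is recorded explicitly as true or false.
function makeConsentRecord(grantedList, now = Date.now()) {
  const record = { version: POLICY_VERSION, ts: now, granted: {} };
  for (const c of CATEGORIES) record.granted[c] = grantedList.includes(c);
  return JSON.stringify(record);
}

// Parse a stored record and return the set of granted categories.
// Any defect yields an empty set: consent is never inferred from bad data.
function grantedCategories(stored, now = Date.now()) {
  let rec;
  try { rec = JSON.parse(stored); } catch (e) { return new Set(); }
  if (!rec || typeof rec !== "object") return new Set();
  if (rec.version !== POLICY_VERSION) return new Set();        // policy changed: ask again
  if (typeof rec.ts !== "number" || rec.ts > now ||
      now - rec.ts > CONSENT_MAX_AGE_MS) return new Set();      // stale or bogus timestamp
  const out = new Set();
  for (const c of CATEGORIES) {
    if (rec.granted && rec.granted[c] === true) out.add(c);
  }
  return out;
}

// Decide which tags may run. `inject` is called once per permitted tag and is
// the only place a <script> element is ever created. Returns the names loaded.
function loadPermittedTags(stored, inject, now = Date.now()) {
  const granted = grantedCategories(stored, now);
  const loaded = [];
  for (const tag of THIRD_PARTY_TAGS) {
    if (granted.has(tag.category)) {
      inject(tag);
      loaded.push(tag.name);
    }
  }
  return loaded;
}

// Browser injector: appends the tag's script element to <head>.
function domInjector(tag) {
  const s = document.createElement("script");
  s.async = true;
  s.src = tag.src;
  document.head.appendChild(s);
}

// In a page, run once on load; nothing fires without a valid stored record.
if (typeof window !== "undefined" && window.localStorage) {
  loadPermittedTags(window.localStorage.getItem("consent"), domInjector);
}
```

Two design points matter here. First, the default is deny: a visitor who has never answered the consent prompt, or whose record predates the current Privacy Policy version, gets no analytics or advertising script at all, which is the only state that satisfies "consent before storing cookies". Second, consent cannot be un-run: once a tag has executed and set its cookies, withdrawing consent in the record stops future loads but does not delete what the tag already stored, so a withdrawal handler also has to clear those cookies itself.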
If your mobile app collects user data and you want to distribute the app in the Apple App Store, you'll need to have a Privacy Policy. Apple's App Store Review Guidelines contain a Data Collection and Storage clause that requires you to have a Privacy Policy, with a link to it both in your App Store Connect metadata and within the app itself.
The Google Play Developer Distribution Agreement requires you to protect the privacy and legal rights of users if you use Google Play to publish your app. This means that you're required to post a legally binding Privacy Policy that informs users of the information you're collecting and that protects their personal data.
It also states that your app can only use the collected information for the purposes you stated at the time of securing the user's consent. Also, if you're storing any of the information that you collect through your app, you must store it securely and only for as long as you need it.
If your website/mobile app collects personal information from users, you need to be aware of:
With all of these principles in mind, you should be ready to review your current Privacy Policy for needed updates, or create your first Privacy Policy for your website or mobile app.