Privacy Policy Is Required by Law

You may be aware that if you're collecting some form of personal data from your customers, clients, or end users, then you're required by law to post a Privacy Policy on your site.

But why are you required to do so, and which specific laws require this?

In this article, we'll take a closer look at why Privacy Policies are required by law. We will look at various privacy laws within the US and around the world.

We'll also look at the agreements of some popular online services you may be using that require you to post a Privacy Policy as part of their Terms of Use.

Before we do that, let's quickly review what Privacy Policies are and why you need them.

What Are Privacy Policies?

If you're collecting any kind of personal information from your users through your site or mobile app, you need a Privacy Policy. A Privacy Policy is an agreement that covers the ways a business collects, handles and uses (or intends to use) its users' personal information.

Privacy Policies are required by law because in collecting personal information from your visitors, users, customers, and clients, you assume responsibility for protecting their privacy.

But what kind of information is protected by law and what are your legal obligations?

Personally identifiable information is data that can identify a person, such as a government ID number, email address, phone number or billing details.

For this reason, a number of countries around the world have privacy laws that require you to have a Privacy Policy agreement if you collect personal information from their citizens.

Additionally, some third-party services - like Google Analytics - also require you to have a Privacy Policy because they collect personal information through your website when you use their services.

At minimum, your Privacy Policy agreement should include clauses that detail what personal or sensitive information you collect, how you collect it, how you intend to use that information, and whether you will disclose some or all of that information to any third parties.

Now that you have a solid overview of what a Privacy Policy is, the types of information it deals with, and why it's required by law, let's take a look at some different privacy laws from around the world that require you to have a Privacy Policy agreement.

Privacy Policies in the United States

In the United States, there isn't a federal law that requires businesses to have a Privacy Policy. Instead, a number of existing federal laws govern Privacy Policies for specific circumstances.

Let's look at a few of them.

  • Children's Online Privacy Protection Act (COPPA) - COPPA requires that websites that collect information from children have a Privacy Policy. (Screenshot: Walt Disney Children's Online Privacy Policy, COPPA clause)
  • Gramm-Leach-Bliley Act - Institutions engaged in the financial sector are required by this act to provide accurate and clear statements about how they share information.
  • Health Insurance Portability and Accountability Act (HIPAA) - The rules of this act require health care service providers to give notice in writing of their privacy practices.

Some states have their own rules and regulations regarding Privacy Policies. For instance, in its Business and Professions Code, the California Online Privacy Protection Act (CalOPPA) requires commercial websites and online services to post a Privacy Policy if they're collecting any kind of personally identifiable information from California residents.

Simply put, the United States has several laws in place - at both the federal and state levels - that require you to have and enforce a Privacy Policy if you collect/use personal data. Many of these laws are regulated by the Federal Trade Commission (FTC) and require specific clauses and provisions for data privacy.

These laws regulate what information businesses must disclose in their Privacy Policies.

Generally speaking, your Privacy Policy should cover:

  • What information you collect and how it's collected
  • The measures you take to protect that information
  • How you use the information you collect
  • Whether you share that information with any third parties and if so, what you share and with which third parties
  • The consumers' rights regarding their personal data

Based on the nature of your business, the types of data you collect, and who you collect that data from, your Privacy Policy could be extensive.

However, according to the FTC's guidelines, it should be written in easy-to-understand language and not in confusing legalese.

Privacy Policies in the European Union

In the European Union, the Data Protection Directive oversees the processing of personal data and requires businesses operating from the European Union to post a Privacy Policy on their websites.

In January of 2012, the European Commission unveiled a draft of the European General Data Protection Regulation (GDPR) that supersedes the original Data Protection Directive. Its main purpose is to strengthen and unify the processes involving data collected from individuals within the European Union.

The GDPR became enforceable on May 25, 2018.

The Organization for Economic Cooperation and Development (OECD) issued guidelines for protecting consumers' personal data, which includes notifying users when their data is being collected, collecting data only for the stated purpose, not disclosing the data without the user's consent, and other ways to protect consumers.

Privacy Policies in Canada

The federal privacy law in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). Its main purpose is to govern the collection, use and disclosure of personal information collected from Canadian citizens.

By complying with the law, businesses agree to collect, use, and disclose the amount of information that a reasonable person would consider to be appropriate.

What this means is that PIPEDA requires companies to get their users' consent before they can collect, use, or disclose their personal information. Whatever information they do collect can only be used for the stated purposes it was collected for.

PIPEDA applies to businesses conducting commercial activities, including online transactions and selling services and membership plans.

What's more, PIPEDA authorizes the Privacy Commissioner of Canada to handle any complaints that anyone (individual, institutional, or business) files against organizations that fail to comply with the act.

Privacy Policies in Australia

Australia's Privacy Act of 1988 establishes the legal framework for data privacy and requires companies operating in Australia to post a Privacy Policy on their websites.

The Privacy Act lays out several different privacy rights that govern what information is being collected, why it's being collected, how it will be stored, and with whom it can be disclosed.

According to the Privacy Act, only information that is relevant to the company's functions can be collected from consumers. When that information is collected, Australians have the right to know why it's being collected and who will see it.

Entities that are responsible for storing the information must ensure it isn't lost or exploited. Additionally, Australians are given the right to access their personal information unless it's specifically prohibited by law.

Altogether, Australia's Privacy Act contains 13 principles pertaining to user privacy that detail how covered organizations (organizations with an annual gross income of over $3 million) are required to handle personal information.

Privacy Policies in the United Kingdom

The Data Protection Act is a United Kingdom Act of Parliament designed to protect users' personal data whether it's stored on computers or paper filing systems. It follows closely in line with the European Union's Data Protection Directive.

The Data Protection Act comprises eight data protection principles:

  1. Personal data is processed fairly and lawfully.
  2. It is only obtained for specified, lawful purposes.
  3. The data is adequate, relevant, and not excessive for the purpose for which it was collected.
  4. The data is accurate and up to date.
  5. The data will not be kept for longer than is necessary.
  6. Personal data is processed in compliance with the rights of the users.
  7. Appropriate measures are taken against unlawful data processing.
  8. The personal data cannot be transferred to a country outside the European Economic Area unless that country guarantees an adequate level of protection of personal data.

Privacy Policies Required by Third Parties

Privacy Policies aren't only required by federal, state, or country law. In some cases, third-party services you use to enhance your site or provide performance/analytical data will also require you to post a Privacy Policy on your website for their protection.

What this means is that if you're not required by law to have a Privacy Policy published on your site, for example, because you're not knowingly collecting any form of personal user data, third-party services may still require you to post one in order to use their services.

Google Analytics


Google Analytics is a great example of a third-party service that requires you to have a Privacy Policy even if you're running a simple website that doesn't collect any personal data from users.

In its Terms of Service agreement, it says you will need to have an appropriate Privacy Policy and abide by it.

(Screenshot: Google Analytics Terms of Service, Privacy clause)

It goes on to explain the different provisions your Policy should include, such as notifying visitors that you're using cookies to collect data and that you're using Google Analytics which collects and processes data on its own.

You're also required to provide clear information about how cookies and other information are stored and accessed on user devices in cases where the activity is related to the services offered by Google Analytics.

Furthermore, your visitors must give consent to let you store and access these cookies.

Google AdSense


In the Google AdSense Terms of Service agreement, Google states that you're required to publish a clearly labeled and easily accessible Privacy Policy on your website at all times while using the AdSense services.

(Screenshot: Google AdSense Terms of Service, Privacy clause updated for 2018)

The Privacy Policy should contain information about how your site and Google AdSense use:

  • Cookies
  • Device-specific information
  • Location information
  • Information stored on, accessed on, or collected from users' devices in relation to AdSense

In addition to this, Google also gives you the responsibility of making sure your visitors give consent to the storing and accessing of all of the above-mentioned data.

Apple App Store


If your mobile app collects user data and you want to distribute the app in the Apple App Store, you'll need to have a Privacy Policy. Apple's App Store Review Guidelines contain a Data Collection and Storage clause that requires you to have a Privacy Policy.

(Screenshot: Apple App Store Review Guidelines, Data Collection and Storage: Privacy Policies clause)

Google Play


The Google Play Developer Distribution Agreement requires you to protect the privacy and legal rights of users if you use Google Play to publish your app. This means that you're required to post a legally binding Privacy Policy that informs users of the information you're collecting and that protects their personal data.

(Screenshot: Google Play Developer Distribution Agreement, Privacy Policy requirement clause)

It also states that your app can only use the collected information for the purposes you stated at the time of securing the user's consent. Also, if you're storing any of the information that you collect through your app, you must store it securely and only for as long as you need it.

If your website/mobile app collects personal information from users, you need to be aware of:

  • Privacy laws and Privacy Policy requirements in your jurisdiction and others where you operate
  • Privacy Policy requirements of third-party services your website/app uses
  • Privacy Policy requirements of any app store you use to distribute your app

With all of these principles in mind, you should be ready to review your current Privacy Policy for needed updates, or create your first Privacy Policy for your website or mobile app.