But why are you required to do so, and which specific laws require this?
In this article, we'll take a closer look at why Privacy Policies are required by law. We will look at various privacy laws within the US and around the world.
Before we do that, let's quickly review what Privacy Policies are and why you need them.
Privacy Policies are required by law because in collecting personal information from your visitors, users, customers, and clients, you assume responsibility for protecting their privacy.
But what kind of information is protected by law and what are your legal obligations?
Personally identifiable information is data that can identify a person, such as a government ID number, email address, phone number or billing details.
Let's look at a few of them.
These laws regulate what information businesses must disclose in their Privacy Policies.
However, according to the FTC's guidelines, it should be written in easy-to-understand language and not in confusing legalese.
In January of 2012, the European Commission unveiled a draft of the European General Data Protection Regulation (GDPR) that supersedes the original Data Protection Directive. Its main purpose is to strengthen and unify the processes involving data collected from individuals within the European Union.
The GDPR became enforceable on May 25, 2018.
The Organization for Economic Cooperation and Development (OECD) issued guidelines for protecting consumers' personal data, which include notifying users when their data is being collected, collecting data only for the stated purpose, not disclosing the data without the user's consent, and other ways to protect consumers.
The federal privacy law in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). Its main purpose is to govern the collection, use and disclosure of personal information collected from Canadian citizens.
By complying with the law, businesses agree to collect, use, and disclose the amount of information that a reasonable person would consider to be appropriate.
What this means is that PIPEDA requires companies to get their users' consent before they can collect, use, or disclose their personal information. Whatever information they do collect can only be used for the stated purposes it was collected for.
PIPEDA applies to businesses conducting commercial activities, including online transactions and selling services and membership plans.
What's more, PIPEDA authorizes the Privacy Commissioner of Canada to handle any complaints that anyone (individual, institutional, or business) files against organizations that fail to comply with the act.
The Privacy Act lays out several different privacy rights that govern what information is being collected, why it's being collected, how it will be stored, and to whom it can be disclosed.
According to the Privacy Act, only information that is relevant to the company's functions can be collected from consumers. When that information is collected, Australians have the right to know why it's being collected and who will see it.
Entities that are responsible for storing the information must ensure it isn't lost or exploited. Additionally, Australians are given the right to access their personal information unless it's specifically prohibited by law.
Altogether, Australia's Privacy Act contains 13 principles pertaining to user privacy that detail how covered organizations (organizations with an annual gross income of over $3 million) are required to handle personal information.
The Data Protection Act is a United Kingdom Act of Parliament designed to protect users' personal data whether it's stored on computers or paper filing systems. It follows closely in line with the European Union's Data Protection Directive.
The Data Protection Act is comprised of eight data protection principles:
It goes on to explain the different provisions your Policy should include, such as notifying visitors that you're using cookies to collect data and that you're using Google Analytics which collects and processes data on its own.
You're also required to provide clear information about how cookies and other information are stored and accessed on user devices in cases where the activity is related to the services offered by Google Analytics.
Furthermore, your visitors must give consent to let you store and access these cookies.
In addition to this, Google also gives you the responsibility of making sure your visitors give consent to the storing and accessing of all of the above-mentioned data.
It also states that your app can only use the collected information for the purposes you stated at the time of securing the user's consent. Also, if you're storing any of the information that you collect through your app, you must store it securely and only for as long as you need it.
If your website/mobile app collects personal information from users, you need to be aware of: