SaaS in the US vs UK

Privacy is very important to users, and staying in line with the law is crucial in protecting customer data as well as building trust with your users.

This is especially true for SaaS apps.

However, there will be major differences in what you need to cover in your Privacy Policy agreement, depending on where you are based and where your customers are based.

When you compare SaaS apps in the US and in the UK, and the Privacy Policies they require, there are critical differences in the local laws that you need to be aware of.

What's the law

Let's take a look at the law in the US and the UK, and what this means for this type of legal agreement.

UK law

First, we'll look at UK law.

UK law is currently covered in the Data Protection Act 1998. This law is informed by and related to the EU Data Protection Directive, which sets out data protection principles that EU countries should follow.

The UK data protection law puts this EU Directive into force in the UK by setting out that data collectors in the UK must abide by the following principles:

  • Personal data shall be processed fairly and lawfully
  • Personal data shall be obtained only for specified and lawful purposes
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose
  • Personal data shall be accurate and kept up to date
  • Personal data shall not be kept for longer than is necessary
  • Appropriate technical and organizational measures shall be taken to protect the data
  • Personal data shall not be transferred outside the European Economic Area unless the country it is being transferred to ensures an adequate level of protection for the rights of data subjects in relation to the processing of the data.

US law

In contrast, US law is patchy at best, with no overarching data privacy law at a federal level.

The US has legislation covering children's privacy online (The Children's Online Privacy Protection Act), and the privacy and protection of health information (The Health Insurance Portability and Accountability Act), but the most comprehensive general data protection law in the US is a state law.

This law is called the California Online Privacy Protection Act (CalOPPA) (Business and Professions Code 22575-22579).

CalOPPA requires that you tell your users:

  • The kinds of information your website or online marketing tactics collect
  • How the information may be shared
  • The process your customers can follow to review and change the information you have on them
  • The policy's effective date and a description of any changes since then

CalOPPA also requires that this legal agreement must be displayed prominently.

The legal agreement for SaaS apps

A Privacy Policy is required by law. The content of your Privacy Policy agreement for your SaaS app will depend on what countries your users are from and where you are based.

In the US, CalOPPA applies to operators of commercial websites or online services that collect "personally identifiable information through the Internet about individual consumers residing in California".

An "online service" can be anything that collects personal information from online users:

  • Websites
  • Ecommerce websites
  • Mobile apps (iOS, Android, Windows)
  • Desktop apps (Windows, Mac OS X)
  • Facebook apps
  • Including SaaS apps!

This means that if there's a possibility you could have customers from California using the SaaS app you're developing, you should take care to comply with CalOPPA.

You may also need to include a California Privacy Notice on your website. Here's an example from Disney of what this notice should look like:

Disney: Your California Privacy Rights Notice

The full Privacy Policy agreement of Disney covers more of the requirements of CalOPPA:

Screenshot of Disney Privacy Policy

Now let's take a look at the UK.

The UK Data Protection Act 1998 applies to "data controllers" established in the UK.

"Established" includes individuals, bodies corporate, partnerships, or businesses that have an office, branch, or regular practice in the UK.

Data controllers are those people who determine which personal data will be processed and for what purpose (i.e. you, the SaaS app developer, determining that certain personal data will be collected and processed by your app).

This means that if you are "established" in the UK, you will need to comply with the Data Protection Act principles.

Given that UK and EU law are more rigorous, the Privacy Policy agreement for your SaaS app will need to include a wider range of information, including:

  • The fact that you are collecting personal information about your users
  • What type of information you are collecting
  • What the information will be used for and how
  • Who you may share that information with
  • How the user can update and change their information
  • How long the information may be kept for
  • A section covering amendments to the Privacy Policy

Some of the key clauses that you will need in this type of legal agreement are displayed in this example from BBC:

BBC: How we use your information

You can see more clauses covered in the full Privacy Policy agreement of BBC.

Similarities between US and UK

Despite these major differences, there are similarities in how your legal agreement should be dealt with in either jurisdiction. The main similarity between jurisdictions is not what's in your Privacy Policy, but how you gain agreement to it.

For SaaS apps (though this applies equally to mobile apps, simple websites, and so on), you need to ensure that your Privacy Policy agreement is actively agreed to by your customers.

Many apps use links within the app for users to find the legal agreement. This is called browsewrap.

Browsewrap has been held by most courts as not legally enforceable, unless the link to the legal agreement is displayed prominently and frequently.

Your users must have "actual or constructive knowledge", which means you can't hide it away somewhere. They must both know that it exists and agree to it clearly.

Here's an example of what a typical browsewrap approach might look like in a SaaS app, from YouTube's iOS app:

YouTube iOS App: Full Screen Showing Privacy Section

You can see that the link to Google's Privacy Policy is at the bottom of the menu, within the "Settings" menu. So the user has to browse the app to find the agreement and read it.

It can be difficult to display the links to your legal documents clearly and easily on a small screen, without sacrificing important design features of the app.

The best way (both from a design perspective and a legal perspective) is to include a legal agreement pop-up, or a stage of installation, when the user first opens the app. This is called clickwrap, which has long been held to be legally enforceable.

When you create that pop-up for your SaaS app, include check boxes or buttons where users can tick or click an "I agree" check box or button, and ensure that each agreement is linked to, or displayed in full, in the pop-up.

Here's a great example of what this should look like, from Samsung:

Mobile App of Samsung Account: Accept or Decline Terms & Conditions

Here's another example, from Apple ID:

iOS: Agree to Terms and Conditions by Apple

Here, the examples of how the pop-up is used and how the "Agree" button is used are a good start for a clickwrap best practice. What's missing, however, is that the Terms and Conditions and the Privacy Policy agreement should have been hyperlinked within the pop-up, or displayed in full text.

Here's how Airbnb displayed its Terms of Service in full text in its mobile app when the company updated this legal agreement:

AirBnb Updates Terms on iOS App

The main difference between UK and US law is that the UK law is based on EU regulations, which are stricter and more extensive. US law is significantly weaker but has specific requirements for California.

They are overall very different, but if you are based in the UK and have customers from the US, you will need to cover both jurisdictions' requirements in your Privacy Policy.

Even if you only have a branch office in the UK, remember that you will need to comply with the UK Data Protection Act.

Once you've drafted up your Privacy Policy agreement to include the terms you need to comply with the law, make sure you use a clickwrap method to gain agreement to it.