Privacy is very important to users, and staying in line with the law is crucial in protecting customer data as well as building trust with your users.
This is especially true for SaaS apps.
When comparing SaaS apps in the US and in the UK and their Privacy Policies, there are critical differences in the local laws that you need to be aware of.
Let's take a look at the law in the US and the UK, and what this means for this type of legal agreement.
First, we'll look at UK law.
UK law is currently covered in the Data Protection Act 1998. This law is informed by and related to the EU Data Protection Directive, which sets out data protection principles that EU countries should follow.
The UK data protection law puts this EU Directive into force in the UK by setting out that data collectors in the UK must abide by the following principles:
In contrast, US law is patchy at best, with no overarching data privacy law at a federal level.
The US has legislation covering children's privacy online (The Children's Online Privacy Protection Act), and the privacy and protection of health information (The Health Insurance Portability and Accountability Act), but the most comprehensive general data protection law in the US is a state law.
This law is called the California Online Privacy Protection Act (CalOPPA) (Business and Professions Code 22575-22579).
CalOPPA requires that you tell your users:
CalOPPA also requires that this legal agreement must be displayed prominently.
In the US, CalOPPA applies to operators of commercial websites or online services that collect "personally identifiable information through the Internet about individual consumers residing in California".
An "online service" can be anything that collects personal information from online users:
This means that if there's a possibility you could have customers from California using the SaaS app you're developing, you should take care to comply with CalOPPA.
You may also need to include a California Privacy Notice on your website. Here's an example from Disney of what this notice should look like:
Now let's take a look at the UK.
The UK Data Protection Act 1998 applies to "data controllers" established in the UK.
"Established" includes individuals, bodies corporate, partnerships, or businesses that have an office, branch, or regular practice in the UK.
Data controllers are those people who determine which personal data will be processed and for what purpose (i.e. you, the SaaS app developer, determining that certain personal data will be collected and processed by your app).
This means that if you are "established" in the UK, you will need to comply with the Data Protection Act principles.
Some of the key clauses that you will need in this type of legal agreement are displayed in this example from BBC:
Many apps use links within the app for users to find the legal agreement. This is called browsewrap.
Browsewrap has been held by most courts as not legally enforceable, unless the link to the legal agreement is displayed prominently and frequently.
Your users must have "actual or constructive knowledge", which means you can't hide it away somewhere. They must both know that it exists and agree to it clearly.
Here's an example of what a typical browsewrap approach might look like in a SaaS app, from YouTube's iOS app:
It can be difficult to display the links to your legal documents clearly and easily on a small screen, without sacrificing important design features of the app.
The best way (both from a design perspective and a legal perspective) is to include a legal agreement pop-up, or an installation step, when the user first opens the app. This is called clickwrap, which has long been held to be legally enforceable.
When you create that pop-up for your SaaS app, include an "I agree" check box or button that users must tick or click, and ensure that each agreement is linked to or displayed in full in the pop-up.
Here's a great example of what this should look like, from Samsung:
Here's another example, from Apple ID:
Here's how Airbnb displayed its Terms of Service in full text on their mobile app when this legal agreement was updated by the company:
The main difference between UK and US law is that the UK law is based on EU regulations, which are stricter and more extensive. US law is significantly weaker, but California imposes specific requirements.
Even if you only have a branch office in the UK, remember that you will need to comply with the UK Data Protection Act.