This article explores everything you need to know about privacy policies and the laws you must comply with in writing your own.
Privacy policies should also contain information about why you collect personal information and how they can opt-out of giving their personal information.
You will also need to state how and when you or your users can delete their personal information.
Your privacy policies must be written in clear language that anyone can understand and should be easily accessible to everyone visiting your website or app.
Privacy policies are required for online businesses, especially if you collect personal information, regardless of its nature.
So if your website is also working with other third-party services and tools, like Google Analytics suites, payment processing tools, advertising services, etc., those have different requirements for privacy policies.
Additionally, suppose your company website collects sensitive or personal information from anyone under 13 years old.
In that case, you will be asked to comply with more requirements before you are allowed to collect that information.
What needs to be included in your website’s data privacy policies will depend on the nature of your website, the type of information collected, the third-party services and tools you use, and more.
How Do Privacy Policies Work in the United States?
In the U.S., no single data protection act or federal law governs how online services should handle how they collect data.
Instead, it depends on the nature of the personal data collected and the nature of your website.
You will follow a mix of applicable laws regulated by the Federal trade commission that is appropriate for your specific circumstances.
Let’s look at some privacy laws in place:
- Health Insurance Portability and Accountability Act (HIPAA) – It is what healthcare service providers need to comply with. It protects sensitive information about patient health from leaking without the patient’s consent.
- Children’s Online Privacy Protection Rule (COPPA) – This limits the collection of personal data from children under 13 years old.
- Gramm-Leach-Bliley Act (GLBA) – This privacy act requires financial institutions to disclose how they use the data they collect from their users.
There are also some other state laws you might have to be subject to, depending on your location.
For instance, California’s privacy law, the California Online Consumer Protection Act of 2003, is a more comprehensive privacy act similar to the EU’s GDRP.
It is a privacy law that requires businesses to have privacy policies on their website if it collects personal information from California residents.
So you will have to comply with its additional legal obligations if your website has visitors from California.
How Do Privacy Policies Work in the European Union?
The European Union also has its privacy laws, the General Data Protection Regulation (GDPR).
It requires companies involved with collecting data to ask their users to provide explicit consent to give out their personally identifiable information.
Then, it also gives the user their right to access, delete, or control how the e-commerce store uses or processes data.
Compared to what we use in the U.S., which is a mix of different laws depending on the nature of the data collection, the GDPR is a single law that covers all user privacy data.
The GDPR also covers the privacy laws of all the citizens of the EU.
This means that if your website or app collects personal information from any EU citizen.
Your website has to comply with the GDPR privacy laws, even if your website or business does not operate in the EU.
The GDPR privacy law has much more comprehensive protection for personally identifiable information than the U.S. has on data protection.
It is known to set the global standard of privacy laws.
How Do Privacy Policies Work in Other Countries?
Let’s take a look at how Australia and Canada do it and how it’s different:
Australia’s privacy act still follows the Privacy Act of 1988, which covers the handling and collecting personal information of the personal data of individuals.
This Privacy Act governs both private businesses and the federal public.
Recently, they have reviewed and revised it to include the online privacy protection act to strengthen the existing Privacy Act.
It is what governs social media and other online services and introduces stronger legal protections and increased penalties for non-compliance.
According to Australia’s Privacy Act, businesses can only collect information that is relevant to them.
Users have the right to know exactly what information is being collected, why it is being collected, and who will be able to access that information.
Individuals are also given the right to access their data, and businesses are prohibited from losing or exploiting the collected personal data.
In Canada, businesses follow the Personal Information Protection and Electronic Documents Act (PIPEDA) enforced by the Privacy Commissioner of Canada.
It governs how businesses are handling and collecting personal information from individuals.
Like the GDRP, the PIPEDA requires businesses to ask their users for consent before giving out their data, and the website can only use the collected data for the purposes it was collected for.
It governs private and federally-regulated businesses to ensure that all personal data they collect is processed fairly.
Additionally, the PIPEDA allows Canadian citizens to file complaints about businesses and websites that fail to comply with the said accountability act to the Privacy Commissioner of Canada.
Additionally, suppose your website does not collect personal information, but you use tools that involve third parties that gather personal data.
In that case, you will need to inform your users of the details of data transfers and how these third parties will use their data.
Third parties like Google Analytics, Google AdSense, and payment processing apps collect personal data, so you must communicate that to your users to avoid legal issues.
Meanwhile, if your website does not work with third parties that gather personal data, you will need to state and explain this through a privacy notice.
- Name of your business and owner contact information – If there is anything your users want to know about the data you gather about them, they need to be able to contact you.
- What data is being collected, and how do you collect it? – Does it include their phone numbers, physical address, and IP addresses? Do you collect this data when they comment on your blog, purchase an item, or sign up for your newsletter? All the methods you use to collect their data should also be disclosed.
- Why do you collect their data, and what do you use it for? – Of course, you must also tell your users WHY you collect their data and how you will use it. Is it for personalized advertising? For you to deliver their purchase through their shipping address? Is it to respond to their inquiries through text messages?
- How can you notify them of updates or changes in your data protection policy? – Will you email them or send them a message? You will need to disclose this process as well.
- Third-party sharing – Your data protection policy should also explain how you share your user’s information with third-party services and app stores like Google Analytics, Google Adsense, etc.
- Third-party requirements – Apps and plugins like Google analytics usually have their own on what you need to include in your privacy policies, so you need to check the plugins you use on your website one by one and take their third-party requirements into account when you make your own.
- How can users opt out of getting their data collected? – You will also need to explain the process of how they can do this. The process also needs to be an easy one, something that’s not too much of a hassle to do, like hitting the unsubscribe button on their email newsletters.
- In obtaining your user’s consent to gather their personal information, avoid using pre-ticked boxes that default consent. It MUST require an active, positive opt-in.
In short, you need to state in your data protection policy what kind of information you collect, how you obtain it, what you do with it, and to whom you send it.
Additionally, what those third-party services do with it, and how they can correct or remove it from your database.
How Can You Make Good Privacy Policies?
As mentioned earlier, good privacy policies must be written in clear language and easy to read format that anyone visiting your website can understand.
This means no legalese or overly complicated words!
Here are the basics:
- Limit data collection – Ensure that you are only taking the information you need from your users, nothing more. Additionally, the less personal information you have on your users, the less your scope of compliance is.
- Always be transparent – Consumers have the right to know what data you are gathering from them and what you will do with it, so make sure they are always up to date with this information. Being transparent also builds consumer trust, boosting your company’s branding.
- Maintain data inventory – To ensure that all the data you collect is handled and stored properly, you need to have a system of classifying and storing that data. This makes installing the necessary security measures and ensuring data protection easier.
Frequently Asked Questions (FAQs)
More questions about the privacy policies before you make your own? We’ve got your back!
Yes, you can even make one without a lawyer!
Can I Copy Someone Else’s Privacy Policies?
Additionally, you will probably have different privacy practices like your competitors, even if you all belong to the same field, no matter how similar you are.
What the law requires of them may not apply to you.
However, different state and international laws will require you to do so if any of their residents interact with your website or app.
Privacy policies are usually placed in the footer of websites, on the same webpage where consumers submit their personal information to be collected.
And that’s all we have for privacy policies!
Whether you collect personal information, privacy policies are essential for every website or app.
The U.S. has no single federal law governing privacy policies.
Instead, we have a patchwork of different acts depending on the nature of the data you collect, so you need to write your own that works for you.
And if any EU citizen interacts with your website, you will also be subject to compliance with their GDRP.
And by writing a thoroughly detailed, easy-to-read, accessible policy, you’ll have no problems complying with all the necessary privacy laws!