What is a privacy policy?
A privacy policy is a legal agreement that details what kinds of personal information a website/app gathers from its visitors, how the information is used, and how it’s kept safe.
Examples of personal information include:
- Name
- Date of birth
- Email address
- Billing and shipping address
- Phone number
- Bank details
- Social security number
There are two main reasons for companies to include a privacy policy on their website:
(1) Ensure consumer awareness of privacy
(2) Legal regulation
Now that we have established, the what and the why of privacy policies, we’ll take a look at some specific laws and their requirements.
Privacy laws in the US
The California Online Privacy Protection Act (CalOPPA) is one of the strictest privacy laws currently active in the US and will be until the CCPA goes into effect on January 1, 2020. The CalOPPA affects anyone who collects personal information from California residents, which impacts parties far beyond state borders.
While CalOPPA is strict, it isn’t overly complicated to comply with. Though having a privacy policy is its key requirement.
CalOPPA has standard requirements for privacy policies including:
- Hosting a privacy policy on the company website
- Informing users of what types of information is collected about them
- Details regarding third parties with which personal information is shared
- Stating changes made to a privacy policy
- Explaining how the business responds to “do not track” signals from IP addresses or web browsers
Posting a public privacy policy on a website/app and making it conspicuous and easy to find
CCPA Requirements
The CCPA takes effect on January 1, 2020, and impacts the privacy policy requirements for companies who do business in or with California and its residents.
The CCPA requires that companies, “Disclose the following information in its online privacy policy… and update that information at least once every 12 months: (A) A description of a consumer’s rights pursuant to three sections of the CCPA and one or more designated methods for submitting requests… and a list of the categories of personal information it has collected about consumers in the preceding 12 months.”
At a minimum, the companies impacted by the CCPA will need to include the following information in their privacy policy:
- Consumer rights and choices — how to exercise them
- Description of the method for submitting Data Subject Requests (DSR) for access or deletion
- A link to an opt-out page (for marketing and other communication)
Want to find out more about specific CCPA requirements, including DSARs, information that must be available for users, and other consumer rights? Check out our recent post by privacy expert Sue Poremba on Preparing for CCPA’s Section 2 – Consumer Rights.
GDPR
The GDPR applies to both EU businesses as well as international businesses collecting personal data from users located within the EU. Further, it requires all companies operating in the EU as well as foreign companies that handle the personal data of EU residents to have a privacy policy. This is part of its goal to ensure that personal information is both obtained and processed with respect to user privacy.
If affected by the GDPR, a privacy policy needs to be easily accessible and active consent must be obtained from users before collecting any of their personal data.
The enforcement of the GDPR is much stricter than with previous regulations and carries greater penalties for non-compliance, including fines of up to €20,000,000 or 4% of global revenue.
What to include in a privacy policy?
The content of privacy policies varies from one business to another. However, if a website collects and manages information, there are many standard requirements. A users’ location can impact the company’s privacy policy because of international laws protecting global consumers. As a result, some companies choose to have multiple privacy policies for different regions to cover multiple laws while maintaining a concise policy.
A privacy policy should cover the following points:
- Business name and contact details
- How to opt out of data collection
- The types of information collected by the website/app
- Customer Communication
- Account Information
- Log Files
- Cookies
- User Data
- The purpose of collecting the data
- How the data is processed, shared, or used
- Data storage, security, and access
- Authentication for access to user data
- How long data is stored by the company
- If and how users can access their data (GDPR/CCPA requirements)
- Details of data transfers
- Use of cookies
- Changes to the privacy policy
- Affiliated websites/organizations and subprocessors (optional)
For more information and examples of Privacy Policies, check out our Sweet Sixteen Privacy Policies.