This agreement is required by law if you collect personal data. Personal data is any kind of data or information that can be considered personal (identifies an individual):
- Email address
- First and last name
- Billing and shipping address
- Credit card information
- And so on
In 1968, Council of Europe did studies on the threat of the Internet expansion as they were concerned with the effects of technology on human rights. This lead to the development of policies that were to be developed to protect personal data.
This agreement can also be known under these names:
- Privacy Statement
- Privacy Notice
- Privacy Information
- Privacy Page
- Notice. Data collectors (meaning, you or your company) must make clear what they are doing with the personal information from users before gathering it.
- Choice. The companies collecting the data must respect the choices of users on what information to provide and how personal that provided information will be.
- Access. Users should be able to view or contest the accuracy of personal data collected by the company.
- Security. The companies are entirely responsible for the accuracy and security (keeping it properly away from unauthorized eyes and hands) of the collected personal information.
- Web sites
- WordPress blogs, or any other platforms: Joomla!, Drupal etc.
- E-commerce stores
- Desktop apps
- Digital products.
The “Data Protective Directive” applies to websites or mobile apps that include the use of personal data of users, while the “ePrivacy Directive” applies whenever users’ data is directly or indirectly identifiable to a controller or to a third party.
There are differences between EU’s legislation regarding data safety and other states’ data privacy laws.
They are applicable only to businesses legally operating within the EU territory and to any other organization or company that collects personal data from EU citizens or data that concerns them. There are agreements between the EU and the US to ensure legal compliance with their law differences, such as Safe Harbor.
In the US, there are no overall laws. The U.S. privacy legislation may vary from one state to another. Certain federal laws that govern users’ data in some circumstances, such as in these examples:
- The Gramm-Leach-Bliley Act. The obliges organizations to offer clear and accurate statements about their information collecting practices and it also limits usage and sharing of financial data
- COPPA law. The act is especially for web sites that gather information about children under 13 – any site of this category is legally obliged to adhere to the restrictions implemented by the act.
- Health Insurance Portability and Accountability Act. The act applies to online health services too.
- California Online Privacy Protection Act.
- SOPIPA law. This act applies if you collect personal data from students.
- Content Eraser law. This law applies if you collect data from minors (under the age of 18).
In Canada, there’s the Personal Information Protection and Electronic Documents Act (PIPEDA)generated by federal privacy laws.
This law established acceptable standards to limit and organize personal data gathering, usage, and disclosure by commercial institutions. This means that organizations may gather, use and disclose that percent of information for purposes that a reasonable person would consider fit in the circumstance.
The Privacy Commissioner of Canada stands for receiving and peacefully taking care of complaints against organizations. Its purpose is to solve privacy matters through compliance, not through enforcement. It reaches complaints, spreads the importance of awareness of and conducts studies about privacy issues.
Before you draft this agreement for your business, consider the basic requirements for most online businesses that deal with personal data from users (this includes SaaS apps or Facebook apps as well).
- That the privacy of your users is protected
- That you take full responsibility to protect the privacy of your users
- That you comply with active privacy laws.
- What information you collect from users. “Information” means “personal information”: any kind of information that has the potential to identify a user.
- What will you do with the collected personal information
- With whom you share the collected personal information, i.e. with third-parties
Users need to know what kind personal data you collect from them. It’s best to tell users exactly what data you collect from them and why:
- Contact information, such as email address
- Name, profession and date of birth
- Preferences and interests
- And so on
Your agreement should mention why you collect this kind of data. Generally, the only purpose for collecting personal data from users is to use it and do what’s best for your company and users as well:
- You may use the data gathered to help towards development of new services or improve your existing services
- You may send users emails about special offers, new services or other information that may be interesting for them
- You may use their data to get in touch with them in order to invite them to participate in market research
- Nonetheless, their personal information may be used to personalize their sessions on your website in order to better fit their interests, such as offering them relevant, individually tailored content
If you already have the agreement for your website and you’re now launching a mobile app, you need to first consider what kind of new personal data you collect through the mobile app. Then update your agreement to include the new changes: what you collect from the website and from the mobile app.
You’ll need to disclose if any third parties are involved collecting personal information in your name, i.e. you use MailChimp to collect email addresses to send weekly updates to your members.
A few examples:
- The Information Collection And Use section is the most important section of the entire agreement where you need to inform users what kind of personal information you collect and how you are using that information.
- A Log Data disclosure section should inform users that certain data are collected automatically from the web browser users are using and through the web server you’re using: IP addresses, browser types (Firefox, Chrome etc.), browser versions and various pages that users are visiting.
- A Cookies disclosure should inform users that you may store cookies on your their computers when they visit the pages of your website.This applies even if you use Google Analytics (which would store cookies) or any other third party that would store cookies.It’s best to do this through a separate Cookies Policy.
- A Security disclosure in the policy can give users assurance that their personal data is well protected, but you may also want to note that no method is 100% secure.
The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.