Let’s get this out of the way right here – in the United States, Canada, the United Kingdom and in many other countries, privacy policies that cover online personal data collection are required by law.
However, there are numerous federal and state regulations that have provisions on data privacy. These regulations have specific rules and requirements, as well as instructions on how companies must communicate to consumers how their personal data is being handled.
- The Americans With Disabilities Act (1990) – The ADA is a civil rights law that prohibits discrimination against individuals with disabilities in all areas of public life, including jobs, schools, transportation, and all public and private places that are open to the general public.
- The Cable Communications Policy Act of 1984 – The purpose of the CCPA is to promote competition and deregulate the cable television industry.
- The Children’s Internet Protection Act (2000) – requires K–12 schools and libraries in the United States to use Internet filters and implement other measures to protect children from harmful online content as a condition for federal funding.
- The Computer Fraud and Abuse Act (1986) – CFAA was enacted by Congress as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984.
- The Computer Security Act (1997) – a federal law intended to improve the security and privacy of sensitive information in federal computer systems and to establish minimally acceptable security practices for such systems.
- The Consumer Credit Reporting Control Act (1970) – U.S. federal legislation enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies.
- Plus other laws
- Identify the personal information that’s collected – “Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.”
- If you have a process in place, provide a description for users to make changes to their personal data – “If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.”
- Identify its effective date.
- Describe how the website responds to “do not track” – “Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.”
- Describe 3rd-party relationships related to user data collection – “Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”
Did you know that the Federal Trade Commission (“FTC”) has enforced the law against numerous companies that are not in compliance with federal regulations related to consumers’ privacy? Since 2002, the FTC has brought multiple enforcement actions against many companies, addressing a wide range of privacy issues, including spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing, and mobile.
The following guidelines from the FTC should be considered by every company that has or intends to build a website or app:
- Build privacy considerations in from the start. The FTC calls this “privacy by design.” What does it mean? Incorporating privacy protections into your practices, limiting the information you collect, securely storing what you hold on to, and safely disposing of what you no longer need. Apply these principles in selecting the default settings for your app and make the default settings consistent with what people would expect based on the kind of app you’re selling. For any collection or sharing of information that’s not apparent, get users’ express agreement. That way your customers aren’t unwittingly disclosing information they didn’t mean to share.
- Be transparent about your data practices. Even if you need to collect or share data so your app can operate, be clear to users about your practices. Explain what information your app collects from users or their devices and what you do with their data. For example, if you share information with another company, tell your users and give them information about that company’s data practices.
- Offer choices that are easy to find and easy to use. Give your users tools that offer choices in how to use your app – like privacy settings, opt-outs, or other ways for users to control how their personal information is collected and shared. It’s good business to apply the “clear and conspicuous” standard to these choice mechanisms, too. Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made.
- Protect kids’ privacy. If your website or app is designed for children under 13 and collects personal information, you have additional requirements under the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule. But COPPA compliance doesn’t end there. Regardless of the kind of website or app you sell, if you know you’re collecting personal information from children under 13 — or if you know you’re collecting personal information from another website or online service (including another app) that’s designed for kids under 13 — COPPA applies, too.
- What does COPPA require? Under COPPA, you have to clearly explain your information practices, provide direct notice to parents about those practices, and get parental consent before collecting personal information from kids. These obligations apply to you when third parties (like ad networks or plug-ins) collect personal information through your app. COPPA also requires that you keep “personal information” collected from children confidential and secure. The rule defines that term to include a first and last name, an address, a telephone number, online contact information, a screen name or user name that functions like online contact information, geolocation information, or a persistent identifier that can be used to recognize a user over time and across different websites or online services (such as device identifier, cookie identifier, serial number, or IP address). Visit the FTC’s COPPA site for compliance advice.
- Collect sensitive information only with consent. Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information. It’s a mistake to assume they won’t mind.
- Keep user data secure. At minimum, you have to live up to the privacy promises you make. But what if you don’t say anything specific about what you do with users’ information? Under the law, you still have to take reasonable steps to keep sensitive data secure.
- One way to make that task easier: If you don’t have a specific need for the information, don’t collect it in the first place.
- The wisest policy is to:
- collect only the data you need;
- secure the data you keep by taking reasonable precautions against well-known security risks;
- limit access to a need-to-know basis; and
- safely dispose of data you no longer need.
These principles apply both to information you ask users to give you and to any information your software collects. If you work with contractors, make sure they abide by the same high standards.
As stated in Section 7 of the Google Analytics Terms of Service, related specifically to Privacy:
- If you want to use Login with Amazon, Amazon is also requiring you have this agreement ready and published online before you can use the sign-in functionality.
- What is a commercial website?
- Simply put, any website that buys, sells or offers a service of any kind is a commercial website.
CalOPPA applies to all websites that may serve California residents. CalOPPA applies to any person or entity that owns or operates a commercial website or online service that “collects and maintains personally identifiable information from a consumer residing in California who uses or visits” said website or online service. CalOPPA does not apply to internet service providers (“ISPs”) or similar entities that transmit or store personally identifiable information for a third party.
In 2012, the California Attorney General’s Office specifically applied CalOPPA to mobile applications for smartphones and tablets that collect personally identifiable information. Hundreds of app providers were notified that they were in violation of CalOPPA, and they were given 30 days to submit compliance plans or face fines of up to $2,500 for each time their app was downloaded.
- If your business is aimed at children under the age of 13, you need to comply with the Children’s Online Privacy Protection Rule (COPPA). COPPA is a federal law which requires websites to have a parent’s permission before collecting any personal information from children under 13.
A: Yes, if you’re collecting any kind of personally identifiable information about your users or customers, such as name, email etc.
2. eCommerce – Does your site have a shopping or payment feature? Do you accept credit cards? For example: Google’s “Buy” button, PayPal, Shopify, Stripe etc. Include language in your policy that covers transferring data to third-party vendors if applicable.
3. Sign-up or Download Forms – Will your site have a way for users to reach you, download or subscribe? For example, will you have a newsletter sign up form? If so, what information will you collect from users in order for them to sign up? For example: name, e-mail address, etc.
4. What kind of information will you collect and store? What type of personally identifiable information will you be collecting and storing from website users (from credit cards, forms or login areas)? List each type of attribute and make certain you know how this information will be secured. This may include: email, first name, last name, address, etc.
Facebook Data Policy – after some initial false starts from Facebook, the leading social network finally came up with a really robust approach to explaining how it collects and uses information from its users. This is one of the most comprehensive explanations we’ve seen online with regard to consumer data and privacy. For a simpler view, take a look at Facebook’s Privacy Basics.
Thomson Reuters Privacy Statement – comprehensive and available in multiple languages and with a large banner in the footer notifying users that the privacy statement has been updated and should be read.
Forbes Privacy Statement – checks all the boxes for privacy requirements including describing how the site tracks its visitors, opt-out mechanisms, children’s privacy and how users are notified if the statement is updated.
- When creating a new business website
- Redesigning or adding functionality to an existing business website
- Becoming active on a social network such as Facebook or LinkedIn
- Building an app with the intention of distributing it via an app store
- Changing how customer or personal information will be collected, stored, used or shared with others
- Adding Google Analytics to measure your website traffic
- Commercial/Promotional websites (e.g. promoting a business, organization, non-profit)
- Websites that utilize cookies, website analytics tools etc. to track users (e.g. Google Analytics snippet)
- Websites that allow users to subscribe to a newsletter (e.g. collecting name and/or email address)
- May have a client login area for document sharing, uploads etc.
- May collect certain types of customer data when user completes a form on the website (e.g. contact form, download form)
- May use 3rd party systems for payment processing or to collect donations (e.g. PayPal, Event.com, Active.com)
- May collect or use user-generated content (e.g. reviews, testimonials etc.)
- May collect or use imagery that is non-stock photography (e.g. images of customers etc.)
- Websites aimed at children < 13 years of age (e.g. website selling children’s toys or books)
- Websites that directly collect, use or store credit-card information from the user
- Transactional or other custom website applications/systems