Privacy is a fundamental right and has become a hot topic with the rise of the digital age, with people knowingly, and sometimes unknowingly, sharing a large quantity of personal information online.
Regulating privacy is a challenge, with new websites popping up every day and customers located all over the globe, where privacy laws may vary from country to country.
Table of Contents
The exact definition of personal information will vary depending on the piece of legislation but, generally, the following are included:
- Dates of birth
- Addresses (postal and email)
- Payment details (credit card numbers)
- Location (IP address, geolocalization)
- Social Insurance Numbers
In addition to outlining how the company will use the information, it also includes how it will meet its legal obligations, and how those sharing their data can seek recourse should the company fail to meet those responsibilities.
Some of the most notable privacy laws include the following:
The European Union is known for having some of the strictest privacy laws in the world. The cornerstone of privacy legislation, the General Data Protection Regulation (GDPR) provides detailed information in articles 12, 13, and 14 in regard to privacy policies and the importance of facilitating the exercise of the rights that your users have over their data.
While there is, to date, no privacy legislation at the federal level in the United States, the state of California has enacted its own in order to protect its constituents’ privacy.
In addition, the California Consumer Privacy Act (CCPA) came into force in 2020 to supplement the CalOPPA. While its scope of application is more limited – as it is notably targeted to businesses that either have annual gross revenue of more than $25 million, make at least half of their revenue selling personal data of its users, or that sell, buy, share or receive personal information from at least 50,000 households, consumers or devices annually – it should still be taken into consideration.
Australia regulates how businesses should handle personal information through its Privacy Act of 1988.
These examples are solely used to show you what some countries across the globe require when it comes to collecting personal information from their residents but many other privacy laws and regulations exist and they each have their own particularities.
It is imperative that you make sure you are complying with the sets of laws and regulations applicable to your website before you start collecting and processing any kind of personal information.
It’s Required by Third-Party Services
It Helps You be Transparent
A website that does not inform its users that it collects data or that hides its policy may look untrustworthy – don’t let this be the reason why you lose business to your competitor.
What are the Penalties for Non-compliance?
To help you understand how important complying with such laws is, here are some of the penalties that come with non-compliance that you should be aware of:
California Online Privacy Protection Act seeks to oversee the collection of data and private information in the United States. Violations will incur a penalty of $2,500 each.
General Data Protection Regulation (EU)
Failure to comply with this will result in two tiers of fines. The first tier will have you surrender 2% of your company’s annual turnover or 10 Million Euros, whichever is higher.
For a tier 2 violation, you’ll have to surrender 4% of your company’s annual turnover or 20 Million Euros, whichever is higher. In both cases, you’ll definitely lose out financially if you fail to comply with this law.
EU Cookies Directive
The penalty for violating this law includes monetary fines that can reach up to £500,000. Smaller penalties include notices and enforcement being sent to your company to alert you of your violation.
The Personal Information Protection and Electronic Documents Act is pretty straightforward, but the fines that come with this are not cheap. Companies that knowingly breach PIPEDA requirements can be fined up to $100,000 for each violation.
However, some terms are fairly standard and can be found in most privacy policies.
If you are collecting data that you consider essential for your users to be able to use your website, mention it so that they can make an informed decision in regards to what information if any, they wish to share with you.
You should be transparent and explain how you intend to collect personal data from your users. If you are collecting usage data, tracking geographical location, or using any third-party services, for advertising and retargeting purposes, for example, you should mention it, as your users may not realize that you are collecting data in the background.
At this point, your users know that you will be collecting their personal information but what will you be doing with it?
If you are operating an eCommerce website, for example, you should specify that personal information will be used to process payments and ship products to customers. In that case, there is a good chance that their personal information may be processed by a third party: an online payment processing service provider or your shipping partner, for example. This should all be disclosed to your customers.
You should let your users know how you intend to protect their personal information from unauthorized access, which you could do by explaining your processes and where the information is stored.
You may wish to include a statement that confirms that, while you use your best efforts to safeguard your users’ data, you cannot guarantee that your website will not be subject to malware or unauthorized access and that there is always a risk when storing and sharing personal information.
Storage & Sharing
Your users should know where you will be storing their data, for how long it will be retained, and if it will be transferred internationally (this could be the case if your servers are located abroad, for example).
Along the same lines, you should be transparent about whom you share the user data that you have complied with and for what purpose. If you use analytics or advertising services, for example, you should make this clear and link to these third-party companies’ respective privacy policies.
Opting Out & Data Subject Rights
You should explain that sharing personal information is not mandatory and that users can limit what they share, opt out, or revoke their consent at any time. If this would affect their experience with your product or website, then you may wish to explain how.
This section should detail all the rights that users hold over their data, which can be country or region-specific, under the GDPR, for example, users have the right to request a copy of all the data that has been collected about them.
In addition to including a link to it in your website footer, it is good practice to remind your users that it exists at various steps in their journey.
You could, for example, mention it and request their acceptance when they first create an account on your website and again during the checkout process, if you operate a transactional website.
That information includes location data, notably for fraud prevention purposes, and usage and device data in order to provide a better user experience and to aid in the targeted advertising of its services on other platforms.
Robinhood also warns its customers that it obtains personal information from other sources and third parties, which it combines with the data that it has already collected from its users. In other words, this gives the company a pretty good portrait of its customers:
The company goes on to explain how it uses that information using easy-to-read bullet points and specifies under which circumstances it would share personal data with third parties, all while specifying that it does not sell or rent personal information.
Holiday rental platform Airbnb operates all over the globe and has customers located in various jurisdictions.
How Airbnb shares personal data is very specific to the nature of its business. Indeed, the policy states that information may be shared between members of the platform in order to facilitate booking and interactions.
Online furniture retailer, Wayfair, operates one of the biggest eCommerce websites on the Internet, shipping furniture to customers across the United States and internationally.
- Scope of application
- Information collected and how it is used
- Information automatically collected by using the website or application
- Information collected from third parties (linked social media accounts, for example)
- Sharing of information
- Direct marketing and behavioral advertising practices
- Security measures
- Data storage
- Children’s privacy
- Information specific to California residents and visitors from outside of the United States
- Contact information
It also warns customers that changes to the policy may be made periodically and as needed, with customers given notice of significant changes that could affect their information through the website, app, or by email.
Feel free to download it in your preferred format and personalize it to suit your needs. Don’t forget to add any clauses that may be required depending on where you’re located, your audience, and other factors discussed in this article.
It’ll automatically put together all the required elements based on your needs and requirements and keep it up to date with the ever-changing laws so you won’t have to worry about it yourself.
Step 2: Answer some questions about your business and how you operate.