Generic Privacy Policy

A Privacy Policy is an essential part of any app or website. It lets users know what information is being collected, how that information is being used, and how it is being protected by the owner of the app or website.

A Privacy Policy also helps to protect the app or website owner by informing users of how their information is being used and their rights in regard to their data, making it their choice to continue using the app or website.

Lastly, a Privacy Policy is required by law in order to protect internet users from harmful or unfair information collection practices. For all of these reasons, your app or website needs a legitimate and up-to-date Privacy Policy.

Note that a Privacy Policy need not be called "Privacy Policy," but should include the word "Privacy."

What is a Privacy Policy?

According to businessdictionary.com, a Privacy Policy is a:

Statement that declares a firm's or website's policy on collecting and releasing information about a visitor. It usually declares what specific information is collected and whether it is kept confidential or shared with or sold to other firms, researchers or sellers.

This is a pretty good start as to the basic concept and objective of a Privacy Policy, but let's dig deeper in order to understand all of the facets of a proper Privacy Policy.

Personal Information You are Collecting

Perhaps the most important part of a Privacy Policy is letting users know what information is being collected from them.

For example, if your website simply checks to see which country the user is from in order to provide them with the most relevant information (such as prices in $ or £), then most users will not have any concerns about such non-specific information being collected.

On the other hand, if your website has the capability to store data about the user's name, address, and credit card information, it is your responsibility to let them know you are collecting and storing this data so they can decide if they want to provide you with that information or choose to not have it saved in your system.

Letting users know what information your app or website collects is not only a legal obligation, but it shows goodwill by being open and transparent about what your app or website is collecting and why.

By being clear about what information is being collected (and later, how collected information is used and kept safe) you empower users to make the decision of whether they want to use your services or not.

Some examples of information that is commonly collected and should be declared to users in your Privacy Policy are:

  • Form data filled out at checkout, sign-up, account creation, etc. which may include:
    • Name
    • Address
    • Age
    • Gender
    • Email address
  • Payment information such as:
    • Credit card information
    • Billing address or ZIP code
    • Bank account information
  • Profile information that could include:
    • Pictures
    • Wish lists
    • Friend lists
  • Automatic information related to:
    • Cookies
    • Location
    • IP address
    • Device

While this list is extensive, it is not exhaustive. It is important to disclose all types of information that your app or website collects from users in order to comply with laws and be transparent with your customers.

If your app or website uses third-party analytics or other third-party functionality that may collect personal data from your users, it is important to point that out as well so they can consider those Privacy Policies which may differ from yours.

How You Use Personal Information

The second most important portion of a Privacy Policy is letting the user know how the information that has been collected is being used. There is a big difference between collecting information to improve the user experience and collecting information to be sold to a third party.

In most cases, the information apps and websites collect is strictly for use by the app or website in order to improve functionality. By letting your users know that their information is only being used for their benefit, most people will gladly accept these policies.

If you are using this data for other means, however, it is important to let your users know what information is being used and how it is being used so that they can decide if they want to be involved. Not only is it your obligation from a legal standpoint, but it allows you to clarify what information is being compiled for what purposes and build trust with your users.

For example, tracking visits per country in a non-specific way probably would not be a concern for most of your visitors.

Google Analytics Sample Graph: Website Visitors by Country

However, if you are storing data on the GPS location of visitors according to their mobile device, some users may not feel comfortable with that data being used. They can decide to turn off the GPS setting on their mobile device or decide not to use your app or website at all.

In the end, the user has the right to make this decision and it is your responsibility as the owner of the app or website to provide them with that choice.

How You Share or Sell Personal Information

As mentioned above, it is important to let your users know if their information is being sold or shared with anyone else.

Some websites use third parties to enhance the functionality of their website. An example may include sharing user information with a third party such as an analytics suite. It is your responsibility to let the user know that you share their information with a third party, and who that third party is, so the user can explore the Privacy Policy of that third party and know what is happening with their personal data.

This is not only a legal obligation, but it helps protect you in the event that the third party fails to secure user information properly. In this event, the user was informed that their information may be shared with a third party. Now, the responsibility falls on the user and that third party to make sure the data is being managed securely.

If you sell any user information, you need to declare this to your users and let them know the specific information you are selling.

While general demographic information such as age and gender may not be an issue, specific information such as location, name, and email address may be more information than many users feel comfortable with you selling. They have the right to know that this information may be sold so that they can choose if they want to provide it.

Below is an example from Zappos.com:

Privacy Policy of Zappos.com: Third Party Clause

How You Secure Personal Information

Breaches in security are an unfortunate reality in the digital age. The constant struggle between offense and defense in the cyber-realm means inevitably someone will find a way to exploit some security systems or find a way to circumvent them.

As such, it is your responsibility to not only secure the personal information of your users from these cyber-criminals, but to let them know how their information is being secured for their acceptance and peace of mind. This also helps build trust as you can show your customers and clients the measures that you are taking to protect their personal information. It shows that their privacy rights are important to you!

Below is an example from Amazon.com:

Privacy Policy of Amazon.com: Security Clause

How Your Users Can Opt-out of Data Collection

The final part of most Privacy Policies contains information about the user's rights within the constraints of your policies. The most basic example of this is the option to simply not use your app or website if a user does not agree with your Privacy Policy.

If a user does not agree with the policies you have in place, they may choose to not use your website or download your app. However, if they decide to use your website or app, they are accepting the policies that you have in place.

You can find an example of this from Zappos.com below:

Privacy Policy of Zappos.com: Notice to Accept

There are other aspects to this as well, such as settings and preferences you may offer to limit data collection or functionality on your app or website. This is a good place to inform your users of where they can find these options and how to use them.

For example, you can tell your users how to turn off location services, block or delete cookies, or opt out of an emailing list if they wish to do so. This will build trust with your users. Be sure to also let users know how these choices could affect their experience on your app or website if certain functionality is dependent on cookies or location services.

Privacy Policies are Required by Law

Depending on your location and the location of your users, there are a number of laws that set forth guidelines about Privacy Policies and information collection from visitors, clients, and customers.

You need to be sure that your app or website not only complies with local laws, but also complies with laws in the state or country where your users reside.

For example, the California Online Privacy Protection Act (CalOPPA) sets forth regulations for any website that collects data from residents of California. Even if you are not operating out of California, if your website collects data from residents of California, you will need to comply with these regulations.

There are similar rules in the EU, Canada and other countries.

Where to Place your Privacy Policy

Most Privacy Policy laws require the Privacy Policy to be easily accessible and conspicuously placed. Best practices usually result in a link to the Privacy Policy being placed on the homepage and within the footer of every page of the website, where possible.

Below is an example from Apple.com:

Apple.com Website Footer with Privacy Policy Link

Links to the Privacy Policy are often also included on registration and purchase forms where customers or clients are prompted to input their personal information. This is for their convenience so that they can review your Privacy Policy before sharing their information with you.

If there is any doubt, it is better to make your Privacy Policy abundantly available rather than difficult to find. Place links in your FAQ, settings, Terms & Conditions, Disclaimer, or anywhere else that your users may be looking for it.

Below is an example from Amazon Web Services:

Amazon Web Services Site Terms: Last Updated August 30, 2017

The various laws may provide specifics on where your Privacy Policy needs to be at a minimum, but having it easily accessible, such as in a persistent footer and on the homepage, is the common best practice.

What to Include in your Privacy Policy

Cookies Clause

In addition to what needs to be included in a Privacy Policy about data collection and usage, it may also be helpful to include other relevant information such as use of cookies.

Below is an example of a Cookies Clause from Amazon.com:

Amazon Privacy Policy: What are Cookies - Clause

Depending on the laws that apply to your website or app, information about cookies may or may not belong in your Privacy Policy.

For example, if you collect data from users in the EU, the EU Cookie Law requires that your website acquire consent to use cookies and have a section, distinct and separate from your Privacy Policy, that discusses your Cookies Policy.

By contrast, if you are based solely in the US and serve customers in the US exclusively, then it is common to include information about your website's cookie usage within the Privacy Policy.

However, if you serve customers from the EU or plan on expanding to the EU in the future, you will need to comply with the EU regulations.

Third Parties

Privacy Policies are also a good place to discuss any third-party software or third-party partnerships your app or website implements that may have different information collection and usage policies that you have not yet covered.

Below is an example from Buzzfeed.com:

Buzzfeed: Privacy Policy - Third Parties Clause

For example, if your website utilizes tracking software for analytics purposes, you will want to let your users know that a third party may be collecting data from your website outside of your own data collection practices. You should let them know who the third party is, why you are using them, and where users can find the Privacy Policy of that third party.

This way, your users can further research the Privacy Policies of those third-party services to ensure they are comfortable with their policies that pertain to your website.

Effective Date of Your Privacy Policy

This is a minor but important inclusion.

Your Privacy Policy should state the date that it went into effect or the date of the most recent update.

An example from Amazon.com is below:

Screenshot of Amazon.com Privacy Notice Last Updated August 29, 2017 - highlighted