Privacy Policies are Required by Law

Any website or app that collects personal user data is required by law to have a Privacy Policy. The laws that regulate these Privacy Policies pertain to any app or website that collects personal information from residents within the jurisdiction of that law.

For example, CalOPPA regulates any app or website that collects personal data from residents of California. As such, even a website based outside of California must comply with the rules set forth by CalOPPA if it collects data from residents of California.

This article will discuss the main laws regarding Privacy Policies and how they may affect your app or website. It will also discuss rules set forth by popular third-party services.

CalOPPA

The California Online Privacy Protection Act, or CalOPPA, is one of the first and most comprehensive sets of rules regarding Privacy Policies in the United States. CalOPPA has been used as a model across the world for other countries creating their own online privacy laws.

CalOPPA was one of the first laws to cover certain aspects of Privacy Policy requirements, such as needing to have a link to your Privacy Policy conspicuously placed.

CalOPPA also dictates that any website or app that collects data from residents of California must comply with certain guidelines. Chances are your app or website has users in the US, and therefore users in California, so compliance with CalOPPA is a necessity for the vast majority of Privacy Policies.

Below is a list of regulations set forth by CalOPPA that you should comply with at a minimum:

  • Users should be able to visit your website anonymously
  • A link to your Privacy Policy should be on your homepage or first significant page
  • Your Privacy Policy link must include the word "privacy" and be easy to find
  • You must notify users of changes to your Privacy Policy
  • Users must be able to update and correct their personal information

These five factors do not encompass the entirety of the rules set forth by CalOPPA, but they are five of the key points that every website must have to be compliant. You should read the full law for a complete understanding and to ensure compliance with the latest amendments.

GDPR

The General Data Protection Regulation, or GDPR, becomes enforceable in May of 2018. The GDPR effectively replaces the 1995 Data Protection Directive (Directive 95/46/EC) as the primary regulation regarding online privacy rights for residents of the EU.

The GDPR continues the effort to form a unified set of laws to protect all citizens across the EU. This will not only offer better protection to individuals, but also make it easier for companies to be compliant with a single set of rules rather than separate laws in each country.

Below are some key changes found in the GDPR:

  • The GDPR states more clearly that any company collecting data from residents of the EU must comply with the GDPR, whether or not the company is located in the EU or the transaction is handled there
  • Maximum fines are increased to €20 million or 4% of annual global turnover
  • Consent must be acquired using plain language that is easy to understand
  • It must be as easy to withdraw consent as it is to give it
  • Users must be notified of a data breach within 72 hours of discovery
  • Users have a right to a copy of their data and to know how it is being processed
  • Users have the right to have their data erased and no longer processed
  • Users' data should be protected from the onset of services, and only the data needed for a task should be processed
  • User data should only be accessible to those who need it to complete a task
  • Data Protection Officers help alleviate some of the bureaucracy and notification procedures, lessening the burden on many companies

These key changes are important for any website with users in the EU. You must be compliant with all of these new changes by May 2018.

These key points do not represent all of the regulations covered by the GDPR, but rather the changes that will become enforceable in May 2018. Any website collecting data from users in the EU is required to be compliant with the entirety of the GDPR, which includes many of the rules set forth by previous privacy laws.

PIPEDA

The Personal Information Protection and Electronic Documents Act, or PIPEDA, is the Canadian law that covers personal data and privacy. PIPEDA is in essence the Canadian equivalent of the EU's GDPR.

PIPEDA gives individuals the following rights:

  • To know why a company collects, uses, or shares their personal information
  • To have their data collected, used, or shared within reason and only for the purposes they have consented to
  • To know who is responsible for protecting their personal data
  • To have their data appropriately protected
  • To have their data be accurate, complete, and current
  • To have access to their personal data and be able to make corrections
  • To express grievances about how a company handles their personal data

PIPEDA requires companies to:

  • Acquire consent before collecting, using, or sharing personal data
  • Allow use of their services to individuals who refuse consent for data collection except when that information is necessary for the service
  • Make their Privacy Policy clear, understandable, and easy to find

These key points are the core aspects of PIPEDA, but this list is not meant to be complete or exhaustive. Canadian companies or websites that serve Canadian users should ensure they are compliant with all facets of PIPEDA, as well as other Canadian privacy laws that may apply.

Privacy Act 1988

The Privacy Act 1988 is the primary Australian law covering online privacy. It regulates how personal data can be collected, when it can be collected, and who can collect it.

Privacy Act 1988 stipulates the following:

  • Individuals have the right to know why their personal data is being collected
  • Individuals have the right to know who has access to their personal data
  • Individuals have the right to access their personal data
  • Companies must secure personal data that they have collected
  • Companies must not exploit personal data they have collected
  • Individuals have the right to appeal to a Privacy Commissioner if they feel their privacy rights were compromised

As of an amendment in 2000, these regulations cover the private sector and the transfer of personal data out of Australia, as well.

In addition to Privacy Act 1988 and its amendments, there are state and territorial laws in some parts of Australia that also regulate online privacy. Ensure you are compliant with all relevant laws that pertain to your app or website, whether your company is physically located in Australia or simply has users there.

DPA

The Data Protection Act 1998, or DPA, is a UK law that protects personal data stored in paper filing and computer systems. It follows the EU Data Protection Directive of 1995, which covers some aspects of the processing, protection, and movement of personal data. DPA 1998 effectively supersedes the Data Protection Act 1984 and the Access to Personal Files Act 1987.

DPA gives individuals certain rights in regard to controlling their personal data. These rights are outlined by eight principles:

Legislation.gov.uk's DPA 1998 List of 8 Principles

These principles form the backbone of DPA 1998, but you should read and understand the entirety of the law in order to guarantee compliance if you fall under the jurisdiction of these regulations.

Third-party requirements

In addition to laws, many third-party services also have their own sets of requirements that you must follow in order to utilize their services.

Some examples of third-party services that have their own Privacy Policy rules are Google Analytics, Google AdSense, the Google Play Store, the Apple App Store and MailChimp.

In this section, we will briefly go over the Privacy Policy requirements of these third-party services.

Google Analytics

Google Analytics is the most popular internet analytics tool. Google Analytics is used to track and report website traffic, as well as a host of other features. Google Analytics is important to Privacy Policies for two reasons.

First, by using third-party analytics software, you need to inform your users in your Privacy Policy that a third-party service is collecting data about them on your website. This is a basic clause you will find in many Privacy Policies.

Here's an example from Lukie Games:

Lukie Games Privacy Policy: Google Analytics and third parties clause

Second, Google Analytics has its own set of requirements for websites that utilize its services. If you use Google Analytics on your website, you will need to comply with the Terms and Conditions set forth by Google Analytics, including having an adequate Privacy Policy.

Google Analytics Terms of Service requires a Privacy Policy

Google AdSense

Google AdSense is a service that many websites use to generate revenue by advertisements that are selected and maintained by Google. In order to use this service, you must agree to the Terms and Conditions set forth by Google AdSense which include requirements regarding your website's Privacy Policy.

Below is a screenshot of the Google AdSense Program Policies section referencing the Privacy Policy requirement:

Google AdSense Terms and Conditions: Privacy Policy requirement clause

Google Play Store

If you have an Android app by itself or in addition to your website, you probably have it available through the Google Play Store. In order to protect its customers, the Google Play Store has a set of requirements for all applications offered through their service, including having an adequate Privacy Policy that is accessible before downloading your app.

This policy is enforced so that users can read your Privacy Policy prior to deciding whether or not they wish to download your app. The Privacy Policy should be accessible on the store page for your app.

Below is the statement from the Google Play Store regarding the need for a Privacy Policy:

Google Developer Guides: Privacy Policy Guidance

Apple App Store

The Apple App Store requires that apps made available via their service comply with all relevant privacy laws in addition to some guidelines set forth by the App Store itself.

You can find full details in their Review Guidelines, but below is a summary of the core guidelines pertaining to Privacy Policies for basic apps on the Apple App Store:

  • Comply with all applicable laws, the terms of the Apple Developer Program License Agreement, as well as customer expectations
  • Apps that collect user data must have a Privacy Policy and acquire consent to collect
  • Your app's description should inform users about what types of access are requested and what features will not work if consent is not given
  • Do not require unnecessary registration/login
  • Do not collect personal data unless needed for core app functionality
  • You may not share or compile user data without consent

Additional guidelines are given for apps related to health information, apps intended for kids, intellectual property concerns, gambling, and VPN services. Be sure you are compliant with all relevant laws in addition to the requirements set forth by the App Store.

MailChimp

MailChimp is another popular third-party service that enforces the need for an adequate Privacy Policy. In its Terms of Use, MailChimp sets forth the guidelines that you're required to follow in order to use the service.

MailChimp Terms of Use: Compliance with Laws full clause

Conclusion

Creating a Privacy Policy may seem like a daunting task, but there are many resources available to help you. Research the regulations that pertain to your app or website and take it one step at a time as you meet each requirement.