This article has been provided by iubenda to help businesses (from small to enterprise) craft privacy policies and other legal documents for their websites and apps.
What are the Legal Requirements?
The United States, for example, doesn’t have a federal law that designates country-wide rules regarding privacy policies; however, some states have their own regulations in place. Situations such as handling the data of minors, using third-party processors and cookie consent often have their own special rules as well. The fact is, you need to follow the laws of the regions where you do business or at which you aim your services.
- Site / app owner details.
- Disclosures related to third-party access to the data.
- What data is being collected, how and why.
- Disclosure of your process for notifying users of changes/updates to your policy.
- Effective date of the policy.
It’s important to note that something this basic would only apply to local businesses that SOLELY sell to and process data from local users, and even then, the policy will still be subject to state laws which might require you to include or disclose additional details.
It's worth highlighting that simply adhering to requirements this basic can be hugely problematic, as they may not meet the requirements of third parties and in some cases can even leave you open to potential lawsuits or fines. Instead, it's advisable to start with the strictest regulations in mind and remove clauses where they aren’t applicable.
- The process by which users can review and edit their Personally Identifiable Information (if any such process exists).
- Disclosure of how you handle users’ “Do Not Track” requests.
- A list of categories of personally identifiable information collected.
Also included in the Act are rules on special care regarding children. If your products or services also target children, you must comply with the Children’s Online Privacy Protection Act (COPPA). COPPA requires that operators of websites or online services that are either directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13, give notice to parents and obtain their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children.
The General Data Protection Regulation (GDPR) is an excellent example of very robust data protection legislation. At its most basic, it specifies how user data should be collected, used, protected and otherwise handled. As the biggest change to data protection in the region in 20 years, it's intended to bolster and centralize personal data protection for all EU residents. Personal data within the context of the GDPR refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person. As mentioned earlier in this post, there are pretty hefty fines for noncompliance, so it's important to be ready.
- Disclosures related to any data processors if different from the site owner. This includes all parties having access to or involved in processing user data, such as third-party apps, widgets, social buttons, ad service integrations etc.
- Rights of users: Under the new EU regulations, it's mandatory that users be able to request, view, transfer and erase their data (where certain conditions are met). * Note: these regulations are applicable to ALL businesses (including non-profits), regardless of location, that access data of, or offer goods or services to, people in the EU.
Other related requirements are:
- The policy should be easily accessible.
- Your policy may not use overly complicated or indecipherable language (no legalese or unnecessary jargon).
The GDPR applies to all organizations (including non-profits) that access the data of EU residents, whether the organization is located in the EU or not. This effectively covers almost all companies (including US-based ones). As a matter of fact, a PwC survey showed that GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.
- Hiring a lawyer. If you can afford it, this is a good option as it ensures that you have access to a professionally contracted and personalized policy. You'd want to make sure that you find a lawyer with experience in international data protection law and check that the person being hired is up-to-date with requirements. Important aspects to consider when using this method are upfront AND ongoing costs. Fees for hiring a lawyer can be substantial and you may incur additional costs for translations and updates to the policy.
- Using an online generator. This option is particularly interesting in that its usefulness heavily depends on the quality of the generator being used. Many online generators simply regurgitate the same generic clauses easily found in online templates, leaving you open to the same risks mentioned above. I would say that the key when using a generator is to find a service that offers custom options backed by verifiable legal expertise.
*This is where iubenda can help. It's affordable, available in several languages, lawyer crafted, customizable and self-updating. There's even a free limited version available to try out so that you can have an in-depth look at what it offers. We believe that it's the next best thing to actually hiring a lawyer as it's prepared by our lawyers in accordance with the strictest international legislation. Furthermore, together with our Cookie Solution and Terms and Conditions generator, we aim to facilitate overall regulatory compliance by providing a 360° solution for your website or app.
If you wrote the policy yourself or had it drafted externally by a lawyer, you will need to create a page on your website, then copy the policy to it. If using a CMS, you'll need to go to the backend dashboard and select the option to create a new page, paste the policy, edit the page title and publish the page.
You'll then need to head to your main or footer menu and add the new page as a clearly visible text link (you can also add a button, but the process is a bit more complicated). In order to meet requirements, you'll need to make sure that the link is visible on every page.
Alternatively, if you used a generator, you will most likely have various options to export a snippet of code. After exporting, you will then need to copy and paste the code into your website, either via a text widget or by enabling your Global Footer and adding the code snippet to it. The process may be similar to the one found here.
If you used the iubenda generator, you can easily install either:
- A button with a modal window
- A direct link (for App Stores for example)
It's a pretty straightforward process as the iubenda generator takes care of most of the hard work for you. You simply copy and paste into your site; the policy will be visible on every page and you even have customization options to ensure that the look matches your branding. If you need any assistance along the way, there are video tutorials and a pretty responsive customer service team available to help. You can find out more about iubenda's integration process here.
- Privacy policies are, in most cases, required by law.
- Non-compliance with regional regulations can lead to serious repercussions (including hefty fines).
- Website integration mostly depends on the method chosen for creating the policy; however, in most cases it involves placing a code snippet into your website that links to the policy. The link (or button) should be clear, prominent and accessible from every page of your website.
Want to learn more? Join iubenda on Tuesday, March 13th, 2018 for a Webinar on How to easily make your website/app compliant with US law. To join the Webinar, click here.