In the European Union, the pertinent legal framework regarding privacy, and thus and Privacy Policies, is the Data Protection Directive and the ePrivacy Directive.
The Data Protection Directive and ePrivacy Directive guidelines would apply to all EU member states, besides each member state specific laws on privacy: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
Learn what are the best practices for drafting your first Privacy Policy agreement and what to keep in mind in regards to privacy practices, if you're operating from Europe.
A Privacy Policy can be added anywhere:
- Websites
- E-commerce websites
- Mobile apps (iOS, Android, Windows)
- Desktop apps
- Facebook apps
- SaaS apps
- Embeddable widgets
- And so on
While a Privacy Policy is very commonly found in a website's footer, only 61.3% of the top 150 mobile applications provide a Privacy Policy.
On average, a user downloaded 37 applications on their smartphone device, but the user wasn't made fully aware of what personal information is being collected from his smartphone device.
As a mobile app developer (or as any business owner that must collect at least 1 category of personal data), if the business you're creating is not developed with the Data Protection principles and standards, you may expose users' private information.
If your application or website doesn't provide a proper Privacy Policy (or provide any Policy whatsoever) and users are not fully aware of your privacy practices, then users are giving you uninformed consent.
Uninformed consent is in direct conflict with the Data Protection Principle of gaining informed consent.
The principles outlined in the Data Protection Directive and the ePrivacy Directive apply to your business privacy practices and Privacy Policy regardless if you're developing and operating a website, a blog, a Facebook app, a SaaS app etc.
The Data Protection Directive
The Data Protection Directive broadly applies where the use of a website or a mobile application includes the use of personal data of individuals/users.
The party responsible for certifying compliance with EU Data Directive (as well as any additional member state laws) is the party that directly develops, operates or distributes the website/mobile app.
Here's an example:
Mobile Application Company Alpha (MACA) is developing a social network through a mobile application platform (iOS, Android or Windows) that's being made available to users in France.
The development of MACA's application is done in Spain.
The laws of Spain are the laws that control data processing because MACA processes personal information collected through the mobile app there, in Spain, despite the application being available to users in France.
Overlapping this Data Protection Directive is the ePrivacy Directive. This directive establishes a minimum for global businesses that wish to store or access information from a user's device within the European Economic Area (EEA).
If you're operating from out EU and have users from the EU, the first requirement you need comply with is the consent requirement.
The information storing or access to stored information in the equipment of a user (equipment can be smartphones or PCs used to browse the website) is only allowed once the purpose of the information processing is communicated to the user and express consent is given.
An example of express consent is ICO.co.uk. The website is placing cookies on users' computers and itÕs asking for consent before doing so:
The use of cookies is also mentioned in Privacy Policy of ICO where it informs users of its Cookies Policy:
The links to ICO's Privacy Policy and ICO's Cookies Policy are placed in the footer:
Rightmove doesn't seek express consent like ICO (clicking "I Agree") with its notification on cookies placing, but rather informed consent:
The consent requirement goes beyond what would be considered personal information (anything that can identify an individual) and applies to any type of information regardless of the nature of the data.
This consent requirement applies to all those living in the European Economic Area, regardless of the location of the service provider (the business.)
This means that a business developing and operating a website or mobile app from Asia must follow ePrivacy Directive if their users are from Europe. This means a Privacy Policy that's compliant with the ePrivacy Directive and Data Protection Directive.
Article 10 of the Data Protection Directive notes that every data subject (user, consumer, etc.) has a right to know who is processing their personal information.
The user has the right to know what kinds of information are being taken and what that personal information's intended use is.
At a minimum, you must inform users about:
- Who the processor of the information is. This includes the business' contact information.
- The categories of personal data the business will collect and process through its website or mobile app.
- Why is the personal information collected for.
- Whether the collected information will be disclosed to third parties.
- How the user may exercise their rights further in connection to deletion of information and withdrawal of consent.
This is critical. The only way for the consent of a user to be valid is if the user has been presented with this information.
This is done through the Privacy Policy. Your Privacy Policy should be freely available to all users, registered or not, on your website, mobile app and any platform your business uses to collect personal information from users.
MOO places its links to the legal agreements right in the footer:
In the Privacy Policy of Moo.com, the agreement informs users about disclosing personal information to third parties. Users are informed about this when they agree to MOO's Privacy Policy:
MOO is committed to protecting your personal information. We will not disclose your personally identifiable information to third parties without your consent except:
Disclosure for legal reasons
We reserve the right to communicate your personal information to third parties make a legally-compliant request for the disclosure of personal information.
Performance of our operations
The service is necessary for the performance of our operations: mail delivery, hosting services, protecting us from fraud, and payment of your account.
Changes in MOO Print Ltd.'s business
If the assets that MOO Print Ltd use to operate its business are acquired by a third party, we may transfer personal data we then hold to that party. If MOO Print Ltd buys or sells subsidiaries or business units then in such transactions customer information is one of the transferred assets, but would remain subject to the commitments made in any pre-existing Privacy Policy or equivalent.
Aggregate business analyses
MOO Print Ltd also provides analyses of our customers in the aggregate (basically, one big lump of data) to prospective partners, advertisers, and other third parties. We do this so that we, along with our business partners, can understand you better, and keep bringing you great services. We may also disclose, on an anonymous basis, literal statements made by our customers. At no time, however, will we disclose personal information about specific customers.
Linked websites are not under the control of MOO Print Ltd and we are not responsible for the conduct of companies linked to our website. Before disclosing your personal information on any other website, we advise you to examine their terms and conditions of use.
The ePrivacy Directive
According to the ePrivacy directive, personal information is data related to an individual who is either directly or indirectly identifiable to the controller or to a third party.
Examples can be any of the following:
- User's location
- Contacts
- A unique device identifier (which includes the mobile number)
- Identity of the data subject
- Identity of the phone (name of the device)
- Credit card and banking data
- Call logs
- Text messages or other forms of messaging
- Browsing history
- Pictures and videos
- Biometrics data
Consent prior to installation and processing of personal data is the ultimate mark for whether a business may process personal information.
For a mobile app to access a users' contacts, pictures, and other personal documents, Article 5(3) of the ePrivacy Directive requires freely given, informed, specific, consent from the user.
To be "freely given", the user must have had a choice of whether to accept or refuse and may not be presented with a single box stating, "I accept." Option to cancel must be available to users.
Airbnb is the perfect example for this. When Airbnb updated its mobile app, it presented users with a choice of accepting or not the new Terms of Service and Privacy Policy:
Airbnb presented two choices for users: Disagree or Agree.
If users agreed to the updated agreements, they had to perform 2 steps:
- Click I Agree to the updated Terms
- Then click Agree
Without checking the I Agree to the updated Terms checkbox, users couldn't use the updated version of Airbnb's mobile app.
To be "informed", the user must have the necessary information at their disposal to form an accurate judgment. To be "specific", the expression of consent must be related to the limited category of data being processed at that moment.
This can be the mobile app or the website asking for a user's geolocation data:
Consent given by a user for the use of phone numbers from their contacts directory does not correlate to consent to use other types of information from their mobile devices.
Besides basic consent, the fundamental principles underlying the Data Protection Direction are purpose limitation and data minimization.
Purpose limitation is:
Enabling of users to make a deliberate choice to trust a party with their personal data as they will learn how their data is being used, and will be able to rely on the limited description of purpose to understand for what purposes their data will be used.
Data minimization means that businesses must narrow the personal information they need to collect for their website or mobile app to function to a minimum to prevent excessive and potentially illicit data processing.
Another aspect that's required by the Data Protection Directive is security.
Parties who are involved with the transference or handling of personal information must certify that they are taking into account data protection principles to reduce risks.
In your Privacy Policy, inform users that the security of their personal information is important.
This is what Rightmove does in their Terms of Use and Privacy Policy agreement:
Security, storage and transfer of information
We follow strict security procedures to ensure that your personal information is not damaged, destroyed, or disclosed to a third party without your permission (unless they are providing services as outlined in the 'who has access to Your Information' section above) and to prevent unauthorized access to it. The computers that store the information are kept in a secure facility with restricted physical access and we use secure firewalls and other measures to restrict electronic access. If we are working with third parties we will require them to have in place similar measures to protect Your Information.
All of the information we collect or record is restricted to our offices. Only employees who need the information to perform a specific job are granted access to personally identifiable information. We will explicitly ask you when we need information to identify you. We may require you to co-operate with our security checks before we disclose information to you. You can update the personal information that you give us at any time by viewing your my details page.
As a business, you must ensure proper levels of security over data collected. Consider implementing the following:
- Choose appropriately secure places to store users' personal information.
- Checks to exclude data that could be compromised or stolen.
- Design the website and/or the mobile app in such a way as to prevent unauthorized access.
- Develop a clear policy procedure on how the website and/or the mobile app is to going to be developed and how users' personal information are collected and used.
All these practices reduce the risk regarding personal information of their users. Applying any of these methods means taking what personal information you need, when you need it and only for what you need it.
The Cookies law
EU online businesses must inform users about cookies and get their informed consent, according to the Cookies Law effective from 26 May 2012.
The Cookies Law was introduced via amendments to the ePrivacy directive and it requires websites and mobile apps to to get user consent for the use of tracking technologies.
You can place this kind of notification on your website using any of the most popular methods to do so:
- The fixed notification in the footer.This is what ICO does, placing a fixed notification about cookies on all pages until the user clicks "Don't show this message again":
- The top notification in the header.Another common place for this notification is at the top, like BBC does:
Sample Privacy Policy for EU
If your business is registered in the EU, make sure you're compliant with EU laws when you draft your first "Privacy Policy" agreement.
This checklist might help:
- Respect and comply with the obligations of being a data controller when you process data from and about your users. Read the The Data Protective Directive guidelines and the The ePrivacy Directive guidelines.
- Have the same level of compliance when you use third parties involving personal information.
- Ask for consent before the your website or mobile app retrieves or places data on users' mobile devices or PCs. This consent must be freely given and informed.Mirror will notify users about placing cookies:
- Be aware that consent doesn't allow for excessive or unreasonable data processing.Asking permissions from users to share geolocation data doesn't imply permission to contact them via email:
- Provide well-defined and comprehensible purposes of the data processing your business is doing.This must be given before the installation of the app, in the case of mobile apps. You can do this by making sure your Privacy Policy is linked from the App Store page:
The same best practice would apply for any other platform, such as Facebook:
- Respect the principles of data minimization and only collect the information needed to operate your business.If you ever need to collect more personal information, provide users with a notice about changes to your Privacy Policy.
- Provide a clear, concise and easily accessible Privacy Policy.Make sure your Privacy Policy is linked from the footer of your website:
And from the mobile app itself:
- Provide ways for users to exercise their rights when it comes to deletion of their personal information or withdrawal of consent.
The other guides: for United States, for Canada or for Australia
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.