Your website and mobile app require a Privacy Policy throughout most of the world.
You cannot do business in the U.S. without coming across the California Online Privacy Protection Act or the Children's Online Privacy Protection Act.
Laws in the U.K., Canada, and Australia also require Privacy Policies.
- Clause 1: Types of information collected
- Clause 2: How information is collected
- Clause 3: What you do with collected information
- Clause 4: Cookies policy
- Clause 5: Third party access to information
- Clause 6: Dispute resolution
- Clause 7: Business transfer clause
- Clause 8: Changes to Privacy Policy
- Clause 9: Email marketing
- Clause 10: COPPA compliance
- Clause 11: Data retention
- Clause 12: Contact information
As a business, you're subject to these laws and must have a Privacy Policy agreement if you collect and use personal information from users, such as:
- Names
- Email addresses
- Birth dates
- Job titles
- Or any other type of identifying information
Here are the essential clauses you need for your Privacy Policy agreement.
Clause 1: Types of information collected
Describing the information you collect from users is a good way to start your Privacy Policy agreement.
This kind of clause makes it clear to users what personal information you need for your website or mobile app to function properly and allows users to determine whether they are comfortable giving that information to you.
A "Types of information collected" clause protects your business from liability too because if you are forthright about the information required in your Privacy Policy, no one can claim you used that information without authorization.
Sometimes, a Privacy Policy describes what personal information is collected in simple definitions.
An example of this approach is offered by Trello in its Privacy Policy agreement:
Other Privacy Policies contain more detail. SurveyMonkey gives a complete list in its agreement:
The more sensitive the information you collect, the more detail you'll want to provide in your Privacy Policy.
A detailed but incomplete list of the types of information collected can work against your business more than a broad description of the information types.
Clause 2: How information is collected
All Privacy Policy agreements should include provisions on how personal information is collected by your company (through the website and/or through the mobile app).
Even if you only collect and use information users provide directly to you, your Privacy Policy should have provisions describing that.
Under its section "How We Collect Information", Trello explains that it collects information in two ways:
- The use of services
- And the information provided by users
Like the section on the types of information collected, these sections are also detailed.
The clauses on information collected just by using the Trello app mention Google Analytics and IP addresses. The clause also clarifies that this collection usually involves non-identifying personal information:
Information provided directly by users could seem self-explanatory. After all, many businesses request names, email addresses, user names, and payment information.
Trello explains that it requires this information and that failing to provide it could mean limited access to the app. Trello's Privacy Policy also indicates that data may be used to verify accounts; however, permission from the user is secured first:
Clause 3: What you do with collected information
Explaining why you collect data and what you do with it also provides additional liability relief. Depending on your business, you may have several purposes for collecting information from users.
The "What we're doing with the collected information" section is best written in detail since you do not want to be accused of using personal data inappropriately.
SurveyMonkey explains the 9 uses for the data it collects. These are listed in detail in SurveyMonkey's Privacy Policy:
Clause 4: Cookies policy
When a website or a mobile app uses cookies frequently, it's a good idea to have a separate Cookies Policy.
In many cases, it's appropriate to include these provisions related to your Cookies Policy in the Privacy Policy agreement too.
Trello does not have a separate "Cookies Policy", but in its section on collecting information, it mentions cookies. It explains that cookies help with analytical data and users have an option to refuse them (but by doing so there's a likelihood that Trello may not work properly).
Kissmetrics dedicates an entire section to cookies in its Privacy Policy. It starts by explaining how cookies work and how the Kissmetrics app benefits from using cookies.
The Privacy Policy of Kissmetrics also informs users about the option to refuse cookies before accessing the app. However, much like with Trello, this has the effect of limiting the scope of the app for users who make that decision:
It's important that you cover cookies in your Privacy Policy or in a separate policy. The EU Cookies Directive, for example, requires disclosures on cookies for any EU-based company or any foreign company interacting with EU citizens.
Clause 5: Third party access to information
Advertisers, analytics apps, and social networking apps (Facebook, Twitter) are third parties who may access the collected data or collect data through your website or mobile app.
When you integrate these third parties on your website or app, you need to cover access to data by these third parties in your Privacy Policy.
Generally, the Privacy Policies of these parties control how they handle your users' information. But you still need to mention them in your Privacy Policy so users are informed that you allow this access.
You need to address third party use in your Privacy Policy even if the third parties have their own privacy practices and their own agreements.
AOL addresses this regarding advertisers but also third parties that help the AOL website function:
Clause 6: Dispute resolution
Unlike Terms & Conditions, Privacy Policies do not normally contain provisions on governing law.
That said, privacy is often a contentious issue and disputes can arise. For that reason, "Governing Law" provisions are replaced with clauses regarding dispute resolution.
Dropbox includes provisions for dispute resolution in its Privacy Policy:
Clause 7: Business transfer clause
If your company merges with another or is acquired by a larger entity, your users will likely feel concerned about the continued handling of their information.
You can protect yourself from liability and offer reassurance by adding a "Business Transfer" clause to your Privacy Policy.
A "Business Transfer" clause merely states that users' data will be protected as it was before under the previous Privacy Policy. Even if you don't anticipate a sale or transfer, markets can change quickly and you never know when selling your business becomes a possibility.
Even Twitter covers this ground in its Privacy Policy.
Clause 8: Changes to Privacy Policy
If your Privacy Policy changes, you must announce those changes to your users.
You can describe in the agreement the method you choose for notifying your users about changes.
Twitter addresses this at the end of its Privacy Policy. Twitter indicates that change announcements are done through email and its own feed:
When you choose a method to inform users about Privacy Policy changes, choose one that works for you. It's important to only mention methods you plan to use.
Clause 9: Email marketing
Due to anti-spam laws in several nations, such as CAN-SPAM in the US, you need to be careful sending users unwanted email.
Microsoft includes a section to comply with CAN-SPAM in its "Privacy Statement":
When you include a section like this in your Privacy Policy, you can also provide a link to the opt-out page. You also need to provide this opt-out link in your emails so users have the option to opt-out from every email you send.
Clause 10: COPPA compliance
The Children's Online Privacy Protection Act (COPPA) is a U.S. law that places additional requirements on web service providers who cater to children. COPPA applies to children under 13 who live in the U.S.
Websites or apps that are only available to adults or those over 13 generally state that there's no intention to collect information from those under 13.
Instagram offers a good example of this in its Privacy Policy:
If your website or app is for children under 13, you need to take a completely different approach to your privacy practices and Privacy Policy.
The Public Broadcasting Service (PBS) runs a "PBS Kids" page designed for children. A detailed COPPA page explains that data is only collected with the consent of parents or guardians and that extra protections are taken into account:
You can mention that you don't collect data from the 13-and-under users or adapt your Privacy Policy to be COPPA compliant.
Clause 11: Data retention
Users can delete their accounts with you or you may act on your Terms & Conditions and deny access to a user who violated your rules.
This issue of deleting or suspending user accounts must also be addressed in the Privacy Policy. This content is found in a "Data Retention" clause like this one from Match.com in its "Privacy Statement":
The normal course of action is to retain personal information only as long as necessary and destroy it at the end of that time period, but compliance requirements may compel you to keep it longer.
Clause 12: Contact information
Every Privacy Policy also needs a section letting users know how to get answers to questions about matters related to their data privacy.
Large companies can generally afford to have separate departments for these inquiries, especially if the company takes a Privacy By Design approach.
Facebook guides users to an easy-to-read Privacy Basics page and also includes email and mailing addresses for questions. There's a separate contact information section based on where users live:
Comprehensive compliance starts with a Privacy Policy.