Privacy Policies are Mandatory by Law

Why is a Privacy Policy mandatory by law while a Terms and Conditions or a Terms of Use agreement is not?

Before we answer this question, let's define what a Privacy Policy is:

Privacy Policies are where you disclose your practices when it comes to your collection, use and handling of the personal data of your users. They provide information and transparency.

Privacy Policy agreements are mandatory if you're collecting data that can be used to identify an individual because this data is legally protected by a number of important laws around the world that require a Privacy Policy in such cases.

What kind of personal data is personal enough to identify an individual? There's a lot that can fall into that category, and here are just a few examples:

• Email addresses
• First and last names
• Shipping or billing addresses. Most ecommerce stores will need a Privacy Policy as each transaction data of a purchase will involve personal data from users.
• Social security numbers
• Birthdates
• Social media handles and profile images

Anonymous data (that doesn't include personal data) can also be classified as "personally identifiable information" if used in connection with another type of data that can result in identifying an individual. For example, some types of IP addresses are legally protected personal information under modern privacy laws.

Privacy Laws That Require a Privacy Policy

*Editor's note: The video above has outdated content regarding EU laws. The article content is updated as of July 16, 2019. We apologize for any inconvenience this may cause.

In the United States

There are several laws, including federal and state laws, that have provisions on data privacy. The FTC (Federal Trade Commission) regulates data protection for all consumers in the USA, and the following laws all have privacy implications:

• The Americans With Disability Act
• The Cable Communications Policy Act of 1984
• The Children’s Online Privacy Protection Act (COPPA)
• The Computer Fraud and Abuse Act of 1986
• The Computer Security Act of 1997
• The Consumer Credit Reporting Control Act
• The California Online Privacy Protection Act (CalOPPA)
• The California Consumer Privacy Act (CCPA)

The Consumer Federation of California's Education Foundation makes it clear that under CalOPPA, any operator of a commercial website or online service that collects personally identifiable information through the internet about individual consumers residing in California must have a Privacy Policy on its website:

Beginning on January 1, 2020, the CCPA will affect what certain businesses that reach California residents will have to disclose in their Privacy Policies. Transparency is key here, as is granting extra rights to users when it comes to controlling what happens with their personal information.

Under the CCPA, a business must disclose what types of personal information it collects and how it will be using each type. It must make this disclosure before collecting any personal information. This can be done by having an informative Privacy Policy.

The rights that consumers have under the CCPA must also be disclosed in a Privacy Policy of any business that falls under the scope of the CCPA.

Similarly to CalOPPA, it doesn’t matter if your business is incorporated or located in California when it comes to whether the CCPA applies. If your company reaches residents of California - which it likely does - you must have a Privacy Policy that discloses your privacy practices.

In Australia

In Australia, the Privacy Act 1988 is the law that governs data privacy. The same Privacy Act requires companies from Australia to have a Privacy Policy.

This Act regulates the handling of personal information of individuals and mentions the collection, use, storage and disclosure of personal information.

It groups 13 Privacy Principles that each company that's required to comply with the Privacy Act should follow.

The first Privacy Principle is to have a Privacy Policy and for the Policy to be kept up-to-date.

To be compliant, the Privacy Policy must be in a format that’s easy to ready, free of charge and include the following information:

• What kinds of personal information the business collects and holds
• How this information is collected and held
• Why this information is collected, held and (if applicable) disclosed to third parties
• How individuals can access and correct any personal information held about them
• How individual can complain about a breach of the Australian Privacy Principles or other binding code, and how complaints will be handled
• Whether the business is likely to disclose personal information to any overseas recipients, and if so, the countries where these recipients are likely to be located, if practical

In the UK

The Data Protection Act 1998 (or DPA) is the law on privacy in the United Kingdom.

Companies that must comply with UK's DPA act must follow the 8 principles, condensed here:

• Any kind of personal data from users must be collected in a specified and lawful way. The data also cannot be processed in any way that's incompatible with that purpose.
• The personal data you collect should be adequate, relevant and not excessive in relation to the purpose for which you're collecting the personal data.
• The personal data should be kept up to date and accurate.
• Any kind of personal data collected from users should not be kept longer than is necessary for the purpose which it was collected for.

One of the most important rights the DPA grants to residents of the UK is the right to be informed about how their data is used. This is where a Privacy Policy becomes a crucial requirement. Without it, you’re violating the rights of your customers by not being informative and transparent.

If you do business in the UK, make sure you create an informative Privacy Policy that discloses at minimum:

• What personal information you collect, and under what specific lawful purpose
• How you use the data in accordance with such a purpose
• What rights users have and how they can exert them
• How long you keep data, generally
• How you keep collected data safe and secure

In Canada

PIPEDA, the Personal Information Protection and Electronic Documents Act, is the law of Canada for protecting user data.

The law requires companies from Canada to have a Privacy Policy and that policy must be easy to read and understand. That means no legal jargon and overly-complicated clauses.

Under PIPEDA, personal information means:

any identifiable information about an individual whether recorded or not and it applies to the collection, use, and disclosure of personal information by organizations during commercial activities.

Any business that falls under PIPEDA’s scope is required to make information available to the public about the way it handles personal information.

According to the Office of the Privacy Commissioner of Canada, having a good Privacy Policy in place is one of the most important ways a business can meet this obligation and in turn build public trust and gain customer loyalty.

Some Privacy Policy tips offered by the Privacy Commissioner include the following:

• Be very clear and specific about what your business actually does. Make sure your readers can understand what you disclose, and that you aren’t just disclosing generalities. Don’t use legalese, and keep it simple.
• Disclose any choices you offer when it comes to user’s controlling how their personal information is used. For example, if you allow opt-outs for personal marketing, make it clear you offer this and how a user can actually opt out.
• Make it clear how users can access what personal information you have about them, and how they can request corrections or deletions of the data.
• Keep your Policy updated so it always accurately reflects your actual practices.
• Make it easy to contact you with questions.
• Make your Privacy Policy easy to find and access.

In the European Union (EU)

The General Data Protection Regulation (GDPR) regulates the processing of personal data within the European Union. This regulation has strict, global requirements for companies who have users located within the EU.

One of the main requirements of the GDPR is that you have a Privacy Policy that's easy to access and understand.

One of the main requirements of the GDPR is that you have a Privacy Policy that’s easy to access and understand.

Your GDPR-compliant Privacy Policy will need to include at minimum the following information:

• What types of personal information you process
• How you process it
• Your legal basisfor processing it
• How long you retain it for and what happens after the retention period
• Whether or not you share personal information with third parties
• Whether you transfer personal information overseas and if so, what safeguards you have in place
• The 8 User Rightsyour users have and how they can exert them
• Contact information for at least your company as well as your DPOor EU representativewhere applicable

Consent is huge under the GDPR, so if this regulation applies to you you’ll want to get familiar with how your consent requirements will change.

In Singapore, Malaysia, South Korea and Vietnam

In Southeast Asia, various national laws require companies to have a Privacy Policy agreement. Some of these laws include the following:

• In Singapore it's the Personal Data Protection Act 2012 (PDPA).
• It's also called the Personal Data Protection Act (PDPA) in Malaysia. Malaysia's PDPA Act came into force in November 2013.
• In South Korea it's called Personal Information Protection Act and it came into force in 2012.
• In Vietnam, it's Article 21 of the Law on Information Technology

Because these laws aren't quite as robust as some from the EU and the United States at the moment, you can pretty much ensure you're complying with them by making sure you comply with the requirements of the GDPR or CalOPPA.

*Editor's note: The presentation above has outdated content regarding EU laws. The article content is updated as of July 16, 2019. We apologize for any inconvenience this may cause.

Requirements From Third Parties

Besides national laws that require you to have a Privacy Policy if you deal with personal information, third parties also often require a Privacy Policy.

For example, if your app collects personal information, the following third-party privacy requirements will apply:

All iOS apps need a Privacy Policy. Apple's App Store Review Guidelines explicitly states this:

Android Apps have the same requirement. The Developer Distribution Agreement from the Google Play Store requires you to have privacy procedures and notices in place:

Even if you operate a simple website and only use Google Analytics, you'll still need a Privacy Policy. The Google Analytics Terms of Service requires all users of Analytics to have a Privacy Policy in place:

Facebook's Platform Policy for Developers requires you to have a Privacy Policy for Facebook apps you may develop:

If you use Login with Amazon, Amazon's Developer Guide for Websites requires that you have a Privacy Policy available before you can use the sign-in functionality:

If a third party service doesn’t explicitly require you to have a Privacy Policy in order to use the service, you can be sure that there’s some sort of clause in place in the Terms of Use that requires you to follow all applicable laws when using the service.

If your website or app collects personal information and triggers one of the privacy laws out there that require a Privacy Policy, that clause will require you to follow that law in order to use the service. It’s a roundabout but effective way to demand compliance.

In some cases, even if you don’t collect any personal information, a third-party service may still require you to include a Privacy Policy that states this fact, just for transparency.

You need to become aware of the laws that protect your users, wherever they’re located. Make sure to read and review any Terms and Conditions or Terms of Use agreements to find out any third-party requirements for the services your website or app may utilize.