Sweepstakes are a fun way to reach out to and engage with your users. You can use sweepstakes to learn something about your user base, encourage them to take action for you (such as liking or sharing your content), or just as a way to give back with prizes.
Usually, a sweepstakes trades information given by users for a chance to win a prize offered by the business.
But did you know that when running a sweepstakes you must have an adequate Privacy Policy for collecting personal information from your users?
Why you need a Privacy Policy
A Privacy Policy is a legal document and an integral part of any website. It discloses to your users what information your app or website collects, how it uses that information, and how that personal information is kept safe.
Since sweepstakes need to collect personal information from those who enter to win, your Privacy Policy needs to reflect this. Even if you only require an email address to enter, that still qualifies as you collecting personal information and requires a compliant Privacy Policy.
For example, let's say you own a simple retail website and want to receive feedback about how you are doing. You could run a sweepstakes to win a gift card to your website in exchange for users filling out a quick survey. Let's assume the survey asks for some basic information such as name and email address, in addition to a few questions about what they like or dislike about your website.
By collecting the name and email address of your users, you are collecting personal information that falls under the jurisdiction of Privacy Policy laws. Therefore, your Privacy Policy must be adjusted in order to cover the information processed from the sweepstakes. This is the case even if you are simply collecting contact information to notify the winner.
In addition, if you plan on using the email addresses you collect from the sweepstakes for other purposes, such as to form a mailing list, you must address this in your Privacy Policy.
Privacy Policy laws
The most influential privacy laws today are the California Online Privacy Protection Act, or CalOPPA, of California, USA and the General Data Protection Regulation, or GDPR, which will be adopted by the European Union in May of 2018.
Other countries, such as the EU, have been using CalOPPA as a model for their own privacy laws for over a decade, making amendments and new laws that follow the guidelines set forth by CalOPPA.
By this logic, it is sensible to comply with CalOPPA even if you do not currently have users in California as the laws governing your users are likely to move toward the regulations set forth by CalOPPA in the future.
However, it is more than likely that your app or website already does have users in the US or EU, so you are probably (hopefully) already compliant with one or both of these sets of privacy laws.
Most Privacy Policy laws (including CalOPPA and the GDPR) cover any collection of personal data from users within their jurisdiction. What that means is, if your sweepstakes is available to users in both the US and the EU, then your Privacy Policy must be compliant with both sets of laws. It would be a mistake to think you only need to be compliant with the laws in the jurisdiction where you or your company is located.
For example, CalOPPA regulates the collection of data from residents of California. Therefore, even if you are not located in California, but you have users in California, you must comply with the regulations set forth in CalOPPA.
The GDPR of the EU has a similar stipulation, meaning any collection of data from residents of the EU must follow the rules set forth in the GDPR.
So if your sweepstakes is only open to residents of the US, you do not need to comply with the guidelines of the GDPR. You will, however, need to comply with CalOPPA as you are likely to have users from California enter your sweepstakes, thus collecting their personal information.
Sample Privacy Policy clauses regarding sweepstakes
There are two ways you will most often find sweepstakes covered in a Privacy Policy:
- A distinct and separate section devoted solely to the policies of your sweepstakes
- A sentence or two about sweepstakes included among the other sections
The first method is most common as it is often added after the initial creation of the Privacy Policy.
For example, if the original Privacy Policy was created without sweepstakes being an expected part of the website, then it is easier to add a section about sweepstakes than to edit multiple sections elsewhere in the document.
On the other hand, if sweepstakes were anticipated from the outset of the Privacy Policy, then sections such as "What personal information is collected?" and "How is this information used?" may simply mention how sweepstakes affect these topics.
Here's how Happy Family Brands includes a separate, all-inclusive "Sweepstakes and Contests" clause in its Privacy Policy:
Here's how Coca-Cola mentions sweepstakes in its Privacy Policy within a clause that discusses sharing information with third party sponsors of the sweepstakes:
Here's how General Mills works sweepstakes information into its clause about how personal information may be used:
As you can see in the examples above, this information may be covered under the sections that discuss the collection and usage of personal information, or in a separate clause covering your sweepstakes policies.
While the collection and usage of data collected from sweepstakes may be similar to the methods you use elsewhere on your website, it is a good idea to add a distinct clause about your sweepstakes practices as they may differ from your standard Privacy Policy now or in the future.
This also lets your users know that you haven't overlooked your sweepstakes in your Privacy Policy, even if the methods used are the same as elsewhere.
You should also include a privacy statement along with the rules and conditions of your sweepstakes and anywhere that users can fill out forms to enter the sweepstakes so that they can easily refer to your policies.
No matter which method you use to cover sweepstakes in your Privacy Policy, at a minimum you should disclose how your sweepstakes collect personal data and how you use the data that is collected from your sweepstakes.
Sample sweepstakes clause for a Privacy Policy
Here's a sample clause that you can edit and use for your Privacy Policy.
Sweepstakes:
This website regularly runs sweepstakes that may request personal information from you including your:
This personal information may be accompanied by questions relating to your opinion of features on our website as well as our website as a whole. The personal information we collect is used to contact you in the event that you are selected to win a prize from the sweepstakes, in addition to sending you special offers and other marketing material. You have the option to opt-out of receiving special offers and marketing material by unchecking the appropriate box when registering for the sweepstakes. We do not sell or otherwise share the information you provide to us via sweepstakes. This information is only used internally to compile anonymous statistics about our user base and to create a contact list for sending special offers and marketing material. You can choose not to include some of the information requested, but some of it is required (usually name and email address as a minimum so that we can contact the winner). You have the right to not provide the information requested or can simply not enter our sweepstakes if you do not wish to provide us with your personal information. All data collected by our sweepstakes is protected by the same security measures and procedures as the rest of the data we collect and process on our website. If you have any questions or concerns, please contact us via the email address provided below.
Sample Privacy Policy that discusses sweepstakes throughout
What information do we collect?
This website collects your name, phone number, and mailing address when you place an order. Your credit card transaction is handled by a third-party service and we do not collect or store this data in any way. We occasionally run sweepstakes on our website, and these events may require you to enter an email address that we can use to contact the winner or send special offers.
How is this information used?
Your mailing address is only used to ship your order. We do not store or process this information beyond the need to mail you the products you have purchased. Your phone number is kept along with your name so that we may contact you in the event that there is an issue with your order. This often occurs when an erroneous mailing address is given, or if there is an issue with our stock or when your order is in transit. We will never call you about anything unrelated to an order you have placed. Email addresses collected via sweepstakes are used to create a mailing list that we use to send special offers to our customers. You may opt-out of this by unchecking the appropriate box when filling out the sweepstakes form. If you do not opt-out, you may receive emails about sales or special offers no more than once per week. You can also opt-out of these emails within the footer of each email. We also use this email address to contact the winner of the sweepstakes.
Is this information sold or shared?
No, the information we collect is only used by us.
How is this information secured?
The personal information we collect is secured behind SSL encryption and firewall technology where it is inaccessible to unauthorized parties.
Comments about samples
As you can see, the first sample clause is designed to be a standalone section that could be added to an existing Privacy Policy without requiring significant alterations to the original document.
This is often the case with sweepstakes information in Privacy Policies, as sweepstakes are not a major concern at the outset of a website when its Privacy Policy is first drafted.
This method, seen below from Kellogg's, is easy to add, modify, and locate which makes it a popular option.
The second sample has sentences about sweepstakes mixed into the other sections of the Privacy Policy. This is often done when sweepstakes are foreseen at the creation of the website.
In this method, the information regarding the collection, usage, and selling or sharing of personal information can simply state whether the data that comes from sweepstakes is treated any differently than the data that comes from normal use of your website.
Oftentimes, the policies for sweepstakes data are the same as the policies for the rest of the website, meaning a simple sentence in each section can reinforce that the data collected from sweepstakes follows the same procedures. If not, simply point out any differences.
Here's how Coca-Cola lets users know that its sweepstakes may have additional rules with additional information about how personal information is used and disclosed:
Conclusion
If your business holds sweepstakes, you need to disclose this in your Privacy Policy.
You can do this by either:
- Adding a separate, all-inclusive sweepstakes clause to your Privacy Policy
- Adding information about sweepstakes throughout existing clauses in your Privacy Policy