A Privacy Policy is probably one of the most important legal agreements for your online business, regardless of how or where you operate: website, mobile app, desktop app and so on.
There are a number of reasons why you should always have one in place. Here are our top 4 reasons why you definitely need a Privacy Policy agreement.
Reason 1: It's required by law if you collect personal information from users
Perhaps the most important reason why you need a Privacy Policy is the simplest one: in most jurisdictions, it's required by law.
In the US, the California Online Privacy Protection Act (CalOPPA) dictates that if you collect any personal information from any California-based users, such as email addresses, GPS location, phone numbers, or mailing addresses, you are required to have a legal statement available for users to review that discloses the privacy practices of your business.
Because the internet has no borders, CalOPPA in effect means that if you collect any kind of personal information, even if it's only an email address, you should have the legal statement CalOPPA requires in place, because California residents are likely to be among the users of your websites or apps.
Canada, Australia and Europe are no different in this regard.
For example, the EU Data Protection Directive is not limited to EU countries only, but works on a global level, as it affects any business that collects personal information from any user in the EU or transfers personal information to or from an EU country. (The Directive has since been replaced by the GDPR, which applies in May 2018 and keeps the same extraterritorial reach.)
While there are a number of other laws put in place in other countries, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and the Privacy Act of 1988 in Australia, CalOPPA and the EU Directive are far-reaching and influential laws that sum up global requirements in privacy matters, especially for online businesses.
Reason 2: It's required by third-party services you may use
Many third-party services that are designed to enhance your website or app, such as Google AdWords or Google Analytics, require you to have a Privacy Policy that contains certain information about your use of their services, plugins, SDKs, and so on.
Google Analytics requires a Privacy Policy because it stores cookies in the user's browser, which are then used to collect data about the user. Because of this, both CalOPPA and the EU Cookies Directive would require you to disclose your usage of Google Analytics and its use of cookies.
You disclose this in the Privacy Policy with a new section called "Cookies" or through a separate Cookies Policy.
To make sure that this happens, Google Analytics includes that requirement in its Terms and Conditions. Their legal agreement states that any business that signs up for and uses their Analytics service must have a Privacy Policy available to users that discloses the business' use of their service.
Google AdWords can be used as a very effective remarketing tool. But remarketing campaigns use cookies to track users' activity online and show customized advertisements.
If you use AdWords, Google requires you to update your Privacy Policy to inform your users that:
- You use remarketing to advertise your product or service through Google AdWords' platform
- Google is showing your ads to users on websites that they visit after visiting your website, and
- How a user can opt out of this remarketing campaign
Another example of a third party service that requires you to have a Privacy Policy is Twitter through its Lead Generation Card.
The Data Use Policy of Twitter states that:
When using Twitter's Lead Generation card feature, you must include a link to your Privacy Policy directly in your card. You can add this link through the Campaign User Interface. Pages where users are asked to enter private and confidential information must use a secure processing server (https://). Examples of private and confidential information include: credit card numbers, bank information, and social security numbers. Providing users with your Privacy Policy, as well as secure server when collecting their private and confidential information will allow users to understand the conditions under which they share their information. Specifically, they should know who is collecting their information, how it will be used, and what steps will be taken to ensure it is secure and not misused.
Twitter requires you to enter the URL for your legal statement in order to be able to sign up for the Lead Generation Card service.
Facebook does it too.
Developers of Facebook apps are required by Facebook to have a Privacy Policy.
According to the Platform Policy of Facebook, a "publicly available and easily accessible privacy policy that explains what data you are collecting and how you will use that data" is required.
If your mobile app will be available on an app store, such as the Apple App Store or the Google Play Store for Android devices, you're most likely to be required to have this legal statement either by law (if you collect personal data) or by the terms of the app stores' legal agreements (even if you don't collect personal data).
Apple requires a Privacy Policy for all iOS apps through the following legal agreements you agree to as a developer: Apple's App Store Review Guidelines, Apple's Program License Agreement (PLA) and iOS Developer Program License.
Apple's App Store has a more blunt requirement for this type of legal statement in their "App Store Review Guidelines". Section 17 deals with "Privacy" and essentially makes it a requirement for app developers to have this statement if an app uses any personal information. As a result, most iOS app developers should have a Privacy Policy ready and posted online before their apps are submitted for review on the Apple App Store.
While the Google Play Store does not state the requirement as bluntly as Apple does, Google requires that "privacy procedures and notices [be] in place" when a developer or app distributor is signing up for a Google Play account.
The Distribution Agreement of Google Play, which you must agree to as a developer, states that a Privacy Policy is required for all Android apps:
If the users provide you with, or your Product accesses or uses, user names, passwords, or other login information or personal information, you must make the users aware that the information will be available to your Product, and you must provide a legally adequate privacy notice and protection for those users.
A "legally adequate privacy notice" would be the Privacy Policy agreement. This type of notice should disclose all legally-required information about the use of a user's personal information by your Android app.
In sum, if you have any interactions or relationships with third-party apps or services, or are a developer of apps across platforms that collect or use personal information, it's very likely that a Privacy Policy will be required in order for you to use the service.
Reason 3: Users are interested in their privacy
People care a lot about their privacy, especially when it comes to the use of their personal information online. Most users want to feel secure before providing private information, such as a home address.
A Privacy Policy is not only the legally required document to disclose your practices on protecting personal information, but it's also a great way to show users that you can be trusted, and that you have procedures in place to handle their personal information with care.
Use this legally required statement as a way to showcase how you handle a user's personal information and provide as much clear, accurate, and thorough information as possible to really make your users feel comfortable and informed.
Here's how eBay has formatted its Privacy Policy for the iOS app. Notice the use of blank space, and the clear headings for each section. Users are able to get quick answers to most privacy questions they may have when glancing at this screen on their mobile devices.
Reason 4: It's ubiquitous
Even if you don't collect any personal information from users, you should consider creating a Privacy Policy page regardless. Even if all it says is that you don't collect any information.
Consider Ecquire's Privacy Policy, which they have, perhaps appropriately, named "The World's Greatest Privacy Policy".
It's short, sweet, and tells everything that needs to be told in just a few sentences.
Also, don't disregard common practices on how to make this kind of legal statement available to users.
Users look for links to Privacy Policies in the footer of a website. You should always include visible links to your legal agreements across all pages of your websites - even if that's a landing page - so users can review these agreements.
If you're developing a mobile app, include a link to your Privacy Policy in an easily accessible menu screen, as most mobile apps do.
Evernote includes a "Legal" screen within its "Settings" screen where the Privacy Policy of Evernote and the other legal agreements from Evernote are made available right within the app itself.
You can also be more active in informing users about your privacy practices. To get users actively involved in acknowledging your legal agreements, consider having an "I agree" checkbox presented to your users when they first sign up for an account on your website or app.
This is an active way to let users know that there is a legal agreement they need to agree to, but it can also have the benefit of putting users at ease when it comes to the security of their data when they first sign up. It shows that you take their privacy seriously.
Below is an example of how YouTube presents its Privacy Policy agreement to users with an "I agree" checkbox when you need to create an account.
This type of active method of informing users also protects you as a business because you will be able to more easily enforce the terms in your Privacy Policy document against users.
By following this type of active method, you'd be making sure that your users are bound by the legal agreements you've linked to since you'll be obtaining active consent from users: users must check the "I agree" checkbox before continuing.
Here's an example of this from The Weather Channel. It lets users know that "by selecting" the checkbox, a user is agreeing to the linked legal agreements.
Mobile apps can use checkboxes too, by requiring a user to tap the checkbox.
The Airbnb app requires a user to tap a checkbox and then tap the "Accept" button.