Everything you need to know about a Privacy Policy for Websites and Mobile Apps
In the article below we explain why you need a Privacy Policy for Websites or Mobile Apps, what it is, and what the key issues are.
Super short version (naughty you for not reading everything):
A Privacy Policy tells your users what information you’re collecting about them, how you plan to use it, and for how long you’ll store it. It also explains the user’s rights in regard to their information. You need a Privacy Policy for Websites and Mobile Apps because (a) it’s required by law in many countries, (b) it can help protect you and (c) it’s good business practice.
Note: For the purpose of this article, “information” means information that you collect or receive from your users and that can potentially identify them personally. The law in most countries defines “identifiable information” very broadly. For example, an email address is considered identifiable because it can reveal where someone works. On the other hand, general statistical information, such as the country the user is from (on its own), is usually not considered personally identifiable information.
What is a Privacy Policy?
In short, a privacy policy is a legal agreement between you (the website owner or service provider) and your users or customers. The agreement is published on your website or mobile application. It tells your users how you collect, use, and store their information. The user should confirm the policy before using your services (see ‘Getting User Consent’ below).
The Privacy Policy has four main purposes:
- Explain to your users which information you collect, the purpose for which you collect it, how you use and store it, and who you share it with.
- Get their informed consent (after reading the Policy) to the above collection and use.
- Tell users how they may use their own information and other users’ information.
- Help you comply with the law (see the next section).
Why do I need a Privacy Policy?
These are the main reasons why you should have a Privacy Policy for Websites and Mobile Apps:
- It is legally mandatory in many countries. In the United States it is required under the Children’s Online Privacy Protection Act and the California Consumer Privacy Act (with more states seemingly soon to follow). In the European Union it is required under the General Data Protection Regulation (GDPR), and under other specific laws in most other countries around the world. Even if the document itself is not specifically required, you ARE required to receive the user’s informed consent to the use and storage of their information. To give that consent, users first need to understand what information you are collecting and how you plan to use and store it – all of which is usually explained in the Privacy Policy. So, collecting private information from users in these countries may be illegal without a Privacy Policy.
- It’s good business practice. Contrary to popular belief, people do care about their privacy. According to the Harvard Business Review, awareness of privacy is growing. Therefore, having a clear privacy policy helps create trust between you and your users. Perhaps more importantly, it helps you understand the dos and don’ts of using users’ information.
- Many other platforms (such as Google, Apple, and more) require that you have a privacy policy if you want to use their services. For example, you cannot upload a mobile app to the app store without a Privacy Policy.
- Having a privacy policy helps you minimize your risk of claims of misuse of personal information. This means one less thing to worry about.
The key issues in a Privacy Policy
Below are the main subjects that you need to cover in your privacy policy. Please note that these are not all of the issues – just the main ones.
Minimum Users’ Age
It is crucial to know the age of your users because different age groups come with different legal obligations. For example, the legal obligations that apply to users 18 and above differ greatly from those that apply to users between 13 and 18, or to those under 13. For users under the age of 13, laws such as COPPA (the Children’s Online Privacy Protection Rule) in the United States may apply – in which case you would need to get parental consent, plus identifying information on the parents. Therefore, if your services are not specifically aimed at users under the age of 13, it is better and safer to limit the users’ age to 18 and upwards.
What Information You Collect
You need to clearly specify what information you collect from your users. This includes information that users provide when signing up or purchasing and when using your services, such as name, location, gender, email address, etc. Many people forget to include information that they receive from third-party platforms. For example, when a user signs up through their Facebook account, you usually get access to information about that user. Another way you may receive information about your users is through browser ‘Cookies’ – small pieces of data that a website stores in the user’s Internet browser and reads back on later visits. If your platform collects information in another way, it is important to let your contract lawyer know.
How You Use the Information
You need to clearly let the user know how you intend to use the information that you collected and for what purpose. Common uses include “to deliver the product to you”, “to contact you”, “to prevent illegal activities” and so on. In Europe, under the GDPR, it is not enough to state general purposes (such as “to operate the website”); the general rule is that you need to be specific in regard to each ‘piece’ of information. For example: “we collect your home address so that we can deliver the products that you ordered”. It is important that your lawyer knows if you plan to use the information in another way, for example to connect users with each other.
Sharing the Information with Third Parties
You need to clearly list all the other parties (people, companies, organizations) with whom you will be sharing user information. For example, you might share the user’s information with the company that delivers the products, or with your credit card processor. It is crucial that you tell your attorney about all cases of sharing information, as this is a very important section. This is especially true if you plan to sell the information.
Protecting the Information
You should describe how you intend to protect the information that you have collected about the user. Writing this section will also help you better understand how you actually protect the information – if you have not already done so.
The User’s Rights in Regard to Their Information
Although you may have received the user’s consent to collect his or her information, the user still has certain rights in regard to that information (especially under the GDPR). For example, the user has the right to access the information (to see it), to ask you to correct it if something is inaccurate, and to ask that you delete it (with which you may or may not be required to comply).
Getting User Consent
We highly advise that you don’t just stick the policy somewhere on your website or mobile app. If you’ve already gone to the trouble of getting a policy, you may as well do it right. Proving that users have given their consent may be the difference between losing and winning in court. If you want to get user consent properly, we advise that you at least do the following:
- Add a link to the policy at the bottom of each page, or at least on the home page.
- During the sign-up process, add a tick box. Next to it, add a sentence that indicates their consent. For example: “I hereby confirm reading the Terms of Use and Privacy Policy”. Make sure that users must tick the box before continuing with sign-up. Also, link the words “Privacy Policy” to the Privacy Policy itself, so that users can read through the policy if they want to.
There are additional (important) methods which help strengthen user consent. If you reached out to an attorney and they don’t mention the above, they may not specialize in the field of privacy, or perhaps they don’t specialize in Privacy Policies for Websites and Mobile Apps. This is something we specialize in, and we’re happy to help.
Privacy Policy and Email Marketing + Spam
It’s important to note that even if users consent to the privacy policy, this is not enough for marketing emails. To send marketing emails (sometimes referred to as spam), you need to get specific consent. This can be done in a similar way to the methods mentioned in the section above (‘Getting User Consent’).
Different Privacy Rules for Different Countries
Each country has its own rules regarding privacy, with some being especially stringent and others more lenient. Additionally, the rules depend not only on where you or your business is located, but on where your users are located. For example, if your business is in the US but your users are in Europe, you may have to comply both with US privacy laws and with the European ones (GDPR).
Ok, so the Policy seems important. Where do I get one?
Firstly, it’s important to remember that the privacy policies on other websites and mobile apps are owned by others, meaning that you can’t just copy them (you can, but if you get caught you’ll be sued). Secondly, since it’s a legal document that requires knowledge of the relevant laws, it’s recommended to use the services of a high-tech lawyer. Such a lawyer can help you tailor the Privacy Policy to your specific needs. Can you do it on your own? Perhaps, but there is a high chance that it will not be done properly. Can you find something on the internet? You could probably find something fairly cheap on the internet, and it may be good enough in the beginning. Nevertheless, in the long run, make sure to use a tailor-made version that’s adjusted to what your company does.
3 key takeaways:
- The Privacy Policy is mandatory by law in many countries, and it’s good business practice.
- Make sure that you actually do what your Privacy Policy says you do.
- Even if you don’t use my services, consult a lawyer (and don’t copy something from the internet: the price of a copyright lawsuit is about 100 times the price of the document itself).