Super short version (naughty you for not reading everything):
Note: For the purpose of this article, “information” means information that you collect or receive from your users, and that can potentially identify them personally. The law in most countries gives a very broad definition to “identifiable information”. For example, an email address is considered as such because it can tell where someone works. On the other hand, general statistic information, such as the country the user is from (on its own) is usually not considered personally identifiable information.
- Explain to your users which information you collect, the purpose for which you collect it, how you use and store it, and who you share it with.
- Get their informed consent (after they have read the Policy) to the above collection and use.
- Tell users how they can use their own information or other users’ information.
- Help you comply with the law [see more on this in the next section].
Minimum Users’ age
It is crucial to know the age of your users because different age groups come with different legal obligations. For example, the legal obligations that apply to users 18 and above differ greatly from those for users between 13 and 18, or those under 13. For users under the age of 13, laws such as COPPA (the Children’s Online Privacy Protection Rule) in the United States may apply, in which case you would need to get parental consent and identifying information about the parents. Therefore, if your services are not specifically aimed at users under the age of 13, it is better and safer to limit your users’ age to 18 and upwards.
What Information You Collect
You need to clearly specify what information you collect from your users. This includes information that users provide when signing up or purchasing and when using your services, such as name, location, gender, email address, etc. Many people forget to include information that they receive from third-party platforms. For example, when a user signs up through his Facebook account, you usually get access to information about that user. Another way you may receive information about your users is through browser ‘Cookies’. ‘Cookies’ are packets of data collected and stored in the user’s Internet browser. If your platform collects information in another way, it is important to let your contract lawyer know.
How You Use the Information
You need to clearly let the user know how you intend to use the information that you collected and for what purpose. Common uses include “to deliver you the product”, “contact you”, “prevent illegal activities” and other examples. In Europe, under the GDPR, it is not enough to state general purposes (such as “to operate the website”); the general rule is that you need to be specific in regard to each ‘piece’ of information. For example: “we collect your home address so that we can deliver the products that you ordered”. It is important that your lawyer knows if you plan to use the information in another way, for example to connect users with each other.
Sharing the Information with Third Parties (other sides)
You need to clearly list all the other parties (people, companies, organizations) with whom you will be sharing user information. For example, you might share the user’s information with the company that delivers the products, or perhaps with your credit card processor. It is crucial that you share with your attorney all cases of sharing information, as this is a very important section. This is especially true if you plan to sell the information.
Protecting the Information
You should describe how you intend to protect the information that you have collected about the user. Writing this section will also help you better understand how you actually protect your information – if you have not already done so.
What are the User’s Rights in regard to his information
Although you may have received the user’s consent to collect his or her information, the user still has certain rights in regard to that information (especially under the GDPR). For example, the user has the right to access the information (to see it), to ask you to correct it if something is inaccurate, and to ask that you delete it (in which case you may or may not be required to comply).
Getting User Consent
We highly advise that you don’t just stick the policy somewhere on your website or mobile app. If you’ve already gone to the trouble of getting a policy, you may as well do it right. Proving that users have given their consent may be the difference between losing and winning in court. If you want to get user consent properly, we advise that you at least do the following:
- Add a link to the policy at the bottom of each page, or at least on the home page.
Different Privacy Rules for Different Countries
Each country has its own rules regarding privacy, with some being especially stringent and others being more lenient. Additionally, the rules are not only based on where you or your business is located, but on where your users are located. For example, if your business is in the US, but your users are from Europe, you may have to comply both with US privacy laws and the European ones (GDPR).
Ok, so the Policy seems important. Where do I get one?
3 key takeaways:
- Even if you don’t use my services – consult a lawyer (and don’t copy something from the internet. The price of a copyright lawsuit is about 100 times the price of the document itself).