Why did it pop up?
“So what’s this thing actually?”, you may ask.
It’s basically a document or statement that discloses how the website operator handles data of the client, visitor of your page or user of your web application - it outlines the use of personal data.
Data means personal information - anything that can be used to identify an individual.
Yes, in the case of a business webpage, it needs to be specified what client information is collected and yes, it can be even traded or sold to other companies or enterprises. Privacy policies typically only inform the visitor generally what may happen with his data.
Here’s its definition in wikipedia.
To be fair, what exactly is permitted depends upon the applicable law in different countries, as they have their own legislation. For example, EU data protection laws cover the private as well as the public sector, in the US, that is not the case.
Do I need one?
Let’s say you are going to publish your brand new webpage, do you think you need it?
Well, if you won’t collect ANY data from users (visitors) on your page, you probably don’t need it.
So the answer is most of the time Yes, you will need to have one, as it’s a legal requirement by global privacy laws.
Since several different regulatory systems exist, one or all of them may apply to your webpage.
So depending where your business is located and if your webpage or application is accessible in other countries, you might need to comply with all of them. This applies whether you have a business presence there or not.
The most relevant in the western culture are:
- In the EU(European Union), the General Data Protection Regulation(GDPR),
- In the US(United States of America), the Children's Online Privacy Protection Act (COPPA),
- Moreover in California, the California Online Privacy Protection Act(CalOPPA),
- In Canada, The Personal Information Protection and Electronic Documents Act (PIPEDA),
- In UK(United Kingdom), The GDPR, Privacy in Electronic Communications Regulations (PECRs) and Data Protection Act 2018.
This type of text often falls into the TL:DR category. Too long, didn’t read: as you may imagine, not everybody is keen to spend their time reading legal documents. Imagine every time you hit some interesting link, you’re supposed to read several hundred pages of legal jibber jabber which nobody but lawyers understand. These documents tend to be hard to read for the general public, and are read therefore infrequently.
So this is an opportunity to create an environment of trust between you and your user by being honest and transparent.
Don't ask for more information than is necessary from a user - if it's not required in order to provide your services to a user, you shouldn't ask for it.
What is Personal Information
As we already explained, this part can be a bit of a grey area, as it depends by definition of the law in each country.
Personal information can be anything that can be used to identify an individual, not limited to the person's name, but also data such as
- phone number, calls, SMS info,
- date or place of birth,
- marital status,
- contact information, billing or shipping addresses,
- ID number, social security numbers,
- financial records, bank derails
- credit or payment information,
- medical history, physical appearance,
- authentication information,
- microphone or camera data or device usage data,
- It may be a signature, IP address, analytics data etc.
What should be included?
It's important to inform anyone involved what type of data will be collected and with as much details as possible.
Generally we also can cover the purpose of collecting this data.
Next, to comply with different requirements of different countries' laws, we will try to include information that must be included.
Inform how you will collect, store, protect, and utilize personal data provided by its users - the methods used could be contact forms filled by users, but also invisibly collected information like IP addresses.
Contact information, and if you operate a business - official name, the ways users can reach you. That goes both ways, if you're planning to contact your users, write how and why you would do it.
If you share data with third parties, you need to mention it.
If cookies are being used on the site, how can be done to opt-out and what it means for the user experience.
How to opt-out of data sharing, if the user chooses to later.
Another very important part is to let users know how you use collected data. This could be to notify users about updates, to improve the content, to display services tailored to user or advertising purposes or analytics.
If your site is meant for adults, a statement that your website is not intended for children under 13 years of age and that they shouldn’t provide any information to you should be enough. This comes into play if there is a possibility that your page will be visited by a US child, which is under protection of COPPA.
Information what steps the user needs to take, if he wants to remove some of the information you store (Opt-out).
A dispute resolution clause can be included to describe the measures you're willing to take to resolve future issues.
To sum it up we need :
- Contact information
- Which information is collected
- Collection method
- Explain how you collect, use and share user data
- Data usage
- Opt-out user data
Another solution would be you pay for it, if the nature of your business needs it, but for starting web developers this is often not feasible, and we wouldn't be learning how to do it ourselves now would be?
How to write it
The technical details and specifics should be written without using jargon.
If you will be modifying later the personal information you’d collect, you must inform about it.
The golden rule is to let people decide when they come to your website if they want to share their personal information (Opt-in) and not collect information and let people ask you to delete it (Opt-out).
I aint no lawyer
These sites also helps you with choosing the best one.
Next time we write about HTTP Cookies and Terms of Service.
Images by :