Countless people surf the internet all over the world at any given time. It’s not really surprising considering that the internet has become such a huge part of our lives already. Today, the internet has made it easier for us to work with various people located in different parts of the world, to do everything from shopping at online stores that are based in different countries, or even just to say hello to a childhood friend or family member who lives across the globe.
With the astronomical rise of the people using the internet on a daily basis, one important aspect that has received much attention is data privacy. Websites and apps that people use every day can collect, monitor, or use data and information from its visitors. While internet data privacy may not have been given a lot of focus early on, it has become very important today.
This is the reason why the term “privacy policy” is something that has become essential for websites or mobile apps nowadays. But what exactly is a privacy policy and why is it important for a website to have one? This article will explain why privacy policies are mandatory by law.
Table of Contents
In a nutshell, a privacy policy is a statement in a website or mobile app that states some or all of the ways that a website operator or app developer collects, uses, discloses, and manages a user’s data. It is important for websites to have this because many countries all over the world have passed data privacy laws that provide certain requirements for websites that collect the data or information of their citizens. One of the common requirements for operators is that they should have a privacy policy in place if their website or mobile app collects data or information which can be utilized to identify a person.
These kinds of information, which are also referred to as “Personally Identifiable Information” or PII, are not only limited to first and last names of persons. PII likewise extends to any other information or data that can be used to identify a user. A few examples are the following:
- Telephone Numbers
- Email Addresses
- Shipping Addresses
- Billing Addresses
- Birth Dates
- Social Security Numbers
- Social Media User Details
Other types of anonymous data can even fall under the definition of “Personally Identifiable Information” if such information is used together with other data that would result in being able to identify a person. This can include certain kinds of IP addresses, for example, that are protected as personal information under the privacy laws in place today.
Now that you know what a privacy policy is, let us now take a closer look at some of the data privacy legislation of major countries across the globe and see just how they differ from one another and how websites can make sure that they are complying with them.
UNITED STATES
In the United States, there are both federal and state laws that are focused on data privacy. Some of the US laws which have an impact on data privacy are the following:
- The California Online Privacy Protection Act (CalOPPA)
- The California Consumer Privacy Act (CCPA)
- The Children’s Online Privacy Protection Act (COPPA)
- The Computer Fraud and Abuse Act of 1986
- The Computer Security Act of 1997
- The Consumer Credit Reporting Control Act
- The Cable Communications Policy Act of 1984
Among these data privacy laws are two state laws from California, the CalOPPA and the CCPA. The CalOPPA was the first state law in the United States to require operators of commercial websites which collect Personally Identifiable Information of users who are residents of California to have a privacy policy that must be posted conspicuously on their website. Conspicuously posting a privacy policy is not as simple as it may seem though, as the CalOPPA explicitly provides specific conditions on how to meet these criteria. Under the law, conspicuously posting a privacy policy on a website can be done in any of the following ways:
- It is posted on the homepage or the first significant page after accessing the website.
- An icon on the homepage which hyperlinks to the page where the privacy policy is actually posted. The icon must contain the word “privacy” and be in a color that contrasts with the color of the background of the web page.
- A text link on the homepage that takes visitors to the webpage where the privacy policy is actually posted. The link must either:
- contain the word “privacy”;
- be written in capital letters or be equal to or greater in size than the other surrounding text on the page; or
- written in a larger type than the surrounding text, or uses a type, font or color that is in contrast with the surrounding text, or is clearly distinguishable from the surrounding text of the same size by way of symbols or other similar means.
AUSTRALIA
In the land down under, the primary law that governs data privacy is the Privacy Act of 1988. This law includes thirteen (13) Australian Privacy Principles or APP’s that businesses would need to follow in order to comply with the Privacy Act. While the Privacy Act was initially limited to cover Australian government agencies only, its coverage was expanded in the year 2000 to include entities or businesses with a gross income of more than AUD 3 Million.
The Privacy Act’s first Privacy Principle is for businesses to have a privacy policy and to ensure that such policy is kept up to date. In order to comply with this, a covered entity’s privacy policy should be easy to read and comprehend and it must also be free of charge. It should likewise contain the following details:
- What specific types of personal information are being collected and stored
- The process of how the entity collects and stores this information
- The reason why the data or information is collected, held and disclosed to third parties if the latter is applicable
- The process of how users can access or correct personal data about them
- The process of how a user can complain about any breach of the Privacy Act’s Privacy Principles or other binding codes as well as how such complaints are going to be handled
- Whether or not the entity is likely to disclose users’ information to an overseas recipient. If the answer is yes, the countries where such recipients are likely to be located should also be stated, if the same is practical.
UNITED KINGDOM (UK)
The law regarding data privacy for residents in the United Kingdom, on the other hand, is the Data Protection Act of 1998 or the DPA. The DPA mandates how business entities may legally use and handle personal data or information from its users.
In order to comply with the provisions of the DPA, businesses would need to comply with the following guidelines:
- Any personal information or data from users must be collected lawfully and in a specified manner.
- The collected information cannot be processed in a manner that is not compatible with the stated purpose.
- The data being collected should not be excessive when considering the purpose for which a user’s personal information is being collected. It should also be relevant and adequate.
- The user’s personal information must be accurate and up to date.
- The personal data or information being collected must not be kept or stored for a period that is longer than what is necessary for the stated purpose.
A significant right that the DPA grants to UK residents is the right to be informed on how their data is being used, which is why an adequate and compliant privacy policy is essential. Otherwise, a business entity would be in violation of this right. Businesses covered by the DPA should ensure that they have a privacy policy that contains the following essential details at the minimum:
- What kind of personal data is being collected from users
- What lawful purpose is the data being collected for
- How is the collected data being used in relation to the stated purpose
- How long the data will be stored as well as how it will be kept safe and secure
- The rights that users have and how they can exercise them
CANADA
In Canada, the foremost privacy law that is geared towards the protection of any information of its citizens is the Personal Information Protection and Electronic Documents Act or PIPEDA. Organizations or individuals engaged in any commercial activity are those covered by PIPEDA. The law defines commercial activity as any particular transaction, act, or conduct or any regular course of conduct that is of a commercial character. This includes selling, bartering or leasing of donor, membership, or other fundraising lists.
The PIPEDA requires that covered entities that operate in Canada get the consent of users when collecting, using or disclosing their personal information. In addition to that, any personal information collected from users may only be used by the covered entity for the express purpose for which the said data was collected. Any use of the data by the entity other than the original purpose would require further consent from their users. Furthermore, the users should be assured that the entity collecting the data will reasonably protect such data or information.
Under the PIPEDA, the term personal information refers to “any identifiable information about an individual whether recorded or not and it applies to the collection, use, and disclosure of personal information by organizations during commercial activities.”
PIPEDA revolves around ten “fair information principles” which covered entities must comply with. These principles are:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Given these requirements of PIPEDA, having a good privacy policy is one of the best ways to ensure that covered businesses are compliant with the law’s provisions.
EUROPEAN UNION (EU)
In countries belonging to the European Union or the EU, the primary data legislation is the General Data Protection Regulation or the GDPR. This law took effect in May 2018 and it is considered by many as one of the world’s toughest data privacy laws.
Two of the basic goals of the GDPR are informing users about how their data and information are being used and transparency. The GDPR is commonly described as an important step toward giving citizens and residents of the EU more control over how their information or data are used by businesses and organizations.
If your website or app handles personal information of persons who are in the EU, compliance with the GDPR is required. This is regardless of where your business or company is actually be based. Complying with the GDPR is something that covered entities should really focus on as violations of its provisions can carry very hefty penalties.
One basic requirement for covered entities under the GDPR is that they must have a privacy policy or a privacy notice which can easily be accessed and simple to understand. At the minimum, a privacy policy should contain the following details for it to be compliant with the GDPR:
- The kinds of personal information being processed
- How such personal information is processed
- The legal basis for the processing of personal data
- The period of time the covered entity will retain the personal data for and what occurs after the said retention period
- Whether the website will share personal information with third parties
- Whether the covered entity will transfer the collected personal information overseas. If such is the case, what safeguards are in place for it.
- The 8 User Rights that the website’s users have and the process of how they can exercise them
- The Contact information at least of the covered entity as well as its Data Protection Officer or EU representative if applicable.
