In the early 2000s, Yahoo was one of the most popular sites on the internet, combining one of the first widely used search engines with a free email service. But after Google entered the scene, Yahoo’s dominance began to wane until the crushing blow in 2014 when anywhere from 1.5-3 million Yahoo accounts were compromised. The event still stands as the largest digital data breach in history and led to the end of Yahoo’s dominance.
As high-profile data breaches become more common, internet users have understandably grown more discerning of how websites handle their personal information. According to a 2019 Pew Research survey, 79% of Americans were at least “somewhat concerned” with how much of their data was collected by companies, while 7 in 10 Americans feel that their data is less secure than it was five years ago.
While large-scale data breaches capture the headlines, even a small breach can destroy your reputation for years to come. Here’s what you need to know about your users’ privacy.
Enter Privacy Policies
- Email address
- Phone number
- ID numbers
- Credit card numbers
- IP Addresses
Over the past decade, a series of regulations were adopted in the US, EU, and Canada regarding data security, making privacy policies a legal requirement for sites operating in these regions. These regulations include the General Data Protection Regulation (GDPR), a broad regulatory framework for EU users, and the California Consumer Protection Act (CCPA), the most wide-ranging digital privacy law in the US. Visit this blog to learn more about these particular laws.
In general, websites can stay on the right side of regulation by explaining the 5 W’s of data collection. These include:
- What data is being collected
- Why the data is being collected
- Who the data is being shared with
- Where the data is being stored
- When the data is removed and how it is retained
What Personal Information is Collected
It’s not enough to tell users that you collect personal information; websites must share what information is being collected. This includes names, addresses, and financial information, along with other methods of collection such as forms or surveys.
Data given to or received from third parties should also be described. This is especially the case with credit card processing and Google Analytics, which require disclosures in order to use the service. Google Analytics also provides an opt-out browser add-on that allows users to avoid having their data collected for Analytics.
Along with sharing what information is collected, sites should also explain why they collect data. This helps build trust with an audience by explaining how data collection can enhance the user experience.
“Help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.”
With data breaches becoming commonplace, users need to know that you’re keeping the personal information in a safe place. Along with knowing what, how, and why you collect information, users also have the right to know where you store their data.
A Data Handling section explains to visitors how you store, access, protect, and manage their personal data. This section can include:
- Where information is stored
- How information is protected
- How users can manage their personal information
- If closed accounts are retained and how they are used
A great example of a Data Handling policy comes from Adobe, which states:
“We understand that the security of your personal information is important. We provide reasonable administrative, technical, and physical security controls to protect your personal information. However, despite our best efforts, no security controls are 100% effective and Adobe cannot ensure or warrant the security of your personal information.”
Notice how Adobe leaves a bit of a carve-out in the case of a data breach, which can never be completely prevented. The page goes on to describe the types of protection Adobe employs, such as storing data on personal servers, along with a notice of transferring data across national borders.
Changes to Policy
Once created, privacy policies aren’t set in stone. Websites are free to change their policies over time, but they are required to inform users of these changes.
Including a Changes to Policy section informs users that the policy is subject to change for any reason, at any time, and that they have the right to decline if they wish.
This section keeps websites out of any potential legal hot water if they decide down the line that they need to make a change regarding data collection. This policy change notice from CBS provides a good example that also explains how they will contact users in the event of a policy change:
Minors Under 13
In recent years, users have become more concerned over inappropriate material getting into the hands of children. The Children’s Online Privacy Protection Rule (COPPA) was instituted in order to allay these fears by ensuring that websites are keeping inappropriate material away from children.
For sites not intended for children, it’s necessary to include a disclaimer indicating that the site is not meant for use by those under the age of 13. For example, Instagram’s policy states that:
“Instagram does not knowingly collect or solicit any information from anyone under the age of 13 or knowingly allow such persons to register for the Service. The Service and its content are not directed at children under the age of 13. In the event that we learn that we have collected personal information from a child under age 13 without parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us.”
- Provide the name and contact details for all operations that collect or maintain children’s information
- Describe what information you collect
- Denote whether you allow children to make personal information publicly available
- Identify how you use the information
- State whether you disclose or share the information
- Provide parents with the right to review or request the deletion of their child’s information
- Provide rights to prevent further collection of the information if requested
The page then features drop-down menus explaining each aspect of data collection, along with contact information in case of any privacy concerns. Disney also prominently features a COPPA Safe Harbor Certification badge, another sign showing that they take children’s information seriously.
Business Transfer Clause
Sure, visitors may trust you with their personal information, but what if the site is sold? Users need to be assured that no matter who owns the site, their data will be kept safe.
A Business Transfer Clause explains how a change of ownership will affect the site’s policies, if at all. The clause should explain that, in the case of a sale, user information will be transferred to the new owner, but that information will continue to be handled with the same responsibility and care.
Here’s a sample from Amazon’s Business Transfer Clause:
“As we continue to develop our business, we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice.”
Privacy policies are a two-way street in that users need to agree with the policy in order to use the service. As a result, websites need to provide users with a means to opt out if they don’t agree with the policy.
For sites operating in the EU, GDPR regulations require that visitors opt in to a policy rather than opting out. Likewise, any sites collecting data from SMS messages and geolocation need to use an opt-in format.
Furthermore, sites need to provide a method of contact in case visitors have a privacy concern. Typically, the best route would be assigning a separate email for privacy inquiries, such as firstname.lastname@example.org.
Also known as the “right to erasure,” the right to be forgotten gives EU citizens the right to demand that their data be deleted. EU citizens can invoke this right when:
- Personal data is no longer necessary for the purpose of an organization
- The individual objects to an organization processing personal data for direct marketing purposes
- An organization processes an individual’s data unlawfully
You can find the complete list of rules regarding the right to be forgotten here, where it lists a number of exemptions and additional conditions.
Be sure that the policy is clear and concise, while providing all the detail necessary to avoid any misunderstandings. Once the policy is created, it should be posted in a conspicuous, and consistent, section of the website, such as the footer. To ensure that everyone sees the policy, websites may consider a pop-up when visitors enter the site.
Trust the Policy
For those interested in furthering their user trust, consider getting your trust score from DigitalTrust, which analyzes your site for over 50 trust factors in the areas of usability, safety, transparency, and reputation, including the quality of policy pages. You can also qualify for a free trustmark, which shows off your site’s trustworthiness to visitors.