In the early 2000s, Yahoo was one of the most popular sites on the internet, combining one of the first widely-used search engines along with free email service. But after Google entered the scene, Yahoo’s dominance began to wane until the crushing blow in 2014 when anywhere from 1.5-3 million Yahoo accounts were compromised. The event still stands as the largest digital data breach in history and led to the end of Yahoo’s dominance.
As high profile data breaches become more common, internet users have understandably grown more discerning of how websites handle their personal information. According to a 2019 Pew Research survey, 79% of Americans were at least “somewhat concerned” with how much of their data was collected by companies, while 7 in 10 American feel that their data is less secure than it was five years ago.
While large-scale data breaches capture the headlines, even a small breach can destroy your reputation for years to come. Here’s what you need to know about your user’s privacy.
Enter Privacy Policies
As a result of the cultural shift on digital privacy, websites consistently feature privacy policies to put their users’ fears to rest. A privacy policy is a legal document explaining the types of personal information a website gathers. Personal information can include:
- Name
- Email address
- Phone number
- Address
- ID numbers
- Credit card numbers
- IP Addresses
- Usernames
Over the past decade, a series of regulations were adopted in the US, EU, and Canada regarding data security, making privacy policies a legal requirement for sites operating in these regions. These regulations include the General Data Protection Regulation (GDPR), a broad regulatory framework for EU users, and the California Consumer Protection Act (CCPA), the most wide-ranging digital privacy law in the US. Visit this blog to learn more about these particular laws.
In general, websites can stay on the right side of regulation by explaining the 5 W’s of data collection. These include:
- What data is being collected
- Why the data is being collected
- Who the data is being shared with
- Where the data is being stored
- When the data is removed and how it is retained
Beyond the legal requirements, a privacy policy shows visitors that the site takes their data seriously by being transparent about how user data is collected and why. Being open and honest with visitors helps develop a trusting relationship, making them more confident in using the site’s services.
But what kind of information do visitors want or need to know? Read on to learn what you should include in your privacy policy to get you on the right side of the law, and your users.
What Personal Information is Collected
It’s not enough to tell users that you collect personal information; websites must share what information is being collected. This includes names, addresses, and financial information, along with other methods of collection such as forms or surveys.
In addition to user-submitted data, websites should also include data that is passively collected, such as cookies. While it’s recommended to create a separate cookie policy (and legally required under EU law), it’s worth including a statement in the general policy explaining the site’s cookie collection practices.
Data given or received from third parties should also be described. This is especially the case with credit card processing and Google Analytics, which require disclosures in order to use the service. Google Analytics also provides an opt-out browser add-on to allow users avoid having their data collected for Analytics.
Along with sharing what information is collected, sites should also explain why they collect data. This helps build trust with an audience by explaining how data collection can enhance the user experience.
For example, Apple’s privacy policy explains that they use personal information to:
“Help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.”
Data Handling
With data breaches becoming commonplace, users need to know that you’re keeping the personal information in a safe place. Along with knowing what, how, and why you collect information, users also have the right to know where you store their data.
A Data Handling section explains to visitors how you store, access, protect, and manage their personal data. This section can include:
- Where information is stored
- How information is protected
- How users can manage their personal information
- If closed accounts are retained and how they are used
A great example of Data Handling policy comes from Adobe, who states:
“We understand that the security of your personal information is important. We provide reasonable administrative, technical, and physical security controls to protect your personal information. However, despite our best efforts, no security controls are 100% effective and Adobe cannot ensure or warrant the security of your personal information.”
Notice how Adobe leaves a bit of a carve-out in the case of a data breach, which can never be completely prevented. The page goes on to describe the types of protection Adobe employs, such as storing data on personal servers, along with a notice of transferring data across national borders.
Changes to Policy
Once created, privacy policies aren’t set in stone. Websites are free to change their policies over time, but they are required to inform users of these changes.
Including a Changes to Policy section informs users that the policy is subject to change for any reason, at any time, and that they have the right to decline if they wish.
This section keeps websites out of any potential legal hot water if they decide down the line that they need to make a change regarding data collection. This policy change notice from CBS provides a good example that also explains how they will contact users in the event of a policy change:
“We may update this Privacy Policy to reflect changes in our practices and service offerings. If we modify our Privacy Policy, we will update the “Last Modified Date” and such changes will be effective upon posting. If we make any material changes in the way we use your information, we will notify you by email through the email address you most recently provided to us or by prominently posting a prominent notice of the changes on the CBS Interactive Services.”
Minors Under 13
In recent years, users have become more concerned over inappropriate material getting into the hands of children.The Children’s Online Privacy Protection Rule (COPPA) was instituted in order to allay these fears by ensuring that websites are keeping inappropriate material away from children.
For sites not intended for children, it’s necessary to include a disclaimer indicating that the site is not meant for use by those under the age of 13. For example, Instagram’s policy states that:
“Instagram does not knowingly collect or solicit any information from anyone under the age of 13 or knowingly allow such persons to register for the Service. The Service and its content are not directed at children under the age of 13. In the event that we learn that we have collected personal information from a child under age 13 without parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us.”
If a site is intended for children under 13, owners will need to include a separate Children’s Privacy Policy that complies with COPPA. Regulations under COPPA require that a site’s policy:
- Provide the name and contact details for all operations that collect or maintain children’s information
- Describe what information you collect
- Denote whether you allow children to make personal information publicly available
- Identify how you use the information
- State whether you disclose or share the information
- Provide parents with the right to review or request the deletion of their child’s information
- Provide rights to prevent further collection of the information if requested
Disney provides an outstanding example of a detailed Children’s Privacy Policy, stating that:
“The Walt Disney Family of Companies is committed to protecting the privacy of children who use our sites and applications. This Children’s Online Privacy Policy explains our information collection, disclosure, and parental consent practices with respect to information provided by children under the age of 13 and uses terms that are defined in our general privacy policy.”
The page then features drop-down menus explaining each aspect of data collection, along with contact information in case of any privacy concerns. Disney also prominently features a COPPA Safe Harbor Certification badge, another sign showing that they take children’s information seriously.
Business Transfer Clause
Sure, visitors may trust you with their personal information, but what if the site is sold? Users need to be assured that no matter who owns the site, their data will be kept safe.
A Business Transfer Clause explains how a change of ownership will affect the site’s policies, if at all. The clause should explain that, in the case of a sale, user information will be transferred to the new owner, but that information will continue to be handled with the same responsibility and care.
Here’s a sample Amazon’s Business Transfer Clause:
“As we continue to develop our business, we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice.”
User Rights
Privacy policies are a two-way street in that users need to agree with the policy in order to use the service. As a result, websites need to provide users with a means to opt-out if they don’t agree with the policy.
For sites operating in the EU, GDPR regulations require that visitors opt-in to a policy rather than opting out. Likewise, for any sites collecting data from SMS messages and geolocation need to use an opt-in format.
Furthermore, sites need to provide a method of contact in case visitors have a privacy concern. Typically, the best route would be assigning a separate email for privacy inquiries, such as privacy@yourbusiness.com.
Also known as the “right to erasure,” the right to be forgotten gives EU citizens the right to demand that their data be deleted. EU citizens can invoke this right when:
Personal data is no longer necessary for the purpose of an organization
The individual objects to an organization processing personal data for direct marketing purposes
An organization processes an individual’s data unlawfully
You can find the complete list of rules regarding the right to be forgotten here, where it lists a number of exemptions and additional conditions.
How to Create a Privacy Policy
There are a number of online resources that help websites create a comprehensive privacy policy that fits their particular business. Rocketlawyer and Termsfeed are just two examples of services offering website owners the ability to create free, customized privacy policies. These tools allow you to tailor the policy to meet the requirements of regulatory frameworks like GDPR, CalOPPA, CCPA, and more.
Be sure that the policy is clear and concise, while providing all the detail necessary to avoid any misunderstandings. Once the policy is created, it should be posted in a conspicuous, and consistent, section of the website, such as the footer. To ensure that everyone sees the policy, websites may consider a pop-up when visitors enter the site.
Trust the Policy
A privacy policy is an important tool to quickly build trust with your audience by immediately being transparent about your collection practices. By explaining what, how, and why you collect information, websites show that they have nothing to hide.
While data collection is important for the user experience and your analytics, it’s best to only collect information necessary for your business’ needs. The more information collected, the more chance there is for a potential headache down the line. Even before starting on a privacy policy, consider how you can incorporate elements of privacy into the site’s design.
For those interested in furthering their user trust, consider getting your trust score from DigitalTrust, which analyzes your site for over 50 trust factors in the areas of usability, safety, transparency, and reputation, including the quality of policy pages. You can also qualify for a free trustmark, which shows off your site’s trustworthiness to visitors.
