This frightens some people. It might even frighten you, particularly if you’ve had personal information stolen online (or if you’re watching the new season of Westworld). But don’t go off the grid just yet! Instead, let’s talk about privacy policies, how they can help users take back control of their information, and what you need to do to create one for your business.
They also help protect your business from fines or lawsuits. Certain regulations actually require privacy policies. Here are the major ones, with links to a guide for each courtesy of PrivacyPolicies.com:
- COPPA, the Children’s Online Privacy Protection Act (U.S.)
- CalOPPA, the California Online Privacy Protection Act
- PIPEDA, the Personal Information Protection and Electronic Documents Act (Canada)
- GDPR, the General Data Protection Regulation (E.U.)
A good privacy policy should be:
- Clear, concise, and easy to understand, keeping technical and legal jargon to a minimum.
- Updated every time the use of personal information is changed, and users are directly informed of these updates.
- Strictly implemented by you and your staff. A policy is only as strong as its implementation. Don’t set it and forget it!
Where Do I Start?
First, tell your readers why you’re all here. Clearly spell out who you’re referring to in the policy: who your company is and who the users are. Explain what’s in the policy and what services or aspects of your business it covers. This is what ours looks like:
You can read the rest of our policy here.
Now you’ll need to identify the reasons you’re writing it – namely, what information you’re collecting from your website’s users. Here are two categories you can split that information into, as well as some examples of what that information might be:
Information provided indirectly
- Browser name
- Computer type and operating system
- Internet service provider
- IP address
- Access date and time
Information provided directly
- Phone number
- E-mail address
- Date of birth
- Ethnicity and genetic information
- Political affiliation
- Sexual orientation
What Purpose Does This Information Serve?
Next, disclose how you’re collecting this information. Your list might look like this:
- Cookies (these are used to track information about a user’s activity on a website, like virtual ID cards)
- Web forms
- Registrations and sign-up sheets
- Order placement (including credit card information)
Now that you’ve let your users know what you’re collecting and how, tell them why. What are you doing with their information? Is it relevant to the service you’re providing when you collect it? If not, why are you collecting it? This is a good time to determine whether you need to continue to do so. In fact, the GDPR mandates that you have a good, legal justification for processing your users’ personal information.
Here are ways you might be using information:
- Verifying identity
- Compiling reviews
- Sending newsletters or emails
- Improving customer service
- Allowing users to create personalized profiles
- Improving website performance and logging errors
- Completing transactions
Lastly, give your legal basis for collecting this information. Do you have the consent of your users to collect it? Usually, by using your services, users are giving you consent. Is your data collection a legal obligation, a public task, a contract, or a vital interest? This rounds out the why of your data collection.
Who Am I Sharing Data With?
You’ve shared what data you’re collecting and how and why you’re doing it; now you need to let users know how you’re going to protect it. What kinds of computer safeguards are in place, and does your company use secured files or physical access controls?
Even if you’re not planning on selling your company, you should still include a business transfer clause. This lets users know that if your company merges or is sold, their information may be passed to a new owner.
How Do I Communicate with My Users About Their Data?
Remember, users have a right to their data and they can communicate with you regarding it. Be clear as to how they can do so and make the process as easy as possible by making sure your contact information is updated. Inform users of who or what department they need to contact with questions about their data or to take any actions concerning it.
Tell your users when and how you plan to contact them, be it for these policy updates, everyday marketing notifications, or transaction information. Some websites inform their users of changes when they visit the site. Others send an email stating that policies have been updated. Find a method that suits your company and the service you provide. You can also take this opportunity to explain how to opt out of marketing communications. Giving your users this option is something they’ll appreciate, plus it will help you comply with anti-spam regulations.