In 1968, Council of Europe did studies on the threat of the Internet expansion as they were concerned with the effects of technology on human rights. This lead to the development of policies that were to be developed to protect personal data.
This agreement can also be known under these names:
- Privacy Statement
- Privacy Notice
- Privacy Information
- Privacy Page
The requirements for Privacy Policies may differ from one country to another depending on the legislation. However, most privacy laws identify the following critical points that a business must comply with when dealing with personal data:
- Notice – Data collectors must clearly disclose what they are doing with the personal information from users before collecting it.
- Choice – The companies collecting the data must respect the choices of users on what information they choose to provide.
- Access – Users should be able to view, update or request the removal of personal data collected by the company.
- Security – Companies are entirely responsible for the accuracy and security (keeping it properly away from unauthorized eyes and hands) of the collected personal information.
In the US, privacy legislation may vary from one state to another. Certain federal laws govern users’ data in some circumstances, such as in these examples:
- The Gramm-Leach-Bliley Act – This act obliges organizations to offer clear and accurate statements about their information collecting practices and it also limits usage and sharing of financial data.
- COPPA – This act is especially for businesses that collect information about children under 13 years of age.
- Health Insurance Portability and Accountability Act – This act applies to online health services as well.
- California Online Privacy Protection Act (CalOPPA) – California’s privacy law affects anyone collecting personal information from residents of California.
- SOPIPA – This act applies if you collect personal data from students.
- Content Eraser law – This law applies if you collect data from minors (under the age of 18).
In Canada, there’s the Personal Information Protection and Electronic Documents Act (PIPEDA)generated by federal privacy laws.
This law established acceptable standards to limit and organize personal data gathering, usage, and disclosure by commercial institutions. This means that organizations may gather, use and disclose that percent of information for purposes that a reasonable person would consider fit in the circumstance.
The Privacy Commissioner of Canada stands for receiving and peacefully taking care of complaints against organizations. Its purpose is to solve privacy matters through compliance, not through enforcement. It reaches complaints, spreads the importance of awareness of and conducts studies about privacy issues.
Before you draft this agreement for your business, consider the basic requirements for most online businesses that deal with personal data from users (this includes SaaS apps or Facebook apps as well):
- That the privacy of your users is protected.
- That you take full responsibility to protect the privacy of your users.
- That you comply with active privacy laws.
Users need to know exactly what kinds of personal data you collect from them.
- To help develop new services or improve your existing services
- To send users emails about special offers, new services or other information they may be interested in
- To personalize their sessions on your website in order to better fit their interests, such as offering them relevant, individually tailored content
Disclose if any third parties are involved in collecting personal information in your name, i.e. you use MailChimp to collect email addresses to send weekly updates to your members.
The Information Collection and Use section is the most important section of the entire agreement where you need to inform users what kind of personal information you collect and how you are using that information.
Here’s how Asana, a project management tool, informs users that the tool collects personal information:
The policy goes on to inform users about what kinds of information they may provide and how (by becoming a member, by connecting through Facebook, Twitter etc.):