In the era of consumer tracking and data breaches, individuals have become more and more concerned about who has their data and what is being done with it. A privacy statement gives them that information. It’s an explanation, posted on a website or app, of how shared personally identifiable information will be collected, used, disclosed, and managed.
So what exactly is personally identifiable information, or PII? It’s a lot more than you might think. It’s not just a social security number or a name coupled with an address. It’s anything that could be used to identify someone: e-mail address, phone number, date of birth, personal preferences, location data, even a pet’s name. If the information could be used to identify, contact or locate a single person, they have a right to know what you’ll be doing with that information, even if the answer is nothing at all.
A privacy policy should provide readable, understandable and easily accessible information to inform users about a variety of topics including:
- Your Identity: who you are and contact details
- Data Collected: what specific types of personal data will be collected
- Choice: what options (if any) the customer has about how/whether data is collected or used
- Access: how a customer can see what data has been collected and how they can change/correct/remove such data
- Security: how data will be stored/protected
- Storage Justification: why the data processing is necessary
- Disclosure: whether the data will be disclosed to third parties
- Do Not Track Policies: how the operator responds to “do not track” signals and whether information is collected across websites and devices
- Redress: what a customer can do if the privacy policy is not met
- Updates: how changes or updates will be communicated
- Effective Date: the date the policy was last amended
It is important to keep in mind that a particular app might be subject to additional or more specific requirements for jurisdictional or sector-specific reasons. In addition, this is a rapidly evolving regulatory environment. As additional states, the federal government, and even app stores weigh in with new requirements, the app developer will want to make sure the content of its privacy policy continues to comply with its legal obligations and market expectations.
We all know real estate is precious on a handheld device. So where should one place the privacy policy? It is always best to put it where users can easily find and access it. If your app is collecting PII, it is also advisable to ask your users to accept your privacy policy (and, for that matter, your Terms of Use). The timing of acceptance may be determined on a case-by-case basis but in general, it is best to have users agree to terms at the time they sign up for a service or product. For example, if your user is purchasing a product, a good time would be before an order is confirmed and payment is accepted. If your user is signing up for a membership, right before the membership application is submitted might be the right time.
Once you have posted your privacy policy, it is crucial that your business adheres to it. An online service provider that doesn’t follow its privacy policy may violate state and federal consumer protection laws, and Section 5 of the Federal Trade Commission Act.
So, do you need a privacy policy? If you’re collecting personal data, the answer is yes. It doesn’t have to be long. It doesn’t have to be complicated. Above all, consumers want to know what is happening with their data. Make sure you let them know. With that simple premise, a privacy policy will meet everyone’s expectations.