Know the law
Online and mobile privacy is increasingly regulated, both within the United States and internationally. The general message can be reduced to a few main points:
- you should be honest about what information you collect and how you use it,
- your privacy policy should always reflect your actual practices.
While there is currently no comprehensive federal privacy law in the U.S., a number of federal and state regulations deal with different areas of privacy:
The FTC Act's prohibition on unfair and deceptive trade practices: the federal government, through the FTC, broadly prohibits unfair and deceptive trade practices by businesses in order to protect consumers. In the context of privacy, this means that your policy should be honest, should accurately reflect your current data practices, and shouldn't be difficult for users to find or read (it shouldn't be buried at the end of a lengthy document, as Sears found out the hard way). If the FTC suspects that you're trying to sneak something past users, it may investigate you.
Other privacy laws apply to specific sectors: the federal government, financial institutions, and healthcare providers (see Industry-Specific Privacy Laws below).
What types of data you collect, e.g.:
- Docracy: web requests, IP addresses, browser types, etc., collected anonymously from visitors to its website, and names and email addresses from users of its service
- Google: device information, log information, location information and unique application numbers
Whether the data you collect is anonymous or personal (e.g. Docracy collects anonymous information from visitors to its website and specific personal information, like name and email address, from registered users of its service)
How you collect it and what technologies you use (e.g. Google uses local storage, cookies, and anonymous identifiers, and since the average user may not understand what those are, it links to further information)
Who you collect it from (e.g. Facebook collects information directly from each user, from other users or "friends", and from third parties and advertising partners)
How much control users have over what information is collected about them (e.g. in its "Transparency and choice" clause Google gives users examples of ways they can review and control what information they make available)
Use of the Data
Users have the right to know how you use their data. You should explain to them:
Why you collect data (the amount of data you collect should be reasonable and proportionate to its purpose), e.g.:
Docracy: [T]o monitor traffic and fix bugs… to save your profile and the documents and comments associated with it
Google: We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.
How you ensure that user data remains private and secure, e.g. Docracy:
With respect to any documents you may choose to upload to Docracy, we take the privacy and confidentiality of such documents seriously. We encrypt all documents, and permanently delete any redacted edits you make to documents… We employ industry standard techniques to protect against unauthorized access of data about you that we store, including personal information.
Where data is processed (e.g. Docracy operates in the U.S.; Google and Facebook operate in multiple countries, each of which is subject to different privacy laws)
Sharing of Data
This is the most sensitive section, and should explain:
Who you share data with, what kind of data you share, and whether it is anonymized or personal (e.g. Docracy shares anonymous data with Google Analytics, such as browser type, demographics, language settings, page views, and time/date, and personal data with Mailchimp, specifically names and email addresses);
Whether and when user consent is required (this is sometimes mandated by European and Canadian privacy laws, and by COPPA for personally identifiable information of children younger than 13)
In what cases you may share data without users’ consent — e.g. Google:
A good faith belief that access, use, preservation or disclosure of the information is reasonably necessary to: meet any applicable law, regulation, legal process or enforceable governmental request; enforce applicable Terms of Service, including investigation of potential violations; detect, prevent, or otherwise address fraud, security or technical issues; protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.
Whether you share data with outside contractors, and how you protect user privacy if and when you do, e.g. Docracy:
Unless we tell you differently, our Agents do not have any right to use Personal Information or other information we share with them beyond what is necessary to assist us. You hereby consent to our sharing of Personal Information with our Agents.
What will happen if ownership of data is transferred — e.g. Google:
Facebook: posting on the Facebook Site Governance Page, and “additional, prominent notice” if “the changes are material”
Industry-Specific Privacy Laws:
- The Gramm-Leach-Bliley Act applies to financial institutions and requires them to give customers a privacy notice and the ability to opt out of having their nonpublic personal information shared with certain nonaffiliated third parties.
- HIPAA applies to healthcare providers (and other covered entities) and requires them to give individuals notice of how their health information will be collected, used and disclosed.
- The Privacy Act of 1974 applies to the federal government and requires it to notify individuals when it collects personal information about them and for what purpose.