1. How to Write a Privacy Policy

    Information about your users allows you to improve your website or app, but what information you collect and how you collect it and use it is increasingly regulated by privacy law. Since your users drive the success of your service, and since they generally care about what information they give out, it’s crucial to establish a relationship of trust with them by drafting a good privacy policy and abiding by it. Let’s take a look at the current privacy rules, where they are heading, and some existing privacy policies that you can use as a starting point in writing yours.

    Privacy Policy or Terms of Service?

    First, it’s important to note that your privacy policy and your terms of service are not the same thing. Terms of Service set out the rules that users have to follow when using a website or app. A privacy policy relates only to how a service provider collects and uses information (data) about its users, and should be a statement separate from terms of service. However, a best practice for when you have both is to refer to and explicitly attach the privacy policy in the Terms of Service.

    Know the law

    Online and mobile privacy is increasingly regulated both within the United States and internationally. The general message can be simplified in 3 main points:

    1. your privacy policy should be easily accessible and clearly displayed,
    2. you should be honest about what information you collect and how you use it,
    3. the document should always reflect your actual practices.

    While there is currently no inclusive federal privacy law in the U.S., there are a number of federal and state regulations dealing with different areas of privacy:

    • The FTC Unfair and Deceptive Trade Practices: the federal government, through the FTC, broadly prohibits the use of unfair and deceptive trade practices by businesses in order to protect consumers. Within the context of privacy, this means that your policy should be honest, should accurately reflect your current data practices, and shouldn’t be difficult for users to find or read (it shouldn’t be buried at the end of a lengthy policy, something that Sears found out the hard way). If the FTC becomes suspicious that you’re trying to sneak something past users, they may investigate you.

    • COPPA: The Children’s Online Privacy Protection Act applies to service providers whose website or app is “directed to” children younger than 13 or who actually know that children younger than 13 are using their service. If this is your case, you have to have a privacy policy and to obtain verifiable parental consent before they collect any personally-identifiable information from children younger than 13. That’s why a lot of Terms of Service make users certify they are at least 13 years-old.

    • State laws: Several states, most notably California (OPPA), have passed statutes requiring privacy policies and compliance with them. Even if these are state laws, they apply to services from all over the country. It’s recent news that California’s Attorney General warned various companies without a compliant privacy policy.

    • Other privacy laws that apply to the federal government, financial institutions, and healthcare providers.1

    Internationally, both the EU (Data Protection Directive) and Canada (PIPEDA) mandate privacy policies and require, among other things, both notice and consent as to the use of personal information.

    Drafting Your Privacy Policy

    Let’s go through everything you should include in your privacy policy, using Docracy’s own Privacy Policy as a template that you can customize to the specifics of your service and turn into your own. Docracy’s Privacy Policy contains four headings that address the essential concerns that any complete privacy policy should address. We will examine each in turn, and we’ll refer to the corresponding parts of Google’s Privacy Policy and Facebook’s Data Use Policy to see some examples of what different companies include in their privacy policies based on the services they provide. It’s important to keep in mind that the way your privacy policy is written will depend on the type of service you provide and the types of user data you collect.

    Data Collected

    Start your privacy policy by describing, clearly and in detail:

    1. What types of data you collect

      • Docracy: web requests, IP addresses, and browser types, etc. anonymously from visitors of its website and names and email addresses from users of its service
      • Google: device information, log information, location information and unique application numbers
      1. Whether the data you collect is anonymous or personal (e.g. Docracy collects anonymous information from visitors of its website and specific personal information like name and email address from registered users of its service)

      2. How you collect it and what technologies you use (e.g., Google uses local storage, cookies, and anonymous identifiers, and since the average user may not understand what those are, it provides links to further information).

      3. Who you collect it from (e.g. Facebook collects information directly from each user, from other users or “friends”, and from third parties and advertising partners)

      4. How much control users have over what information is collected about them (e.g. in its “Transparency and choice” clause Google provides users with examples of ways they can review and control what information they make available)

      Use of the Data

      Users have the right to know how you use their data. You should explain them:

      1. Why you collect data — the amount of data you collect should be reasonable and proportionate to its purpose:

        Docracy: [T]o monitor traffic and fix bugs… to save your profile and the documents and comments associated with it

        Google: We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.

      2. How do you ensure that user data remains private and secure — e.g. Docracy:

        With respect to any documents you may choose to upload to Docracy, we take the privacy and confidentiality of such documents seriously. We encrypt all documents, and permanently delete any redacted edits you make to documents… We employ industry standard techniques to protect against unauthorized access of data about you that we store, including personal information.

      3. Where data is processed (e.g. Docracy operates in the U.S.; Google and Facebook operate in multiple countries and each country is subject to different privacy laws)

      Sharing of Data

      This is the most sensitive section, and should explain:

      1. Who you share data with, what kind of data you share, and whether it is anonymized or persona (e. g. Docracy shares anonymous data with Google Analytics, such as browser type, demographics, language settings, page views, and time/date, and personal data with Mailchimp, specifically names and email addresses);

      2. Whether and when user consent is required (sometimes this mandated by European and Canadian privacy laws, as noted above, and in cases of personally-identifiable information of children younger than 13 through COPPA)

      3. In what cases you may share data without users’ consent — e.g. Google:

        A good faith belief that access, use, preservation or disclosure of the information is reasonably necessary to: meet any applicable law, regulation, legal process or enforceable governmental request; enforce applicable Terms of Service, including investigation of potential violations; detect, prevent, or otherwise address fraud, security or technical issues; protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

      4. Whether you share data with outside contractors and how you protect user privacy if/when you do — e.g. Docracy:

        Unless we tell you differently, our Agents do not have any right to use Personal Information or other information we share with them beyond what is necessary to assist us. You hereby consent to our sharing of Personal Information with our Agents.

      5. What will happen if ownership of data is transferred — e.g. Google:

        If Google is involved in a merger, acquisition or asset sale, we will continue to ensure the confidentiality of any personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.

      Changes to the Privacy Policy

      Your privacy policy should reflect your actual practices and should change as your practices change. For example, if you decide to collect telephone numbers from your users, you should update the policy ASAP. A periodic review is also a good idea, to make sure there are no obsolete clauses and/or to comply with new regulations. According to best practices, you should let users know:

      1. What version of your privacy policy applies at what time, keeping in mind that retroactive changes are possible but not welcomed by users — e.g. Docracy:

        Use of information we collect now is subject to the Privacy Policy in effect at the time such information is used.

      2. Whether and how you will notify users of any changes to your privacy policy

        Google: We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of privacy policy changes)

        Facebook: posting on the Facebook Site Governance Page, and “additional, prominent notice” if “the changes are material”

      3. How users can contact you with questions they may have about your privacy policy.

      Conclusion

      You should now have a clearer idea on what should go in a privacy policy. Docracy’s policy is open source so feel free to borrow language — always making sure it applies to your service. Last but not least, always place a link to your privacy policy in every page of the website (usually the footer) and in your mobile app. It’s also a good idea to have your policy reviewed by an attorney who is knowledgeable in national and international privacy regulations and can make sure you comply with them.


      1. Industry-Specific Privacy Laws:

        • Gramm-Leach-Bliley Act applies to financial institutions and requires that users be given the ability to opt out of information sharing practices.
        • HIPAA applies to healthcare providers and requires them to give individuals notice of how their health information will be collected and used.
        • The Privacy Act of 1974 applies to the federal government and mandates it to notify individuals of online collection of personal information and its purpose.

Notes

  1. pod313 reblogged this from docracy
  2. cdweeden reblogged this from docracy
  3. docracy posted this