Privacy Policy (Cookie Policy included) for both Website and Mobile: Ultimate Review Guide, US Law and GDPR Focused
This practical guide offers a roadmap for reviewing and refining privacy policies for websites and mobile applications, with a focus on US law and the GDPR. We cover the following topics:
What is a Privacy Policy and When You Need It
A Privacy Policy is a legal statement that specifies how a company collects, uses, discloses, and safeguards the personal information of its customers or clients. As a critical legal requirement, it plays a pivotal role in protecting consumer privacy. This document should be readily accessible and understandable to the average person, articulating the methods and rationale behind data handling practices.
👉 **If your business:**
1. Collects personal or identifiable information relating to consumers, computers, or mobile devices;
2. Falls under state laws that mandate a privacy notice;
3. Engages in online behavioral advertising; or
4. Operates in a sensitive sector such as finance, healthcare, education, or services directed to children, collects data from minors under 13 years of age, or belongs to another regulated industry,
you MUST have and maintain a good Privacy Policy.
Legal Risks of Inadequate Privacy Policies
Failing to have or properly maintain a good Privacy Policy can expose businesses to significant legal risks, including:
- Government Fines: Non-compliance with privacy laws such as the EU's General Data Protection Regulation (GDPR), California's Online Privacy Protection Act (CalOPPA), or the Children's Online Privacy Protection Act (COPPA) can result in substantial fines. For instance, GDPR violations can lead to penalties up to €20 million or 4% of the company's global turnover, whichever is higher.
- Legal Liability and Lawsuits: If consumers believe their privacy rights are violated due to inadequate privacy practices, they may initiate legal action against the company. Such lawsuits can be costly and damage the company's reputation.
- Regulatory Scrutiny: Businesses that neglect their privacy policy obligations may attract unwanted attention from regulatory bodies like the Federal Trade Commission (FTC) in the U.S. or data protection authorities in the EU, leading to investigations and potential enforcement actions.
- Loss of Consumer Trust: A well-maintained Privacy Policy can enhance consumer trust. Conversely, failure to uphold privacy standards can erode this trust, impacting customer relationships and brand reputation.
Step-by-Step Guide to review a Privacy Policy
Step 1: Check how you display Your Privacy Policy
- Website Placement: Position your privacy policy prominently on your website, not just relegated to sections like “About Us”. Ideally, include a link to the policy on every webpage, with particular emphasis on the homepage. This ensures users don’t miss it.
- Accessibility and Visibility: Place the link to the privacy policy in a spot appropriate to your page layout. If your homepage requires significant scrolling, a link only at the bottom may not be sufficiently accessible; for pages without extensive scrolling, bottom placement can be adequate. Enhance visibility by using a larger or differently colored typeface for the link.
- Mobile Application Accessibility: For mobile applications, include a link to the privacy policy in the app store listing. This allows users to review it before downloading the app. Additionally, ensure that the policy is accessible within the app itself, perhaps within the app's settings or menu.
Step 2: Display Your Privacy Policy at the time of "first communication"
Under GDPR Article 13(1), when you collect personal data directly from the data subject you must provide the required information at the time the data are obtained, which in practice means at or before the point of collection (a sign-up form, an app's first run, a cookie banner). When the data are not obtained from the data subject, Article 14 applies instead: the information must be provided within a reasonable period and at the latest within one month, or at the first communication if the data are used to contact the person. Either way, individuals must be informed about the processing as it happens, not after the fact.
Step 3: Review the Revision Date
Ensure that the Privacy Policy explicitly states the date on which the current version was last modified. Display the date prominently, typically at the beginning or end of the document, so there is no ambiguity about which version a user is agreeing to. Some applicable laws specifically require it, for example Cal. Code Regs. tit. 11, § 7011(c)(7) and Cal. Bus. & Prof. Code § 22575(b)(4). Keep prior versions on file: if a user disputes what they agreed to, you will need the text that was in effect on that date.
Step 4: Review the Introduction Part
👉 The introduction of your Privacy Policy is not just a formality; it's a crucial component that outlines the scope of your data practices.
You need to:
- Identify the Responsible Party and Digital Platform: Explicitly name your business or organization and the specific app or website that the policy governs. This clarifies who is managing the data and which platform the policy applies to. If your business or organization has an EU representative under GDPR Article 27, also state the representative's identity and contact details.
- Clarify Information Collection Practices: You need to detail the scope of your information practices.
  If it's an app, include:
  - Data processed in emails and text messages sent through the app.
  - Information collected via a developer's website accessed through the app.
  For a website, be sure to specify:
  - Data gathered through emails, texts, and other electronic communications related to the site.
  - Information collected by both proprietary and third-party hosted non-browser applications.
  - Data from offline activities and communications.
- Exclusions of Third-Party Data Collection: Clearly articulate that your policy does not encompass data collection by third parties. This includes data from other websites, content, or applications that might link to or be accessible from your app or website.
Step 5: Information related to Children
For Children Under 13
When reviewing your privacy policy for compliance with the Children's Online Privacy Protection Act (COPPA), focus on these key areas:
- Scope of Application: Determine whether your website or app is directed to children under 13, or is a general-audience platform that could still collect their data. COPPA applies to a general-audience service once you have actual knowledge that a particular user is under 13.
- Content and Data Practices: If your platform is not meant for children, avoid content that appeals to under-13s. If you ask for age, or your content is attractive to children, use a neutral age screen (one that does not suggest the "right" answer) and stop collecting personal information from anyone who identifies as under 13 unless you obtain verifiable parental consent.
- Broad Definition of Personal Information: Remember that COPPA's definition of personal information includes geolocation data, photos, video and audio containing a child's image or voice, and persistent identifiers such as IP addresses, cookies and device identifiers.
👉 If your website or app falls under COPPA, replace the relevant privacy policy section with a [COPPA-compliant notice](https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa), and remember that the rule also requires a direct notice to parents before collection.
CCPA Provisions for Children Under 16
When reviewing your privacy policy for compliance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), consider the following:
- Actual Knowledge of Age: The under-16 rules apply when you have actual knowledge that a consumer is under 16, and willfully disregarding a consumer's age counts as actual knowledge. If you ask for age, or your service is directed to children, have a mechanism that acts on the answer and distinguishes users under 13 from those aged 13 to 15.
- Opt-in Consent: Be clear that you obtain affirmative authorization from users aged 13 to 15 themselves, and from a parent or legal guardian for users under 13, before selling or sharing their personal information.
- Sale and Sharing of Data: Never sell or share the personal information of a consumer you know to be under 16 without that opt-in authorization.
Step 6: Regarding the Information We Collect About You and How We Collect It
You should:
- Disclosure of Information Types: Clearly list all types of information your app or website collects from users. This transparency is not only a best practice but also a legal requirement under laws like the CCPA and CalOPPA. Include both direct data collection methods (like registration forms) and indirect methods (such as tracking user navigation on your site or app).
- Detailed Description of Data Categories: After outlining the broad categories, delve into specifics. For example, detail the circumstances under which you collect email addresses, track visit times and dates, or gather content from public comments and postings.
- Indication of Optional Information: Make it clear on your forms which fields are optional. Avoid collecting excessive information unrelated to your service. Follow FTC guidelines, recommending that sensitive personal data should only be collected for legitimate business needs and retained only as long as necessary.
- Third-Party Data Collection: If you collect user information from third-party sources, this must be explicitly stated. Describe in detail the nature of this data and how it's obtained.
- Personal Information Definition: Tailor your definition of personal information to align with applicable laws. While CalOPPA has a narrower definition, the CCPA encompasses a broader range of data. You may want to include a broader personal information definition.
👉 **Notice:**
The General Data Protection Regulation (GDPR) defines personal data broadly (Article 4(1)); the definition expressly covers:
- Location data
- Online identifiers (for example cookie IDs and IP addresses)
- Genetic identity factors
- Pseudonymised data, which remains personal data as long as it can be attributed to a person with additional information
GDPR also expands the 'special categories' of data (Article 9), which include:
- Genetic data
- Biometric data processed to uniquely identify a person
- Data concerning sex life or sexual orientation
Step 7: If your product allows users to create content (e.g. you run a social app)
👉 You need to regularly update this section to reflect any new types of personal information you start collecting.
You should review the 'Information You Provide to Us' Section to:
- Reflect Actual Data Collection: Ensure this section accurately mirrors the types of information you request from users. If your platform frequently undergoes changes, consider describing categories of information rather than specific types. This approach helps maintain accuracy, especially if updates are not consistently communicated to your legal team.
- User Contributions: If your platform allows user-generated content visible to other users or the public, clearly state in your policy that such content is shared at the user’s risk and may be accessible to the general public. This is particularly crucial for social media apps or interactive websites.
- Privacy Settings for User Information: If your app or website offers varying privacy settings for different information categories, detail these options in your policy. Provide clear instructions on how users can set or modify these settings, ensuring they understand how to manage their privacy effectively.
Step 8: Regarding the Automatic Information Collection and Tracking
👉 Your goal is to provide complete transparency about your automatic data collection processes.
When reviewing the 'Automatic Information Collection and Tracking' section of your privacy policy, consider the following:
- Full Disclosure of Automatic Data Collection: Clearly state all types of information your app collects automatically, such as unique mobile device IDs, IP addresses, and usage details. Be transparent about the use of cookies, web beacons, digital fingerprinting, or other tracking technologies, especially if they are used for online behavioral advertising.
- Specifics of Data Collection and Usage: This section must accurately reflect the kinds of information your app collects passively and how this information is utilized. This includes detailing the specific technologies used for data collection.
- Third-Party Advertiser Practices: If your app involves third-party advertisers, disclose your practices regarding this and how it might affect user data. Also, mention any relevant behavioral advertising self-regulatory principles that your app adheres to.
- California Do-Not-Track Disclosures: Under CalOPPA, if you collect personally identifiable information from California residents you must disclose how your website or app responds to browser "do-not-track" signals and similar mechanisms. CalOPPA requires only the disclosure, not that you honor the signal, so it is acceptable (and common) to state that you do not respond to DNT, as long as that statement is true. Cover:
  - Whether your website or app collects personal information about a user's online activities over time and across third-party sites or services (behavioral tracking).
  - How your website or app responds to browser do-not-track settings and similar mechanisms.
  - Separately, if you sell or share personal information, CCPA regulations (Cal. Code Regs. tit. 11, § 7025) require you to treat an opt-out preference signal such as Global Privacy Control (sent by browsers as the "Sec-GPC: 1" request header) as a valid request to opt out, and your policy should say so.
- Cookies and User Options: Describe how your website or app uses cookies, including their purpose and how they are stored on and read from users' devices. Tell users what options they have regarding cookie storage and the consequences of refusing cookies, such as restricted functionality.
- Other Tracking Technologies and Self-Regulatory Standards: Beyond cookies, disclose any other tracking technologies you use, such as device fingerprinting or SDKs embedded in your app. If you engage in behavioral advertising, say so plainly, give users a choice about collection for that purpose, and reference any self-regulatory standards you adhere to, such as those of the Digital Advertising Alliance (DAA).
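The do-not-track and opt-out-signal bullets above describe a decision your server has to make on every request. The following is an added example, not code from the original guide: a small server-side gate that reads the DNT and Sec-GPC request headers plus a stored consent cookie and decides whether the response may set tracking cookies or load behavioral-advertising beacons. It assumes request headers arrive as a dict, that consent is kept in a hypothetical cookie named "consent" holding a comma-separated list of opted-in purposes, and that the site sells or shares personal information, so a GPC signal must be honored as an opt-out. Honoring DNT is a design choice here (CalOPPA only requires disclosing how you respond).

```python
# Added example (not code from the original guide): a server-side gate that
# decides whether this response may set tracking cookies or load behavioral-
# advertising beacons. Assumptions: request headers arrive as a dict; consent
# is stored in a hypothetical cookie named "consent" holding a comma-separated
# list of purposes the user opted in to; the site sells or shares personal
# information, so CCPA regulations (Cal. Code Regs. tit. 11, § 7025) require
# honoring an opt-out preference signal such as Global Privacy Control, sent
# by browsers as the header "Sec-GPC: 1". CalOPPA only requires disclosing how
# you respond to "DNT: 1"; this example chooses to honor it as well.
from dataclasses import dataclass


@dataclass(frozen=True)
class TrackingDecision:
    allow_tracking: bool   # may set third-party/advertising cookies or beacons
    reason: str            # wording you can log and surface in the policy
    dnt: bool              # browser sent DNT: 1
    gpc: bool              # browser sent Sec-GPC: 1


def get_header(headers, name):
    """Case-insensitive header lookup; returns the stripped value or None."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def parse_consent_cookie(cookie_header):
    """Extract the set of opted-in purposes from the hypothetical consent cookie.

    Anything missing or malformed is treated as "no consent", never as consent.
    """
    if not cookie_header:
        return set()
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip() == "consent":
            return {p.strip() for p in value.split(",") if p.strip()}
    return set()


def decide_tracking(headers, purpose="advertising"):
    """Return a TrackingDecision for one request.

    Precedence: an opt-out signal (GPC, then DNT) beats any stored opt-in,
    so a user who enables GPC after consenting is still opted out; otherwise
    tracking requires an explicit opt-in for the named purpose.
    """
    dnt = get_header(headers, "DNT") == "1"
    gpc = get_header(headers, "Sec-GPC") == "1"
    consent = parse_consent_cookie(get_header(headers, "Cookie"))

    if gpc:
        return TrackingDecision(False, "Sec-GPC opt-out preference signal honored", dnt, gpc)
    if dnt:
        return TrackingDecision(False, "DNT: 1 honored as disclosed in the policy", dnt, gpc)
    if purpose in consent:
        return TrackingDecision(True, f"user opted in to '{purpose}'", dnt, gpc)
    return TrackingDecision(False, f"no opt-in for '{purpose}'", dnt, gpc)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"Sec-GPC": "1", "Cookie": "consent=advertising"},
        {"DNT": "1"},
        {"cookie": "session=abc; consent=advertising,analytics"},
        {},
    ]
    for h in samples:
        print(decide_tracking(h))
```

The reason string is worth keeping: it is what you log when a regulator asks how a given request was handled, and it is the same wording the Do-Not-Track disclosure in the policy should use.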
Step 9: If your product displays advertising or other third-party content
👉 Your goal is to ensure users are fully informed about how their data may be collected by third parties through your website or app.
You need to make sure your privacy policy:
- Disclosure of Third-Party Tracking Technologies: Acknowledge that third-party content, including advertisements, may use cookies or other tracking technologies.
- Limitation of Your Control: Make it clear that you do not control and are not responsible for third-party practices. Encourage users to review third parties' privacy policies to understand their data collection practices.
- CalOPPA Compliance for California Residents: If your platform may collect personal information from California residents, disclose under CalOPPA whether third parties may collect personally identifiable tracking information. Although difficult to control in practice, this disclosure is necessary for transparency.
- Inclusion of Opt-Out Options: If applicable, inform users about the availability of opt-out options for certain types of data collection within the app or device settings, particularly in the case of behavioral advertising. Provide links to opt-out resources for various providers and detail any adherence to self-regulatory principles for online behavioral advertising.
- Nevada and Other State Laws: Be aware of specific requirements under Nevada's online privacy law and other state consumer privacy laws that may necessitate disclosures about third-party data collection over time and across different websites or online services.
- Behavioral Advertising Disclosures: If your platform includes behavioral advertising, include specific disclosures about this practice. Provide users with information on how to opt out of behavioral advertising from various providers.
- Compliance with CCPA: If you collect personal information from California residents, comply with the CCPA by disclosing the categories of personal information that third parties collect through your platform and the categories of third parties to which you disclose, sell, or share personal information.
Step 10: How You Use the Users' Information
👉 Your privacy policy should accurately reflect your current and potential data use practices. This not only fosters trust with your users but also ensures compliance with applicable privacy laws and regulations.
You need to make sure your privacy policy:
- Purpose of Data Use: Clearly state the purposes for which you use the information collected on your website, such as order processing, billing, or delivery. This practice is recommended for transparency and is required by laws like the CCPA and the Virginia Consumer Data Protection Act (VCDPA).
- Detailing Specific Uses: While the disclosure can be broad, explicitly mention any non-standard uses of information. For instance, specify if you intend to use the data for direct marketing, Online Behavioral Advertising, or any other specific purposes.
- Self-Regulatory Codes for OBA: If engaging in Online Behavioral Advertising, ensure you are adhering to relevant self-regulatory codes of conduct and disclose this practice clearly. Provide users with options to opt out of such practices and include links to relevant resources.
- User Choices and Preferences: Inform users about their choices regarding the use and sharing of their information, particularly for marketing purposes. Describe how they can update their preferences, such as through account settings or by contacting you directly.
- Future Uses Consideration: Anticipate reasonably foreseeable future uses of the data so that you do not have to update the policy every few months. Do not overreach, though: the GDPR's purpose-limitation principle (Article 5(1)(b)) requires purposes to be specified and explicit, so a catch-all such as "any purpose we see fit" is not acceptable, and under Step 16 a genuinely new use of already-collected data will still need notice and, for material changes, consent.
Step 11: Disclosure of the Users’ Information
👉 The goal of this section is to provide clarity and honesty about how user information may be shared. This not only builds trust with your users but is also crucial for compliance with various privacy laws.
You should consider the following key points:
- Identify Categories of Third Parties: Clearly list the categories of third parties with whom you may share personal information. This includes any entity involved in processes like credit card clearance, order fulfillment, delivery, data analysis, or customer support.
- Circumstances of Sharing: Specify the scenarios under which you might share personal information. This ensures transparency and helps users understand the conditions that might prompt such disclosures.
- Purposes of Sharing: Explain the reasons for sharing personal information with third parties. This could range from operational necessities, like order processing, to other services like customer support.
- Compliance with Privacy Laws: Ensure your policy aligns with legal requirements, including those under the CCPA, CalOPPA, and other relevant state consumer privacy laws. These laws often require specific disclosures about the categories of personal information shared.
- Transfer of Information in Business Transactions: Include a provision stating your right to transfer user information in the event of a business sale, merger, bankruptcy, or liquidation. Make it clear that this applies even if the business does not continue as a going concern.
- Avoid Overly Broad Promises: Be careful not to make promises in your policy that don’t accurately reflect your actual practices. Avoid statements that could mislead users about your information sharing practices, such as claiming you never disclose information to third parties if this is not the case.
Step 12: The Users’ Choices in Collection, Use, and Disclosure of Information
👉 Your privacy policy should clearly articulate the choices available to users and how they can exercise these options.
You need to review the “Your Choices About Our Collection, Use, and Disclosure of Your Information” part and make sure:
- Inform Users of Their Choices: Clearly inform users about the options they have concerning how their information is collected, used, and disclosed by your app. This information is crucial for transparency and user autonomy.
- Specific User Choices: Address choices related to:
- The use of cookies and tracking technologies like web beacons.
- The use of information by your app for advertising, marketing, and promotional purposes.
- The disclosure of personal information to third parties for their advertising, marketing, and promotional purposes.
- The use of personal information for Online Behavioral Advertising (OBA).
- Opt-Out Approach: You may adopt an opt-out approach for these uses and disclosures. However, for certain types of personal information use or sharing, especially sensitive personal information or the personal information of minors, an affirmative opt-in choice may be required or preferred, in line with legal obligations such as those under the CCPA.
- Sensitive Personal Information: Always provide an opt-in choice for uses and disclosures involving sensitive personal information. The FTC recommends obtaining affirmative express consent when collecting or sharing sensitive information. Sensitive information normally include:
- medical conditions,
- racial or ethnic origin,
- political opinions,
- religious beliefs,
- trade union membership, and
- details about sex life.
- No Choice Approach: In cases where your app does not collect or disclose sensitive information, you may choose to simply describe your information practices and advise users not to submit their sensitive information if they do not consent to its use as described in your policy.
Step 13: If your product provides users with the ability to access, correct and delete their personal information (mandatory under GDPR)
👉 Under the GDPR, the rights of access, rectification and erasure (Articles 15 to 17) are mandatory, and the privacy policy must tell individuals that these rights exist and how to exercise them. US federal law has no equivalent general requirement, but the FTC recommends giving users reasonable access to review and correct their information, and state laws such as the CCPA require access and deletion rights.
- Exercising Control Over Personal Data under GDPR: The privacy policy must outline how and when individuals can exercise their rights over their personal data, including clear instructions, the channel to use, and the response time (one month under Article 12(3), extendable by two further months for complex requests). Verify the requester's identity before acting on a request; a deletion or export endpoint that takes anyone's word for who they are is itself a privacy failure.
- Specific Disclosures Under CCPA: If your app falls under the CCPA, you must provide a separate, California-specific disclosure that details users' rights to know, access, correct and delete their personal information and how to submit a request. (CalOPPA has no such requirement.)
Step 14: Data Security
👉 Various US federal and state data security laws require businesses to maintain a certain level of security for personal information they collect. Be aware of laws in all 50 states, the District of Columbia, Guam, Puerto Rico, and the US Virgin Islands, which mandate notification to individuals in the event of a data breach involving their personal information.
You should:
- Statement on Security Practices: Include a general statement in your privacy policy about your security practices. This assures users that you are taking appropriate measures to protect their personal information. However, be cautious with the wording to avoid making promises about security that are unrealistic or may not be consistently achievable.
- Avoid Over-Promising on Security: Be careful not to make overly broad claims about your website's security that may not be accurate or could be challenging to fulfill. Remember, the FTC closely monitors and enforces data security promises made to consumers.
- Ensuring Compliance with Applicable Laws: Ensure that your data security practices align with relevant laws and regulations.
Step 15: Data Retention Periods (must have under GDPR)
👉 Under GDPR Article 13(2)(a), the policy must state the period for which each category of personal data will be stored or, where that is not possible, the criteria used to determine that period.
- Specify Retention Periods: Instead of a vague statement such as "data will be kept as long as necessary," state the actual period for each category of personal data (for example, financial records for the years a tax law requires, marketing data until consent is withdrawn or for a fixed period after last contact). Where a fixed period is genuinely impossible, give the concrete criterion that starts and ends the clock, such as "30 days after account closure."
- Justify Retention Periods: Be prepared to justify each period. The justification should balance legal obligations, the necessity of the data for the stated purposes, and the rights and freedoms of data subjects, and the stated periods must match what your systems actually do: a policy that promises 30-day deletion while backups keep the data for a year is a misrepresentation.
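A retention section is only honest if something in the system enforces it. The following is an added example, not code from the original guide: a retention schedule expressed as data, where each rule carries the period, the triggering event and the justification Step 15 asks you to have ready, plus a function a nightly deletion job would call to find the records that are due. The categories, periods and sample records are hypothetical, and the periods are illustrative rather than legal advice for any jurisdiction; the "account" rule shows the criterion-based form (30 days after closure) that Article 13(2)(a) allows when no fixed period can be given up front.

```python
# Added example (not code from the original guide): a retention schedule
# expressed as data, with a function that tells you which records are due for
# deletion today. Each rule carries the justification Step 15 asks you to be
# able to give. The categories, periods and records are hypothetical, and the
# periods are illustrative, not legal advice for any jurisdiction.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    category: str
    days: int             # retention period counted from the trigger event
    trigger: str          # "collected" or "account_closed"
    justification: str    # basis you would cite if a regulator asked


# Hypothetical schedule. "account" uses a criterion (closure) rather than a
# fixed date from collection, the form GDPR Art. 13(2)(a) allows when no
# fixed period can be given up front.
SCHEDULE = {
    "marketing": RetentionRule("marketing", 365, "collected",
                               "consent-based; re-confirmed yearly"),
    "financial": RetentionRule("financial", 7 * 365, "collected",
                               "statutory record-keeping obligation"),
    "account":   RetentionRule("account", 30, "account_closed",
                               "grace period for account reactivation"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected_at: date
    account_closed_at: Optional[date] = None


def purge_date(rec, schedule=SCHEDULE):
    """Date on which this record must be deleted, or None if the clock has
    not started yet (e.g. the account is still open)."""
    rule = schedule.get(rec.category)
    if rule is None:
        # Unknown category: refuse rather than silently keep data forever.
        raise KeyError(f"no retention rule for category {rec.category!r}")
    if rule.trigger == "collected":
        start = rec.collected_at
    elif rule.trigger == "account_closed":
        if rec.account_closed_at is None:
            return None
        start = rec.account_closed_at
    else:
        raise ValueError(f"unknown trigger {rule.trigger!r}")
    return start + timedelta(days=rule.days)


def records_due(records, today, schedule=SCHEDULE):
    """IDs of records whose purge date has arrived, for the deletion job."""
    due = []
    for rec in records:
        when = purge_date(rec, schedule)
        if when is not None and when <= today:
            due.append(rec.record_id)
    return sorted(due)


if __name__ == "__main__":
    # Constructed records, not real data.
    sample = [
        Record("m1", "marketing", date(2023, 1, 1)),
        Record("f1", "financial", date(2020, 1, 1)),
        Record("a1", "account", date(2022, 1, 1), account_closed_at=date(2024, 5, 1)),
        Record("a2", "account", date(2022, 1, 1)),   # still open
    ]
    print(records_due(sample, date(2024, 6, 1)))   # ['a1', 'm1']
```

Raising on an unknown category is deliberate: a record that matches no rule would otherwise be kept indefinitely, which is exactly the "as long as necessary" outcome the policy is supposed to rule out. The same schedule can be rendered into the retention section of the policy so the two cannot drift apart.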
Step 16: Changes to Our Privacy Policy
You need to:
- Notification Method: Clearly describe how you will notify users of changes to your privacy policy. This is not only a best practice but also a requirement under laws like CalOPPA and Nevada's online privacy law. Notifications can be made through:
- Email announcements.
- Prominent notices posted on your website, possibly requiring click-through consent.
- Compliance with Previous Promises: Acknowledge that you must comply with the terms of the privacy policy that was in effect when a user provided their information. Therefore, any changes to the policy should generally only apply to:
- Information collected after the date of the changes.
- Information for which the user has given consent to the new terms.
- Opt-In Consent for Material Changes: If you intend to materially change how you use users' personal information, you should obtain users' explicit (opt-in) agreement to these changes.
- Handling Non-Responsive Users: Be aware that users who do not respond to notifications about policy changes should not be considered as having consented to these changes. Continue to treat their information according to the privacy policy under which it was collected. This might require maintaining different sets of data under different versions of your privacy policy.
- Adapting the Policy Section: Customize this section to accurately reflect your specific practices for notifying users about changes to your privacy policy.
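The "Compliance with Previous Promises" and "Handling Non-Responsive Users" bullets above describe bookkeeping that is easy to state and easy to get wrong in a database. The following is an added example, not code from the original guide, of one way to implement it: every record is tagged with the policy version in effect when it was collected, a user's affirmative acceptances are stored separately, and a purpose introduced by a later version is allowed only for users governed by that version. A notification the user ignored never enters the accepted set, so their data stays under the old terms. The policy versions, purposes and users are hypothetical.

```python
# Added example (not code from the original guide): version-gated use of
# personal information, the bookkeeping Step 16 describes. Each record is
# tagged with the policy version in effect when it was collected; a purpose
# introduced by a later version is allowed only for users who affirmatively
# accepted that version. Silence is not consent. The versions, purposes and
# users below are hypothetical.
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class PolicyVersion:
    version: str
    effective: date
    allowed_purposes: frozenset  # purposes this version discloses


# Hypothetical policy history: the 2024 revision adds direct marketing.
POLICIES = {
    "2023-01": PolicyVersion("2023-01", date(2023, 1, 1),
                             frozenset({"service", "billing"})),
    "2024-03": PolicyVersion("2024-03", date(2024, 3, 1),
                             frozenset({"service", "billing", "direct_marketing"})),
}


@dataclass
class UserRecord:
    user_id: str
    collected_under: str                        # version in effect at collection
    accepted: set = field(default_factory=set)  # versions the user opted in to


def governing_version(rec, policies=POLICIES):
    """Return the policy that governs this record.

    The newest version among those the user affirmatively accepted and the
    one in effect at collection. A notification the user ignored is not in
    the accepted set, so the old terms keep governing their data.
    """
    candidates = set(rec.accepted) | {rec.collected_under}
    return max((policies[v] for v in candidates), key=lambda p: p.effective)


def may_use(rec, purpose, policies=POLICIES):
    """True only if the governing version discloses this purpose."""
    return purpose in governing_version(rec, policies).allowed_purposes


def record_acceptance(rec, version, policies=POLICIES):
    """Record an explicit opt-in to a policy version (e.g. a click-through)."""
    if version not in policies:
        raise KeyError(f"unknown policy version {version!r}")
    rec.accepted.add(version)


def users_needing_consent(records, purpose, policies=POLICIES):
    """Who must be asked before a new purpose can be applied to their data."""
    return sorted(r.user_id for r in records if not may_use(r, purpose, policies))


if __name__ == "__main__":
    # Constructed users, not real data.
    alice = UserRecord("alice", "2023-01")   # pre-change, never responded
    bob = UserRecord("bob", "2023-01")       # pre-change, clicked "I agree"
    record_acceptance(bob, "2024-03")
    carol = UserRecord("carol", "2024-03")   # signed up after the change
    print(users_needing_consent([alice, bob, carol], "direct_marketing"))
```

The check belongs at the point of use (the marketing job calls may_use before adding a user to a campaign), not only at the point of policy publication; that is what lets you keep two populations of data under two versions of the policy without a separate database for each.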
Step 17: Methods for Submitting Complaints, Concerns, or Questions
👉 GDPR Article 13 requires the policy to give the controller's contact details (and those of the data protection officer, where one is appointed) and to tell individuals that they have the right to lodge a complaint with a supervisory authority, so you need working channels for questions and complaints about your privacy practices.
You should:
- Dedicated Email Address: Set up a specific email address (e.g., privacy@yourdomain.com) for privacy-related inquiries.
- Contact Form on Website: Implement a contact form specifically for privacy issues on your website.
- Other Support: Providing a dedicated phone line, a postal address, or online chat support is also considered good practice.
Step 18: Cross-Border Data Transfers
👉 Under GDPR, special attention must be given to the transfer of personal data outside the European Economic Area (EEA)
- Informing About Data Transfers: Clearly state in your privacy policy if personal data may be transferred outside the EEA. This includes direct transfers (e.g., from an EU subsidiary to a US parent company) and indirect transfers (e.g., data hosted in the US by third-party service providers such as a cloud or analytics vendor).
- Specifying Transfer Mechanisms: Specify the mechanism that legitimizes each transfer. Options include an adequacy decision for the destination country, certification under the EU-U.S. Data Privacy Framework (the successor to Privacy Shield, which the Court of Justice of the EU invalidated in 2020), the European Commission's Standard Contractual Clauses (the 2021 set; the older "model clauses" can no longer be used for new transfers), Binding Corporate Rules, or, for occasional transfers, an Article 49 derogation such as the individual's explicit consent. Name the specific mechanism; "appropriate safeguards" alone is not transparent.
- Legal Basis for Transfers: Ensure a valid transfer mechanism is actually in place before the transfer happens, and that the underlying processing has a lawful basis under Article 6. Explicit consent as a transfer ground is a derogation for occasional transfers and requires the individual to be informed of the risks, so do not rely on it for routine transfers to your hosting provider.
- Detailed Explanation: Provide a detailed explanation in your privacy policy of how these data transfers comply with GDPR requirements. This includes elaborating on the safeguards in place to protect personal data during and after the transfer.
Step 19: If You Have Global Users
👉 You need to adapt your Privacy Policy to reflect your compliance with these international regulations!
International Data Laws: Be aware of other national data protection laws that may apply to your users in different jurisdictions. These laws can have unique requirements that impact how you collect, use, store, and transfer personal data.