This is a guest post by Leah Hamilton, a qualified solicitor and writer from TermsFeed.
First, let’s examine the US. In the US, the federal laws are sadly lacking in this department, with no general data protection law in place. Instead, state laws run the show, with the California Online Privacy Protection Act (CalOPPA) one of the most well-known laws for online data privacy.
what information is being collected, and any third parties this information may be shared with
how users can request changes to the information that was collected
the effective date of the agreement
how you will respond to user requests asking to opt-out or not be tracked
whether any other third parties can collect personally identifiable information through your service
In the EU, data protection law is more comprehensive than in most other places. The current law is called the EU Data Protection Directive (the Directive), and it applies to EU-based companies that process the data of EU citizens. A new data protection law has recently been adopted, and will be applicable as of 2018; this law is called the General Data Protection Regulation (the Regulation). The Regulation is stricter than the Directive, and includes greater penalties for non-compliance.
Although stricter, most of the general data protection requirements of the Regulation are only slightly different to the Directive. You must:
notify users that their data is being collected
tell users why their data is being collected
not keep data for longer than you have to
clearly identify yourself (the data collector)
explain how user data is kept secure
allow users to access their data
notify users if you profile them using their data, and what any consequences will be
notify users within 72 hours of any data breach occurring
make any requests for consent to collect data clear and obvious
ensure that any cloud service providers you use also meet the requirements of the Regulation
treat any data transferred outside the EU as still subject to the Regulation
3 Key Things You Must Do
Follow Applicable Laws
what information you will collect
how you will protect it
what you will do with that information
when you will release it or share it with third parties
whether third parties can collect information through your service
how your user can see, amend, or delete the information you hold on them
how you respond to “do not track” requests
what your policy’s effective date is
any changes since then, and how you will tell users your policy has changed
dispute resolution procedures
For legal purposes, when using Piwik you will need to disclose it as a “third party” that can collect information via your website or service. As a result, you should make it clear exactly what information Piwik collects.
And here’s how Piwik covers personally-identifying information:
Many websites use what is called browsewrap, which looks like this, from The Atlantic:
Notify Users When Your Policy is Changed
The best way to notify your users is to send them an e-mail, as long as you have permission to contact them using their e-mail address, and you have collected their e-mail address legally. If this is the case, you can send an e-mail like the one from Bing below:
It is not sufficient to simply change the document and assume that users will find those changes.
3 Key Things Not To Do
Now that you’re aware of what you should be doing, let’s take a quick look at three key things that you should not do.
Don’t Prevent Users from Opting-Out of Data Collection
When using an analytics or tracking service, it may be tempting to try to stop users from opting-out. After all, if they know you’re collecting information on them, won’t most people request not to be tracked? Not necessarily. Google has indicated that around 6% of users opt out of Google Analytics tracking, and another experimenter found that this number was around 8%.
You could use this type of checkbox when your user creates a user account, or allow them to change this option in their account preferences. Alternatively, you could include this checkbox in a popup on your website.
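The opt-out checkbox described above, together with the “do not track” handling from the earlier list, is straightforward to wire up in the page itself. The following is an added example (not code from the original post, from Piwik, or from TermsFeed): a small helper that honours the browser's Do Not Track signal first, then the user's stored opt-out choice, and only inserts the tracking snippet when both permit it. The storage key, the checkbox id, the script path and the function names are this example's own assumptions.

```javascript
// Added example, not code from the original post or from Piwik: an opt-out
// helper that a site can attach to an "opt me out of analytics" checkbox in
// account preferences or a popup. Tracking runs only when neither the
// browser's Do Not Track signal nor the user's explicit choice forbids it.

const OPT_OUT_KEY = 'analytics_opt_out'; // hypothetical localStorage key

// navigator.doNotTrack is "1" (or "yes" in some older browsers) when the user
// asked not to be tracked; "0", "unspecified" or null mean no preference.
function dntRequested(dntValue) {
  return dntValue === '1' || dntValue === 'yes';
}

// storage is any object with getItem/setItem, e.g. window.localStorage.
function hasOptedOut(storage) {
  return storage.getItem(OPT_OUT_KEY) === '1';
}

// Allowed only when neither the browser signal nor the stored choice says no.
function trackingAllowed(storage, dntValue) {
  return !dntRequested(dntValue) && !hasOptedOut(storage);
}

// Handler for the checkbox's "change" event: checked means "opt me out".
// Returns the stored opt-out state after the update.
function setOptOut(storage, checked) {
  storage.setItem(OPT_OUT_KEY, checked ? '1' : '0');
  return hasOptedOut(storage);
}

// Gate the analytics loader. loadAnalytics is whatever inserts the tracking
// script tag; it is called only when tracking is allowed. Returns true when
// the loader ran, false when it was suppressed.
function initAnalytics(storage, dntValue, loadAnalytics) {
  if (!trackingAllowed(storage, dntValue)) return false;
  loadAnalytics();
  return true;
}

// Minimal in-memory stand-in for localStorage so the logic runs outside a browser.
function makeMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Browser wiring (constructed illustration; executes only where `document` exists).
if (typeof document !== 'undefined') {
  const box = document.getElementById('analytics-opt-out'); // hypothetical checkbox id
  if (box) {
    box.checked = hasOptedOut(window.localStorage);
    box.addEventListener('change', () => setOptOut(window.localStorage, box.checked));
  }
  initAnalytics(window.localStorage, navigator.doNotTrack, () => {
    const s = document.createElement('script');
    s.src = '/analytics.js'; // placeholder path for the tracking snippet
    document.head.appendChild(s);
  });
}
```

The order of the two checks is the point: a user who has set Do Not Track never sees the tracker load, regardless of what the checkbox says, and a user who ticks the box stays opted out on later visits because the choice is persisted rather than held only for the current page.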
Don’t Turn a Blind Eye to Who You Are Collecting Information From
It’s also important to be acutely aware of who you are collecting information from; don’t assume that only people in your own country are accessing your service. If you find out that users from the EU are using your service, even though you’re based in the US, you will need to comply with the applicable EU laws discussed earlier.
If, for example, you discover that a minor is using your service and that you have collected their personal information, you will also need to comply with laws protecting children. In the US, the Children’s Online Privacy Protection Act (COPPA) protects the online data of children. If you are running a service targeted at children, you must comply with its provisions; even if your service is not targeted at children, you must still comply if you discover that a child is using your service and that their personal information is being collected.
Leah Hamilton is a qualified solicitor and writer working at TermsFeed, where businesses can create legal agreements in minutes using the Generator.