This is a guest post by Leah Hamilton, a qualified solicitor and writer from TermsFeed.
A clear and comprehensive privacy policy is extremely important for your website or e-commerce store. This is even more true when you are using an analytics service such as Piwik PRO. Online users are increasingly interested in how their private data is dealt with, both by companies and the government. It’s best to err on the side of being open and transparent, both for legal purposes and to build customer confidence.
When using Piwik PRO to track visitor behaviour and analyse data, we recommends explaining in your Privacy Policy how Piwik PRO works and what data it gathers.
If you don’t already have a Privacy Policy, or you need to review what it covers, this article is for you! First we’ll briefly discuss what the laws are, and then we’ll look at 3 key “dos” and 3 key “don’ts” when creating your Privacy Policy.
Privacy Laws
We’ve discussed privacy and data analytics at Piwik PRO previously, here, where we also briefly talked about some of the laws around the world. Let’s have a quick look at some of those laws, and learn in more detail what they mean for your Privacy Policy in the next section.
First, let’s examine the US. In the US, the federal laws are sadly lacking in this department, with no general data protection law in place. Instead, state laws run the show, with the California Online Privacy Protection Act (CalOPPA) one of the most well-known laws for online data privacy.
CalOPPA requires that websites and online service operators who deal with the data of California residents must post a Privacy Policy on their website, or make the policy available through that service. For the purposes of CalOPPA, you need to cover:
- what information is being collected, and any third parties this information may be shared with
- how users can request changes to the information that was collected
- how you will tell users if your Privacy Policy changes
- the effective date of the agreement
- how you will respond to user requests asking to opt-out or not be tracked
- whether any other third parties can collect personally identifiable information through your service
In the EU, data protection law is more comprehensive than in most other places. The current law is called the EU Data Protection Directive (the Directive), and it applies to EU-based companies that process the data of EU citizens. A new data protection law has recently been adopted, and will be applicable as of 2018; this law is called the General Data Protection Regulation (the Regulation). The Regulation is stricter than the Directive, and includes greater penalties for non-compliance.
Although stricter, most of the general data protection requirements of the Regulation are only slightly different to the Directive. You must:
- notify users that their data is being collected
- tell users why their data is being collected
- not keep data for longer than you have to
- clearly identify yourself (the data collector)
- explain how user data is kept secure
- allow users to access their data
- notify users if you profile them using their data, and what any consequences will be
- notify users within 72 hours of any data breach occurring
Furthermore:
- any requests for consent to collect must be clear and obvious
- cloud service providers must also meet the requirements of the Regulation
- any data transferred outside the EU is still subject to the Regulation
Evaluate Your Web Analytics Solution Towards GDPR In 12 Steps
Find out if your analytics solution guarantees data accuracy and privacy, including GDPR compliance:
3 Key Things You Must Do
Follow Applicable Laws
Now that you’re aware of what the laws are, it’s important to comply with them. For a Privacy Policy that meets the strict requirements of EU law, as well as the simpler requirements of CalOPPA, you will need to cover:
- your identity
- what information you will collect
- how you will protect it
- what you will do with that information
- when you will release it or share it with third parties
- whether third parties can collect information through your service
- how your user can see, amend, or delete the information you hold on them
- how you respond to “do not track” requests
- what your policy’s effective date is
- any changes since then, and how you will tell users your policy has changed
- dispute resolution procedures
For legal purposes, when using Piwik PRO you will need to disclose it as a “third party” that can collect information via your website or service. As a result, you should should make it clear exactly what information Piwik collects.
Piwik PRO collects two types of information: aggregated or non-personally-identifying information, and some personally-identifying information. Here are some of the ways in which Piwik PRO covers its own website’s collection of these types of data. You should feel free to use these kinds of clauses in your own Privacy Policy, once you have examined how your own website or service collects data. For example, here’s how Piwik PRO addresses non-personally-identifying information:
And here’s how Piwik PRO covers personally-identifying information:
You can read more about Piwik PRO Privacy Policy here. If you don’t already have a Privacy Policy at all, TermsFeed can help you to create one.
Get Clear Agreement to Your Privacy Policy
The next step, once you have set up a compliant Privacy Policy, is to ensure that you can get legally binding agreement to that policy. The best way to do this is to use what is called a clickwrap method. Clickwrap is a method of obtaining agreement where your users actually click “I agree” in some way. On your website, clickwrap might look like this, from Inbox.com:
In this example, you can see that the checkbox is located directly next to the statement “I have read and agree to the Terms of Use and Privacy Policy”. This is the first key feature of a legally enforceable clickwrap agreement (proximity and clarity of agreement). Second, you can see that the Terms of Use and Privacy Policy are both hyperlinked, so the user can easily open them and read them. This is enough for “reasonable notice” of those documents, and the user has been clearly informed that the checkbox and “I agree” statement relates to those documents.
Many websites use what is called browsewrap, which looks like this, from The Atlantic:
In this example you can see that the Privacy Policy is just one link among many, down the bottom of the page in the footer. It is not distinguished in any way, and there is no clear way for the user to indicate their assent.
Browsewrap is when the user is expected to browse the website and is simply assumed to agree to the Privacy Policy or legal terms. Courts looking at the issue have said that browsewrap methods are not legally enforceable, while clickwrap methods in most cases are.
Notify Users When Your Policy is Changed
Now that you have a Privacy Policy set up, and your users have clearly agreed to it, make sure that you correctly notify them when any changes are made.
The best way to notify your users is to send them an e-mail, as long as you have permission to contact them using their e-mail address, and you have collected their e-mail address legally. If this is the case, you can send an e-mail like the one from Bing below:
If you don’t have this type of permission, you should release an alert via your service, or put a notice up on your website stating that your Privacy Policy or Terms have changed. Here’s an example of what this notice might look like, from Meridian:
It is not sufficient to simply change the document and assume that users will find those changes.
3 Key Things Not To Do
Now that you’re aware of what you should be doing, let’s take a quick look at three key things that you should not do.
Don’t Prevent Users from Opting-Out of Data Collection
When using an analytics or tracking service, it may be tempting to try to stop users from opting-out. After all, if they know you’re collecting information on them, won’t most people request not to be tracked? Not necessarily. Google has indicated that around 6% of users opt out of Google Analytics tracking, and another experimenter found that this number was around 8%.
Letting users opt out will not affect your analytics in any major way, but not notifying your users that you are collecting their data, or trying to prevent them from opting-out may destroy your business credibility and make you unappealing to customers. Piwik PRO has an example in their Privacy Policy that shows how you could allow users to opt out with a checkbox:
You could use this type of checkbox when your user creates a user account, or allow them to change this option in their account preferences. Alternatively, you could include this checkbox in a popup on your website.
Don’t Turn a Blind Eye to Who You Are Collecting Information From
It’s also important to be acutely aware of who you are collecting information from, and you shouldn’t just assume that only people in your own country are accessing your service. If you find out that users from the EU are using your service, even though you’re based in the US, you will need to ensure that you then go ahead and comply with applicable EU laws such as those we discussed earlier.
If, for example, you discover that a minor is using your service and that you have collected their personal information, you will need to comply with laws protecting children as well. In the US there is a law in place to protect the online data of children: the Children’s Online Privacy Protection Act (COPPA). COPPA requires that if you are running a service targeted at children, you must comply with its provisions. Alternatively, even if your service is not targeted at children, but you discover that a child is using your service (and that their personal information is being collected), you must comply.
Don’t Remove Links to Your Privacy Policy on your Landing Page
From a marketing perspective, many marketers advocate removing all links from landing pages, so that they don’t distract the user from the call-to-action. However, removing your Privacy Policy, especially if your landing-page is a lead generation page, could break privacy laws.
Your Privacy Policy needs to be displayed when you collect user information, ideally before you collect it. If you have a lead generation landing page with a web form for the user to provide contact information, you need to ensure that the web form itself allows the user to agree to your Privacy Policy. Here’s an example of what I mean, from Vimeo:
You can see that under the text entry fields there is a checkbox to agree to the Terms of Service. Using a similar checkbox for your Privacy Policy is an excellent way to include this important information on your landing page.
Evaluate Your Web Analytics Solution Towards GDPR In 12 Steps
Find out if your analytics solution guarantees data accuracy and privacy, including GDPR compliance:
Conclusion
Creating a Privacy Policy for your website doesn’t need to be a struggle. By covering just a few key clauses and ensuring that you comply with applicable laws, you’ll be well on your way to compliance and legal safety.
Make sure that you get clear agreement to your Privacy Policy, notify users when your Policy changes, and don’t try to prevent users from opting-out of data collection if they wish. Place links to your Privacy Policy anywhere that personal information is collected from users, and do your best to know exactly who you are collecting data from.
Author’s bio:
Leah Hamilton is a qualified solicitor and writer working at TermsFeed, where businesses can create legal agreements in minutes using the Generator.
leah.hamilton@termsfeed.com