In September 2021, mistakes in WhatsApp's Privacy Policy cost the company EUR 225 million. In January 2022, the French regulator CNIL fined Google EUR 150 million over the way it obtained consent for cookies. In the United States, the Federal Trade Commission (FTC) imposed a USD 5 billion penalty on Facebook in July 2019 for sharing personal data with Cambridge Analytica in breach of its privacy commitments, and in October 2018 the UK Information Commissioner's Office fined Facebook GBP 500,000 (about USD 644,000) over the same leak of user data.
E-commerce received the highest number of GDPR fines in 2021. Social networking came second and the technology sector third.
In this article, IT lawyers explain how to avoid penalties and the blocking of an IT product, and how to draw up a Privacy Policy for a website or mobile application that complies with the GDPR, the CCPA and other privacy and data protection laws.
What is a Privacy Policy on a website or app?
A Privacy Policy is a legal document that explains what personal data your website or app collects from visitors and users, why it is collected, how it is processed and shared, and how it is protected.
Why is it necessary to have the Privacy Policy?
Here are 4 reasons to draw up and publish the document.
To comply with the GDPR, CCPA and local data protection laws and regulations
Having a Privacy Policy on a website or mobile app is a legal requirement. If an IT product targets audiences in several countries, the Privacy Policy must meet the requirements of each of those jurisdictions. The general rule: if users merely happen to find you, your own law applies; if you deliberately target users in another country (for example by offering your service in their language or currency), that country's law applies as well. The GDPR makes this explicit in Article 3(2), which covers non-EU companies that offer goods or services to, or monitor the behaviour of, people in the EU.
California has the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA). Both apply to companies that collect personal data from California residents, so their reach goes beyond the borders of one state. For example, if your company is located in Seattle or Boston but processes the personal data of California users, it must comply with CalOPPA and, subject to its applicability thresholds, the CCPA.
These are some acts that regulate privacy:
- In the US - the Children's Online Privacy Protection Act (COPPA).
- In Canada - Personal Information Protection and Electronic Documents Act (PIPEDA).
- In the EU - General Data Protection Regulation (GDPR).
Your users' location determines which requirements your Privacy Policy must meet, and the laws differ. For example, the CCPA protects California consumers (the B2C segment), whereas the GDPR protects every natural person and therefore also covers personal data processed in B2B relationships. US companies that serve European markets and consumers must adapt their policies to the GDPR.
To publish mobile applications in the App Store and Google Play
Since October 2018, the App Store has required every app to have a Privacy Policy: iOS developers must supply a Privacy Policy URL before a product can be submitted for review.
The Google Play Developer Distribution Agreement, which you accept as a developer, requires a Privacy Policy for all Android applications. The Android Security and Privacy team reported that 1.2 million policy-violating apps were blocked from publication in 2021.
To use Google Analytics, Google Ads, Cookies and remarketing tools
The Google Analytics Terms of Service require you to have a Privacy Policy. Google Analytics works by storing cookies on the user's device and collecting data through them, and you need the user's permission for that.
Google Ads requires you to inform users that your IT solution uses remarketing to advertise a product or service, and that they can opt out of it.
Twitter's Lead Generation Card requires a Privacy Policy URL before you can use the service. Facebook has the same condition: when you use the Facebook API you request users' personal data, so Facebook requires you to provide a Privacy Policy and to comply with data protection laws and regulations.
To use a payment system for online payments
Acquirers and payment systems require websites and mobile applications to notify users that their personal data is transferred to the payment provider. So you need a Privacy Policy to connect PayPal, Stripe, Apple Pay, Google Pay or any other payment system. To take payments in an application, an online store or any other IT product, you must tell users what financial information you collect, where it goes and for what purposes.
Now you know why a Privacy Policy is needed on a website or mobile application. Next, we explain how to draw it up.
What should be included in the Privacy Policy?
Below are the main questions that should be addressed in the Privacy Policy.
What data do you collect and process?
Start by defining what counts as personal data for your product.
Stalirov&Co IT lawyers drafted the Privacy Policy for the Youwex freelance exchange; it states that the platform collects the following data:
- About customers: first name, last name, email address and password, transaction details (debit/credit card details).
- About freelancers: first name, last name, email address, password, postal code, country, language skills, education, work experience. In addition, the freelancer provides supporting documents and adds photos, videos and presentations.
Another IT product the IT lawyers have worked with is SmartWatch Sync & Bluetooth notifier, an application for synchronising smartwatches with Android devices. The personal data users provide to this solution differs from Youwex and includes:
- Google account data
- DeviceID
- Device model
- Users' email address, first name, last name, location
- Payment data
Stalirov&Co IT lawyers also drafted the Privacy Policy for InsuranceHunter, an insurance search platform targeting businesses in the US and the EU, so the document had to cover both the GDPR and the CCPA. Here is the approximate list of personal information, compiled by the IT lawyers, that the platform collected and the Privacy Policy disclosed:
- identification data: name, date of birth, age and any family information;
- biographical data: marital status, gender and employment status;
- contact details: home or other physical address, email address and telephone number;
- driver data: car accident details and vehicle information;
- financial data: credit information and annual income;
- health data: physical parameters (height, weight) and health information;
- technical information such as IP address or identifier.
What are the purposes and grounds for personal data collection and processing?
Purposes must be specific, legitimate and transparent. Article 6 of the GDPR establishes six lawful bases for processing personal data. Consent of the user (the data subject) is the best known, but it is not the only one. The others are:
- Performance of a contract (contractual necessity)
- Compliance with a legal obligation
- Protection of vital interests
- Performance of a task in the public interest
- Legitimate interests of the controller or a third party
The CCPA takes a fundamentally different approach: it presumes that the collection and processing of personal information by a business is lawful. To protect consumers, it instead grants them the right to direct a business not to sell or share their personal information, alongside rights to know, delete and correct it. The Privacy Policy must describe these rights; once an opt-out request is received, the business must honour it and may no longer sell or share that person's data.
For the Island 211 mobile game, the IT lawyers set the following purposes:
- Registration in the game
- Advertising content demonstration
- Mutual settlements between players
- Funds withdrawal
- Customer support provision and other purposes
The goals for Youwex differ. The platform collects and processes data to:
- Help users find freelancers' profiles and book and conduct online sessions;
- Verify a freelancer's right to provide services in the selected section and direction, to keep services at the highest professional level;
- Comply with the requirements of legislation in the field of finance and accounting, confirm transactions between the customer and the freelancer;
- Prevent fraudulent activity on the platform and help to manage users' profiles.
Can the collected data be shared?
An IT product owner may share information with various service providers (sales, marketing, content and feature delivery, advertising, analytics, research, data storage, security, fraud prevention, payment systems, delivery services), with social networks and partners, and, where required, with courts, law enforcement and government agencies. The main requirement is data minimisation: the data disclosed to a third party must be adequate for the purpose and must not exceed what that purpose needs. Such third parties must handle users' data in line with the Privacy Policy. The Privacy Policy must tell users which categories of third parties receive their data and for what purposes.
What third-party services does the IT product use?
You must notify users that third-party services may get access to their personal data. For example, the SmartWatch app uses Flurry, a mobile app analytics platform: user actions and clicks within the product are recorded and processed. SmartWatch also uses AdMob to generate advertising revenue and Firebase for analytics.
Mobile applications also need permission to use device capabilities: location, vibration, background operation, opening network links, in-app purchases, writing to external storage. Alongside the list of permissions, describe why each is needed. For example, the SmartWatch app needs location access to find Bluetooth devices in range.
Another example from our IT lawyers' experience is Hypelitix, a web service that provides public Instagram profile data: post metadata, IGTV and profile stories. The service uses Google Cloud Vision to recognise text in Instagram images and videos.
The Privacy Policy should inform users about the third-party services involved and, where possible, link to those services' public privacy documents. The same rule applies to payment systems.
Cookie files
First, define what cookie files are.
The IT lawyers prepared the Privacy Policy for the SnekerStudio online store. The document includes a detailed description of the types of cookies, how long they are stored and for what purpose. For example, basket_id is stored for 4 years to operate the basket on the website. Google DoubleClick uses the IDE cookie for advertising and to collect information about how users interact with the website; storage time 1 year. Facebook uses the _fbp and fr cookies to deliver relevant ads; storage time 2 months.
Explicit (active) consent must be obtained before any non-essential cookies are set, and the user must be able to withdraw that consent at any time, as easily as it was given.
Advertising distribution
Devote a separate paragraph of the Privacy Policy to the distribution of marketing materials. If you use personal data for marketing and advertising, state how you use it for those purposes and whether it may be used for internal marketing and direct communications, including mailing lists, SMS and text messages. The user must be able to refuse, for example by unsubscribing. This is a mandatory requirement of both the GDPR and the CCPA.
What security measures does the website or app take?
Websites and applications implement physical, electronic and procedural security measures to protect personal data. Article 32 of the GDPR lists the following measures, to be applied as appropriate to the risk:
- Pseudonymisation and encryption of personal data
- Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of these measures
Where and for how long is personal data stored?
Each IT product determines for itself where and for how long users' personal data is stored, and the Privacy Policy must say so. For example, the Youwex freelance exchange undertakes to delete personal data within 180 days of the user deleting their profile.
Sneker Studio stores data for as long as the personal account exists.
SmartWatch's retention period depends on the purpose of collection. For example, account registration data is kept for marketing purposes for as long as the application is installed on the user's device.
How to get access, update or delete data?
To make the Privacy Policy compliant with the GDPR and the CCPA, describe how users can access, view, update, correct and delete their personal data. The procedure should be simple, for example sending a request to a dedicated email address.
The CCPA and the GDPR differ in what they require for user access to personal information. So when Stalirov&Co IT lawyers wrote the InsuranceHunter policy (a platform for users from the EU and the US, including California), they added a separate notice for California residents describing their rights to access and to request deletion of personal data.
2 additional recommendations for your Privacy Policy
Place the Privacy Policy in an accessible place
The Pew Research Center surveyed 4,272 US adults: only 9% said they always read a privacy policy before accepting it, and about 36% said they never read it. Despite these discouraging figures, the document must be easy to find, and that is also a requirement of the GDPR and the CCPA. In practice, the registration form and the website or app footer are the natural places for the Policy link and for obtaining the user's agreement to its terms.
Use plain language writing the Privacy Policy
The journalist Kevin Litman-Navarro studied 150 privacy policies and tested their readability with the Lexile tool. On the Lexile scale, a score of 1440 corresponds to text that doctors and lawyers are expected to understand; to his surprise, many of the policies exceeded it. You may think this is a side issue, but regulators pay attention to the accessibility criterion. In the WhatsApp case, Ireland's Data Protection Commission found that the messenger did not meet the requirement that privacy information be easily accessible and written in language its users can understand. That violation cost WhatsApp EUR 225 million.
We encourage you not to repeat the mistakes of the global giants: use our advice to write a Privacy Policy that is understandable and user-friendly, with clear formatting and easy navigation.