When you hear someone mentioning privacy and data protection, you might think it affects you only when your privacy is at stake. However, as soon as you start your business’ online presence and even more when you actively start doing business online (as well as offline), certain obligations to protect individuals’ privacy start to exist for you.
Many people are not aware that the EU has stricter privacy and data protection rules compared to the USA for example – that is to say that here, in good old Europe, we take privacy very seriously.
- You are required by law to inform users about certain aspects of processing personal data;
- You need a way to obtain users’ consent about the personal data processing you do;
- It makes you (look) more transparent and honest to customers/business partners, i.e. it creates trust.
- Keep it simple
Do not use overly sophisticated legal language – all that legal mumbo-jumbo sounds great to lawyers, but everyone else finds it really hard to read and understand. And a well-kept secret is that even lawyers are often bored and confused by excessive legal terminology.
- Be specific and include details (not to the extreme)
- Do not just copy it from another website
- Consult with other people/departments within your organization about what you really do with personal data
- Update it every time something privacy related changes
WHAT TO INCLUDE
- What kind of personal information you collect – e.g. name, birthdate, e-mail, bank details, etc.
- How you collect it – through website registration, Facebook log-in, Google Analytics, etc.
- For what purposes you collect it and how you process it – e.g. to provide your service, to organize events, to administer users’ requests, etc.
- How you protect it – encryption, operational procedures, etc.
- Whether you provide it to third parties and, if yes, why and what protection measures are taken, etc.
- How users can access and correct their personal data – in the EU you must provide users with such access.
- How the policy will be changed and how users will be notified of the changes.
As a bare minimum, you should include:
- What kind of data you collect through Google Analytics – e.g. Cookie and Usage Data.
- What features/services of Google Analytics are used – e.g. Display Advertising, Google Analytics Demographics and Interest Reporting, etc.
- Provide users with an opt-out link from certain Google Analytics services (such as Display Advertising) or cookies (such as the DoubleClick cookie) – more info here: https://www.google.com/intl/en/analytics/learn/privacy.html
The ePrivacy directive requires you to ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts using them.
For users’ consent to be valid, it must be:
- freely given, and
- a real indication of the individual’s wishes.
Luckily, some cookies are exempt from this requirement:
- Cookies used for the sole purpose of carrying out the transmission of a communication, and
- Cookies that are strictly necessary in order for the provider of an online service explicitly required by the user to provide that service.
Examples of clearly exempt cookies include user-input cookies (session ID), authentication cookies, user-centric security cookies, multimedia content player cookies, load balancing cookies, user-interface customization cookies, etc.
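As an added example (not code from the original post), the small consent gate below applies this distinction in JavaScript: strictly necessary cookies such as the session ID or authentication cookie are set immediately, while analytics and advertising cookies, and the Google Analytics loader itself, are held back until the user has opted in. The cookie names and the categories assigned to them are illustrative assumptions, and the Map stands in for document.cookie so the code also runs outside a browser.

```javascript
// Added example, not from the original post. Cookie names and categories
// below are illustrative assumptions; unknown cookies are denied by default.
const COOKIE_CATEGORIES = {
  sessionid: "strictly-necessary",  // user-input / session ID cookie
  auth_token: "strictly-necessary", // authentication cookie
  csrf_token: "strictly-necessary", // user-centric security cookie
  lb_route: "strictly-necessary",   // load balancing cookie
  ui_lang: "strictly-necessary",    // user-interface customization cookie
  _ga: "analytics",                 // Google Analytics
  _gid: "analytics",
  IDE: "advertising",               // DoubleClick cookie (Display Advertising)
};

// Records which non-essential categories the user has freely opted in to.
class ConsentState {
  constructor() { this.granted = new Set(); }
  grant(category) { this.granted.add(category); }
  revoke(category) { this.granted.delete(category); }
  allows(category) {
    return category === "strictly-necessary" || this.granted.has(category);
  }
}

// Unknown cookies are treated as non-essential, the safe side of the rule.
function categorize(name) {
  return COOKIE_CATEGORIES[name] || "unknown";
}

function canSetCookie(name, consent) {
  return consent.allows(categorize(name));
}

// jar stands in for document.cookie (a Map so the example runs in Node).
// Returns true if the cookie was set, false if dropped for lack of consent.
function setCookie(jar, name, value, consent) {
  if (!canSetCookie(name, consent)) return false;
  jar.set(name, value);
  return true;
}

// Third-party tags such as the Google Analytics snippet must not run before
// consent either; `loader` is where a page would inject the <script> tag.
function loadAnalyticsIfConsented(consent, loader) {
  if (!consent.allows("analytics")) return false;
  loader();
  return true;
}
```

Revoking consent later (`consent.revoke("analytics")`) makes the gate refuse those cookies again, but cookies already set must be deleted separately.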
*Featured image by Nenov Brothers, www.dollarphotoclub.com