Do I Need a Privacy Policy if I Don't Collect Personal Data?
The short answer is yes. You still need a privacy policy even if you do not collect data because it's in the policy that you state your app or website doesn’t collect personal data.
A privacy policy informs your users what data you collect (or do not collect), how the data will be stored and used, and the rights your users have over their data.
Besides being a legal requirement, a privacy notice also demonstrates to your users that you have a transparent process for handling their data and are, therefore, worthy of their trust.
Third parties such as Google, Facebook, or MailChimp gather users' data. So, if you use third-party services, you should have a privacy policy that communicates what data third parties collect and how it will be used.
If you do not collect personal data and don’t use third-party tools, you’ll still need a privacy policy that explains such a position to your users.
The General Data Protection Regulation (GDPR) is the primary privacy law regulating how entities manage user data. In this article, you will learn:
- What is GDPR?
- What are the privacy requirements in the EU, Australia, and Canada?
- Do I need a privacy policy to access Google Analytics?
- What needs to go into my privacy policy to be compliant with the GDPR?
What is GDPR?
The General Data Protection Regulation outlines the requirements for collecting data from residents in the European Union.
It safeguards the rights of EU citizens concerning use and control over their data, even when the entity collecting their data is outside the Union. It sets out what these entities must do to safeguard the interests of EU users.
Besides the GDPR, the Organisation for Economic Co-operation and Development (OECD) provides guidelines for protecting the privacy and transborder flows of personal data.
The 2013 OECD guidelines guide its 37 member countries on the development of data protection laws and touch on, among other areas, private data storage, abuse, and unauthorised disclosure of such data. The guidelines also note the importance of supporting the free flow of data for sectors such as banking and insurance.
The GDPR and the OECD privacy guidelines complement each other and have more or less similar provisions. The only difference is that the OECD guides member country laws while the GDPR is more for website/application owners. Although both are global efforts, the GDPR protects EU residents, while OECD guidelines are cross-cutting as the institution has members from all eight continents.
What Are the Privacy Requirements in Australia, Canada, and the United States?
Australia’s Privacy Act outlines the legal framework for data privacy and requires entities operating in Australia to have a privacy policy. The law limits the collection of data to only information relevant to the company's business. According to the law, users have the right to know why you collect their data, who handles it, and who will be privy to it. The entities also have the responsibility of ensuring the private data isn’t lost or abused.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is the law that protects Canadians against institutions abusing data collected from them. The law requires web and application owners to get users to agree to their data being collected, used, and disclosed.
Institutions collecting data are also required to state how the data will be used and use it according to the stated purpose. The Canadian law establishes the office of a Privacy Commissioner to handle complaints against institutions that misuse personal data.
Do I Need a Privacy Policy to Access Google Analytics, AdWords, and AdSense?
Yes. Google requires you to have a privacy notice if you’re to access free tools such as Google Analytics, AdWords, and AdSense.
Since you built your website or application for people, you will undoubtedly find analytics useful in helping you organise your online presence. Furthermore, you may also want to promote your website on Google to expand its reach.
Analytics provides insights on who your users are, what sections of your site they find most useful, where they come from (geography), and your sources of traffic.
It is for this reason that Google requires you to have a privacy policy if you’re to access Google Analytics and AdWords. If you have any ambition of making money from your content using Google AdSense, then you also need the policy.
You need the privacy notice because, for you to use these tools, Google needs to monitor and monetise the behaviours of the people who use your platform.
What Needs to Go Into My Privacy Policy to Be Compliant With the GDPR?
Even though you do not intend to collect data, your privacy policy must include the following provisions:
- Scope of your privacy policy
- Explain that you do not collect data
- Indicate if you share data with third parties
Scope of the Privacy Policy
For instance, Oracle, the computer technology corporation, gives the scope of its policy in its privacy policy. It provides that the policy covers the processing of personal information from not only the site users but also their visitors and attendees of their events. The notice is also meant to include private data Oracle collects from suppliers, business partners, and subscribers of their magazines.
Explain That You Do Not Collect User Data
Ecquire does not collect or store any data or messages on their platform. They use their privacy notice to explain how they avoid collecting user data.
Indicate If You Share Data With Third Parties
Even though Ecquire doesn’t collect data, they use a third-party analytics tool, which does. In their privacy notice, they indicate the data the third party collects and how they use it.
Conclusion
You can opt for an elaborate privacy policy or a short one depending on the nature of your business. You may also choose to have a summary version alongside a detailed notice. Either way, it is essential to have a privacy notice to comply with the legal requirements of the country your business operates in and the country where your target audience is situated.
Our free privacy policy generator will provide you with a customisable, lawyer-drafted privacy policy to cover your business requirements.
Disclaimer
The information in this article is for informational purposes only and should not be construed as legal advice on any matter and does not create a lawyer-client relationship.