Privacy Policy Articles - PrivacyTerms.io https://privacyterms.io/ Mon, 15 Mar 2021 04:52:50 +0000 en-US hourly 1 https://wordpress.org/?v=6.2 What is the Data Protection Act 2018? https://privacyterms.io/privacy/what-is-the-data-protection-act-2018/ Mon, 15 Mar 2021 04:52:49 +0000 https://privacyterms.io/?p=3387 The Data Protection Act (DPA) 2018 is the UK's updated data protection law which became effective on 25th May 2018 and was recently amended on the 1st January 2021 to reflect the United Kingdom's exit from the EU. It sits alongside the UK GDPR and replaces the Data Protection Act 1998. The United Kingdom is […]

The post What is the Data Protection Act 2018? appeared first on PrivacyTerms.io.

]]>
The Data Protection Act (DPA) 2018 is the UK's updated data protection law which became effective on 25th May 2018 and was recently amended on the 1st January 2021 to reflect the United Kingdom's exit from the EU. It sits alongside the UK GDPR and replaces the Data Protection Act 1998.

The United Kingdom is no longer a part of the EU and the Data Protection Act alongside the UK GDPR are the current data protection laws that govern the processing of personal data in the UK.

Data Protection Parts

The Data Protection Act is made up of four data protection parts, also known as "data protection regimes", these are:

  • Part One: Preliminary
  • Part Two: General processing
  • Part Three: Law enforcement processing
  • Part Four: Intelligence services processing

For the majority of businesses Parts one and two of the Data Protection Act 2018 are most relevant and important, so let's take a more detailed look at these two parts as they most likely apply to you and your business.

Part One: Preliminary

definitions

Part One of the Data Protection Act 2018 sets out definitions of key terms that are used in the act. Most of the key terms are the same as those found in the GDPR, and below are the main terms:

  • Personal data: this is defined as "Any information relating to an identified or identifiable living individual."
  • Identifiable living individual: this is defined as "A living individual who can be identified, directly or indirectly, in particular by reference to:
    • an identifier such as a name, an identification number, location data or an online identifier; or
    • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual"
  • Processing: the word processing is defined in the DPA 2018 as "In relation to information, means an operation or set of operations which is performed on information, or on sets of information". Examples of these types of operations are collection, storage, organising, structuring, retrieval, use, disclosure via transmission, erasure etc.
  • Data subject: a data subject is defined as "the identified or identifiable living individual to whom personal data relates."
  • Controller Processor: Controller is defined as "the natural or legal person, who alone or jointly with others determines the purpose and means of the processing of personal data" and Processor is defined as "the natural or legal person who processes personal data on behalf of the controller".
  • Personal data relating to criminal convictions and offenses or related security measures: defined in the DPA as personal data relating to: "
    • the alleged commission of offenses by the data subject; or
    • proceedings for an offense committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing."
  • Court: according to the DPA the word court doesn't include a tribunal.

Part Two: General processing

Under the DPA the term processing is defined as:

In relation to information, means an operation or set of operations which is performed on information, or sets of information such as:
• collection, recording, organisation, structuring or storage;
• adaptation or alteration;
• retrieval, consultation or use;
• disclosure by transmission, dissemination or otherwise making
available;
• alignment or combination; or
• restriction, erasure or destruction.

Part two of the Data Protection Act supplements the UK GDPR. It relates to the processing of personal data that is both within the scope of the EU GDPR and that which falls outside of it.

Processing that is included in the GDPR

The Data Protection Act is in line with the central provisions relating to the protection of personal data that are included in the GDPR. These include the following the data protection principles as follows:

  • personal data is processed lawfully, fairly and transparently
  • personal data is only used for specific, explicit purposes
  • personal data is used in an adequate, relevant and necessary manner
  • personal data is accurate and kept up to date where necessary
  • personal data is not kept linger than necessary
  • personal data is handled securely, being protected against unlawful or unauthorized processing, access, loss, destruction and damage

Processing that differs to the GDPR

There are a few key areas where the processing of personal data differs between the DPA and the GDPR. They are:

  • The DPA sets the age of consent in processing online data to 13, where as the GDPR sets the age to 16.
  • Covers data processing in the following areas that are not included in the GDPR: law enforcement, national security and immigration.
  • The DPA specifies fines and repercussions for privacy law infringements. These include unlimited fines for illegally re-identifying personal data that had been anonymized for data protection.
  • The DPA allows for automated processing of personal data if there are legitimate grounds for the processing.

Legal Bases for Processing Personal Data

Under the DPA there are six legal bases for collecting and processing personal data, which must be adhered to. These are:

  • Consent given by the user
  • To fulfill a contract with the user
  • to protect an individuals vital interests (health and life)
  • you have a legal obligation to process the personal data
  • you are executing a task in the public interest or under official authority
  • there is a legitimate interest for your business for processing the personal data.

Whenever you are collecting and processing personal data you are required to have one of these legal basis for doing so.

Should you be collecting and processing personal data under the basis of consent, you must ensure you are meeting the requirements under the DPA. These methods need to be:

  • Unambiguous: the consent forms you use need to be clear and easily understood.
  • Explicit: consent must be obtained by stand alone means and not with other items.
  • Informed: your users must have information that fully explains what they are consenting to.
  • Freely given: when obtaining users consent it needs to be given in a clear whay, such as checking a check box or clicking a button to affirm consent.
  • Recorded: you are required to maintain records of consent.

Ensure that you obtain consent from your users prior to collecting and processing their personal data.

Data Subjects Rights

The DPA, like the GDPR, sets out data protection rights for data subjects. There are a couple of exceptions for intelligence and immigration services, however these are not relevant for the majority of businesses.

When processing personal data the following data subjects rights need to be adhered to. The individual has the right to

  • access a copy of their personal data from you
  • be informed. Should your user wish to obtain information regarding what data is collected, processed, shared or stored, you must give them this information.
  • rectification: should you have incorrect personal data the user may request changes to be made at any time.
  • be forgotten: your users have the right to having their data erased.
  • data portability: your users can request and be given their data for use with other services
  • withdraw consent: the consent for collecting , processing and storing data may be withdrawn at any time.
  • object to how their data is being used at any time.
  • automated decision making: the user can object to the automated processing of their data
  • profiling: the user can object to their personal data being used for profiling. an example of this is when data is used to predict your behaviour

Conclusion

In order to ensure you are complying with data protection principles and data subjects rights, there are a few things that you can do depending on the size of your organization. These are:

  • Create a Privacy Policy. A privacy policy is required by any website or organization that collects any personal data. It is a requirement by law, not just under the DPA but under most privacy laws.
  • Create a Data Protection Policy. A data protection policy ensures that anyone working within your organization understands what is required of them with regards to processing, maintaining and securing personal data and how they should handle any data breaches should they occur.
  • Perform a Data Audit. By performing a data audit, you will be aware of the type of data that's collected and how its maintained, secured and processed by your organization.

The post What is the Data Protection Act 2018? appeared first on PrivacyTerms.io.

]]>
3 Reasons Your Website Needs a Privacy Policy https://privacyterms.io/privacy/3-reasons-your-website-needs-a-privacy-policy/ Wed, 03 Feb 2021 07:52:49 +0000 https://privacyterms.io/?p=3374 Whether you own a website, blog or eCommerce store you may find yourself wondering, do I need a privacy policy? The short answer is, if you collect personal data from your readers or users in any form, then yes you do need a privacy policy. The three most important reasons you will require a privacy […]

The post 3 Reasons Your Website Needs a Privacy Policy appeared first on PrivacyTerms.io.

]]>
Whether you own a website, blog or eCommerce store you may find yourself wondering, do I need a privacy policy?

The short answer is, if you collect personal data from your readers or users in any form, then yes you do need a privacy policy. The three most important reasons you will require a privacy policy are:

  1. It is a legal requirement of international privacy laws.
  2. It is a requirement of a third party service you are using. (an example is Google Analytics)
  3. It builds trust and shows respect for your users privacy

Let's delve a little deeper into these 3 reasons that you are going to need a privacy policy.

1. It's a Legal Requirement of International Privacy Laws

A privacy policy is a legal requirement of most countries, when personal data is being collected and stored. There are a multitude of ways that you may be collecting data from your users. Some examples are : your website uses cookies, you collect email address for monthly newsletters or to advise when you are running a sale or when your next blog post is out, you collect personal details to send goods to your customers, or you collect financial information for payment.

Here are a list of some of the major international privacy laws, which require a privacy policy to be accessible to users and customers once you are collecting personal data:

A number of the above mentioned privacy laws are not only applicable to the businesses that are operating within that country but also to any that are serving users and customers in those regions. For example, a website that is located in California and has users in Australia, Canada and the European Union, will be required to adhere to CalOPPA, COPPA and CCPA as well as GDPR, Australian Privacy Act and PIPEDA. Having a privacy policy in place that covers these laws is essential.

site stats

2. It is a Requirement of a Third Party Service you are Using

Running an online business or website often requires you to use third party tools or services. For example most websites run analytics in order for them to track the traffic that comes to the website and the behaviour of that traffic. Websites and blogs often use advertising as a way of creating revenue and also affiliate links. All of these services require that your website, blog or eCommerce store have a privacy policy in place. Lets take a closer look at some of the third party services that require a privacy policy as part of their terms and conditions of use.

Google

Google provide a number of services and tools that are used by many, many websites, blogs and online stores. The following all requires that you have a privacy policy in place:

from Google Adsense terms and conditions
  • Google Ads
  • Google Play Store
Google Adsense

Analytics

Apart from Google Analytics there are a number of other analytics tools that also require a privacy policy to be in place:

  • Adobe Analytics
  • Clicky Analytics
  • Hotjar
hotjar terms
from Hotjar terms and conditions
  • Kissmetrics
Kissmetrics terms
from Kissmetrics terms and conditions
  • Matamo

3. It Builds Trust and Shows Respect for Your Users Privacy

Apart from the fact that having a privacy policy on your website is a legal requirement, it also shows your users that you take data privacy seriously. A privacy policy shows respect for your users privacy and sensitive data.

Your privacy policy will need to include the following:

  • what personal data you collect from your users
  • how the personal data is collected
  • how the personal data will be used
  • if you use cookies on your site then disclosing this and how your users can opt out of them
  • disclosing third party tools or services you use and what information is shared with them
  • how you secure personal data
  • where personal data is stored

Conclusion

A privacy policy is a legal requirement of a number of international privacy laws, third party tools and services as well as being a sign of respect as to how you handle your users personal data.

The privacyterms.io privacy policy generator will generate a privacy policy customized for your specific business or blog requirements. They are GDPR, CalOPPA, COPPA,CCPA,PIPED, and Australian Privacy Act compliant.

The post 3 Reasons Your Website Needs a Privacy Policy appeared first on PrivacyTerms.io.

]]>
Why is Everybody Updating Their Privacy Policy? https://privacyterms.io/privacy/why-is-everybody-updating-their-privacy-policy/ Tue, 17 Nov 2020 10:37:48 +0000 https://privacyterms.io/?p=2992 If it seems that everyone is updating their privacy policies, it's because they are. Companies update their privacy policies in order to be compliant with the data protection laws and to inform users of their rights and how their data is collected, stored and used. Among the latest are GDPR and CCPA, both laws increase […]

The post Why is Everybody Updating Their Privacy Policy? appeared first on PrivacyTerms.io.

]]>
If it seems that everyone is updating their privacy policies, it's because they are. Companies update their privacy policies in order to be compliant with the data protection laws and to inform users of their rights and how their data is collected, stored and used. Among the latest are GDPR and CCPA, both laws increase the need for transparency surrounding personal data and ensuring users are aware of their rights.

Listen to this article in audio format

What is a Privacy Policy?

A privacy policy is a legal document that explains how a website or company handles personal data. Personal data is any information that can be used alone or in conjunction with other information to identify an individual. This includes, but isn't limited to, a name, address, date of birth, phone number, place of employment, ID numbers, medical history and marital status.

A privacy policy should include the following information:

  • The name of the website or company
  • the types of personal data that is collected
  • how this personal data is collected and stored
  • the reason for the collection of personal data
  • how the website or company will use personal data
  • how the user can access their personal data or ask for a correction
  • how the user can lodge a complaint
  • the users rights
  • cookies

International Privacy Laws

Internation Privacy Data protection

There are a number of International Privacy Laws that need to be considered when you are creating your privacy policy. The ones that will apply to you are dependent upon where your users are situated, not your business. are GDPR, CCPA, CalOPPA, COPPA, PIPEDA, and the Australian Privacy Act 1988.

Let's take a brief look at each of these data protection laws. For more detailed information please follow the links to individual articles which will go into further detail.

GDPR

gdpr
gdpr general data protection regulation concept with big text and team people discussion - vector illustration

GDPR stands for General Data Protection Regulation. It is an European Union privacy law which protects the personal data of residents of the EU. Companies and websites privacy policies need to include the following to be GDPR compliant:

  • your company contact details contact details of your data protection officer if you have one
  • a list of data protection rights of your users
  • the right for your user to withdraw consent at any time
  • the right for your user to lodge a complaint with a supervisory authority if required
  • if you have an automated decision making system implemented, then details about how the system is set up and what the consequences of this system are.
  • what personal data is collected
  • your companies reason for processing personal data
  • the length of time that personal data is retained
  • who personal data is shared with, if any other party

CCPA

CCPA privacy policy
Pharmaceutical policy on clipboard and researchers, tiny people. Pharmaceutical policy, pharmaceutical lobby, drugs production control concept. Bright vibrant violet vector isolated illustration

CCPA stands for the California Consumer Privacy Act. It is a privacy law which protects the rights and personal data of the residents of California. Companies and websites who collect personal data from the residents of California will need to include the following privacy rights in their privacy policies :

  • the right to know
  • the right to delete
  • the right to opt out
  • the right to non discrimination

The privacy policy will also need to include the categories of personal information that are collected.

CalOPPA

CalOPPA
Corporate compliance. Corporate culture and policies. Representation of the business laws, regulations and standards. Ethical practices of the company. Vector isolated concept creative illustration

CalOPPA stands for California Online Privacy Protection Act, a privacy law which made posting privacy policies online mandatory.

To comply with CalOPPA your privacy policy should include:

  • easy to read format
  • disclose personal data that you collect
  • provide links to privacy policies of third parties that you share personal information with
  • inform users of their rights and choices
  • provide contact details
  • explain how you respond to "Do Not Track" signals
  • clearly label your stance on online tracking, for example "California Do Not Track Disclosures"
  • list any third parties that may collect personal information while on your site.

COPPA

COPPA stands for Children's Online Privacy Protection Rule, which is a privacy act which the primary goal protecting the personal information of children under the age of 13.

If your website does not apply to people in this age range then your privacy policy should state this.

If your website is directed at children 3 years or younger then the following applies:

  • You must post a clear and easily understood privacy policy on your website
  • outline what personal information is collected
  • outline why the personal information is collected and what it is used for
  • explain how you maintain the confidentiality, security, and integrity of information you collect from children

PIPEDA

PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is a privacy law which apples to private sector businesses in Canada.

To be compliant with PIPEDA, your privacy policy needs to include the following:

  • what personal data you collect
  • the purpose for the collection of personal data
  • explain how the personal data has been used
  • what are the risks of harm or other consequences of collecting the personal data
  • what third parties, if any, the personal data is shared with
  • make your privacy policy easy to understand and readily available for your customers

Australian Privacy Act 1988

Australian privacy act

The Australian Privacy Act of 1988 is a privacy law which help to protect the privacy of Australian residents and their personal data.

To be compliant with the Australian Privacy Act 1988 your privacy policy needs to include the following:

  • your business name and contact details
  • what personal data you collect
  • how you collect personal data
  • why you collect personal data
  • how you use the personal data you collect
  • disclose if you share personal data with a third party
  • if so what third parties
  • disclose any parties outside of Australia that you share personal data with
  • how can your users access their personal data
  • how can your users lodge a complaint if they think you have mishandled their personal data

Conclusion

privacy policy protect data

Updating your privacy policy to keep inline with international privacy laws is an important aspect of your online business.

To get your updated privacy policy check out our easy to use generator. It is comprehensive and customisable to suit any business requirements. It is lawyer drafted, up to date and compliant with all major privacy laws.

The post Why is Everybody Updating Their Privacy Policy? appeared first on PrivacyTerms.io.

]]>
CCPA vs CalOPPA https://privacyterms.io/privacy/ccpa-vs-caloppa/ Thu, 05 Nov 2020 10:38:13 +0000 https://privacyterms.io/?p=2872 The California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) are both California state laws. Both of these acts are in place to protect the personal information of residents of California. Let's take a look at the similarities and differences between these two acts. Listen to this article in audio format […]

The post CCPA vs CalOPPA appeared first on PrivacyTerms.io.

]]>
The California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) are both California state laws. Both of these acts are in place to protect the personal information of residents of California. Let's take a look at the similarities and differences between these two acts.

map of California
Listen to this article in audio format

Similarities and Differences

CCPACalOPPA
Is a California State Lawis a California State Law
WHO DOES IT APPLY TO?WHO DOES IT APPLY TO
applies to any business collections personal information from residents of California who meets one or more of the following:
  • gross annual turnover of over $25 million
  • buys, receive or sells personal information of 50,000 or more California residents
  • derives 50% or more of its annual revenue for the sale of personal information from Californian residents
applies to any website or online service that collects personal information from California residents.
KEY REQUIREMENTS FOR BUSINESSKEY REQUIREMENTS FOR BUSINESS
Privacy policies will need to include Individuals Privacy Rights. These are the right to: know delete opt out non discriminationPost a privacy policy on your website in a conspicuous manner by: having privacy policy on the homepage OR having a link including the word PRIVACY on the homepage, which takes users directly to the privacy policy OR the privacy policy is linked to the homepage via a hyperlink containing the word PRIVACY written in capital letters or a font that is larger than the surrounding font
Businesses are required to disclose categories of information they collect and this information must be available in their privacy policyThe privacy policy needs to be easy to read, using easy to read font and plain English, avoiding technical jargon where possible 
A “Do Not Sell My Information” link must be provided on the homepage of a website to allow users to exercise their right to opt out.Ensure that your policy contains a section explaining your websites stance on online tracking and ensure it is clearly labelled. Explain how you respond to Do Not Track signals and whether or not you disclose personal information to any third parties.
Any financial incentives that are offered in return for personal information must be disclosed in a notice to the consumer.Disclose all of the ways you use personal data that you collect and provide links, where possible, to any third parties you share personal data with.
All businesses are required to keep records for 2 years of consumer requests and how they have responded to these request.Disclose in your policy, any choices your users have in relation to the collection, use and sharing of their personal information
Business can not sell personal information of consumers under the age of 16 unless: consumers aged 13-16 have authorised the sale of this information consumers under the age of 13 have had their parent or guardian authorise this saleEnsure you are accountable by providing clear contact details so that your users can contact you with any questions or concerns they may have.

CCPA

The California Consumer Privacy Act came into effect on the 1st January 2020. It is a California state based privacy legislation which increases the privacy rights and protection of personal information for the residents of California.

Who Does it Apply to

CCPA applies to any business that collects personal information from residents of California and meets one or more of the following:

  • has a gross annual revenue of over $25 million
  • buys, receives or sells personal information of 50,000 or more California residents, households or devices or
  • derives 50% or more of its annual revenue form selling the personal information of California residents.

Key Requirements for Business

key requirements for business to comply with CCPA

The keys requirements for businesses which need to comply with CCPA are:

Privacy Policy Updates

Businesses will need to update their privacy policies to ensure that they are informing California residents of their new privacy rights. These rights are:

  • the right to know: this is the residents right to know what personal information is collected about them and how that information is used and shared by the business.
  • the right to delete: this is the right of the California resident to request that their personal information be deleted. However there are a number of reasons this request may be denied. For example if the personal information is required in order to comply with legal obligations or it is required in order to complete your transaction.
  • the right to opt out: this allows the Californian resident to opt out of the sale of their personal information
  • the right to non discrimination: this means that a resident cannot be denied goods or services, be charged differently or be provided with a different quality of goods or services because they exercised their rights under CCPA.

Disclose Categories of Personal Information Collected

Under CCPA businesses are required to notify the consumer of the categories of information that they collect and what the purpose for collecting the information is.. This can be done at the time or before collection takes place. The information must be readily available on the privacy policy and be updated every 12 months.

"Do Not Sell My Personal Information"

Businesses are required to provide a "Do Not Sell My Information" link on the home page of their website which takes them to an opt-out page so that they can exercise their right to opt out.

Financial Incentives

Businesses can offer financial incentives in return for personal information as long as these incentives are disclosed in a notice to the consumer explaining the terms of this incentive.

Records

Under CCPA, businesses are required to keep records of consumer requests and how they respond to these requests. These records must be kept for 2 years.

Parental or Guardian Consent

Businesses must not sell personal information that relates to consumers under the age of 16 unless :

  1. consumers aged 13-16 have authorized the sale of their personal information or
  2. consumers under the age of 13 have had their parent or guardian authorize the sale of their personal information.

CalOPPA

The California Online Privacy Protection Act came into effect in 2004 but was amended in 2013 to reflect new privacy disclosures regarding tracking online visits. It is the first state law to make it mandatory for websites and online services to post a privacy policy.

Who Does it Apply to

If you own a website or online service that collects and maintains personally identifying information from a California resident then CalOPPA applies to you. "Personally identifying information" refers to data collected via the internet that either alone or when collected together can reveal the identify of the individual.

Examples of personally identifying information are: the individuals name, address, email address, telephone number, and social security number.

Key Requirements for Business

CalOPPA requirements staff training

If you own or operate a website or online service then you are required to post a privacy policy on your website in a conspicuous manner. To comply you must:

  • ensure the privacy policy is shown on the homepage of the website or
  • have a link via an icon containing the word Privacy on the homepage that takes users directly to the privacy policy or
  • the privacy policy is linked to the homepage via a hyperlink text containing the word PRIVACY written in capital letters or in greater size font than surrounding text.

You are also required to stick with what is stated in your privacy policy. As stated by the General California Department of Justice "It requires them to say what they do and do what they say—to conspicuously post a privacy policy and to comply with the terms of the policy."

Privacy Policy Recommendations

CalOPPA compliant privacy policy

To comply with CalOPPA your privacy policy needs to comply with the following recommendations from the General California Department of Justice:

Readability

  • Use an easy to read format
  • use plain, easily understood English and avoid technical jargon where possible.

Online Tracking/ Do Not Track

  • Ensure the part in your privacy policy that explains your stance on online tracking is labeled clearly for your consumer. Example "California Do Not Track Disclosures"
  • Explain how you respond to Do Not Track signals.
  • Disclose whether any third parties may collect personal identifiable information when on your site.

Data Use and Sharing

  • Disclose all of your uses of personal data collected.
  • If possible provide a link to privacy policies of any third parties you share personally identifiable information with

Individual Choice and Access

  • Disclose the choices a consumer has in relation to the collection, use and sharing of their personal information.

Accountability

  • Ensure you provide contact details for any questions or concerns your users may have.

Conclusion

Both CPPA and CalOPPA are California state laws. They both apply to businesses that collect data from California residents however CCPA only requires compliance if your business has an annual turnover of over $25 million OR buys, sells or receives personal information of 50,000 or more California residents OR derives 50% or more of its annual revenue from selling the personal information from Californian residents.

Both CCPA and CalOPPA require that your business has a privacy policy, however each law requires different specific requirements. Check out our table above for the specific requirements of each of these Acts.

Your business does not need to be located in California for either of these laws to apply to you. If you have any users or customers who are residents of California then you must ensure you are complying with the laws.

For your CalOPPa and CCPA compliant privacy policy please check out our generators.

The post CCPA vs CalOPPA appeared first on PrivacyTerms.io.

]]>
What is PIPEDA? 🤔 https://privacyterms.io/privacy/pipeda/ Sat, 03 Oct 2020 04:07:54 +0000 https://privacyterms.io/?p=2539 PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is a federal privacy law which applies to private sector organizations in Canada who collect, use or disclose personal information for commercial activity. PIPEDA law regulates how businesses collect, use and disclose personal information from their customers for use in a commercial activity. But […]

The post What is PIPEDA? 🤔 appeared first on PrivacyTerms.io.

]]>
PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is a federal privacy law which applies to private sector organizations in Canada who collect, use or disclose personal information for commercial activity.

Canada image

PIPEDA law regulates how businesses collect, use and disclose personal information from their customers for use in a commercial activity. But what constitutes a commercial activity?

The law defines commercial activities as "means an activity that promotes, creates, or exchanges commercial products or services. Commercial activities include, but are not limited to, advertising, fund-raising, buying or selling any product or service, encouraging paid membership in any group, association or organization, or the marketing of commercial activities. Commercial activities do not include such activities by or for government entities."

What is personal information?

examples of identification

Personal information is any factual information that relates to an identifiable individual. This includes, but isn't limited to the following:

  • name and age
  • home address, business address, email address
  • health, finances, education
  • identifying numbers such as social security number, tax file number, drivers license, telephone number, mobile number
  • race and ethnic origin
  • DNA and blood type

Who does PIPEDA apply to?

PIPEDA applies to all private sector enterprises in Canada that collects, uses and/or discloses personal information, unless they are located in Alberta, British Columbia or Quebec. Why? these three provinces have strong privacy laws in place that are similar to PIPEDA.

What constitutes a private sector organization? A private sector organization is run by individuals or groups in order to turn a profit, they are not usually under government control. They include:

  • sole proprietors
  • partnerships
  • small, medium and large companies

Some federally regulated organizations are also subject to PIPEDA. These organizations include:

  • airports, aircraft and airlines;
  • banks and authorized foreign banks;
  • inter-provincial or international transportation companies;
  • telecommunications companies;
  • offshore drilling operations; and
  • radio and television broadcasters.

Your responsibilities under PIPEDA

fair information principles of PIPEDA

Schedule 1 of PIPEDA sets out 10 fair information principles that businesses must follow. These principles are:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

1. Accountability

staff complying with PIPEDA

In order to comply with the first fair information principle your organization needs to:

  • comply with all 10 fair information principles
  • Appoint a person to be responsible for your PIPEDA compliance
  • protect personal information held by your organization
  • develop and implement best personal information practices

2. Identifying Purposes

In order to collect and use personal information under PIPEDA, your organization must have a reason for collecting the data. To comply with fair information principle 2 you will need to:

  • Identify and document the purpose for collection of personal information.
  • inform your customers of the reason you are collecting their personal information before or at time of collection.
  • Obtain new consent if you require using their personal information for a new purpose.

In the case of online businesses, this can all be achieved by having a PIPEDA compliant privacy policy located on your website.

3. Consent

PIPEDA compliant privacy policy

In order to collect, use and disclose personal information legally, you must obtain consent from your customers. In order to comply with fair information principle 3 you must:

  • obtain meaningful consent from your customers for the collection, use and disclosure of their personal information
  • to make consent "meaningful" you must explain what purpose you have for the collection of your customers information and what you will use it for.
  • you may only obtain consent for use or disclosure that is necessary to fulfill a specified and legitimate purpose.
  • how you seek consent depends on the circumstances and type of information you are collecting
  • your customers may withdraw consent at any time, subject to legal and contractual obligations, and they must understand the implications of their withdrawal of consent.

For online businesses who require the collection of personal data to run their business, this can be obtained through a compliant privacy policy that includes the following:

  • what personal information you collect
  • what third parties, if any, the personal information is shared with
  • the purpose for the collection of personal information
  • what are the risks of harm or other consequences of collecting the personal data
  • provide this information in a clear and easily accessible manner on your website

4. Limiting Collection

The fourth fair information principle requires that you collect only the personal information from your customers, that you require in order to fulfill a legitimate, identifiable purpose. To comply with this principle you need to:

  • collect only the information you require
  • be honest about the reasons you are collecting the personal information
  • collect personal information by fair and lawful means

5. Limiting Use, Disclosure, and Retention

limit use, disclosure and retention of personal data

To comply with fair information principle 5 your business will need to:

  • disclose any personal information you have collected for it's intended purpose only, unless otherwise required by law
  • keep personal information only as long as you need it for the intended purposes
  • be aware of what personal information you have, where it is stored and what you are using it for
  • ensure you get new consent if you wish to use personal information for a new purpose
  • collect, use and disclose personal information in a way the a reasonable person would deem appropriate
  • have procedures for destroying personal information in place

6. Accuracy

In order for your business to comply with fair information principle 6, you must ensure that you minimize the possibility of using incorrect information when either making a decision about an individual or disclosing any personal information to a third party. In order to do this you should keep personal information as accurate and up to date as possible.

7. Safeguards

safeguard personal information

It is your responsibility to safeguard the personal information you have collected from your customers. In order to comply with this fair information principle 7 you will need to:

  • protect personal information appropriate to it's sensitivity
  • protect personal information against loss, theft and unauthorized access

You can achieve this by ensuring you have appropriate security safeguards in place. For information stored technologically, this may include, passwords, firewalls or encryption. For physical data this could include locked filing cabinets or alarm systems.

8. Openness

Your business needs to ensure that it makes clear what it's personal information management practices are. You must ensure you have a privacy policy outlining the collection, use, disclosure and security of personal data available for your customers to read and agree to.

In order to comply with fair information principle 8 you should:

  • inform your customers that you have policies for managing personal information in place
  • make your privacy policy easy to understand and readily available for your customers

9. Individual Access

access to personal data

Should your customers wish to access their personal information then they have this right and you need to comply. They also have the right to challenge accuracy and completeness of the personal information you hold. Should there be any errors they have the right to request for you to amend it.

In order that you comply with fair information principle 9, your business will need to :

  • disclose what personal information you hold on request
  • detail where the personal information was obtained from
  • disclose who the personal information has been shared with, if anyone
  • explain how the personal data has been used
  • provide access to personal data at no, or minimal cost. If you are unable to provide personal data you need to be able to explain why not.
  • correct any errors in personal information if applicable
  • keep record of any disputes about personal data

10. Challenging Compliance

The final fair information practice requires that any individual must be able to make a complaint and challenge your compliance in regards to the 10 fair information principles. To ensure you are complying, you will need to:

  • have complaint handling procedures in place
  • give complainants information about what recourse they can take
  • investigate all of the complaints you receive
  • improve information handling practices if they are not complying

For all privacy related complaints in Canada you can go to : https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint

Conclusion

PIPEDA is similar to many other privacy laws around the world. It's aim is to balance the need for personal data collection and use with the rights of the individual.

To ensure you comply with this Canadian law collect the minimum personal information you can from your customers, make sure you obtain their consent for the collection, use and disclosure of their information and be transparent about your businesses practices.

If you are an online business or have an online presence, you will be required to have a privacy policy on your website. Your privacy policy will need to disclose what personal information you collect, how you use this information, how it is stored, how you keep it secure and how long you hold it for. You will also want to ensure that you include your contact details so your customers can reach out to you if they have any concerns relating to their personal information.

The post What is PIPEDA? 🤔 appeared first on PrivacyTerms.io.

]]>
What is CalOPPA? https://privacyterms.io/privacy/caloppa/ Tue, 29 Sep 2020 06:21:52 +0000 https://privacyterms.io/?p=2475 CalOPPA stands for California Online Privacy Act. It is a state law of California which came into effect in 2004 and was amended to extend it's reach in 2012. It requires websites and online services to post a privacy policy on their websites if they collect any personally identifying information from residents in California, and […]

The post What is CalOPPA? appeared first on PrivacyTerms.io.

]]>
CalOPPA stands for California Online Privacy Act. It is a state law of California which came into effect in 2004 and was amended to extend it's reach in 2012. It requires websites and online services to post a privacy policy on their websites if they collect any personally identifying information from residents in California, and to comply with their privacy policy. They must also disclose how they handle Do Not Track requests.

Does CalOPPA apply to you?

Do you own a website or online service that collects and maintains personal data from a California resident? Then CalOPPA applies to you. Your website or business does not need to be in California for this law to apply, you just need to have users or visitors from California. If you are unsure whether this applies to you or not, it's best for you to err on the side of caution and have a privacy policy in place that has you covered.

What is Personal Data?

Personal data is information about an individual that either alone or when collected together can reveal the identify of the individual.

Personal Data

Examples of personal data are:

  • full name
  • home address
  • email address
  • telephone number
  • birth date
  • social security number
  • height
  • weight

What are your requirements?

In order to be compliant with the CalOPPA you will need to ensure that your website has the following:

  1. A conspicuous privacy policy
  2. Disclosure of Do Not Track signals
  3. Privacy Policy requirements

A Conspicuous Privacy Policy

One of the main requirements under CalOPPA is having a conspicuous privacy policy on your website. In order for your privacy policy to comply with CalOPPA you need to:

  • have a conspicuous link on your homepage that includes the word "privacy"
  • make the link stand out by increasing the size of the font, using a contrasting colour or a symbol that calls attention to it

Not only must you post your CalOPPA compliant privacy policy but you must ensure that you adhere to it also to be CalOPPA compliant.

Your privacy policy, according to the California Attorney General's office "It requires them to say what they do and do what they say – to conspicuously post a privacy policy and to comply with it".

Disclosure of Do Not Track Signals

In order to comply with the requirements of CalOPPA, you are required to disclose how you respond to Do Not Track signals. Specifically you are required to:

  • ensure it's easy for your users to locate the section that discloses your practices in your privacy policy by labeling it clearly, for example "California Do Not Track Disclosure".
  • explain how you respond to a browsers Do Not Track signal
  • state whether any third parties may be collecting personal data on your website.

Privacy Policy Requirements

Insurance policy concept, data security, business concept vector illustration

In order for your privacy policy to comply with CalOPPA's requirements it needs to contain the following:

  • use an easy to read format: consider adding an index to make it easy for your users to find the appropriate clauses
  • ensure the policy is in a format that can be easily printed
  • list what personal data you collect
  • list how you collect that data
  • provide a retention period for personal data
  • explain what you use the personal data for
  • list third parties you share data with and if possible provide a link to their privacy policy
  • if you use cookies, list which cookies you use
  • list the rights and choices of the consumer with regards to their personal data
  • outline what security measures are in place to help safeguard your users data
  • a description of how you notify your users of changes to your privacy policy
  • your contact details if your user has any queries relating to your privacy policy
  • the privacy policies effective date

Privacy Policy Clauses

To ensure your privacy policy is compliant the following clauses should be included.

Personal Data Collection

In this clause you outline what personal data you collect from your users and the ways in which you collect it.

Examples of the types of personal data collected could be: full name and address, residential address, mailing address social security number or passport number.

The ways in which personal data might be collected are: registering for an account, requesting a service, or signing up to receive emails for examples.

Use of Personal Data

Explain to your users in your privacy policy how you use their personal data once collected. Some ways your website might use data include: providing products and services, verifying users identities, tracking sales data or investigating complaints amongst many others.

Sharing of Your Data

Do you share your users data with a third party? if so you will need to include this clause in your privacy policy. Third party services you may supply personal data to include, but are not limited to: insurers, third party suppliers and payment service providers.

If you share data with any third party services you are required to list that service. Examples of third party services you may share personal data with are advertising services, analytics services (such as Google Analytics), debt collection services or data storage services.

Retaining and Deleting Personal Data

Outline to your users how long you retain their personal data for. It's not always possible to know in advance how long you will need to retain your users data. In that case you will need to specify the criteria for retention, this might be until the user no longer holds an account with you, for example.

Your Rights and Choices

It is important that your users and visitors are aware of their choices and rights.

Examples of choices for your users may be that they can opt out of email marketing or they can opt out of some service related communications.

The rights for US based citizens, that you will need to include, are: Your Rights to Access, Your Right to Withdraw Consent, and Your Right to Update, Correct or Delete.

California Privacy Rights

In this clause you will list the specific rights of California residents, which have not already been listed above, including the Do Not Track Disclosure clause.

California residents are permitted to obtain, information regarding third parties, who you disclose personal data to, once a year, free of charge. Residents who are under 18 years of age are allowed to request and have removed any content they have posted publicly.

Cookies

As part of your cookie policy, you will need to explain what cookies are, the types of cookies you use, the purpose of using cookies, cookies used by third party service providers (if any), and how to manage cookies.

There are a number of different cookies that may be used on your website, they include session cookies, persistent cookies, functionality cookies, performance cookies, advertising tracking cookies and affiliate tracking cookies.

The purposes of using cookies may include: authentication, advertising and analysis, for example.

It is important that you give your users information on how they can opt out of cookie tracking with any third party services you share their personal data with.

For more information on cookies see our article: What are Cookies and What do They do?

Data Security

Outlining the ways in which your website does its best to secure personal data is another requirement for your CalOPPA compliant privacy policy. As there is no foolproof method of securing online data, so it is important to add this into your clause, along with any security measures in place.

Changes and Updates

Let users and visitors know how you will make any changes to your privacy policy.

Our Details

Ensure your users can contact you if they have any questions regarding your privacy policy. Include an email address and/or contact page in your policy.

Consequences of not Complying

There are no enforcement provisions of it's own, so CalOPPA is expected to be enforced through California's Unfair Competition Law. This law "prohibits unlawful, unfair or fraudulent business acts or practices."

Any violations to CalOPPA can be reported to the California Attorney general's office website.

Conclusion

In order to be compliant with this California Privacy Law your website will need to ensure it has a privacy policy which contains all of the information listed above. You will also need to ensure that the link to your privacy policy is placed conspicuously for your users to see.

Our privacy policy meets all of the requirements to comply with CalOPPA.

The post What is CalOPPA? appeared first on PrivacyTerms.io.

]]>
Why do You Need a Privacy Policy for Google Analytics? https://privacyterms.io/privacy/google-analytics-privacy-policy/ Thu, 03 Sep 2020 10:05:26 +0000 https://privacyterms.io/?p=2049 Why do you need a privacy policy if you use Google Analytics? Google Analytics, a free website analysis tool from Google, tracks traffic on your website by placing a cookie on visitors browsers and thereby collecting information. As part of Google Analytics Terms and Conditions you are required to have a privacy policy and secondly, […]

The post Why do You Need a Privacy Policy for Google Analytics? appeared first on PrivacyTerms.io.

]]>
Why do you need a privacy policy if you use Google Analytics?

Google Analytics, a free website analysis tool from Google, tracks traffic on your website by placing a cookie on visitors browsers and thereby collecting information. As part of Google Analytics Terms and Conditions you are required to have a privacy policy and secondly, you have begun to collect personal information so you are now required by law to have a privacy policy in place.

google analytics privacy policy

What is Google Analytics?

Google Analytics is a free website analysis tool from Google. It is used to track the traffic to your website and help you to understand your users behavior. Tracking is achieved by a cookie being placed on the browser of your users when they visit your website.

Google Analytics then provides you with data from each of your users visits. The data it gives you includes the amount of visitors you get to your website, which channels drive the traffic to your site, what pages are most popular, how long the average user stays on your site amongst many other useful statistics.

Google Analytics and Complying with Privacy Laws

As soon as your website begins to collect any personal data you are then required by law to have a privacy policy. As cookies collect this personal information and send that information to you, you are now required to have a compliant privacy policy.

Most international laws will require you to have the privacy policy in place and disclose your use of Google Analytics. These laws include General Data Protection Regulation (GDPR), California Online Privacy Act (CalOPPA), California Consumer Privacy Act (CCPA), and the Australian Privacy Act 1988.

Google Analytics Terms of Use

As part of the terms of use of Google Analytics you are agreeing to their terms and conditions. Clause 7, shown below, clearly states that you must have an appropriate privacy policy that complies with applicable laws relating to the collection of personal information from Users posted on your website.

Clause 7 Google Analytics Terms

How to Comply with Clause 7

By using Google Analytics your website is using cookies to track user information. You are therefore required to disclose, in your privacy policy that you use cookies. Your privacy policy needs to contain a cookie policy that includes the following information:

  • the types of cookies you use
  • the purpose of these cookies
  • the option to opt out of cookie tracking
an example of the cookie policy from a PrivacyTerms.io Privacy Policy

You can see that our Privacy Policy clearly states the use of Google Analytics and links users to an opt out option as well as Google Analytics Privacy Policy.

Google Analytics Advertising Features

About Google Advertising Features

Google Analytics Advertising Features groups together features which enable you to use the data which has been collected through the cookies in place for Google Analytics, to use for advertising.

These tools include remarketing (aka retargeting), Google Analytics demographics, Google Display Network Impression Reporting and Interest Reporting.

If you choose to make use of the Google Analytics Advertising Features then the following applies

If you use an SDK to implement any Google Analytics Advertising Features, such as Audience Reporting or Remarketing, you must comply with the Policy for Google Analytics Advertising Features, in addition to the Google Play Developer Program Policies, and any other applicable policy.

https://developers.google.com/analytics/devguides/collection/protocol/policy
Policy requirements for Google Advertising Features
https://support.google.com/analytics/answer/2700409

What this Means for Your Privacy Policy

By choosing to use Google Analytics and possibly the Google Analytics Advertising Features you need to ensure that you have a privacy policy that complies with Googles requirements. Let's recap what this means for your privacy policy:

  • disclose your use of Google Analytics in your privacy policy
  • have a cookies policy included in your privacy policy which describes what type of cookies you are using, what these cookies are used for and what third party cookies you use
  • include the option to "opt out" of cookies tracking for your users
  • ensure you are complying with the necessary international privacy laws, including GDPR, CalOPPA, CPPA, and Australian Privacy Act 1988
  • include that you use advertising features if applicable

The post Why do You Need a Privacy Policy for Google Analytics? appeared first on PrivacyTerms.io.

]]>
PDPB 2019 - India's Personal Data Protection Bill https://privacyterms.io/privacy/pdpb-2019/ Sun, 30 Aug 2020 09:17:39 +0000 https://privacyterms.io/?p=1888 What is The Personal Data Protection Bill of 2019? On December 11, 2019 India's minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, introduced the Personal Data Protection Bill in Lok Sabha, India, aiming to provide protection of the personal and sensitive data of the citizens of India. The bill seeks to govern the […]

The post PDPB 2019 - India's Personal Data Protection Bill appeared first on PrivacyTerms.io.

]]>
What is The Personal Data Protection Bill of 2019?

On December 11, 2019 India's minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, introduced the Personal Data Protection Bill in Lok Sabha, India, aiming to provide protection of the personal and sensitive data of the citizens of India. The bill seeks to govern the processing of personal data of the individual by the Indian government, Indian companies, any citizen of India and foreign companies who handle personal data of Indian Citizens.

Terminology of the PDPB

Personal Data

First lets begin with looking at what personal data means. Personal data is any information that is related to a naturally born person, which enables the identity of that person. The exact definition in the bill is as follows:

personal data" means data about or relating to a natural person who is
directly or indirectly identifiable, having regard to any characteristic, trait, attribute or
any other feature of the identity of such natural person, whether online or offline, or
any combination of such features with any other information, and shall include any
inference drawn from such data for the purpose of profiling

https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf

Examples of personal information are:

  • full name
  • home address
  • email address
  • date of birth
  • place of birth

Sensitive Data

Sensitive data is personal data that is protected against unauthorized access. Examples of sensitive personal data are

  • financial information
  • health information
  • caste
  • bio metric data
  • religious beliefs
  • genetic data

Data fiduciary

The term data fiduciary is defined by the DPBP as

any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.

https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf

Data principal

The data principal is the natural person that the data is relating to.

Who does the bill apply to?

The PDPB applies to the following entities who process personal data about individuals of India:

  • the Indian government
  • companies incorporated in India
  • foreign companies who deal with the personal data of individuals in India

Exemptions for small business

Under the PDPB there a few exceptions for small entities as follows:

  • a turnover less than twenty lakh rupees (approx 28.000 USD)
  • doesn't share personal information with any other business
  • did not process the personal data of more than 100 data principals on a single day in the past 12 months

The main features of India's Personal Data Protection Bill are:

  • the protection of the individuals privacy in relation to personal data
  • obligations of the data fiduciary
  • rights of the individual
  • grounds for data processing
  • data protection authority
  • transfer of personal data outside of India
  • exemptions
  • offenses
  • transparency and accountability

Protecting the Individual's Privacy

Privacy is a fundamental human right. It is the right to "freedom from unauthorized intrusion." When it relates to personal information, it means that the individual should have some right over how their personal information is handled.

With so much of our personal information now being collected online, many countries have created personal data regulations to help protect their residents data and privacy. The GDPR, CCPA and Australian Privacy Act 1988 are just a few of them. India's Personal Data Protection Bill 2019, which is expected to pass this year, is an important data governance infrastructure that will have consequences for any company that does business in or with India.

Obligations of the Data Fiduciary

The data fiduciary decides the means and purpose for processing personal data. The processing of the data is subject to the following conditions:

  • for specific, clear and lawful purpose.
  • in a fair and reasonable manner, ensuring the privacy of the data principle.
  • for the purpose which has been consented to by the data principal or which is connected to the initial purpose of collection, and which the data principal would reasonably expect that the data would be used for.
  • collection of personal data is only as necessary for the purpose of processing.
  • the data principal is given notice at the time of collection.This notice must include:
    • your company name and contact details
    • your purpose for processing
    • what personal data you collect
    • notice to the data principal that they have the right to withdraw consent
    • the basis for processing
    • source of collection if other than data principal
    • whom the data may be shared with, if this applies
    • how long you store personal data
    • how data principals can exercise their rights
    • the process for addressing grievances
    • the right to make a complaint
  • necessary steps will be taken in order to ensure that the personal data is complete, accurate, not misleading, up to date and having regard to the purpose of processing it.
  • personal data will not be retained for any longer than is necessary, unless it has been consented to by the data principal or is required by law.
  • the data fiduciary is responsible for complying with the provisions laid out in the act
  • consent must be given by the data principal before any data processing commences.
  • proof of consent for processing of personal and sensitive data must be able to be shown by the data fiduciary.

Rights of the Individual

The data principal has certain rights under the PDPB, they are as follows:

  • the right to confirmation and access: to be provided, in a clear and concise manner the following information:
    • confirmation of the processing of their personal data
    • what personal data has been processed,
    • a brief summary of the processing activities that have been undertaken
    • the right to access who the personal data has been shared with.
  • the right to correction and erasure: the right to have inaccurate or misleading data corrected, to have incomplete data completed, to have personal information that is out-of-date updated and to have personal data which is no longer necessary for the purpose it was processed erased.
  • the right to data portability: where the data has been processed by automated means then the individual has the right to have a copy of the data in a "structured, commonly used and machine-readable format." This data includes:
    • personal data provided to the data fiduciary,
    • data that has been generated while providing goods or services
    • any data which is part of a profile created about the data principal.
  • the right to be forgotten: the right to restrict or prevent continuing disclosure of personal information in the following circumstances:
    • the data is no longer required for the purposes it was collected for
    • consent for processing has been withdrawn
    • the data was disclosed unlawfully

Grounds for Data Processing

The PDPB states that personal data may only be processed with consent from the data principal. However there are a number of circumstances which allow the data fiduciary to process personal data without consent. these are:

  • in order to perform a function of the State: The Indian government may process personal information without consent in order to provide a government service or benefit to the individual or for the issuance of a certificate, license or permit made by Parliament or State legislature.
  • legal compliance: personal data may be process without consent if required under any law made by the Indian Government or in order to comply with the courts or tribunals of India.
  • in response to a medical emergency: in the event of a medical emergency which involves a threat to the life of, or severe threat to the health of the individual then personal data may be processed without consent. It may also be processed without consent in order to provide medical treatment or health services to any individual during an epidemic,outbreak of disease or any other public health threat.
  • for purposes related to employment: the processing of personal data, not including sensitive data, may be processed in order to recruit or terminate employment, in order to provide a service or benefit requested by the employee, in order to verify the attendance of the employee and for any activity that relates to the assessment of the employees performance.
  • other reasonable purposes: in order to determine what are reasonable purposes for processing the data the following needs to be considered:
    • what are the interests of the data fiduciary?
    • can consent be reasonably obtained?
    • is there a public interest for processing?
    • what effects will the processing have on the individual?
    • would the individual reasonably expect the processing?

Reasonable purposes may include the following:

(a) prevention and detection of any unlawful activity including fraud;
(b) whistle blowing;
(c) mergers and acquisitions;
(d) network and information security;
(e) credit scoring;
(f) recovery of debt;
(g) processing of publicly available personal data; and
(h) the operation of search engines.

Data Protection Authority

The Indian government shall establish a Data Protection Authority for the purposes of this act. The duty of the Authority will be to

  • (i) protect the interests of the individual,
  • (ii) monitor and enforce the provisions of the Act
  • (iii) take prompt, appropriate action in the case of data breaches
  • (iv) maintaining a database on its website that contains the names of significant data fiduciaries along with a trust score
  • (v) examine data audit reports
  • (vi) issue certificates of registration to data auditors and maintain the renewal, withdrawal, suspension or cancellation of them, along with maintaining a database of registered data auditors.
  • (vii) promote awareness and understanding of the risks, rules, safeguards and rights of personal data in accordance with the Bill
  • (viii) monitoring technological developments and commercial practices affecting personal data
  • (ix) advising the Indian government on measures that are required to protect personal data and to ensure the application and enforcement of the act.
  • (x) to specify fees and charges in order t carry out purposes of this Act
  • (xi) dealing with complaints under this Act
  • (xii) performing any other functions as required

Transferring Personal Data Outside of India

Sensitive personal data may be transferred outside of India, but must still be stored in India. In order for the data to be transferred the data principal must give consent and meet the following conditions

  • the transfer is made as per a contract or an Authority approved scheme
  • the Indian government has allowed the transfer to the country, an entity of the country, or international organization
  • the Authority has allowed the transfer for a specific purpose

Exemptions

The Indian government can exempt any of its agencies if it is satisfied that it is "necessary and expedient" and:

  • it's in the interest of the sovereignty and integrity of India and positive relations with foreign states and public order
  • it will prevent the incitement to the commission of any cognizable offense

Exemptions to the bill are also found in the processing of personal data for the following purposes:

  • for prevention, detection, investigation and prosecution of an offense or breach of the law
  • as required for legal proceedings
  • if it is necessary for judicial function
  • personal or domestic purposes
  • journalistic purpose

All processing of the above must be for specific, clear and lawful purposes.

Offenses

Violations under the bill are punishable by a fine and in some cases imprisonment. They are as follows:

  • processing or transferring of personal data in violation of the PDPB provisions is liable to a penalty of up to 15 crore rupees (approx 2.7 million USD) or 4% of the company worldwide turnover, whichever is higher
  • selling personal data that results in harming an individual or re-identifying anonymized data may result in imprisonment for up to 3 years

Transparency and Accountability

Like the majority of privacy laws, India's Personal Data Protection Bill requires that you have a privacy policy. In order to be compliant with the PDPB your privacy policy will need to include the following:

  • types of personal data are collected and how you collect it
  • the purposes for processing the personal data
  • categories of personal data that are collected in exceptional circumstances
  • the rights of the data principal and how they can access them
  • the individuals right to file a complaint about you
  • if applicable a data trust score
  • where applicable, information regarding cross border transfers of personal information

If you already have a GDPR, CCPA and Australian Privacy Act compliant privacy policy then you many of these will already be covered.

In order to safeguard the personal data you collect and store the following need to be implemented:

  • de-identification and encryption methods
  • protection of the integrity of personal data
  • necessary steps that will prevent the misuse, unauthorized access to, modification, disclosure or destruction of personal data

If for any reason there is a breach of any personal data that you have processed then the Authority must be informed of the breach, if it is likely to cause any harm to the individual. The notice needs to include the following:

  • the nature of personal data that is subject to the breach
  • the number of data principals affected by the breach
  • the possible consequences of the breach
  • the action you are taking to remedy the breach

The PDPB requires that a Data Protection Officer is employed if they are considered a "significant data fiduciary" by the Authority. The Authority classifies a data fiduciary as significant based on :

  • volume of personal data processed
  • sensitivity of personal data processed
  • the turnover
  • risk of harm by processing of the data fiduciary
  • use of new technologies for processing
  • any other factor causing harm from such processing

Conclusion

India's Personal Data Protection Bill is about to become the latest international law which helps protect the privacy rights of the individual. The enactment of this bill will make India a safe country in which to handle and process personal information. There are a few things which you can do in order to be prepared for when the PDPB becomes a law:

  • review and update data protection policies
  • review how you notify your users that you collect their data
  • review how you obtain consent from your users
  • review how you keep personal data safe
  • consider how you will meet the requests of your users data principal rights

The post PDPB 2019 - India's Personal Data Protection Bill appeared first on PrivacyTerms.io.

]]>
Do I need a Privacy Policy if I Don't Collect Personal Information? https://privacyterms.io/privacy/privacy-policy-if-i-dont-collect-personal-information/ Tue, 18 Aug 2020 13:30:36 +0000 https://privacyterms.io/?p=1438 Do I Need a Privacy Policy if I Don't Collect Personal Data? The short answer is yes. You still need a privacy policy even if you do not collect data because it's in the policy that you state your app or website doesn’t collect personal data.  A privacy policy informs your users what data you […]

The post Do I need a Privacy Policy if I Don't Collect Personal Information? appeared first on PrivacyTerms.io.

]]>
Do I Need a Privacy Policy if I Don't Collect Personal Data?

The short answer is yes. You still need a privacy policy even if you do not collect data because it's in the policy that you state your app or website doesn’t collect personal data. 

A privacy policy informs your users what data you collect (or do not collect), how the data will be stored, used, and the rights your users have over their data. 

Even though it is a legal requirement, a privacy notice also demonstrates to your users that you have a transparent process of handling their data and, therefore, worthy of their trust.

Third parties such as Google, Facebook, or MailChimp gather user’s data. So, if you use third-party services, you should have a privacy policy that communicates what data third parties collect and how it will be used. 

If you do not collect personal data and don’t use third-party tools, you’ll still need a privacy policy that explains such a position to your users.  

The General Data Protection Regulation (GDPR) is the primary privacy law regulating how entities manage user data. In this article, you will learn:

  • What is GDPR?
  • What are the privacy requirements in the EU, Australia, and Canada?
  • Do I need a privacy policy to access Google Analytics?
  • What needs to go into my privacy policy to be compliant with the GDPR?

What is GDPR?

The General Data Protection Regulation outlines the requirements for collecting data from residents in the European Union

It safeguards the rights of EU citizens concerning use and control over their data, notwithstanding the entity collecting their data is outside the Union. It provides what these entities must do to safeguard the interests of EU users. 

Besides the GDPR, the Organization for Economic Cooperation and Development (OECD) provides guidelines for protecting the privacy and trans border flows of personal data. 

The 2013 OECD guidelines guide its 37 member countries on the development of data protection laws and touch on among other areas issues of private data storage, abuse, and unauthorized disclosure of such data. The guidelines also note the importance of supporting the free flow of data for sectors such as banking and insurance. 

Both the GDPR and the OECD privacy guidelines work in a complementary function, and more or less have similar provisions. The only difference is that the OECD guides member country laws while the GDPR is more for website/ application owners. Although both are global efforts, the GDPR protects EU residents, while OECD guidelines are cross-cutting as the institution has members from all eight continents. 

What Are the Privacy Requirements in Australia, Canada, and the United States?

Australia’s Privacy Act outlines the legal framework for data privacy and requires entities operating in Australia to have a privacy policy. The law limits the collection of data to only information relevant to the company business. According to the law, users have the right to know why you collect their data, who handles it, and who will be preview to it. The entities also have the responsibility of ensuring the private data isn’t lost or abused. 

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is the law that protects Canadians against institutions abusing data collected from them. The law requires web and application owners to get users to agree to their data being collected, used, and disclosed. 

Institutions collecting data are also required to state how the data will be used and use it according to the stated purpose. The Canadian law establishes the office of a Privacy Commissioner to handle complaints against institutions that misuse personal data. 

Do I Need a Privacy Policy to Access Google Analytics, AdWords, and AdSense?

Yes. Google requires you to have a privacy notice if you’re to access free tools such as Google Analytics, AdWords, and AdSense

Since you built your web/application for people, you will undoubtedly find analytics useful in helping you organize your online presence. Furthermore, you may also want to promote your website on Google, to expand its reach. 

Analytics provides insights on who your users are, what sections of your site they find most useful, where they come from (geography), and your sources of traffic. 

It is for this reason that Google requires you to have a privacy policy if you’re to access Google Analytics and AdWords. If you have any ambition of making money from your content using Google AdSense, then you also need the policy. 

You need the privacy notice because to use these tools, as Google needs to monitor and monetize the behaviors of the people who use your platform.  

What Needs to Go Into My Privacy Policy to Be Compliant With the GDPR?

Even though you do not intend to collect data, your privacy policy must include the following provisions:

  • Scope of your privacy policy
  • Explain you do not collect data
  • Indicate if you share data with a third parties

Scope of the Privacy Policy

For instance, Oracle, the computer technology corporation in its privacy policy, give the scope of their policy. It provides that their policy covers the processing of personal information from not only the site users but also their visitors and attendees of their events. The notice is also meant to include private data Oracles collects from suppliers, business partners, and subscribers of their magazines.

 Explain That You Do Not Collect User Data  

Ecquire does not collect or store any data or messages on their platform. They use their privacy notice to explain how they can stay away from collecting user data. 

Indicate If You Share Data With Third Parties

Even though Ecquire doesn’t collect data, they use a third-party analytics tool, which does. In their privacy notice, they indicate the data the third party collects and how they use it. 

Conclusion

You can opt for an elaborate privacy policy or a short one depending on the nature of your business. You may also choose to have a summary version alongside a detailed notice. Either way, it is essential to have a privacy notice to comply with the legal requirements the country your business operates in and the country your target audience is situated. 

Our free privacy policy generator will provide you with a customisable lawyer drafted privacy policy to cover your business requirements.

The post Do I need a Privacy Policy if I Don't Collect Personal Information? appeared first on PrivacyTerms.io.

]]>
What are Cookies and What do They do? https://privacyterms.io/privacy/what-are-cookies/ Wed, 12 Aug 2020 11:53:41 +0000 https://privacyterms.io/?p=1044 When it comes to websites most people have heard of a cookie but what exactly are they? Cookies 🍪 are text files held on your computer that store information about you and the website you are visiting. The website sends the cookie to your computer and your computer then stores this information. This information allows […]

The post What are Cookies and What do They do? appeared first on PrivacyTerms.io.

]]>
When it comes to websites most people have heard of a cookie but what exactly are they?

Cookies 🍪 are text files held on your computer that store information about you and the website you are visiting. The website sends the cookie to your computer and your computer then stores this information. This information allows the website to remember certain pieces of information when you browse to a different page or start another session.

What do Cookies do? 🍪

What do Cookies do? 🍪

Cookies store information about your activity on a website. For example a cookie will remember your login details so if you close your browser page and reopen it you will still be logged in. They will remember what you have placed in your cart while you are still browsing the site. Without cookies your cart would empty each time you changed pages on a website.

How Secure are Cookies? 🍪

Cookies alone don't pose any threat to your security. They simply store information that has been given to a website. However there are some cookies known as malicious cookies. These cookies track and store your online activity without your knowledge. It is possible that this information can be made available to third party websites.

Types of Cookies

There are a number of different types cookies and each of them have their own functions. The following are some of the more common cookies.

🍪 Session Cookies

Session cookies are temporary cookies that are deleted when your web browser is closed. These cookies require you to log in each time you visit a site as they do not remember your information from one visit to the next.

Examples of session cookies uses are shopping cart, remembering you from one page to the next, and multi media content playing.

🍪 Persistent Cookies

Persistent cookies are cookies which are saved in your browser until you delete them or they they are deleted by your browser when they expire.

Examples of uses of persistent cookies are language selection, authentication, favourites and internal site bookmarks.

🍪 Functionality Cookies

Functionality Cookies allow a website to remember choices that have been made by the you. This then helps create an experience that is tailored just for you.

Examples of uses of functionality cookies are language selection or region selection.

🍪 Performance Cookies

Performance cookies are used to collect information. This information gives feedback on how the website is being used and helps to create a better user experience. Information collected by performance cookies is anonymous.

Examples of uses of performance cookies are tracking the most used pages and error messages.

🍪 Advertisement Tracking Cookies

Advertisement tracking cookies are third party cookies used by advertisers to enable them to to tailor their advertisements to the individual user. Information is collected from your browser about the types of websites you visit. Then advertisements that are most inline with your interests are then presented to you.

🍪 Affiliate Tracking Cookies

Affiliate tracking cookies are stored on your browser when you click on an external link from a website to a new website's product page. This allows the initial website to earn a commission from the product if you make a purchase.

If you use Affiliate cookies or advertisement tracking cookies, you can include relevant clauses using our privacy policy generator.

privacyterms.io team

How Secure are Cookies?

Cookies alone don't pose any threat to your security. They simply store information that has been given to a website. However there are some cookies known as malicious cookies. These cookies track and store your online activity without your knowledge. It is possible that this information can be made available to third party websites.

Managing Cookies in Your Browser

You may wish to delete cookies from your browser at some stage. Please be aware before you delete all cookies that by doing so you will be forgotten when you are returning to sites that normally recognize you and may need to login again.

So, with that said, let's delete some cookies. In this example I will be showing how to manage and delete cookies in Firefox on a Mac.

  • Open your browser, this is where your cookies are stored. The most popular browsers are Internet Explorer, Chrome, Firefox, Safari and Edge.
  • Locate where the cookies are stored. For example, on my Mac, in Firefox, I choose Firefox in the top left of me screen. This opens a drop down menu.
  • From this menu I select preferences and this brings up a new tab. In preferences I scroll down to Cookies and Site Data and here I can choose to clear or manage my data.
Image of Firefox Data preferences
  • Clear data. Clearing the data will clear all cookies from all websites you have visited. You will get a warning that clearing all of your cookies may result in you being signed out of websites.
  • Manage Data: By selecting to manage your data you will be taken to a screen as shown below. Here you can select which sites you wish to delete cookies from.
  • Manage Permissions: here you can select which websites always have permission or never have permission to use cookies and site data.

Although I have given an example using Firefox, each browser has an option to manage cookies. In Internet Explorer select Tools then Internet options and lastly the General tab. In Chrome select Menu then Settings and then Show advanced settings. If you cannot find the exact location, Google will be able to help you. Just type in the browser name you are using and delete or manage cookies.

Final Words

In majority of cases cookies are user friendly and harmless. They function to make your online experience seamless and easier. If you are concerned you may have some bad cookies then doing a little clean up will be useful.

The post What are Cookies and What do They do? appeared first on PrivacyTerms.io.

]]>