Online privacy can be a tricky issue which requires a balance between the commercial interests of internet-based companies and the privacy rights of their users. These tips will help you get that balance right in your Privacy Policy and ensure users are fully aware of how you handle their information.

Accounts and Personal Information

The definition of "Personal Information" encompasses many things that may not seem very personal at first. But Personal Information is an intentionally broad term. It includes anything that could be used to help identify a person. For example, an email address is Personal Information because it can be used to track down the owner of that address. Other pieces of information, like name, age, address, or phone number, are also Personal Information.

When your website collects Personal Information of any sort, you are required to clearly disclose the company's use of that information and obtain users' consent. This is why a detailed Privacy Policy is necessary for operating most websites.

There can be strict legal consequences for failing to disclose the types of information your website is collecting and the ways that information is being used. So it is best to be completely transparent in the Privacy Policy and allow users to fully understand your company's data collection strategy.

Additional Data Collection

Websites routinely collect more information than just the data manually entered by their users. Most websites have built-in tools to capture additional information about their users' location, their software and hardware configurations, and the amount of time they spend on the website before clicking elsewhere. These additional pieces of data can be very valuable to a company. However, just like Personal Information, users are entitled to know what information is being collected. The Privacy Policy must provide clear details on this additional data collection, including what information is being collected and the purpose of that data collection. 

Cookies

Cookies are tiny data files that are stored on a user's computer. Cookies are used  for a variety of purposes, but most commonly they are used to facilitate the saving of usernames and passwords, or to provide information to advertisers about the products or services the user has viewed online.

Although cookies are very common on the internet, it is still important that websites disclose their use of cookies. If cookies are used, the website should disclose how they are used. 

As a website's use of cookies may change over time, the Terms of Use generated through Founded contain fairly broad provisions for the use of cookies, including permitting the company to use cookies for advertising purposes. Even if the company is not presently using cookies for advertising purposes, these provisions will allow the company to do that in the future with users' permission.

Third Party Applications

Many websites contain integrations with third-party service providers or other websites. These integrations increase the functionality of the website and can be very convenient. At the same time, user data can be shared with other websites, and users need to give their consent before their information is shared. Listed below are some common ways that websites can be integrated with third-party applications.

Remarketing 

Remarketing is common among e-commerce websites. When a user shows interest in your products or services, remarketing services will continue to show advertisements to that potential customer after they leave your website. This is usually facilitated through the use of cookies on the website. If your website engages in remarketing, the Privacy Policy will make note of that and broadly explain remarketing to users.

Referral

Referral services are a common lead-generation strategy for online businesses. Users of a website are often given an incentive to provide the contact information for other people who might be interested in using the website. This can be an effective and inexpensive way to generate new users for your website. However, it is important to disclose how the company will treat the contact information for the leads generated through the referral service. If referral services are selected when generating a Privacy Policy on Founded, the Privacy Policy will state that the company will send a preliminary email to any contact submitted through the referral service, and the company will continue to store that contact information in order to track whether or not the referral is successful. Keep in mind that any emails sent through an online platform must be compliant with anti-spam laws.

Data Storage

For most internet-based companies, user data is only ever stored in electronic form. But in some instances, companies print out user data and store that information on paper in their office.  Users are entitled to know whether data storage will be entirely electronic, or if there are some paper-based processes. If information is stored on paper, the company will be under an obligation to take reasonable precautions to keep that data safe and confidential. 

It is also important to let users know where their electronic data is stored. Each country has different laws about accessing electronic information. If you use data storage servers outside of Canada, user data may become subject to international laws. This is not uncommon, but users are still entitled to know which laws will govern the storage of their information. If all data is stored on servers located in Canada, then that data will be subject to Canadian laws.

Security Breaches

No data storage system is perfect and security breaches are a risk in any business. Any website that collects user information must have a policy about how users will be informed in the event of a security breach. It is best to have a clear timeline for informing users of a security breach. The company should designate a senior employee to oversee its security policies, including the policy about responding to security breaches. This person is often referred to as the Chief Privacy Officer. If the GDPR applies to your business, then you must report a breach within 72 hours of becoming aware of a security breach to the supervisory authority. This is the case unless you can establish that the breach has caused no actual risks for your users or other individuals.

Age Restrictions

Collecting personal information about children on the internet is highly regulated and often completely prohibited under the law. It is never recommended to collect any information on users under the age of 18. To make it clear that minors are not permitted to submit information on the website, many Privacy Policies and Terms of Use explicitly prohibit anyone under 18 from using the website for any reason.
If, due to the nature of your business, your website collects any information about anyone under 18, you must include additional details on the precautions the company takes to protect information related to children.

Did this answer your question?