« go to the main website

iubenda blog

iubenda's blog, privacy policy generator for websites and apps

Posted on by Simon Schmid


Canada's anti spam legislation is going into effect tomorrow, July 1st (with a 3-year transition period attached to it).

This change in Canadian spam rules (the regulation itself is called Canadian Anti-Spam Legislation, CASL) is not directly related to our service, the generation of privacy policies. But it does not hurt to know more about the topic. Emailing is a privacy related topic, therefore make sure you educate yourself about it. Spam is a very serious problem and privacy authorities have powerful tools to hurt organisations that go against their provisions. 

When does the CASL apply to you?

The CASL is relevant to you and your situation when you have Canadian users on your emailing lists. 

What's the most important information regarding CASL?

You should probably start using permission based email-marketing. That means you have express consent by the people on your list. It's the easiest way to make sure everything is going down smoothly.

There are three general requirements for sending a commercial electronic message (CEM) to an electronic address. You need (1) consent, (2) identification information and (3) an unsubscribe mechanism. The questions under this heading relate to the second requirement – identification information.

To find out what that means consult the FAQ.

More basic information about the CASL?

The CASL is enforced by three agencies. They are the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner. The CRTC is providing a lot of guidance to some of which I'll be linking right below in the informational green box.

That's it. If you are using Mailchimp for your newsletter/emailing needs then you may consult their blog post regarding CASL here.

Posted on by Simon Schmid | Posted in Category

Leave a comment

Posted on by Simon Schmid

If you're based in Europe or you are officially targeting European users, then the cookie provisions may be relevant to you.

The reason for the cookie related obligations is the EU cookie law (also called e-Privacy Directive), which was last updated on 26 May 2011. Since then European states have interpreted and implemented the rules in various ways and stages. Your compliance measures will therefore depend on the country that is relevant to your project.

What's excpected from you if you fall under a cookie provision?

Make sure you explain what the cookies are used for. In particular these four tips seem to be a good framework to start from:

  • Which are the cookies used on your site?
  • Who is installing them?
  • What are they being used for?
  • How do you reject their installation/how do you uninstall them?

Iubenda's privacy policy generator will assist you with the creation of a cookie policy. By activating the cookie policy within iubenda you will get a complete section covering the use of cookies on your site or application, within your existing privacy policy.

This post explains how you can create a cookie policy easily with the help of iubenda's privacy policy generator.


How it works

Create a privacy policy with iubenda or choose the pre-existing privacy policy you want to improve. Then choose "Activate cookie policy" from within the customization settings in the right sidebar. This will open a modal window with forms that will help you with filling out and finalizing your cookie policy.

Iubenda prepopulates the cookies we know of (originating at your third party services). Therefore, all you have to do is to double-check your own cookies, add them to the appropriate forms and double-check the cookies we've identified for you.

What iubenda helps you with/Your next steps

The generator helps you out with a relevant structure by identifying the various relevant categories:

  1. Strictly necessary cookies
  2. Other cookies
  3. Automatically included cookies (included by the generator)

While you will have to manually include all of the cookies set by your application, we will help out by providing the cookies set by your third party services. We will also automatically group them with the appropriate categories, therefore we'll also make sure that people understand what these cookies are good for.

Since the handling of cookie disclosures and their enforcement couldn't be more of a mess across the continent, we've decided to start with this minimal implementation. Each country has their own rules for how you should handle the cookies and their disclosure. What this initial version provides you with, is the framework for disclosure within your privacy policy.

What you will have to take care of is the actual cookie notice and technical implementation according to your legislation. Some cookies need user consent and therefore need some sort of a banner to make sure that a user is able to consent to the use of those cookies.

Take this as a general statement:

Not all cookies require consent to be used. Those eligible to this exception are cookies essential to delivering the service requested by the user (the strictly necessary cookies mentioned above):

  • session cookies,
  • authentication cookies (for the duration of the session) and
  • user security cookies (the above mentioned strictly necessary cookies).

Cookies that need consent are usually to be found in advertisement and analytics related fields.

We encourage you to read up on the situation in your country. To facilitate this, we’ve linked you to the relevant coverage below.


Overview for Europe's legislations 

Below you'll find some notes regarding our main markets and some links to the relevant sites and documentation. Euopean regulators as part of Article 29 Working Party have published an opinion on cookies, which is why this document makes for insightful reading.

Here's an additional interesting pdf that compares the state of the cookie law implementation across the EEA which is helpful on many levels.

A defining element across the legislations is how that user consent needs to be sought. Is "implied consent" enough (the user sees the notice and keeps browsing because he consents to the setting of the cookies), or do you have to get prior consent that comes down to an "opt-in" solution?


Status: the ICO investigates based on complaints.

Strict ‘opt-in’ consent required (or expected): no

The ICO regarding implementation of the notice:

It is likely to be more difficult to obtain consent for this type [not strictly necessary cookies] where you do not have any direct relationship with a user – for example where users just visit a site to browse. In this case websites should ensure the information they provide to users about cookies in this area is absolutely clear and is highlighted in a prominent place (not just included through a general privacy policy link). As far as possible measures should be put in place to highlight the use of cookies and to try to obtain agreement to set these cookies. There are various ways in which information about cookies can be — see Providing information about cookies. 


The authority regarding implementation of the notice:

It is particularly important that the requirements are met where so-called 'third party' or 'tracking' cookies are being deployed, such as when advertising networks collect information about websites visited by users in order to better target advertising. For cookie usage, this Office would be satisfied with a prominent notice on the homepage informing users about the website's use of cookies with a link through to a Cookie Statement containing information sufficient to allow users to make informed choices and an option to manage and disable the cookies. Practically, for Irish website operators we suggest the following for minimum compliance with these requirements:

Paraphrased these requirements are:

  1. Consent may be obtained explicitly through the use of an opt-in checkbox which the user can tick if they agree to accept cookies: "I accept cookies from this site [Checkbox]";
  2. Consent may also be obtained by implication: "By continuing to use this site you consent to the use of cookies in accordance with our cookie policy".


Status: uncertain

Strict ‘opt-in’ consent required (or expected): no

The situation is confusing to say the least. The directive seems not to be implemented properly, while recent news seem to be confirming the opposite (more information in German). If you want to be completely sure, go with an opt-in solution.


Status: enforcement not before May 8th, 2015.

Strict ‘opt-in’ consent required (or expected): no

Official guidance outlines the need for a privacy policy with cookie info, to be published through a special banner shown on the homepage of the website. That banner must contain two parts: 

  • Advise the users that the site installs cookies (first as well as third party cookies) allowing users to consent to this kind of data processing;
  • Place a link in the same banner to further information, especially for third party cookies which will allow the user to provide consent in a selective way.

Italian site owners are not liable for third party cookies according to this guidance by the Garante.


Status: active

Strict ‘opt-in’ consent required (or expected): yes/no

The CNIL recommends a two-step approach to obtaining consent:

  1. the website must have a banner on the home page that complies with the CNIL recommendations;
  2. the user must be informed in a simple and intelligible way (on a dedicated page) of how they may consent or refuse to all or some of the cookies. The information must be clear and set out full details about each type of cookie used on the site and the reasons why each cookie is used. 

Cookies can only be served if the visitor gives explicit/opt-in consent. Limited exemptions apply to analytics cookies.


Cookies may be served if the user given the user's consent (the information must be clear and comprehensive about why their personal data will be collected and processed). Implied consent is possible.

Le mécanisme de recueil de consentement, analysé ci-dessous, doit fournir un avertissement clair, compréhensible et visible concernant l’utilisation des cookies. Cet avertissement renverra vers l’information complète relative à la politique d’utilisation des cookies.

.La Commission considère que le butinage vers d’autres espaces du site (« further browsing ») pourra être considéré comme un comportement actif par lequel l’utilisateur signifie son consentement indubitable si l’utilisateur est clairement informé à ce propos et si cette information reste présente sur le site jusqu’à ce que l’utilisateur fasse un choix explicite ou ferme l’espace d’information.


Spain’s data protection authority has produced great guidance which states that the cookie notices should be sufficiently visible and link to a place with more information in which you can reject the cookie installation. It’s enough to show the notice upon the first visit. Implied consent may be enough.

"En los casos en que el usuario no manifieste expresamente si acepta o no la instalación de las cookies, pero continúe utilizando la página web o la aplicación se podría entender que éste ha dado su consentimiento, siempre que se le haya informado claramente en este sentido y se ofrezca en todo momento a través de las formas señaladas en esta guía un aviso que ofrezca de modo permanente información sobre la utilización de las cookies y la posibilidad de desinstalarlas.

La información que se ofrezca en esta primera capa se podrá mostrar a través de un formato que sea visible para el usuario como por ejemplo un layer, una barra o a través de técnicas o dispositivos similares, teniendo en cuenta que la localización en la parte superior de la página captaría mejor la atención de los usuarios."


Status: active

Strict ‘opt-in’ consent required (or expected): yes

Explicit guidance from the Portuguese data protection authority about consent is still missing. The opinions regarding the Portuguese DPA's stance is unambiguous, however: implied consent is probably not going to be enough and continuous use of a website will only be regarded as consent if clear and evident information has been given.

What's next

Activate the cookie policy like this and follow the instructions in the cookie modal.


And take a look at our guides for 

Or just make your first privacy policy with iubenda's generator.

Cookie policy pricing

The cookie policy is included in our standard Pro subscription pricing at $27/year or any other license for that matter. 

Posted on by Simon Schmid | Posted in Category

Leave a comment

Posted on by Simon Schmid

Two days ago we've announced the integration of the image processing service Cloudinary and the affiliate marketing app called Referral Candy. Today is starting off by the integration with another analytics  tool called Parse Analytics. This means you can now easily browse the collection of services/clauses within iubenda and find & add Parse Analytics to your privacy policies.



What is Parse Analytics?

Parse Analytics is a product by the Parse team that lets you properly analyze app usage and custom analytics.

With a single line of code, track any data point you can imagine in your app. Simply send us the data and we'll break it down for you in the Analytics dashboard.

Why include a privacy policy for Parse Analytics?

Analytics tools have the potential to analyze the behavior of your users. It's largely considered to be an activity that has to be disclosed to users/visitors of a website or app.

Parse has a paragraph for you to have a privacy notice in place in their terms, too:

3.3 You agree that you will protect the privacy and legal rights of the End Users of your application. You must provide legally adequate privacy notice and protection for End Users. If End Users provide you with user names, passwords, or other login information or personal information, you must make the End Users aware that the information will be available to your application and to Parse.

By using iubenda for your app this becomes as easy as choosing the Parse Analytics clause and adding it to your privacy policy. Let us help you with it.


Generate Privacy Policy for Parse

Posted on by Simon Schmid | Posted in Development

Leave a comment

Posted on by Simon Schmid


A little earlier we've announced the integration with an image processing service called Cloudinary. Now I'm happy to let you know our integration with an affiliate tool called Referral Candy. This means you can now easily browse the collection of services/clauses within iubenda and find & add Referral Candy to your privacy policies.


What is Referral Candy?

Referral Candy helps you acquiring new customers & increase sales with a referral program. You'll use it to amplify Word-of-mouth, increase sales and have richer customer insights. The set up is very flexible and lets you completely integrate it with your app, or test some campaigns manually.

Why include a privacy policy for Referral Candy?

Referral Candy collects the e-mail addresses of users, aggregates information on what pages consumers access or visit, and information volunteered by the consumer (such as survey information and/or site registrations). They also collect the total invoice amount and timestamp for purchases made by customers of retailers on their service. 

The data collection happening is something that should be disclosed and go into a privacy policy.

By using iubenda for your site this becomes as easy as choosing the Referral Candy clause and adding it to your privacy policy. Let us help you with it.


Generate Privacy Policy for Referral Candy

Posted on by Simon Schmid | Posted in Category

Leave a comment

Posted on by Simon Schmid


We've recently integrated Cloudinary with our privacy policy generator. This means you can now easily browse our ever growing collection of services/clauses and find & use Cloudinary in your privacy policies.

This is how you add a Cloudinary clause to your privacy policy

What is Cloudinary?

Cloudinary makes image management in the cloud simple. They can be used for web and mobile applications. Some of the features include: 

  • Upload images to a cloud-based storage
  • Tons of image manipulations & effects
  • PDFs, sprites, watermarks, social profile pictures
  • Fast CDN delivery for better user experience
  • Powerful dashboard, media library and reports
  • Comprehensive image management APIs

Why include a privacy policy for Cloudinary?

Using Cloudinary you may be uploading content to the service that includes personal information. The data collection happening is therefore something that should be disclosed and go into a privacy policy.

Cloudinary has a paragraph for your privacy compliant behaviour in their terms

You represent that your disclosure of privacy practices to Authorized Users will cover the Service's use of personal information pursuant to the Service's privacy policy, located at http://cloudinary.com/privacy.

By using iubenda for your site this becomes as easy as choosing the Cloudinary clause and adding it to your privacy policy. Let us help you with it.


Generate Privacy Policy for Cloudinary

Posted on by Simon Schmid | Posted in Category | Tagged , ,

Leave a comment

Posted on by Simon Schmid

Last year we've written about the so called Internet Sweep Day which was a coordinated audit by 19 members of the GPEN (Global Privacy Enforcement Networt) looking at over 2000 popular sites and applications worldwide.

Between the May 12 and 18 the GPEN went ahead with organizing an international privacy sweep, specifically targeted at mobile applications, this time around involving 27 data protection authorities around the world.

The communicated issues to be examined before the sweep were as follows:

Sweep participants will be looking at the types of permissions an app is seeking, whether those permissions exceed what would be expected based on the app’s functionality, and most importantly from a transparency perspective, how the app explains to consumers why it wants the personal information and what it will do with it.

Participating authorities will look at some of the most popular apps or apps that are of particular interest in their country or region. For example, some authorities plan to focus on health-related apps or apps developed by public sector organizations.

A little later in the year we plan to take a look at some of the reactions from the sweep. This should help form an understanding of which elements are being closely looked at and therefore should be closely looked at by you. 

Some of the interesting results will be found in Australia, UK, Spain, New Zealand, Mexico, Italy, Ireland, France, Germany and Canada.



Posted on by Simon Schmid | Posted in Category

Leave a comment