iubenda blog

iubenda's blog, privacy policy generator for websites and apps

Posted on by Simon Schmid


I have recently written about a topic close to my heart: Twitter's Lead Generation cards and their requirement to add a privacy policy to the attached information. A similar requirement is true for the Twitter website tag and remarketing.

The "Twitter website tag" has its own policy and Twitter itself requires you to have a privacy policy for this product (or sufficient legal notice):

Advertisers using the website tag must provide sufficient legal notice of the following to site visitors:

  • How you are working with third parties to collect visitor/user data for conversion tracking purposes.

  • If remarketing is enabled, how you are working with Twitter to collect visitor/user data for remarketing purposes, and that visitors/users may find instructions on how to opt out of Twitter's collection of remarketing data here.

Apart from the information regarding your use of third-party components for conversion tracking purposes, Twitter requires a basic explanation of how remarketing works between you and Twitter, as well as the presence of the opt-out link in your documents.

That's exactly what we've done today. We've added a clause called "Twitter Remarketing" to our privacy policy generator ready for you to use and love. 

Since a couple of lines of Twitter advertising disclosure don't make a complete privacy policy, you may benefit from our generator, which currently generates a privacy policy in 6 languages based on the strictest privacy laws out there (Europe's, with additions for the US and other countries).

Generate a privacy policy for Twitter Remarketing


Posted on by Simon Schmid

The French CNIL (La Commission nationale de l’informatique et des libertés) has long been Europe's frontrunner when it comes to cookie compliance. In December 2013 the CNIL published a guide to what it considers cookie compliance to look like.

Now the beginning of October 2014 marks the start of automated compliance checks. The CNIL will start by checking sites for compliance with its December 2013 recommendations. In particular, this is what French site owners need to take a closer look at:

  • cookies are not placed or run before the user could express agreement;
  • the arrangements for obtaining consent by the user;
  • visibility, quality and simplicity of information about cookies;
  • the ability for the user to withdraw consent at any time;
  • the lifetime of cookies and validity of consent (which shall not exceed 13 months).

The loi Informatique et Libertés

The use of cookies normally requires the user's consent. In France this is a rule under the Data Protection Act (loi Informatique et Libertés, article 32-II de la loi du 6 janvier 1978 modifiée par l’ordonnance du 24 août 2011). Those requirements have their roots in European directives, called 2002/58/CE and 2009/136/CE.

The requirement can be reduced to this main statement:

It's necessary to inform users of the presence, purpose, the shelf life of the cookies placed in their browsers, and the means at their disposal to oppose it.

It's a general requirement for anyone that publishes on the web, via a site or application. 

What are the CNIL's recommendations?

The CNIL therefore adopted a recommendation which proposes a 2-step procedure, mandatory since February 2014.

First Step for cookie compliance in France

The visited site must have a banner informing the user that further navigation of the site constitutes an agreement for the installation and reading of cookies. This banner must specify the purpose of the cookies used and the possibility to object (via a link to a dedicated page of the site). This banner does not disappear until the user has continued elsewhere (another page or item on the site).

Second Step for cookie compliance in France

The user needs to be informed of the possibilities to accept or refuse all or some of the cookies in a simple and readable way.

To make these recommendations more accessible the CNIL has set up a page with code examples and frequently asked questions that are helpful in understanding the scope of the requirements:

The consent for the cookie's setting cannot exceed 13 months.

Which are the cookies that are exempt from the consent rule?

As is the case in other European countries, France has exempted certain cookies from the cookie consent rule. Those are the cookies strictly necessary to offer the service sought after by the user. Examples for such cookies are:

  • the shopping cart cookie;
  • session cookies or persistent cookies for a couple of hours of duration in certain circumstances;
  • authentication cookies;
  • session cookies created by a multimedia reader;
  • load balancer cookies;
  • certain first party analytics (PIWIK);
  • persistent cookies for interface personalization.

This is it. It's going to be interesting to see how the whole cookie disclosure pans out in Europe. Btw. the CNIL has also announced that it is about to take part in another "Cookie Sweep Day" during the week of the 15th September. So stay tuned for another round of results regarding the use of cookies on the European web.

Use iubenda's cookie disclosure tool


Posted on by Simon Schmid


Surely by now this comes as no surprise to most (and even less to people who follow this blog closely):

a survey of over 1,200 mobile apps made by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s information is being used.

The above paragraph is posted verbatim from the news release published by the ICO, the UK's data protection authority. The survey was conducted as a result of the work done by the GPEN, a body that incorporates several privacy authorities from across the world. I had previously reported on the "mobile apps sweep day" by the GPEN; now the results are out.

The main takeaways are:

  • 85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information.
  • More than half (59%) of the apps left users struggling to find basic privacy information.
  • Almost 1 in 3 apps appeared to request an excessive number of permissions to access additional personal information.
  • 43% of the apps failed to tailor privacy communications to the small screen, either by providing information in a too small print, or by hiding the information in lengthy privacy policies that required scrolling or clicking through multiple pages.

The release also shows what the regulators consider good practice:

The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information if the individual wants to know more. The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection, or use, of personal data as it was about to happen. These approaches make it easier for people to understand how their information is being used and when.

It's not hard to do better than 85% of these app owners. One tip is to get your privacy policy out there in front of people's eyes.

  1. Into the app's settings
  2. Onto the app store
  3. Onto the app's promotional site

Also you can easily generate a privacy policy with the help of iubenda's mobile app privacy policy generator.


Posted on by Simon Schmid


Apple has just released a new page to remind developers of the most commonly cited reasons for app rejections.

Among these reasons Apple has also found a spot for reminding developers of the binding inclusion of a privacy policy for apps for kids: "and if you're offering auto-renewable or free subscriptions or your app is in the Kids Category, you must also provide a link to your privacy policy."

Yet, this page should change fairly soon with the release of iOS 8, when Apple will broaden the set of apps that go from "recommended privacy policy" to "required privacy policy". 

As iubenda has reported before, the privacy policy requirements for iOS 8 will likely look like this:

  • Apps that link against HealthKit
  • Apps that link against HomeKit
  • Third party keyboards
  • Kids

So far, unsurprisingly, the Firefox OS store seems to be the most strict about including privacy policies into your apps.


Posted on by Simon Schmid

Google is pushing Google Analytics users to update to their Universal Analytics implementation so it's time to take a quick look into the changes that are coming with it in regards to privacy regulation compliance. Universal Analytics will eventually replace the prior technology.

How to set up Universal Analytics

Here's a basic guide on how to set up Universal Analytics by Google. What we are interested in is the User ID part. User ID is core to the new possibilities in Universal Analytics. Universal Analytics allows the connecting of various sessions to one user and therefore allows you to track the activity on your property more accurately. 

Google explains it like this: 

The User ID is a Universal Analytics feature that you can use to associate multiple sessions (and any activity within those sessions) with a unique ID. When you send an unique ID and any related engagement data to Google Analytics, all activity is attributed to one user in your reports. With the User ID, you can get a more accurate user count, analyze the signed-in user experience, and get access to the new Cross Device reports. Learn more about the User ID.

In the first step of the setup flow you will find a toggle; switch it to ON to indicate that you’ve read and agreed to the User ID Policy. This enables the User ID feature in your account.

Security and privacy in Universal Analytics (source)

Google stresses the fact that it hasn't changed its privacy stance. The existing safeguards like IP masking, the Google Analytics browser opt-out add-on, data confidentiality, and security still work on the new analytics.js. Additionally, the information stored in the local first-party cookie is reduced for the new analytics.js; the snippet can be implemented without a need for a cookie at all.

About User ID and privacy

The User ID feature processes pseudonymous data, which presumably in many cases will only be legitimate if the particular user has not previously objected to that kind of processing. The user needs to be advised of their right to opt out of this sort of data processing.

Google themselves impose the following requirements onto the user:

You will give your end users proper notice about the implementations and features of Google Analytics you use (e.g. notice about what data you will collect via Google Analytics, and whether this data can be connected to other data you have about the end user). You will either get consent from your end users, or provide them with the opportunity to opt-out from the implementations and features you use.

You will not upload any data that allows Google to personally identify an individual (such as certain names, social security numbers, email addresses, or any similar data), or data that permanently identifies a particular device (such as a mobile phone’s unique device identifier if such an identifier cannot be reset), even in hashed form.

Since Google's own opt-out link only opts you out from the specific device you are on, you will have to implement another manual way for people to opt out. The easiest way to do this is to implement a process in which people can opt out via email.

What are the steps included?

Quick Start Guide

  • Have a privacy policy in place and tell users about your use of Google Analytics and User ID;
  • Tell them that they can object to the collection in that way;
  • Do not send Google any data that allows them to personally identify your users;
  • Check out the other guides below for Google Analytics and Google Analytics in Germany

iubenda and Universal Analytics/User ID

We have introduced a slightly changed clause for use with User ID, soon allowing you to use this feature along with Google Analytics. The clause is called "User ID extension" and can be added to your iubenda privacy policy from the iubenda dashboard.



Posted on by Simon Schmid

Brazilian privacy policy launch

Today we are launching a localization in Brazilian Portuguese. 

Until this day our privacy policy framework could be generated in 5 languages: English, Italian, German, French and Spanish. Today we’re adding an often requested 6th language on top of this: Brazilian Portuguese.

How can you use our languages?

Iubenda's languages can be used individually (French, English, Italian, Portuguese...), or they can be combined if your site runs in more than one language (English & Brazilian Portuguese). In that case you start your privacy policy - let's say in Brazilian - and then you add a second language on top. The generator will automatically take all of the work you've done with your first policy and duplicate it into the second language (here in this example it's English).

How do you generate your Brazilian privacy policy?

Note about Brazilian: Since Portuguese and Brazilian Portuguese are rather far apart, this localization is meant to be understood by, and correct for, Brazilian ears and grammar standards only.

Note about iubenda: iubenda is based on European data protection laws (which are known for their strict rules). Here and there we've added in additional clauses for you to choose from. Among them there's some wording for the US COPPA for example (Children's Online Privacy Protection Act). Iubenda's privacy policy generator is meant to help you out a great deal on the way to privacy compliance both on the web and mobile apps.

If you are new to iubenda you can generate your Brazilian Portuguese privacy policy for your website, Facebook application or mobile application via our website. Sign up for an account, log in and then in your dashboard find a green button saying "generate privacy policy". Follow the simple instructions to get you all set up.


How do you add a política de privacidade to an existing privacy policy?

If you already have a site with a privacy policy in another language: log in to your account, select the site you would like to add a Portuguese privacy policy to and then choose "Add language" in the sidebar of your dashboard. This will guide you through to the end of the process.

Launch discount

To introduce the Brazilian localization of our privacy policy framework we're giving 50% off for 48 hours after the publication of this post.

Blogger discount

If you are a tech blogger who wants to take the product for a spin, you can use it for free for one year. We're happy to talk about this at [email protected]

Affiliate possibility

If you have any friends that may be able to get some use out of iubenda, send them a personalized link (or share the link on your social networks). To do that simply follow this process:

You’ll find a link in your dashboard’s “Love and Rewards” tab. Share it and profit.


By visiting your sharing page you will find a couple of pre-crafted sharing possibilities. Instead of these options you can also simply copy paste the provided link and share it with whoever you like.


If you need more details about this, you'll be able to find out more in a recent post "How to make money by referring iubenda".

Generate a Brazilian Portuguese Política de Privacidade
