This is a short overview on privacy policies for websites and apps in the US.
Most privacy-related rules are still found at the state level, with only a few based on federal law. California usually sets the pace in privacy law, protecting its residents from data-hungry organizations.
Among the most important developments:
- the CCPA, California’s newest privacy law, aimed at enhancing the consumer privacy rights of California residents;
- the Attorney General’s application of CalOPPA (Section 22575 of the Business and Professions Code that handles the privacy disclosures at large) to mobile applications; and
- CalOPPA’s amendment related to the Do Not Track process.
Most countries have privacy laws that require you, as a website owner or app developer, to publish a privacy policy: a statement disclosing your data collection practices to your visitors or users. It’s important to understand that this is a global phenomenon, and the requirement is usually triggered by a few similar criteria.
Usually the trigger is the collection or sharing of personal information such as names, emails, images or any other means of identifying a returning user (the way ad networks serve targeted advertising, for example). “Commercial” is another often-used trigger for privacy policies, and it is generally defined very broadly.
The same is true for California.
The introduction to Do Not Track reads like this:
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.
The term “online service” extends to mobile apps.
Why should I care about California?
If you reread the quote above, you’ll find the answer:
(…) through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy (…)
The legal magic here is: if you have a service that may possibly collect personal information from a California resident, you fall under that law. By this logic, a privacy policy is even more important for a mobile app, because apps are usually not restricted by location and aim to reach as many users as possible.
CCPA
The California Consumer Privacy Act puts in place new requirements for processing personally identifiable information and grants consumers additional rights. The law is set to become effective on January 1st, 2020, and to become fully enforceable on July 1st, 2020.
Like CalOPPA, it applies not only to California businesses but to any business that affects people in California.
Read our guide to learn more about CCPA requirements and CCPA compliance.
Do Not Track
The privacy landscape changes constantly. You should be informed about the changes that the Do Not Track process has brought to your privacy policy.
“Do Not Track” (DNT) is a signal sent by a browser to a website indicating that the user does not want to be “tracked”.
If you do not respond to DNT signals, it is enough to state that fact in your privacy policy, but you must address it. If, however, you respond to DNT in some way, the privacy policy should disclose how you respond to the signal.
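As an added example (not code from the original post), here is how a server could read the browser’s DNT request header, decide whether to load third-party tracking code, and record the behaviour that the privacy policy must disclose; it assumes Node.js-style lower-cased header names, and the disclosure strings are placeholder wording.

```javascript
// Added example, not part of the original post. The DNT request header carries
// "1" (user asks not to be tracked), "0" (user consents) or is absent (no
// preference). The header object is assumed to use Node.js conventions, where
// names are lower-cased and repeated headers may arrive as an array.

// Interpret the DNT header. Returns "optout", "consent" or "unset".
function dntPreference(headers) {
  const raw = headers["dnt"];
  // Take the first value if the header was repeated.
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (value === undefined || value === null) return "unset";
  const trimmed = String(value).trim();
  if (trimmed === "1") return "optout";
  if (trimmed === "0") return "consent";
  return "unset"; // malformed value: treat as no preference rather than guessing
}

// Site policy decision. honorDnt reflects what the operator has chosen (and
// must disclose): either skip third-party analytics on DNT: 1, or ignore DNT.
// Returns the detected preference, whether tracking code may be loaded, and
// the placeholder disclosure text matching that behaviour.
function trackingDecision(headers, honorDnt) {
  const preference = dntPreference(headers);
  const loadTracking = !(honorDnt && preference === "optout");
  const disclosure = honorDnt
    ? "We honor Do Not Track: when your browser sends DNT: 1 we do not load third-party analytics."
    : "We do not respond to Do Not Track signals.";
  return { preference, loadTracking, disclosure };
}
```

Either branch of the decision has to match what the published policy says, which is the point the DNT amendment makes.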
What about federal laws?
There are federal laws as well. The most important in our vertical is the Children’s Online Privacy Protection Act (COPPA).
COPPA – Children’s Online Privacy Protection Act
COPPA was enacted by Congress in 1998 and required the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The primary goal of COPPA is to protect children’s privacy online (including in the mobile ecosystem). COPPA puts parents in control over what information is collected from their children and how it is used.
When do you as a web or mobile developer or operator/owner of these services fall under COPPA? And what does that fact mean for you?
The Rule applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
One consequence of falling under COPPA is, as you might guess, the requirement to outline your data collection practices in a comprehensive online privacy policy.
Read a more thorough guide about COPPA and websites or mobile apps.
Other special requirements – HIPAA
There are other special laws that should not be forgotten, such as HIPAA, the Health Insurance Portability and Accountability Act. It is rarely relevant for our users, but please get in touch if you have any questions about it.
Our international approach
The way iubenda’s privacy policy is generated and written is by taking the strictest privacy rules into account (from Europe, Australia, Canada & USA). You can therefore also automatically generate identical privacy policies in English, Italian, German, French, Dutch, Russian, Spanish and Brazilian Portuguese.
If there are any more questions, we are always happy to take them.
Disclaimer: please keep in mind that this is a very simplified overview of the landscape, but it essentially depicts what you need to know to get started and keep in mind for your mobile or online privacy policy.