This is a short overview of privacy policies on websites and in apps in the US. Most privacy-related rules are still found at the state level, with only a few based on federal law. California usually sets the pace in privacy law to protect its residents from data-hungry organizations. The most recent developments were the Attorney General’s application of CalOPPA (Section 22575 of the Business and Professions Code, which handles privacy disclosures at large) to mobile applications and CalOPPA’s amendment related to the Do Not Track process.

Most countries have privacy laws that require you, as a website owner or app developer, to include a privacy policy: a statement that discloses your data collection to your visitors or users. It’s important to understand that this is a global phenomenon, and mostly a few similar criteria trigger such a requirement.

Usually the trigger is the collection or sharing of personal information like names, emails, images or any other means of identifying a returning user (the way ad networks serve targeted advertising, for example). “Commercial” is an often-used trigger for privacy policies, and it is generally defined very broadly. The same is true for California.

The introduction to Do Not Track reads like this:

Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.

The term “online service” extends to mobile apps.

What do I care about California?

I’m glad you asked. If you’d like to reread the above quote, then you’ll find the answer:

(…) through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy (…)

The legal magic here is: if you have a service that may possibly collect personal information from a Californian resident, you fall under that law. By this logic, having a mobile app privacy policy is even more important, because most of the time apps are location-unaware and aim to have as many users as possible.

Do Not Track

The privacy landscape is changing at an increasing pace. From now on (1/1/2014) you should be aware of the changes that the Do Not Track process brings to your privacy policy.

“Do Not Track” (DNT) is a signal that a browser communicates to a website to indicate that its user does not want to be “tracked”.

If you do not respond to DNT signals, it will be enough to indicate this fact in your privacy policy, but you have to talk about it. If you, however, respond to DNT in some way, the privacy policy should disclose how you respond to the signal.

What about federal laws?

There are federal laws as well. The most important in our vertical is the Children’s Online Privacy Protection Act.

COPPA – Children’s Online Privacy Protection Act

COPPA was enacted by Congress in 1998 and required the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The primary goal of COPPA is to protect children’s privacy online (and at the same time in the mobile ecosystem). COPPA puts parents in control of what information is collected from their children and how it is used.

When do you as a web or mobile developer or operator/owner of these services fall under COPPA? And what does that fact mean for you?

The Rule applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

One of the consequences of you falling under COPPA, you guessed it, is the requirement to outline your data collection practices in a comprehensive online privacy policy.

Read a more thorough guide about COPPA and websites or mobile apps.

Other special requirements – HIPAA

There are other special laws that should not be forgotten, like HIPAA, the Health Insurance Portability and Accountability Act. It’s mostly not relevant for our users, so please get in touch if you have any questions regarding it.

Our international approach

The way iubenda’s privacy policy is generated and written is by taking the strictest privacy rules into account (from Europe, Australia, Canada & USA). You can therefore also automatically generate identical privacy policies in French, German, Italian and Spanish.

If there are any more questions, we are always happy to take them.

Disclaimer: please keep in mind that this is a very simplified view and overview of the landscape, but it essentially depicts what you need to know to get started and keep in mind for your mobile or online privacy policy.
