If you’re not a legal professional, getting your website or app to be compliant with international privacy laws can be tedious and difficult. iubenda provides several comprehensive and customizable solutions that you can seamlessly integrate into your website or app.
Under the vast majority of legislations, it is required to disclose data collection and to implement a method of receiving consent or facilitating its withdrawal. Failure to adhere to these laws can result in hefty fines, leave you open to litigation and negatively affect the credibility of your website or app.
Users need to be informed about website/app owner details, what data is being collected, their rights in regards to that data, your notification process for policy changes, the effective date of the policy and third-party access to their data (for example, third-party widgets, social buttons, ad service integrations etc). They also need to be informed about your general conditions (including sales conditions).
Another important point to note here is that under laws like the US’s California Consumer Privacy Act (CCPA), users will need to be informed, in particular, of the possibility of their data being sold ( you can think “sold” here as “shared with third parties for any profit, monetary or otherwise”). The disclosure will need to be visible from the homepage of the site and must include an opt-out (DNSMPI) link.
Users need to be able to give, decline or withdraw consent (depending on the regional law). In the US, the law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.
Compared to the US regulations, EU law (in particular the GDPR) is more stringent when it comes to consent. Consent under the GDPR, must be “explicit and freely given”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms).
The regulation also gives a specific right to withdraw consent; it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital (and mandatory) that you document and keep clear records related to the consent.
Records of consent should at least contain the following information:
Users need to be informed about cookie use and given the option to consent or decline. Also related to consent, the ePrivacy Directive or the Cookie Law requires users’ informed consent before storing cookies on a user’s device and tracking them.
You must maintain records of processing activities (legally mandated if the GDPR applies to you). Under EU law (specifically the GDPR) you must keep and maintain “full and extensive” up-to-date records of your business processing activities, both internal and external, where the processing is carried out on personal data.
Full and extensive records of processing are expressly required in cases where your data processing activities:
However, even if your processing activities somehow fall outside of these situations, your information duties to users make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone.
? Read more about how to maintain compliant records for controllers and processor in our GDPR guide.
Generally, these laws apply to any service targeting residents of the region, which effectively means that it’ll most likely apply to your business whether the organization or web servers are located in the region or not. It is, therefore, always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
Since most third-party apps and services also need to follow the law, they may require that websites & apps meet regulatory standards.
From time to time third party requirements can change in response to internal or regional regulations. It’s often necessary that your policies meet the latest requirements in order to avoid interruption of service. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.
It governs the contractual relationship between you and your users and sets the way in which your product, service or content may be used, in a legally binding way. It is therefore essential for protecting your content from a copyright perspective as well as protecting you from potential liabilities.
They typically contain copyright clauses, disclaimers and terms of sale, allow you to set governing law, list mandatory consumer protection clauses, and more.
As the Terms & Conditions document is a legally binding agreement, it’s critically important to ensure that it’s up-to-date, easily understandable, and precise. It’s also vital that users can both easily see it and agree to it in an unambiguous way (for example, by clicking a checkbox with a visible link to the document before being allowed to create an account or comment).
You’ll likely need to set Terms & Conditions if you:
Terms and Conditions documents must work within the boundaries of the law. If the situation occurs where your set terms contradict applicable law, the law will supersede the document. It is therefore important to take note of applicable legislation when preparing your Terms and Conditions to ensure that your terms work for you to their maximum ability within the boundaries of the law.
Here at iubenda, we believe in the importance of a comprehensive approach to data law compliance. We keep track of the major legislations and build solutions with the strictest regulations in mind, giving you full options to customize as needed.
This way, you can ensure that you meet your legal obligations (regardless of where your customers are located), reduce your risk of litigation and protect your customers — building trust and credibility.
Here’s what you need to get started with full compliance:
As mentioned above, users must be informed about how you use their personal data. As such, privacy policies are legally required almost everywhere in the world. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.
? For more information on privacy policies click here.
Because using cookies means both processing user data and installing files used for tracking, it is a major point of concern when it comes to user data privacy rights. For this reason, if you operate in the EU or could potentially have EU users, you need to comply with the Cookie Law.
There are two parts to this:
Our Cookie Solution complies with provisions of the European cookie law-banner management. It allows you to easily inform users and obtain their consent while including the option to block any scripts that install cookies without prior consent (which is required in many EU countries). It’s easy to run, fast and does not require heavy investments.
? For more information on our Cookie Solution click here.
Our Terms and Conditions Generator helps you to easily generate and manage Terms and Conditions that are professional, customizable from over 100 clauses, available in 8 languages, drafted by an international legal team and up to date with the main international legislations. It is powerful, precise, and capable of handling even the most complex, individual scenarios and customization needs.
It comes with:
The solution is optimized for everything from e-commerce, blogs, and apps, to complex scenarios like marketplace and, SaaS.
Getting started is easy. Simply activate the Terms and Conditions (uses 1 Ultra license) within your dashboard and start generating.
In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected.
These records must show:
Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use, simply activate the Consent Solution and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.
Meeting GDPR regulations can be a technical challenge to implement in practical terms. This is especially true for internal privacy management. In order to be compliant, you must be able keep track of and to describe:
Our solution helps you to easily record and manage all the data processing activity within your organization so that you can easily comply with requirements and meet your legal obligations.
It allows you to create records of processing activity:
Please note: Even if your processing activities somehow fall outside of the situations mentioned here, your information duties to users (Articles 13 & 14 ) make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone
Additionally, even though the GDPR is a common reason to put more effort into internal privacy management, our tool is not exclusively made for application under the GDPR. It can also be used for internal privacy management in general, even by companies who do not have any users/customers within the EU.
?️ Have your questions answered live and learn more about both the Consent Solution and Internal Privacy Management Solution by attending one of our free English webinars.