If you’re not a legal professional, getting your website or app to be compliant with international privacy laws can be tedious and difficult. iubenda provides several comprehensive and customizable solutions that you can seamlessly integrate into your website or app.
What you need to know
Under the vast majority of legislations, it is required to disclose data collection and to implement a method of receiving consent or facilitating its withdrawal. Failure to adhere to these laws can result in hefty fines, leave you open to litigation and negatively affect the credibility of your website or app.
Users need to be informed about website/app owner details, what data is being collected, their rights in regards to that data, your notification process for policy changes, the effective date of the policy and third-party access to their data (for example, third-party widgets, social buttons, ad service integrations etc). They also need to be informed about your general conditions (including sales conditions).
Another important point to note here is that under laws like the US’s California Consumer Privacy Act (CCPA), users will need to be informed, in particular, of the possibility of their data being sold ( you can think “sold” here as “shared with third parties for any profit, monetary or otherwise”). The disclosure will need to be visible from the homepage of the site and must include an opt-out (DNSMPI) link.
Allow users to give, decline or withdraw consent
Users need to be able to give, decline or withdraw consent (depending on the regional law). In the US, the law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.
Compared to the US regulations, EU law (in particular the GDPR) is more stringent when it comes to consent. Consent under the GDPR, must be “explicit and freely given”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms).
The regulation also gives a specific right to withdraw consent; it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital (and mandatory) that you document and keep clear records related to the consent.
Records of consent should at least contain the following information:
- the identity of the user giving consent;
- when they consented;
- what disclosures were made (what they were told) at the time they consented;
- methods used for obtaining consent (e.g., newsletter form, during checkout etc.);
- whether they have withdrawn consent or not.
It’s useful to remember that under GDPR regulations consent is not the only reason that an organization can process user data. It is only one of the “Lawful Bases”, therefore companies can apply other lawful (within the scope of GDPR) bases for data processing activity. However, there will always be data processing activities where consent is the only or best option.
Users need to be informed about cookie use and given the option to consent or decline. Also related to consent, the ePrivacy Directive or the Cookie Law requires users’ informed consent before storing cookies on a user’s device and tracking them.
Maintain records of processing activities
You must maintain records of processing activities (legally mandated if the GDPR applies to you). Under EU law (specifically the GDPR) you must keep and maintain “full and extensive” up-to-date records of your business processing activities, both internal and external, where the processing is carried out on personal data.
Full and extensive records of processing are expressly required in cases where your data processing activities:
- are not occasional;
- could result in a risk to the rights and freedoms of others;
- involve the handling of “special categories of data”; or
- where your organization has more than 250 employees — this effectively covers most common scenarios.
However, even if your processing activities somehow fall outside of these situations, your information duties to users make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone.
🔍 Read more about how to maintain compliant records for controllers and processor in our GDPR guide.
Generally, these laws apply to any service targeting residents of the region, which effectively means that it’ll most likely apply to your business whether the organization or web servers are located in the region or not. It is, therefore, always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
Ask our experts live
View live demos and have your questions answered in real time by attending one of our free English webinars. They are all practical and designed to really help you with understanding and achieving compliance for your websites or apps.
Attend our free webinars
Since most third-party apps and services also need to follow the law, they may require that websites & apps meet regulatory standards.
From time to time third party requirements can change in response to internal or regional regulations. It’s often necessary that your policies meet the latest requirements in order to avoid interruption of service. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.
🔍 You can read more about Google’s requirements here and here. You can read more about Apple’s requirements here.
Protecting your interests and making the law work for you
It governs the contractual relationship between you and your users and sets the way in which your product, service or content may be used, in a legally binding way. It is therefore essential for protecting your content from a copyright perspective as well as protecting you from potential liabilities.
They typically contain copyright clauses, disclaimers and terms of sale, allow you to set governing law, list mandatory consumer protection clauses, and more.
As the Terms & Conditions document is a legally binding agreement, it’s critically important to ensure that it’s up-to-date, easily understandable, and precise. It’s also vital that users can both easily see it and agree to it in an unambiguous way (for example, by clicking a checkbox with a visible link to the document before being allowed to create an account or comment).
You’ll likely need to set Terms & Conditions if you:
- have different user levels (eg. registered vs non-registered);
- would like to have some legally enforceable control over, and set rules about, how your product, service or content may be used;
- want to set the rules for user behavior (including comments) and state grounds for termination of accounts;
- facilitate or otherwise process payments and/ or other sensitive user data;
- provide a product or service which can potentially cause harm if misused;
- allow your users to upload content;
- participate in some kind of commerce, including affiliate programs; or
- run a service or platform which allows users to sell or trade with other users.
Terms and Conditions documents must work within the boundaries of the law. If the situation occurs where your set terms contradict applicable law, the law will supersede the document. It is therefore important to take note of applicable legislation when preparing your Terms and Conditions to ensure that your terms work for you to their maximum ability within the boundaries of the law.
How iubenda can help
iubenda’s approach to compliance
Here at iubenda, we believe in the importance of a comprehensive approach to data law compliance. We keep track of the major legislations and build solutions with the strictest regulations in mind, giving you full options to customize as needed.
This way, you can ensure that you meet your legal obligations (regardless of where your customers are located), reduce your risk of litigation and protect your customers — building trust and credibility.
Here’s what you need to get started with full compliance:
- Comply with the EU Cookie Law
- Set Terms and Conditions
- Manage consent and maintain detailed records related to it
- Internal Privacy Management
As mentioned above, users must be informed about how you use their personal data. As such, privacy policies are legally required almost everywhere in the world. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.
🔍 For more information on privacy policies click here.
2. Complying with the EU Cookie Law
Because using cookies means both processing user data and installing files used for tracking, it is a major point of concern when it comes to user data privacy rights. For this reason, if you operate in the EU or could potentially have EU users, you need to comply with the Cookie Law.
There are two parts to this:
- Cookie banner which you can get with the iubenda Cookie Solution.
Our Cookie Solution complies with provisions of the European cookie law-banner management. It allows you to easily inform users and obtain their consent while including the option to block any scripts that install cookies without prior consent (which is required in many EU countries). It’s easy to run, fast and does not require heavy investments.
3. Set Terms and Conditions
Our Terms and Conditions Generator helps you to easily generate and manage Terms and Conditions that are professional, customizable from over 100 clauses, available in 8 languages, drafted by an international legal team and up to date with the main international legislations. It is powerful, precise, and capable of handling even the most complex, individual scenarios and customization needs.
It comes with:
- guided set-up;
- hundreds of possible personalizations;
- legislation monitoring;
- plug-and-go integrations for popular store platforms such as Shopify and WooCommerce;
- pre-defined scenarios: buildable text modules for marketplace, affiliate programs, copyright, e-commerce, mobile, and more.
The solution is optimized for everything from e-commerce, blogs, and apps, to complex scenarios like marketplace and, SaaS.
Getting started is easy. Simply activate the Terms and Conditions (uses 1 Ultra license) within your dashboard and start generating.
🔍 For a list of the full features of the Terms and Conditions Generator, click here or read the guide here.
4. Manage consent and maintain detailed records related to it
In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected.
These records must show:
- when consent was provided;
- who provided the consent;
- what their preferences were at the time of the collection;
- which legal or privacy notice they were presented with at the time of the consent collection; and
- which consent collection form they were presented with at the time of the collection.
Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use, simply activate the Consent Solution and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.
5. Internal Privacy Management
Meeting GDPR regulations can be a technical challenge to implement in practical terms. This is especially true for internal privacy management. In order to be compliant, you must be able keep track of and to describe:
- which data you collect;
- for which purposes it was collected;
- the legal basis for processing;
- data retention policy for each processing activity;
- the parties involved (both inside and outside your organization);
- security measures;
- data transfer outside of the EU, if any; and
- other related details which may apply company-wide, including data of employees.
Our solution helps you to easily record and manage all the data processing activity within your organization so that you can easily comply with requirements and meet your legal obligations.
It allows you to create records of processing activity:
- add processing activities from 700+ pre-made options;
- divide them by area (sub-divisions within which data processing activities are the same);
- assign processors and other member roles; and
- document legal bases and other GDPR-required records.
Please note: Even if your processing activities somehow fall outside of the situations mentioned here, your information duties to users (Articles 13 & 14 ) make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone
Additionally, even though the GDPR is a common reason to put more effort into internal privacy management, our tool is not exclusively made for application under the GDPR. It can also be used for internal privacy management in general, even by companies who do not have any users/customers within the EU.
🔍 For a list of the full features of the Internal Privacy Management tool click here or read the guide here.
🎙️ Have your questions answered live and learn more about both the Consent Solution and Internal Privacy Management Solution by attending one of our free English webinars.