User information can include such details as:
- Phone numbers
- Email addresses
- IP addresses
- Credit card numbers
- Device information
This kind of data is usually collected through means such as:
- Signup pages
- Contact forms
- Checkout pages
- Third-party services (such as analytics software)
Privacy policies include information about what data you collect, why it’s collected, how it’s gathered, with whom it may be shared, and what rights users have over their information.
Privacy policies are required by many laws around the world. In addition to being a legal necessity, privacy policies are required by many third-party service providers.
Here are some of the most important laws and service providers that require privacy policies:
The General Data Protection Regulation (GDPR)
The GDPR is a law based in the EU that applies to any business that collects information about users in the European Economic Area (EEA).
Considered the most important data privacy law today, the GDPR emphasizes transparency from websites, and mandates that sites and apps have easily accessible privacy policies.
The California Consumer Privacy Act (CCPA)
Known as the California GDPR, the CCPA is similar to the GDPR, especially in its rules regarding privacy policies. This California law applies to businesses that collect information about Californian users while meeting other thresholds (such as annual revenue or the amount of personal data collected).
Like the GDPR, the CCPA focuses on transparency between websites and users, and requires privacy policies that are easy to find and understandable to the average user.
California Online Privacy Protection Act (CalOPPA)
CalOPPA was the first law in the United States to make privacy policies mandatory for businesses that collect information from Californian users, and it remains in effect today.
The law states that any website that collects information from or about a Californian user:
Google Analytics is just one example of a third-party service that requires its users to post privacy policies.
What Data You Collect
As you can see in the image, Target keeps its description of what information it collects brief and straightforward, making it clear to users what information may be collected.
How You Collect Data
Your privacy statement needs to briefly outline which means you use to collect data.
Pinterest explicitly lists the means it uses to collect data and the points at which users provide their data (such as when they log in using a Google or social media account).
Why You Collect Data
Once your privacy notice includes the what and how of your data collection, you need to let users know why that data is being collected and for what it may be used.
Note that Shopify’s policy specifically says that they process data “to fulfill a contractual obligation.” This is one of the legal bases for data processing established by the GDPR.
Who You Share Data With
What Rights Users Have Over Their Data
You’ll notice that Slack first has a section about users’ rights, and then the following section is specifically for users from California.
Due to the CCPA, many companies are choosing to include specific sections for California users that focus on their unique data rights.