Psh! Rules are meant to be broken, are they? Well, yeah…except when they can bring some pretty hefty fines.
Yeah, well, I don’t live in Cali. If you live in New York but someone from California clicks on your website and you collect their “personally identifiable information,” it applies to you. And by the way, CalOPPA says “personally identifiable information” is:
- First and last names
- Physical addresses
- Email addresses
- Phone numbers
- Social Security numbers
- Any other contact information shared with a business (online or physically)
- Details of physical appearance (height, hair color, weight)
- Any other information stored online that may identify an individual
Google’s stand on Privacy Policies and Terms & Conditions Pages
Google has been really pushing for all websites to have Privacy Policies and Terms and Conditions. In the good news department, there are no laws requiring you to have a Terms and Conditions on your site. So technically, you could get away with it (legally, that is). But you may want to think twice about that, because Terms and Conditions are how you make the rules. With a Terms and Conditions page publicly accessible on your site, you call the shots.
What Is a Terms & Conditions Page?
It’s what tells your website visitors how they are and aren’t allowed to use your website. Whether or not they actually read it, is largely irrelevant.
GDPR – important even if you’re not in the EU
If you live in the European Union, you must include GDPR as well. But GDPR can be interpreted to include companies who aren’t in the EU. And according to this PwC survey,
92 percent of U.S. companies consider GDPR a top data protection priority.
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).
According to CSO Online, GDPR (General Data Protection Regulation) “is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.”
Unfortunately, GDPR isn’t crystal-clear on what it requires. For example, it says that companies must give a “reasonable” amount of protection to personal data, but it never tells us exactly what “reasonable” is (or isn’t).
However, it does say that the following is considered personal data that must be protected by companies:
- Basic ID info, like names and addresses
- Race and ethnicity
- Political opinions
- Web data, such as the data cookies gather, IP address, and RFID tags
- Health and genetic data
- Biometric data
- Sexual orientation
It also calls out companies who absolutely must comply with GDPR:
- Companies with a presence in an EU country
- Companies who process personal data of European residents, even if they don’t have a presence in the EU
- Companies with over 250 employees
- Companies with less than 250 employees, but whose “data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.”
(That last point basically means nearly every company).
How To (And How NOT TO) Write Privacy and Terms Pages
Fortunately, it’s ok to leave the “legal speak” behind and keep it in plain English. Make it easy for people to understand what you’re saying. Check out how Apple did this in their Terms and Conditions:
“Our Services may allow you to submit materials such as comments, pictures, videos, and podcasts (including associated metadata and artwork). Your use of such features must comply with the Submissions Guidelines below, which may be updated from time to time. If you see materials that do not comply with the Submissions Guidelines, please use the Report a Concern feature. You hereby grant Apple a worldwide, royalty-free, perpetual, nonexclusive license to use the materials you submit within the Services and related marketing, and Apple internal purposes. Apple may monitor and decide to remove or edit any submitted material.
Submissions Guidelines: You may not use the Services to:
- post any materials that you do not have permission, right or license to use;
- post objectionable, offensive, unlawful, deceptive or harmful content;
- post personal, private or confidential information belonging to others;
- request personal information from a minor;
- impersonate or misrepresent your affiliation with another person, or entity;
- post or transmit spam, including but not limited to unsolicited or unauthorized advertising, promotional materials, or informational announcements;
- plan or engage in any illegal, fraudulent, or manipulative activity.”
“3. Your rights and your preferences: Giving you choice and control
You may be aware that a new European Union law, called the General Data Protection Regulation or “GDPR” gives certain rights to individuals in relation to their personal data. Accordingly, we have implemented additional transparency and access controls in our Privacy Center and Privacy Settings to help users take advantage of those rights. As available and except as limited under applicable law, the rights afforded to individuals are:
- Right of Access – the right to be informed of and request access to the personal data we process about you;
- Right to Rectification – the right to request that we amend or update your personal data where it is inaccurate or incomplete;
- Right to Erasure – the right to request that we delete your personal data;
- Right to Restrict – the right to request that we temporarily or permanently stop processing all or some of your personal data;
- Right to Object –
- the right, at any time, to object to us processing your personal data on grounds relating to your particular situation;
- the right to object to your personal data being processed for direct marketing purposes;
- Right to Data Portability – the right to request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service; and
- Right not to be subject to Automated Decision-making – the right to not be subject to a decision based solely on automated decision making, including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.
In order to enable you to exercise these rights with ease and to record your preferences in relation to how Spotify uses your personal data, we provide you with access to the following settings via your Account Settings page:
- Privacy Settings – allows you to control some of the categories of personal data we process about you, enables you to access your personal data via a ‘Download my Data’ button, and includes a link to the Privacy Center on spotify.com where you can find out more information about how Spotify uses your personal data and what your rights are; and,
- Notification Settings – allows you to choose which communications you receive from Spotify, manage your publicly available personal data, and set your sharing preferences.”
Your Next Steps
Here’s Your Privacy and Terms To-Do List
- Use an online service to generate and customize your Terms and Policy. (Be sure it’s easy to read and understand!)
- Run it by a legal professional to make sure you worded it correctly and included everything necessary.
- Put it up on your website in an easy-to-spot-and-access place.