Most countries around the world have some form of data privacy legislation in place, and most of this legislation covers not just the use of that data, but any dealings with it, which includes collection. Any time you collect the data of an individual person, particularly for marketing purposes, sales purposes, analysis, or tracking, you’ll likely need to comply with this legislation.
When using Datanyze, you collect publicly available information; however, if you collect information in other ways, such as through web forms or lead-gen marketing, you need to be aware of these privacy laws.
Privacy Law In The US vs. The EU
First let’s take a look at privacy laws in two of the major jurisdictions you may be based in: the United States and the European Union. If you are based in the UK, don’t worry: UK law follows EU law, so those two can be examined together.
There are a number of large differences between US and EU law, but your compliance measures should be the same for both, particularly if you have an international client or user base.
At a high level, EU law is strict and broad, while US law is patchy and weak. The only general data privacy law that the US has in place is a state law rather than a federal law: the California Online Privacy Protection Act of 2003.
The California Online Privacy Protection Act
The California Online Privacy Protection Act only applies when you are the operator of a commercial website and you are dealing with the data of individual consumers residing in California. In that case you must conspicuously post a privacy policy that sets out:
- The kinds of information gathered;
- How the information may be shared with other parties;
- How you respond to “do not track” requests;
- The process the user can follow to review and make changes to the information you have on them; and
- The policy's effective date and a description of any changes since then.
Even if you are based outside of California, if your website collects the data of individuals in California, you must comply with the above law. If you have any American customers, some of them may well be from California, so it is prudent to comply with the above requirements.
The EU Data Protection Directive
In contrast, EU law is covered by the EU Data Protection Directive. Later this year (2015), the Data Protection Directive is expected to be replaced by the Data Protection Regulation, but the Regulation is not yet in force. We’ll take a look at what the current law is, as many of the rules in the Directive will stay the same under the Regulation.
Under the EU Data Protection Directive, you need to comply whenever your website or software is collecting or processing "personal information". You are collecting information when, for example, customers or potential customers fill in their details on a lead-gen landing page, and you are processing that data when you store it and use it later.
Personal information is any information that could identify an individual, either on its own (e.g. name, email address) or in combination with other information (e.g. IP address, physical address, product key). For the purposes of the Directive, "personal information" includes "any information relating to an identified or identifiable natural person". This could be:
- User’s location
- Unique device identifiers (such as mobile numbers)
- Identity of the data subject
- Identity of the phone (name of the device)
- Credit card and banking data
- Call logs
- Text messages, emails, or other forms of messaging
- Browsing history
- Pictures and videos
- Biometrics data
If you are collecting this "personal information" and you are an EU-based company (i.e. you have a business based in the EU, or a branch office, or your company is incorporated there), the Directive sets out a number of principles and criteria that you need to comply with. For instance, you should:
- Identify who is collecting the data (you);
- Notify your users of what information you are collecting, and why;
- Ensure that data is collected only for specified, explicit and legitimate purposes;
- Ensure that any data collected is adequate, relevant and not excessive;
- Ensure that data collected is accurate;
- Allow users to view what data you hold on them and allow them to change or update it;
- Notify your users of who else can view the data you hold on them; and
- Keep the data safe and secure.
To satisfy both the Californian and the EU requirements, your website should post a privacy policy that sets out:
- What types of information you will be collecting;
- How you will protect and store the information;
- How you will respond to “do not track” requests (you can hyperlink to another policy if you wish);
- What you will do with that information and in what circumstances you will release it;
- How the customer can review the information you hold on them;
- How the customer can change or delete that information;
- The policy's effective date and a description of any changes since then; and
- Dispute resolution information if your customer wants to make a complaint or raise an issue.
The clearest way to get users to agree to your privacy policy and terms is Clickwrap, where the user must actively tick a checkbox or click "I agree" before they can proceed. Here’s an example of Clickwrap from PayPal during the user sign-up process:
Here’s another example for use on web forms:
You can see that in all of the examples above, the legal documents that the user is agreeing to are hyperlinked within the checkbox text. It’s important to ensure that your user has easy access to the documents and that it is clear what legal documents they are clicking "I agree" in relation to.
Clickwrap is a much stronger method than Browsewrap, which is what most websites typically use. With Browsewrap the user does not click "I agree" to anything, and is instead simply presumed to have agreed to the terms by implication.
The terms are usually displayed at the bottom of the webpage, and the user must browse to read them. There is no certainty for the website owner that the user has read the terms. Here’s an example of Browsewrap from VentureBeat:
You can see that the text is in very small writing, and not drawn to the user’s attention at all.
About the Author: Leah Hamilton is a qualified Solicitor and writer working at TermsFeed, where businesses can create their Privacy Policies and Terms and Conditions in minutes.