Why are these policies necessary?
- What information you gather
- How you collect the information
- How you store and protect the information
Is there a difference in the types of information collected?
Yes. Most policies separate personally identifiable information from non-private data.
The National Institute of Standards and Technology (NIST) defines personally identifiable information as:
“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Non-private data is defined as:
“Information that may correspond to a particular person, account or profile, but is not sufficient to identify, contact, or locate the person to whom such information pertains.”
- Browser type
- Browser plug-in details
- Local time zone
- Date and time of each visitor request (e.g., arrival at and exit from each web page)
- Language preference
- Referring site
- Device type (e.g., desktop, laptop, or smartphone)
- Screen size, screen color depth, and system fonts
Many users concerned about sharing this non-private data employ browser extensions to mask it. VPNs also help avoid sharing certain types of non-private data; for instance, a VPN can mask the time of the site visit as well as the user’s local time zone.
Yes. Collecting data without detailing the activity to users is punishable by law. You are also at risk if you violate the terms of your policy by collecting more than what you state or otherwise change the data collection/use without updating the policy.
Sites that aren’t GDPR compliant could face fines of up to 20 million euros or 4% of their global revenue.
Thanks to their length and complexity, most online privacy policies go unread. In fact, one study found they are so cumbersome that it would take the average person about 30 full working days to actually read the privacy policies of the websites they visit in a year.
Point #1: Information Collection
Every policy should explicitly describe what information the site collects, how it collects that information, and what will happen with the collected data.
Point #2: Information Use
Companies – and their websites – that take your data security seriously:
- Never sell personally identifiable information to 3rd parties
- Anonymize and/or encrypt the data to protect against breaches
- Only store the data for a short period of time
Point #3: E-Commerce Considerations
For e-commerce sites, the policy should detail the safeguards for a user’s private financial information collected to process transactions. This includes credit card numbers, social security numbers, or bank account information.
Point #4: 3rd Party Information Disclosures
There should be clear language about the website’s relationship(s) with 3rd parties. Ideally, your site will not sell or share personally identifiable information unless there is a legally compelling reason. It should also detail what your company does with non-private data.
Point #5: Information Security and Tracking
Today’s best privacy policies highlight their information security and detail cookie use.
Point #6: Unsubscribe Methods
Point #7: Consent
Click here for a template you can use.
The template language provided in this post should be a starting point only. Every website has different methods and intentions and the best privacy policies reflect a high level of customization. To ensure the effectiveness of your policy, consult with privacy lawyers and research other policies from companies similar to yours. Most of all, keep checking www.vpnmentor.com for more information on policy language and privacy issues.