A privacy policy is a written statement that tells users how a company collects and uses their information. It is typically published on the company’s website. The privacy policy sets out the company’s rules for collecting and using user information, and it also protects the company against claims that it misled users about how their information is collected or used.
A company’s privacy policy must accurately reflect how the company actually collects, uses, and discloses personal information; a policy that promises more than the company’s systems deliver is itself a liability. Companies should appoint a Data Protection Officer, ideally a person with both legal and IT experience.
Privacy laws differ from country to country, so if a business or website operates in different countries, ensure that the privacy policy accounts for the laws in the different jurisdictions.
The General Data Protection Regulation (GDPR) is one of the most extensive privacy laws in force. It sets out rules for collecting and processing personal data of individuals in the European Union and the European Economic Area, regardless of where the processing company is located. The GDPR sets out seven principles to guide personal data processing, as follows:
1. Lawfulness, fairness, and transparency
Lawfulness mandates that personal data be processed only where there is a lawful basis for doing so. The lawful bases are: the data subject has given consent; the processing is necessary to perform a contract with the data subject or to comply with a legal obligation; the processing is necessary to protect the vital interests of a natural person; the processing is necessary for a task carried out in the public interest; or the processing serves a legitimate interest of the controller that can be demonstrated and is not overridden by the rights and interests of the data subject.
Fairness and transparency mandate that you should not deliberately withhold information about why you are collecting the data. Furthermore, you should be transparent, open, and honest with data subjects about who you are and why and how you process their data.
2. Purpose limitation
This mandates that data be collected and used only for “specified, explicit, and legitimate purposes.” The purpose of collecting data from data subjects must be communicated clearly through the privacy notice and strictly followed. If the data is later to be used for a purpose different from the one originally specified, that new purpose must either be compatible with the original one or be supported by a fresh lawful basis, which in practice usually means specifically requesting the data subjects’ consent for the new purpose.
3. Data minimisation
This principle directs that only the smallest amount of data needed to achieve the specified purpose should be collected.
4. Accuracy
The company is responsible for ensuring that the personal data it collects and stores is accurate and, where necessary, kept up to date.
5. Storage limitation
This principle mandates that the company or organisation be able to justify how long it keeps each category of personal data, and delete or anonymise the data once that period ends. Companies can document this obligation by incorporating data retention periods into their privacy policies.
6. Integrity and confidentiality (security)
This principle mandates that a company keep all personal data it collects and stores confidential and secure, using appropriate technical and organisational measures to protect the data from unauthorised or unlawful processing and from accidental loss, destruction, or damage.
7. Accountability
This principle mandates that companies take responsibility for compliance: they must have appropriate measures in place and keep records that demonstrate compliance with the other data processing principles.
The US has no single comprehensive federal data privacy law; instead it relies on a combination of sector-specific laws. These include the Privacy Act of 1974 (which governs records held by federal agencies), the Gramm-Leach-Bliley Act (GLBA), which protects nonpublic personal financial information, the Health Insurance Portability and Accountability Act (HIPAA), and the Children’s Online Privacy Protection Act (COPPA).
HIPAA protects protected health information (PHI) held by healthcare providers, health plans, and their business associates. It provides for confidentiality by permitting a covered entity to use or disclose a patient’s PHI without the patient’s authorisation only for treatment, payment, or healthcare operations (and a limited set of other specified purposes); any other use or disclosure requires the patient’s written authorisation.
COPPA protects the personal information of children under 13 (that is, aged 12 and younger). It prohibits online services directed at children, or that knowingly collect from children, from collecting personally identifiable information from children under 13 without verifiable parental consent. Personal information under COPPA includes email addresses, photographs, screen names, audio files, video chat names, persistent identifiers such as cookies, and geolocation precise enough to identify a street and city.
In addition, certain US states, such as California, Nevada, and Maine, have their own privacy laws. The California Consumer Privacy Act (CCPA) contains consumer privacy protections similar to those of the GDPR, and it defines personal information broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
In Nigeria, data protection has generally been regulated by the Nigerian Data Protection Regulation (NDPR); the Nigeria Data Protection Act 2023 has since been enacted and builds on it. The NDPR provides that data processing is lawful where the data subject has given consent, or where the processing is necessary for the performance of a contract, for compliance with a legal obligation to which the data controller (the person who determines the purposes for and means of processing personal data) is subject, to protect the vital interests of the data subject, or for the public interest.
The NDPR mandates that a company appoint a Data Protection Officer (the GDPR requires one only for certain controllers and processors). It also sets out principles similar to those of the GDPR, namely transparency, purpose limitation, accuracy, storage limitation, confidentiality, and accountability, which a privacy policy must adhere to.
Other countries with data protection laws include Brazil, South Africa, the British Virgin Islands, Bahrain, Canada, India, Israel, Angola, Australia, and the Philippines. A business operating in any of these jurisdictions should check the local law before relying on a policy drafted for another one.