
How to Draft and Review a Privacy Policy: All You Need to Know

Your Privacy Policy describes how you collect, use and disclose information of your mobile app or website users and what choices your users have with respect to the information.

Privacy Policy Template
You may want to start with the privacy policy template, which is an easy and effective way to ensure that you are covering key elements required in a privacy policy.

Privacy Policy Checklist
Following are the key clauses and corresponding checklists in a Privacy Policy.

Information Collection and Use
This is the most important section of the Privacy Policy, where you need to inform users about what kinds of personal information you collect from them and how you use that information.

Following is the checklist for this section:

  1. Do you require a user to provide personally identifiable information (Customer Data)? If yes, which information does a user need to provide? How are you going to use that information?
    (a) Examples of user information that you may ask for include name, email, phone, date of birth, gender etc.
    (b) You may also collect user information if a user signs in to your site or mobile app using Facebook, Google or LinkedIn.
  2. There may be other types of information (Other Information) that you may be collecting such as:
    (a) Services metadata: Example - content read, link clicked, time spent, files shared, 3rd-party services used etc.
    (b) Log data: Example - user's IP address, browser type and version, pages visited before using your website, browser configuration and plugins, language settings, time spent, referrer, buttons and links clicked etc.
    (c) Mobile device information: user's mobile devices (mobile and tablets) accessing the website, including type of device, operating system, device settings, unique device identifiers and crash data.
    (d) Location information: user's location information using IP address received from the browser or mobile device.
  3. How do you use users' information? Some examples are:
    (a) To provide, update, maintain and protect your website and mobile app including service / product that you offer.
    (b) As required by applicable law, legal process or regulation.
    (c) To communicate with a user by responding to service requests, comments and questions.
    (d) To develop and provide additional features and personalized search/suggestions based on historical use and predictive models.
    (e) For billing, account management and other administrative matters.
    (f) To investigate and help prevent security issues and abuse.
  4. Put a disclaimer if you do not allow the use of your website or services by anyone younger than 16 years old.

Data Retention

  1. Do you retain users' data?
  2. Is data retention based on time? For example - 3 months after a user deletes his account.
  3. Is data retention based on an event? For example - as long as you need to pursue legitimate business interests, conduct audits, comply with legal obligations, resolve disputes and enforce your agreements.
  4. Can a user customize his data retention settings?

Log Data

  1. Do you collect user's information while browsing your site or using your mobile app?
  2. Examples of user information that you may be logging are the user's IP address, browser type and version, pages visited before using your website, browser configuration and plugins, language settings, time spent, referrer, buttons and links clicked etc.

Cookies

  1. Do you set cookies on the user's laptop / mobile phone? Even if you only use third-party tools such as Google Analytics or Facebook Pixels, you are using cookies.
  2. Cookies are text files containing data that you specify to identify the user. For example, you can set a cookie to check if a user has already registered on your site and, if yes, you may want to show a different website home page.
  3. You may show an explicit confirmation to a user to accept the usage of cookies. If a user refuses, he may not be able to use some portion of your services. You may use a Cookie Consent notice as shown below:

Sharing Data

  1. Do you share and disclose user information with third parties? If yes, put a disclaimer such as:
    (a) Third-Party Services are not owned or controlled by you and third parties that have been granted access to user Information may have their own policies and practices for its collection and use. Please check the privacy settings and notices in these Third-Party Services or contact the provider for any questions.
    (b) For example, you may be using MailChimp to collect email addresses from users subscribing to your newsletter.
  2. Put a disclaimer if you need to share user information with your corporate affiliates, parents and/or subsidiaries. If you enter into a merger, acquisition, insolvency, dissolution or reorganization proceedings, or steps in contemplation of such activities (e.g. due diligence), some or all user Information may be shared or transferred.
  3. Put a disclaimer if you need to disclose or use aggregated or identified user information for any legitimate business purpose. For example, you may want to tell your prospective customers the average time that a user spends using your services.
  4. Put a disclaimer that if you receive a request for information, you may disclose user Information if you reasonably believe disclosure is in accordance with or required by any applicable law, regulation or legal process.
  5. Put a disclaimer to protect and defend the rights, property or safety of your company or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.

Compliance with GDPR

  1. Identify the Data Controller and Data Processor
    (a) For example, a user (the Customer) is the controller of Customer Data (defined above) and you are the processor of Customer Data (defined above) and controller of Other Information.
    (b) Do you have multiple legal entities to cater to customers from different geographies? Identify controller and processor if that varies based on geographies. For example, you may have a legal entity in Ireland that is controller of Other Information and processor of Customer Data for customers outside of the US and Canada. You also may have a USA entity that is controller of Other Information and processor of Customer Data for customers in the US and Canada.
  2. Mention the email address of your Data Protection Officer.
  3. Mention contact details of your Data Protection Authority in European Economic Area for a resident user to direct his questions or complaints about your services.
  4. Mention how a user can access, update or delete his personal Information. For example, you may have a settings page that a user can access after signing in to your website.

Security

A security disclosure in the privacy policy assures users that their personal data is well protected, but you may also want to note that no method is 100% secure.

Here is an example disclosure: You work hard to protect users' personal information from loss, misuse and unauthorised access or disclosure. Given the nature of communications and information processing technology, you cannot guarantee that Information, during transmission through the internet or while stored on your systems or otherwise in your care, will be absolutely safe from intrusion by others.

Links to Other Sites
Do you link to other sites? If yes, put a disclaimer that you have no control or responsibility towards those sites.

Change in Privacy Policy
Put a disclaimer that you may change your Privacy Policy from time to time as laws, regulations and industry standards evolve or your business changes. To stay informed, a user should review your Privacy Policy and if he disagrees to changes, he should deactivate his account and request for removal of his personal data.

Contacting You
Mention your email and/or postal address for a user to ask any questions about your privacy policy or exercise any of his statutory rights such as deletion of personal information.

Enforcing a Privacy Policy
Always use the clickwrap method to get your users to agree to your terms.

With clickwrap, a user is informed of the legal agreements and must take some action that demonstrates that they're clearly accepting the terms.

Let's look at an example from , which uses a checkbox for a user to demonstrate that he has accepted the terms of , which include its privacy policy.

If you are looking for insights on more contracts, check-out my blog at

Now I'd like to hear from you:
Which insights from today's post are you going to use in your review of Privacy Policies?
Are you drafting or reviewing any other contracts for new-age technology companies?
Either way, let me know by leaving a comment below right now.
