How Widely Used Services Create Privacy Policy Obligations for All Online Businesses
Is your business breaking any privacy policy laws or violating the terms of services of businesses like Google, Facebook, or Cloudflare? — Probably!
Many of us know that Google Analytics require users to post a privacy policy on their website to inform their own customers of the collection of data.
What most of us don’t know is that more and more services are following in Google Analytics footsteps and are including their own requirements for use.
This means that it is time for you to pay attention to those pesky terms of service agreements that you sign on to.
Not playing by the rules may result in you breaking laws or getting banned from using the services your business is built upon.
Let’s take a look at five examples of businesses that demand that you have a privacy policy in place and that you mention your specific use of their services in it:
Google Analytics
“You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data. This can be done by displaying a prominent link to the site “How Google uses data when you use our partners’ sites or apps”, (located at www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time).”
Google Analytics requirement is straight forward. You must have a privacy policy on your website and in that policy, you must describe how you use cookies and that you are using GA.
This is well known and you might even have come across other policies that mention Google Analytics and include the link above. The question is: do you have this information in your own privacy policy?
If you don’t, you can get a free clause to include here.
“If you collect information from users, you will: obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.”
Facebook also demands that you have a privacy policy that explains what information you collect and how you intend to use that information.
Do you have a page for your business on Facebook? Do you run events or host live shows? Do you have a Facebook app? Then you are likely collecting information and need a privacy policy that reflects that in order to not violate the terms of service of Facebook.
CloudFlare
“You acknowledge that it is your responsibility to ensure that the use of Cloudflare’s Service is permitted under the laws of your jurisdiction and you agree to indemnify and hold Cloudflare harmless if your use of the Service is in violation of local law. Where required by law, you agree to post a privacy policy on any that, at a minimum, discloses any and all uses of personal information that you collect from users including any information collected via the Service. You agree to indemnify and defend Cloudflare from and against any and all claims stemming from your failure to comply with this provision and/or your failure or refusal to abide by the terms and provisions of any applicable privacy policies.”
Cloudflare is limiting the need for a privacy policy to when it is required by law. Depending on what jurisdiction you operate your business in, you have to have a policy that informs your users of all collection and use of personal information through Cloudflare.
You not only need to know what the law says in the country or state you have incorporated in, you also need to know the laws applicable where the people you collect the information from are located.
Your safest bet is to include a privacy policy since you are required by law to do so in the EU, Canada, Australia, and California among many other jurisdictions.
Drift
“You retain any and all of your rights to any Content you submit, post or display on or through the Service and you are responsible for protecting those rights. We take no responsibility and assume no liability for Content you or any third party posts on or through the Service. However, by posting Content using the Service you grant us the right and license to use, modify, publicly perform, publicly display, reproduce, and distribute such Content on and through the Service. You agree that this license includes the right for us to make your Content available to other users of the Service, who may also use your Content subject to these Terms.”
Drift does not require you to include a privacy policy on your website, but they reserve the right to use whatever content you share through their service in any way. This means that private information shared on Drift is no longer private.
Taking into account that your business most likely has users in jurisdictions that require full disclosure in a privacy policy, you need to include your use of Drift in your policy.
Leadpages/Drip
“If you create or use your own privacy policy or statement for your business in connection with the use of the services, you hereby acknowledge and agree to include in such privacy policy or statement, a disclosure with respect to our collection, use and disclosure of personally identifiable information of your customers disclosed to us that is consistent and in accordance with our privacy policy, including with respect to the potential disclosure of such information to third partners.”
Leadpages and Drip have a joint policy that says that if you have a privacy policy, you must disclose that you use Drip and how information is being collected by them and by potential third parties.
If you are using another lead services, it is likely that you need to make similar disclosure to make sure that you are compliant with both their terms of service and privacy laws that apply to your business.
Privacy Policies are starting to look like Russian nesting dolls
Most businesses are required by law to have a privacy policy on their websites. It used to be pretty straight forward. You stated the information you collected and tried to limit your responsibility for any information shared with third parties.
Now those third parties are throwing the responsibility back to you. They determine that you are the one responsible for the information collected and for informing your customers of how you use their information.
So, what are the consequences of not having a correct privacy policy in place?
First of all, you are probably breaking a few laws. That is never good. It can lead to fines or even revoked business license depending on your jurisdiction.
Secondly, if for example Google Analytics, Facebook or any other company that require that you mention them in a privacy policy find out that you don’t, they can all terminate your use of their services immediately.
That can put you out of business just as quickly, if not even quicker, than breaking a privacy policy law can.
How can I protect my business?
There are two ways of doing it:
- Take an inventory of all the services you use to provide your own services or products online.
- Go through the terms of use and privacy policies of each service to figure out what clauses you need to include in your own privacy policy.
- Write the proper clauses and include the correct information to comply with both the laws and the obligations of the service that you use.
- Keep track of changes in the terms of services to make sure that you own policies are up to date.
Or
- Use your existing privacy policy or get a template.
- Get the most commonly needed clauses for free and include them in your privacy policy
- You just saved yourself the time it takes to dig into every single policy for yourself!