Privacy Policy: Amendments to the law “On Personal Data, ” which increased fines for certain violations up to 1290 USD, excited the Internet community. Although the regulatory act itself has existed for 12 years, the owners of the sites started to bring their resources in compliance with its requirements only a year ago – along with the fines, the number of inspections also increased.
We hope that over the year most webmasters have already implemented all the necessary changes and can sleep peacefully. But new resources appear every day, which means that the issue remains relevant. We’ll figure it out, who can not do without the privacy policy and how to implement it on their own resources.
Who needs a privacy policy on the site?
The law obliges to publish the privacy policy only of personal data operators. To understand if such a document is needed on your site, you first need to understand what kind of data it is and who such operators are.
The first concept of the U.S. Federal Open Data Policy gives this definition:
Personal data – any information related directly or indirectly to a certain or determined individual (subject of personal data).
There is no precise list in the law, but based on the definition, it can be concluded that all data that pertain to a specific person and can be identified can be considered personal. Also in the text, there are concepts of general, special, and biometric data.
With operators, everything is simpler – it’s anyone, company, or government agency that collects, stores, processes and performs other actions with personal data. The owner of the Internet resource can be attributed to the operators, if the site has the order forms, comments, registration, and feedback, in which the person enters the name, surname, email address, phone number, etc.
If, when sending a comment from a user, only a name or nickname is required, a privacy policy is not needed, since it is impossible to identify a person from such information.
How to write a privacy policy
There is no form approved by law. But there is a list of information that must be prescribed in the document.
- On what grounds and for what purpose do you collect personal data.
- Your name, contact details, and address.
- Information about who is processing the data, if this is the responsibility of another company, as well as about third parties who have access to them.
- What data you process and from what sources you receive, including cookies.
- Terms of processing and storage of personal data.
- How do you observe the rights of the subject, provided by the law “On Personal Data”.
- Information that you are transferring data outside of the USA.
All this information can be stated in the free form. The main thing is that the document should contain all the information required by the law, and also make it clear to the user what happens to his personal data, how you can use them and what you do to protect his right to privacy and personal secrets.
Copy the privacy policy from other sites is not worth it. At a minimum, you need to adapt the text to your data processing conditions.
The document can be called on the website in different ways: a policy regarding personal data, a privacy policy, a user agreement, etc. It does not change the essence and it does not count as a violation.
How to make a document and place it on the site
The only requirement of legislation in this respect is that personal data subjects have free and unrestricted access to the privacy policy. In other respects, the site owner is free to decide how best to implement it on the site.
Usually, a document is published on a separate page and provides one-click access to any other. Links to the privacy policy should be placed next to the forms where the user agrees to process. Also, a footnote on documents is often placed in the basement or the top menu of the site.
The box “Consent to the processing of personal data” next to the forms is also mandatory. According to the law, you can collect and process information about users only with their consent, except for a few cases that do not apply to sites. Moreover, in the case of verification, the owner of the resource should be able to prove that there was consent.
To comply with this requirement on designers and popular CMS is not difficult – most developers quickly reacted and added this feature to their products.
For WordPress there are new plugins:
- Free – “Privacy Policy for the site. Consent under the forms of Contact-Form 7“.
- Paid – Privacy Policy, the price of the question: 12.04-43 USD., Depending on the priority of technical support and the number of sites.
Both plug-ins meet the requirements of U.S. Federal Open Data Policy and are similar in functionality:
- automatically add checkboxes to the forms of comments and that created with the plugin “Contact Form 7”;
- allow you to create and configure a page with a privacy policy;
- show a notification about the use of cookies;
- Customize the text for the processing consent flag;
- set this default checkbox, although you do not need to do this – the user must agree, and therefore checkbox itself;
- prohibit submitting a form without it.
There are also old plugins that add checkboxes for subscribing to the newsletter, acceptance of a user agreement, etc. However, new products were developed specifically to comply with U.S. Federal Open Data Policy, and customize them for these purposes will be easier.
Finally, there are still a few requirements that you should not forget about
- You can not collect more data than you need to achieve the goals stated in the privacy policy.
- You can not store and process data using databases hosted on foreign servers.
- Before starting to collect personal data, you must be notified to the government in paper or electronic form.
- To delegate the processing of personal data to other legal entities or individuals, you need to enter into a contract.
- The operator of personal data is obliged to ensure their safety through organizational, legal, and technical measures – to instruct staff, to develop local acts, to ensure reliable protection of databases, preventing leakage of information and third-party access.
Image already added