Best Practices: Online Privacy Policies

In a previous article, I discussed some of the reasons why a mobile app may need a privacy policy. The reasons set out there apply not only to mobile apps but also to all websites and online applications. This week, we consider some best practices for developing and deploying online privacy policies.

With increased regulation of privacy rights, you would expect data owners to be keener on data collection and processing practices. However, there is increasing evidence that whilst online users are concerned about their privacy, they hardly ever take time to read online privacy policies. They instead have an expectation that regardless of what you say in your privacy policy, you will respect their privacy rights.

Therefore, your users’ disinterest in your privacy policy does not give you the right to use their information as you please. In fact, in addition to providing an online privacy policy, you should show that your organization walks the “talk” of the policy. In other words, you should do what your policy says. This not only gives credence to your brand but also protects you from legal disputes.

Let’s now look at some best practices to consider in preparing or publishing an online privacy policy.

Best Practices for an Online Privacy Policy

1. Be Factual

Avoid exaggerating the nature and extent of privacy you provide. Ensure that anything you say in the policy can be verified or is a true reflection of your organisation’s data handling practices. Outline in clear detail the following matters:-

  • the types of personal information you collect including indirect collection methods such as the use of cookies and location tracking;
  • the methods you use to collect personal data;
  • the purpose for collection of the information;
  • if you share the information with third parties, who are these parties, and what safeguards do you and the third party have in place for the shared information?
  • how will you store the information? for how long will you store it?
  • what rights do users have in relation to their personal information?

2. Make it clear and simple

Although online privacy policies are legal documents, they are meant to be read by the general public. Therefore, you should produce a privacy policy that is written in plain simple, and plain language. Avoid using legal words like “duty of care” and “jurisdiction” and a whole host of legal jargon. Instead, break it down in a way that even a primary school child can understand what is going on. Give examples that explain how your policy works in practice.

Further, avoid copy and paste policies and instead tailor your privacy policy to the mission and purpose of your website. For instance, a blog’s privacy policy will differ from that of an e-commerce platform such as Amazon. Similarly, a social media platform such as Instagram will have a different policy from an online learning platform such as Udemy.

3. Obtain User Consent

Prior to collecting an individual’s personal information, seek their consent. Provide a way for your users to give you express consent at all stages where you ask for personal information. For instance, if they are creating a new account and need to provide details such as their email addresses or phone numbers, provide a checkbox and link to your privacy policy on the registration page. If they make a purchase on your website, the same procedure should apply.

4. Make Your Privacy Policy Readily Accessible

Provide an easily accessible link to your Privacy Policy on your website or on your app. For websites, the standard practice is to place the privacy policy at the footer of your homepage. You should also include it in all places where you request your user’s to key in personal information. For mobile apps, the link may be placed on the welcome screen of your App and on an accessible drop-down menu within your app.

5. Demonstrate Accountability

Apart from having a written privacy policy, ensure that you train and hold your team accountable for your privacy obligations. If your team does not understand the organisation’s privacy requirements, there will definitely be a mismatch between what your policy states and what you do in practice. This may expose you to data breaches and litigation risks.

Designate or appoint a Data Protection Officer (DPO). This is an individual responsible for data protection and compliance within your organisation. Publish the name and contact details of the DPO on your Privacy Policy.

6. Follow Data Minimisation Approach

Collect only the amount of personal data that is relevant for the purposes that you have identified in your policy. In the context of your online business/website/app, ask yourself what is the absolute minimum information you require and how do you intend to use it? For example, if it is a blog, you may need only email addresses so you can alert your followers of new posts or you can send them newsletters on the latest topics or trends. Telephone numbers and IDs may not be necessary. On the other hand, if you are selling products through your app or website, you may need a host of information for purposes of the contract. This may include full names, email, phone numbers, credit/debit card information etc. But even here, be careful to seek only what you require. The bottom line, be clear on why you need the information you are collecting. Avoid collecting data on the off-chance that it may be useful in the future.


Disclaimer! Venturelawkenya contains only general information about legal matters. It is not legal advice and should not be treated as such. You must not rely on the information on this website as an alternative to legal advice from your lawyer/advocate or other professional legal services provider. If you have specific questions about any legal matter you should consult with your advocate or any other suitable professional legal service provider.


Disclaimer: The information on this blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no advocate-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional advocate, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date. While the blog is revised on a regular basis, it may not reflect the most current legal developments.

Tags:

No Comments

Leave a Reply