Privacy Policy Best Practices

If your startup is based around an app or uses a website where you collect user information, even if it’s information such as log data or cookies, you should probably have a privacy policy. The first thing to remember about privacy policies is that they are not the same thing as your app or site’s terms of service (although your privacy policy should probably be integrated into your terms by reference) — your terms are the agreement between you and your users regarding their rights and your rights as to their use of your app or site, whereas the privacy policy describes to your users what information of theirs you collect and what you do with that information.

It goes without saying that your privacy policy should accurately reflect what user information you collect and what you do with it (and when you change what information you collect and/or what you do with it, you should immediately update your policy to reflect the changes), but you should also make sure that users have easy access to the policy and are given an opportunity to agree to it — like with terms of service, I recommend, if possible, having users on sign up be prompted to read the policy by having to scroll through the entire document before being allowed to click “I Accept”.

There are no comprehensive federal laws concerning privacy policies; however, laws you should be cognizant of when drafting your policy are unfair and deceptive trade practice acts (both at the federal and state level, although all have broadly similar language), as well as COPPA, the Children’s Online Privacy Protection Act, which requires sites to obtain verifiable parental consent before collecting the personal information of minors under the age of 13. In practice, obtaining verifiable parental consent is a tricky situation, so most sites simply have users certify that they are 13 or older. Finally, there may be specific laws governing privacy policies for the particular industry in which your startup operates; for example, in the financial or healthcare industries.

Your privacy policy should cover four broad topics, each of which has several sub-issues that should be addressed. The four topics your policy should cover are:

– Collection of information

This section should describe what information you collect from the user, whether the information you collect is personal or anonymous, how you collect the information (cookies, log data, etc.), who you collect the information from (e.g., the user themselves, or when they connect to third-party partners such as Facebook), and if and how the user can control what information is collected (usually by going to their account settings).

– Use of information

Most importantly, in this section you need to explain why you collect each kind of information; for traffic information such as cookies or log data, it is usually enough to explain that you use such information to monitor, customize, and improve your service, although if you use such information for any other purpose, say so. You should also explain in this section where you send user information to be processed or stored — though U.S. startups will usually keep information in the U.S., some third-party service providers may be located overseas and this possibility must be noted. Finally, you should also explain what steps you take to secure user information, even if it’s just to point out that you use commercially reasonable means (if you use server companies or the like, you may not know what specific measures they take to secure data).

– Sharing of information

Here you should describe who you share user information with, and whether you require the user’s consent to share particular types of information with particular parties. In particular, you should note what information you share with third parties, as well as what happens in the event there is a change in ownership of the company (usually by acquisition — a very real proposition for startups!).

– Changes to the policy

Finally, you should detail your rights and the user’s rights to changes in the policy — generally, most companies reserve the unlimited right to change the policy, with notice coming to the user if there is a material change (what is material is subject to the sole discretion of the company). You should also give users the means to contact you regarding questions and issues with privacy. You can also cover issues such as severability, termination, and integration here.

Hopefully this gives you a good understanding of what’s needed in a privacy policy if you decide to make a go at writing one for your startup yourself — there are plenty of open-source policies you can use as a starting point. Otherwise, any startup attorney would be happy to draft one for your company and can usually have one done quickly.

Off-topic Note: The First Venture Legal Blog will be on Thanksgiving break this Friday; however, we’ll be back with a new article next Tuesday, November 27th!