Privacy – Compliance Solutions for Websites, Apps and Organizations | iubenda
https://www.iubenda.com/en/

Why your consent management setup is a marketing performance question
https://www.iubenda.com/en/blog/why-your-consent-management-setup-is-a-marketing-performance-question/
Thu, 19 Mar 2026 08:24:58 +0000

Consent management setup isn't just a legal checkbox. Find out why marketing teams should treat it as a core performance lever.

It’s not new. Marketing teams need to work with data to gain insights into their users and how their activities are performing. Reliable analytics provide valuable information that could affect revenue.

That’s why the evolution of privacy regulations, or rules governing the protection of personal data, has reshaped how marketing teams operate.

According to IAB’s State of Data 2024 report, 82% of organizations say the makeup and structure of their teams have been impacted by legislation and changing data rules.

The default response is typically to focus more resources on legal teams or consultants. In this article, find out why consent management should matter more to marketers and how it can help boost their marketing performance.


Is your compliance tech stack holding your marketing team back?

That’s a problem worth examining.

The tools you use for consent management, generating privacy policies, and monitoring your setup don’t just affect your legal exposure but also your opt-in rates, analytics accuracy, brand trust, and your ability to run campaigns with reliable data. Those are marketing outcomes. And they deserve a marketing approach to what is seen as “compliance tools”.

Most marketing teams didn’t deliberately build their compliance stack. They assembled it piece by piece in response to regulation:
  • an outdated privacy policy, drafted once by a legal professional or from an online template,
  • a cookie banner and cookie policy added when the ePrivacy Directive came into force,
  • legal text that hasn’t been updated or optimized with your processes in mind.

This is the patchwork stack, and it creates friction at every turn.

The hidden cost of a fragmented compliance setup

Think about consent rate as a marketing metric, because that’s what it is. Every percentage point of missed opt-in is a user you lose insight into.

On top of that, if you don’t properly comply with industry best practices such as the IAB’s Transparency and Consent Framework, your ability to attribute campaign performance or track conversions is affected. A poorly configured or underperforming consent banner makes that worse, and it’s a problem that sits squarely in the marketing team’s lap.

Lastly, the privacy landscape continues to evolve. With a fragmented stack, each change triggers a manual chain: understand the regulation, assess the impact across tools, update each separately, and verify consistency across environments. That’s time your team isn’t spending on core marketing activities.

Manual coordination between tools means:

  • slower response when something changes,
  • duplicated work: your marketing team builds a consent flow, your legal team checks it against the policy doc, your development team deploys it, and then the cycle repeats every time a regulation shifts or a new market comes into scope.

Invest in all-in-one compliance tools for your marketing growth

IAB’s research states that one of its four key focus areas for adapting to a privacy-aware ecosystem is to optimize your company technology stack for efficiency by identifying overlapping functionality and evaluating whether tools can be consolidated and simplified.

[Figure: IAB x BWG Strategy State of Data 2024]

Meanwhile, Think with Google research on privacy-forward marketing makes the commercial stakes clear: people are willing to share their data when they can see the value and trust the company. Your ability to deliver that experience depends on the tools for managing consent and transparency.

Tanneasha Gordon, Data & Digital Trust Leader at Deloitte, declares for Think with Google:

Today’s digital privacy landscape offers a tapestry of opportunities and technologies to those willing to adapt […]. Marketing leaders should consider empowering their teams to invest in privacy-first solutions and experiment with technologies […]. Find the right partners, establish processes, and innovate with privacy-preserving technology.

Reduced complexity as a competitive edge

One connected platform means one configuration, one dashboard, one update when laws change. Your marketing and legal teams share the same source of truth, cutting the back-and-forth that delays launches.

Fewer tools mean fewer failure points and no risk of a touchpoint being out of sync with another.

Reallocate resources into your compliance infrastructure

When privacy is managed in one place, every hour recovered is an hour your team can spend building core marketing activities.

Andreea Mandeal, our Chief Marketing Officer at iubenda, has seen this play out firsthand:

“Speed comes from handling compliance early. Teams that ‘stay agile and fix it later’ almost always end up slowing themselves down with rework, blocked launches, or emergency legal reviews, and that’s coming from experience. When consent, privacy, and compliance are built in from day one, product, marketing, and growth teams can move faster with confidence. You test more, ship more, and scale without hitting invisible walls. Getting it right upfront saves time, money, and rework later.”

The companies adapting fastest are investing in training, not just tools. According to IAB, 63% of organizations are now training staff on first-party data collection, and 54% on privacy compliance and privacy-preserving technology.

[Figure: IAB x BWG Strategy State of Data 2024]

Marketing teams that build this literacy internally move faster. Knowing how consent works, which data you can use, and how regulations affect your measurement setup reduces the dependency on legal review cycles. You also get to understand what you can test or improve to get a better consent rate, for instance.

Regulation isn’t settling down. A platform that handles it well also comes with marketing features most teams overlook. Your banner is a legal obligation, but also a conversion surface.

Compliance tech comes with features that directly impact your performance, for example:

  • Consent rate analytics: Track opt-in rates by page, geography, and device. Understand where you’re losing users before they even engage with your content.
  • Banner A/B testing: Test copy, layout, and timing to improve opt-in rates. A better-performing banner means a larger measurable audience.
  • Geo-targeted consent flows: Serve different banner experiences and languages by region based on local regulations, without rebuilding your setup each time.
  • Regulatory updates without the sprint: When laws change, the platform updates. Your team moves on.

Trusted solutions built for the long term

Not all privacy tools are built the same way. When evaluating options, look for signals that a platform is complete and designed for durability, not just current requirements. The platform should:

  • stay ahead of where the market is going, not just where it is today. E.g., a provider that supports IAB’s Transparency and Consent Framework (TCF) is on top of the requirements for advertising in Europe and is building to stay there,
  • cover what marketing teams need to manage in one place, like consent and preferences management or records, related analytics, legal document management like privacy policies or terms. These tools work together, which means updates are consistent and your team manages everything from one dashboard.

For marketing teams that want to move fast, improve opt-ins, and measure in a reliable and privacy-friendly way, the right compliance infrastructure is the foundation.

Consent management is a marketing performance question because the compliance tools that manage data practices and user consent to marketing activities like content personalization or tracking play a key role in your opt-in rate, ad serving, brand trust, or first-party data strategy. These aren’t only compliance outputs but marketing metrics.

See how iubenda’s connected set of digital compliance solutions helps your marketing team move faster as you scale

Everything you need to know about GDPR
https://www.iubenda.com/en/blog/everything-you-need-to-know-about-gdpr/
Wed, 11 Mar 2026 08:11:21 +0000

What is GDPR?

GDPR stands for General Data Protection Regulation, a European Union law that regulates how organizations collect, use, and protect personal data. It applies to many businesses worldwide and requires transparency, security, and accountability when handling personal information.


If your website or app collects personal data, you’ve probably heard of the GDPR.

The General Data Protection Regulation is one of the most important privacy laws in the world.

It sets the rules for how organizations collect, use, and protect personal data. It came into force in May 2018 and applies to many companies both inside and outside the European Union.

If you offer services to people in Europe, track website visitors, or collect personal information such as email addresses or IP addresses, the GDPR may apply to you.

In this guide, we explain what the GDPR is, why it was introduced, and who it applies to. We also cover the key principles, legal requirements, user rights, and practical steps organizations can take to stay compliant.

An overview of GDPR

GDPR stands for General Data Protection Regulation.

It’s a European Union law that regulates how organizations handle personal data. The regulation sets clear expectations for how companies collect, process, store, and protect information about individuals.

The goal is simple: people should understand how their data is used and have control over it.

For organizations, this means being transparent about data practices, collecting only the information that is necessary, and protecting it properly.

What is the purpose of GDPR?

GDPR was introduced to strengthen privacy protections and modernize older European data protection laws.

The regulation focuses on several key objectives:

  • Protect personal data from misuse or unauthorized access
  • Give individuals greater control over their personal information
  • Require organizations to be transparent about how they use data
  • Create consistent privacy rules across EU member states

These goals help create more trust between businesses and the people who use their services.

Who does GDPR apply to?

Many organizations assume that GDPR applies only to companies based in Europe. In reality, the scope is broader. GDPR applies in the following situations:

Scenario                                                                     | GDPR applies
Organizations based in the EU                                                | Yes
Organizations outside the EU offering goods or services to people in the EU  | Yes
Organizations monitoring the behavior of people in the EU                    | Yes

For example, a company in the United States that sells products to EU customers or tracks EU website visitors may still need to comply with GDPR.

What counts as personal data?

Under the GDPR, personal data is any information that can identify a person, either on its own or when combined with other data. That includes obvious identifiers such as names, email addresses, and phone numbers, as well as less-obvious identifiers such as IP addresses, location data, or device IDs. In simple terms, if a piece of information could reasonably be used to figure out who someone is, it likely counts as personal data under the GDPR.

The seven principles of GDPR

The regulation is built around seven core principles that guide how organizations handle personal data.

Lawfulness, fairness, and transparency

Personal data must be processed legally, and users must understand how it is used.

Purpose limitation

Data must be collected for specific and legitimate purposes.

Data minimization

Organizations should collect only the data that is necessary.

Accuracy

Personal data must be accurate and kept up to date.

Storage limitation

Data should not be kept longer than necessary.

Integrity and confidentiality

Personal data must be protected against unauthorized access or loss.

Accountability

Organizations must be able to demonstrate compliance with these principles.

These principles form the foundation of GDPR compliance.

Legal bases for processing personal data

GDPR requires organizations to have a valid legal reason for processing personal data.

The regulation defines six possible legal bases.

  • Consent from the user
  • Performance of a contract
  • Compliance with a legal obligation
  • Protection of vital interests
  • Public interest or official authority
  • Legitimate interests of the organization

Consent is commonly used for marketing activities and cookie tracking, but it is not always required if another legal basis applies.

Key GDPR requirements for businesses

Organizations must implement several practical measures to meet GDPR obligations. These measures help organizations demonstrate accountability.

Requirement            | What it means
Privacy policy         | Clearly explain what personal data you collect and how it is used
Legal basis            | Identify the legal reason for each processing activity
Consent management     | Obtain and record consent where required
User rights            | Allow users to access, correct, or delete their data
Data security          | Protect personal data with appropriate safeguards
Breach notification    | Report certain data breaches to the supervisory authority within 72 hours
Records of processing  | Maintain documentation of data processing activities

User rights under GDPR

One of the central goals of GDPR is to give individuals greater control over their personal data.

The regulation grants several rights to users.

  • Right to be informed about how their data is used
  • Right of access to the personal data that an organization holds about them
  • Right to rectification of inaccurate data
  • Right to erasure, also known as the right to be forgotten
  • Right to restrict processing in certain situations
  • Right to data portability between services
  • Right to object to certain types of data processing
  • Rights related to automated decision-making and profiling

Organizations must provide ways for individuals to exercise these rights.

Cross-border data transfers

GDPR also regulates the transfer of personal data outside the European Economic Area.

Data transfers are allowed only when certain safeguards are in place.

Examples:

  • Countries recognized as providing adequate data protection
  • Standard Contractual Clauses
  • Binding Corporate Rules

These mechanisms ensure that personal data remains protected even when transferred internationally.

GDPR compliance strategies

Staying compliant with the GDPR isn’t about ticking a single box. It requires clear processes for how your organization collects, uses, and protects personal data. While every business is different, most GDPR compliance strategies start with a few fundamental steps.

Organizations should focus on:

  • Understanding what data you collect. Map the personal data your business collects, where it comes from, and how it is used.
  • Identifying a legal basis for processing. Make sure every data processing activity has a valid legal basis under the GDPR, such as consent, contract, or legitimate interest.
  • Being transparent with users. Clearly explain your data practices in an accessible privacy policy and provide users with meaningful information about how their data is handled.
  • Managing consent properly. When consent is required, collect it in a clear and verifiable way and keep records of it.
  • Respecting user rights. Put processes in place to respond to requests such as access, deletion, correction, or data portability.
  • Protecting personal data. Implement appropriate technical and organizational security measures to safeguard the data you process.
  • Keeping internal documentation. Maintain records of processing activities and review them regularly to ensure they stay accurate as your business evolves.

Together, these steps create a solid foundation for maintaining GDPR compliance as your organization grows.

A practical GDPR compliance framework

For many organizations, GDPR compliance becomes easier when it is approached through a structured framework. Instead of treating privacy as a one-time task, businesses should build processes that guide how personal data is collected, documented, and protected across the organization.

A practical GDPR framework typically includes the following steps:

  • Understand what personal data you collect. Identify the types of personal data your organization collects, where it comes from, and how it is used.
  • Define a legal basis for processing. Ensure each processing activity has a valid legal basis under the GDPR, such as consent, contractual necessity, or legitimate interest.
  • Provide clear privacy information. Make your data practices transparent through accessible privacy policies and clear disclosures to users.
  • Manage consent where required. Collect and store consent in a way that is verifiable, easy to withdraw, and properly documented.
  • Keep records of processing activities. Maintain internal documentation that describes what data you process, why it is processed, and who it is shared with.
  • Protect personal data. Implement appropriate technical and organizational measures to safeguard personal data.
  • Review and update regularly. As your services, tools, and partners change, review your compliance setup to ensure it remains accurate and up to date.

Together, these steps help organizations build a practical and sustainable foundation for GDPR compliance.

GDPR fines and consequences of non-compliance

GDPR introduced significant penalties for organizations that fail to comply with the regulation.

Violation level          | Maximum fine
Less serious violations  | Up to €10 million or 2 percent of global annual turnover, whichever is higher
Serious violations       | Up to €20 million or 4 percent of global annual turnover, whichever is higher

In addition to financial penalties, authorities may issue warnings, conduct audits, or restrict certain data processing activities.

GDPR compliance checklist

Here’s a simplified checklist organizations can use as a starting point.

  • Publish a clear and accessible privacy policy
  • Identify the legal basis for all data processing activities
  • Obtain consent when required
  • Implement a compliant cookie banner if cookies are used
  • Maintain records of consent and data processing
  • Enable users to exercise their data rights
  • Protect personal data with appropriate security measures
  • Regularly review and update compliance practices


Frequently asked questions about GDPR

Does GDPR apply to businesses outside the EU?

Yes. GDPR can apply to organizations outside the EU if they offer goods or services to people in the EU or monitor their behavior, such as through website tracking or analytics.

Do small businesses need to comply with GDPR?

Yes. Business size does not automatically exempt you from GDPR. If you process personal data from people in the EU, the regulation may apply regardless of company size.

Do I need a Data Protection Officer (DPO)?

Only some organizations must appoint a DPO. This usually applies to public authorities or companies that process large amounts of sensitive data or monitor individuals at scale.

How long can personal data be stored under GDPR?

Personal data should only be kept for as long as it is necessary for the purpose it was collected. Organizations must define retention periods and delete or anonymize data when it is no longer needed.

Start simplifying GDPR compliance today

Aligning with GDPR compliance involves many moving parts. Understanding what data you collect, being transparent with users, managing consent, and keeping proper records all take time and attention. The good news is you don’t have to handle everything manually.

iubenda helps you simplify the process, from generating privacy and cookie policies to managing consent and documenting your data processing activities in one place. Start simplifying your GDPR compliance today, and spend less time worrying about regulations and more time building your business. Create a new project to get a free website compliance audit and recommendations for how to build your compliance setup.


What is the GDPR and how will it affect your business
https://www.iubenda.com/en/blog/what-is-the-gdpr-eu-data-protection/
Fri, 30 Mar 2018 13:27:32 +0000

GDPR: The term has been going around for some time now in the business space and more recently with an increased sense of urgency.

But, what is it really? And more importantly, why should you care?

What exactly is the GDPR

The acronym GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and at its most basic, it specifies how user data should be collected, used, protected or interacted with in general. The intent here is to bolster and centralize data protection within the EU, putting personal data control back into the hands of all people whose personal data fall within its scope.

The GDPR is the biggest change to data protection in the region in 20 years and replaces the Data Protection Directive of 1995 (Directive 95/46/EC). The regulation was adopted in April 2016 and, after a two-year transition period, becomes fully enforceable on May 25th, 2018 (meaning that you are expected to be GDPR compliant by that date!).

Does GDPR apply to you?

The short answer is: most likely, yes. The GDPR applies to all government agencies, companies and organizations (including non-profits) and individuals that are based in the EU; or monitor the behavior of people in the EU in any way (for example by tracking website visitors); or offer goods and/or services to people in the EU (even if the offer is free).

This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether you’re located in the EU or not.

As a matter of fact, a recent PwC survey showed that GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.

What exactly does “Personal Data” comprise?

Personal data within the context of the GDPR refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person. It also covers data that has been pseudonymized or encrypted, as long as the pseudonymization or encryption is reversible; only data that has been truly anonymized, so that nobody can re-identify the person, falls outside the regulation.
In terms of meeting data protection obligations under the regulation, this means that the decryption keys or lookup tables needed to reverse the pseudonymization must be kept separately from the pseudonymized data, under their own access controls, so that the data set on its own cannot be attributed to a person.
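The following is an added illustration of the point above, written for this page and not code from iubenda: a constructed customer table is pseudonymized for analytics with a keyed hash, and the key together with the token-to-identity map is held in a separate store. The analytics copy can still be joined per person, but only the holder of the separate store can re-identify anyone, which is exactly why the tokenized table is still personal data. The customer records, the `PseudonymVault` class and the function names are assumptions made for the example.

```python
"""Pseudonymisation with the re-identification data kept separately.

Added illustration, not code from iubenda: a constructed customer table is
pseudonymised for analytics. The analytics copy carries only a keyed-hash
token per person; the secret key and the token-to-identity map live in a
separate, access-controlled store. Under the GDPR the tokenised table is
still personal data, because whoever holds that store can re-identify it.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; the addresses are not real people.
CUSTOMERS: List[Dict] = [
    {"email": "alice@example.com", "country": "IT", "purchases": 3},
    {"email": "bob@example.com", "country": "DE", "purchases": 1},
    {"email": "Alice@example.com", "country": "IT", "purchases": 2},
]


class PseudonymVault:
    """Holds the pseudonymisation key and the token -> identifier map.

    This is the "additional information" of GDPR Article 4(5): it must be
    stored and access-controlled separately from the pseudonymised dataset.
    With it, every token can be reversed; without it, tokens are opaque.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def tokenise(self, identifier: str) -> str:
        # Keyed hash: the same identifier always yields the same token, so
        # records for one person can still be joined in the analytics copy,
        # but the token cannot be computed or reversed without the key.
        normalised = identifier.strip().lower()
        digest = hmac.new(self.key, normalised.encode("utf-8"), hashlib.sha256)
        token = digest.hexdigest()[:16]
        self._lookup[token] = normalised
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Reverse a token; only possible for the holder of this vault."""
        return self._lookup.get(token)


def pseudonymise(records: List[Dict], vault: PseudonymVault) -> List[Dict]:
    """Return an analytics copy with the direct identifier replaced by a token."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject"] = vault.tokenise(copy.pop("email"))
        out.append(copy)
    return out


def purchases_by_subject(pseudonymised: List[Dict]) -> Dict[str, int]:
    """Analytics that joins records per person without knowing who they are."""
    totals: Dict[str, int] = {}
    for rec in pseudonymised:
        totals[rec["subject"]] = totals.get(rec["subject"], 0) + rec["purchases"]
    return totals


if __name__ == "__main__":
    vault = PseudonymVault()                      # kept apart from `analytics`
    analytics = pseudonymise(CUSTOMERS, vault)
    for token, total in purchases_by_subject(analytics).items():
        # Only the vault holder can turn the token back into a person.
        print(token, total, "->", vault.reidentify(token))
```

The separation is the whole point: the analytics dataset and the vault should live in different systems with different access rights, and rotating or destroying the vault key is what turns the dataset from pseudonymized into effectively anonymized.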

Examples of personal data include (but are not limited to) basic identity data such as names, health, genetic & biometric data, web data such as IP addresses, political opinions, and sexual orientation data.

Examples of non-personal data include company registration numbers, generic company email addresses such as info@company.com, and anonymized data.

Are there penalties for non-compliance?

Yes. The legal ramifications of non-compliance include fines, sanctions (including audits) and potential litigation.

  • The fines are up to EUR 20 million (€20m) or 4% of annual worldwide turnover (whichever is greater).
  • Sanctions include official reprimands (for first-time violations) and periodic data protection audits (which can lead to the potential seizure of valuable data in cases where similar data was obtained using non-compliant methods).
  • Under the GDPR, users have the right to compensation for any damages resulting from an organization’s non-compliance, thereby leaving violators open to potential legal action.

So it’s pretty important to be ready.

Core requirements of the regulation

Special definitions used below:
* The term ‘user’ here means an individual whose personal data is processed by a controller or processor (the GDPR calls this person the ‘data subject’).
* The term ‘data controller’ means any person or legal entity that determines the purposes and means of processing the personal data.
* The term ‘data processor’ means any person or legal entity that processes personal data on behalf of the controller.
(For example, an internet company may collect user information via its website and store it using a third-party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.)

Lawful basis for processing data (Article 6):
Under the GDPR, personal data may only be processed if at least one lawful basis applies.
The lawful bases are:

  • The user has given consent for one or more specific purposes.
  • The data processing is necessary for a contract in which the user is a participant or necessary in order to take steps (requested by the user) prior to entering the contract.
  • The processing is necessary for fulfilling a legal obligation to which the data controller is subject.
  • The processing is necessary for protecting the vital interests of the user or of another person.
  • The processing is necessary for doing a task carried out in the interest of the public or as contained under the official authority given to the data controller.
  • The processing is necessary for the legitimate interests of the data controller or third party, except where overridden by the interests, rights and freedoms of the user, in particular where the user is a child.

Consent (Articles 7&8):
Consent obtained from users must be freely given, specific, informed and unambiguous, expressed through a clear affirmative action (opt-in), and you must be able to demonstrate it. In getting consent for data use, you may not use overly complicated or indecipherable terms/wording; this includes legalese and unnecessary jargon. This means that privacy notices must be laid out legibly, using understandable language and clauses, so that users are clear on what they’re consenting to. For children below the age of 16 (member states may lower this threshold to no less than 13), consent must be given or authorised by the holder of parental responsibility, and you must make reasonable efforts to verify this (e.g., control questions). In general, it must be as easy for users to withdraw consent as it is for them to give it.
Because consent is such an important issue under the GDPR, it is mandatory that you keep detailed records of it. The records should contain details of when and how consent was obtained, which purposes it covers, and exactly what the user was told at the time, including the wording of the notice they saw.
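To make the record-keeping requirement concrete, here is an added example (written for this page, not iubenda’s own consent solution) of a minimal consent log: each event stores the time, the purposes, how the consent was captured, and a SHA-256 fingerprint of the exact notice text shown, so the record cannot drift from what the user actually saw; withdrawals are appended as events of their own, and the current state is derived from the history rather than edited in place. The `ConsentLog` class, the notice texts, purposes and user ids are constructed for the example.

```python
"""Consent records that prove when, how and under which wording consent was given.

Added illustration, not code from iubenda. Each event stores the time, the
purposes, the capture method, the SHA-256 of the exact notice text shown, and
whether it was a grant or a withdrawal, so the record cannot drift from what
the user actually saw. NOTICE_V1/NOTICE_V2, the purposes and the user ids are
constructed samples.
"""
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Optional

NOTICE_V1 = "We use analytics cookies to measure traffic. You can withdraw at any time."
NOTICE_V2 = "We use analytics and advertising cookies. You can withdraw at any time."


def notice_fingerprint(text: str) -> str:
    """Hash of the notice wording; store this, not a mutable 'version' label."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ConsentLog:
    """Append-only consent events; the current state is derived, never edited."""

    def __init__(self) -> None:
        self._events: List[Dict] = []

    def record(self, user_id: str, purposes: List[str], notice_text: str,
               method: str, when: Optional[str] = None) -> Dict:
        """Record a grant. `when` is an ISO-8601 UTC timestamp (defaults to now)."""
        return self._append(user_id, purposes, method, when,
                            granted=True, notice_sha256=notice_fingerprint(notice_text))

    def withdraw(self, user_id: str, purposes: List[str], method: str,
                 when: Optional[str] = None) -> Dict:
        """Record a withdrawal; it must be as easy to log as a grant."""
        return self._append(user_id, purposes, method, when,
                            granted=False, notice_sha256=None)

    def _append(self, user_id, purposes, method, when, granted, notice_sha256):
        event = {
            "user_id": user_id,
            "at": when or datetime.now(timezone.utc).isoformat(),
            "purposes": sorted(purposes),
            "method": method,                 # e.g. "banner_accept", "settings_page"
            "notice_sha256": notice_sha256,   # None for withdrawals
            "granted": granted,
        }
        self._events.append(event)
        return event

    def history(self, user_id: str) -> List[Dict]:
        """Chronological events for one user (what you hand over on an access request)."""
        return sorted((e for e in self._events if e["user_id"] == user_id),
                      key=lambda e: e["at"])

    def current_consent(self, user_id: str) -> Dict[str, Optional[str]]:
        """Latest decision per purpose: purpose -> notice hash it was granted under,
        or None if the most recent event for that purpose was a withdrawal."""
        state: Dict[str, Optional[str]] = {}
        for event in self.history(user_id):
            for purpose in event["purposes"]:
                state[purpose] = event["notice_sha256"] if event["granted"] else None
        return state

    def has_consent(self, user_id: str, purpose: str,
                    notice_text: Optional[str] = None) -> bool:
        """True if the purpose is currently consented. If `notice_text` is given,
        also require that consent was obtained under exactly that wording, so a
        changed notice (new purposes, new partners) forces fresh consent."""
        fingerprint = self.current_consent(user_id).get(purpose)
        if fingerprint is None:
            return False
        return notice_text is None or fingerprint == notice_fingerprint(notice_text)


if __name__ == "__main__":
    log = ConsentLog()
    log.record("u1", ["analytics"], NOTICE_V1, "banner_accept",
               when="2026-03-01T10:00:00+00:00")
    print(log.has_consent("u1", "analytics", NOTICE_V2))  # False: granted under V1 wording
    log.withdraw("u1", ["analytics"], "settings_page", when="2026-03-03T09:00:00+00:00")
    print(log.has_consent("u1", "analytics"))             # False: withdrawn
```

Checking consent against the fingerprint of the notice currently in production is what catches the common failure: the cookie policy or the list of purposes changes, but the stored "consented: yes" flag keeps tracking running under wording the user never saw.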

User Rights:
Under the GDPR users have specific rights that must be honored. These include:

  • The right to be informed (Articles 13&14): Beyond the information that must be given when data is collected (the identity of the controller, the purposes and legal basis of the processing, the recipients, the retention period and the user’s rights), the GDPR further requires that your privacy notices are concise, easy to understand and easily accessible throughout your website/app.
  • The right of access (Article 15): Users have the right to access to their personal data and information about how their personal data is being processed.
  • The right to rectification (Article 16): Users have the right to have their personal data rectified if it is inaccurate or incomplete.
  • The right to erasure (Article 17): When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased and all dissemination ceased.
  • The right to restrict processing (Article 18): Users have the right to restrict the processing of their personal data in specific cases.
  • The right to data portability (Article 20): Users have the right to obtain (in a machine-readable format) and use their personal data for their own purposes.
  • The right to object (Article 21): Under the GDPR, users have the right to object to certain activities in relation to their personal data.
  • Rights related to automated decision making and profiling (Article 22): Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.

Privacy by design and default (Article 25):
Data protection should be included from the onset of design and development of the business processes and infrastructure. This means that privacy settings should be set to ‘high’ by default and measures put into place to make sure that the processing life cycle of the data falls within the GDPR requirements.

Maintain records of processing activities (Article 30):
Controllers and processors must keep up-to-date records of the data processing activities being carried out. Organizations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to the rights and freedoms of individuals, is not occasional, or involves special categories of data; in practice, most organizations that process personal data regularly need to keep these records.

Breach Notification (Articles 33&34):
If there is a data breach, the data processor must notify the controller without undue delay after becoming aware of it. The data controller must then notify the Supervisory Authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals (every breach must still be documented internally). Where the breach is likely to result in a high risk to the affected users, they must also be informed without undue delay, unless the breached data had been rendered unintelligible to unauthorized parties (for example via encryption with a key that was not compromised).

Data Protection Impact Assessment (Article 35):
A data protection impact assessment (DPIA) is a process used to help organizations comply effectively with the GDPR and ensure that the principles of accountability, privacy by design and privacy by default are put in practice by the organization.
Generally speaking, the DPIA is only mandatory in cases where data processing activity is likely to result in a high risk for users (this is particularly applicable when introducing new processing technology). However, if unsure as to whether or not your processing activity falls within what is considered “high risk”, it is recommended that a DPIA be carried out nonetheless as it is a useful tool for ensuring that the law is complied with.

Appointment of Data Protection Officers (Article 37):
A Data Protection Officer (DPO) must be appointed by public authorities (except courts acting in their judicial capacity), by organizations whose core activities consist of regular and systematic monitoring of individuals on a large scale, and by organizations whose core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions. The DPO must have expert knowledge of data protection law and practices, and should also be proficient in IT process management, data security and the other critical issues surrounding the processing of personal and sensitive data.

Cross-border data transfers (Articles 44-50):
The GDPR permits transfers of personal data outside of the European Economic Area (EEA) only under set conditions: the destination country or region must be covered by a European Commission adequacy decision certifying an “adequate” level of personal data protection by EU standards, or, where it is not, the transfer must be protected by appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs). Outside of these conditions, a transfer may still rely on the user’s explicit consent, in which case the consent must be given on the basis of sufficiently precise information, including information on the possible risks of the transfer due to the absence of an adequacy decision and of appropriate safeguards.

What this means for businesses

As with most new regulations, the GDPR has its pros and cons from a business point of view. Generally speaking, the new rules will mean more restrictions on the commercial use of data and more initial spending on becoming compliant. However, in the long term, the regulation is intended to encourage innovation, reduce the cost of doing business in the EU, mitigate risks and their associated costs, safeguard individuals’ data protection rights and encourage consumer trust.

Next Steps

In terms of compliance, some of the first logical steps are to:

  • Make sure that your privacy policy is compliant with the regulation. You can click here for information on what your privacy policy should contain (at the very least), or you can simply generate one here.
  • Review your current data processing systems and ensure that they are up to regulatory specifications.
  • Review your data processors’ GDPR readiness (data processors can include your cloud service provider, email marketing service providers, analytics companies etc.). The ICO’s controller/processor Contracts and liabilities Guide is a good place to start.

Looking for more in-depth information on the GDPR? You’re welcome to join us at our upcoming webinar. It’s free to attend and you can have your most pressing questions answered. You can use this link to reserve your spot now (as our webinars often fill up quickly).

You can also read our GDPR overview here and the full GDPR legal text here (available in several languages).

 

The post What is the GDPR and how will it affect your business appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Google Play’s Prominent Disclosure Requirements https://www.iubenda.com/en/blog/fix-make-sure-apps-fulfill-prominent-disclosure-requirements/ Thu, 07 Sep 2017 11:00:51 +0000

If you’re an Android developer who publishes their apps to the Google Play Store, you might have been warned by Google with the following email subject: “Action required – Potential Google Play Policy Violation: 30-day warning” and asked to take steps to fix the violation.

This post may also be read in German “Googles “Erfordernis der deutlichen Offenlegung” für den Play Store“.

 

More specifically, you would’ve been told, “We’re contacting you because the apps listed at the end of this email handle or request personal or sensitive user data. Apps like this must comply with the Prominent Disclosure requirements of our User Data policy“.

Google goes on to tell you what needs to be done, “Action required: Make sure your apps fulfill the Prominent Disclosure requirements of our User Data policy. If these requirements are not fulfilled within 30 days, your app may be removed from Google Play. Alternatively, you can remove any requests for sensitive permissions or user data within your app. You can also choose to unpublish your app.”

The good news up front: you’ve come to the right place. iubenda helps app and website owners create professional privacy policies, and these policies work just as well for apps built in the Android ecosystem.

This email seems to target slightly different issues than the one we looked at before about a missing privacy policy.

Let’s look at what else is inside the email and how you ultimately fix your problem.

What are the steps to take?

The warning is being sent to you because you may have a privacy policy in place, but it isn’t good enough. Here are the steps to take:

Summary of what’s wrong and how you can fix your problem (as presented by Google itself)

If you need to make changes to your apps, please follow these steps:

  • Read through the Prominent Disclosure requirements of our User Data policy.
  • Post a privacy policy within the app itself.
  • Sign in to your Play Console and post a privacy policy in the designated field on the app’s Store listing page.
  • Unless the user data is related to app functionality described prominently in the app’s listing on Google Play or in the app interface, you must display a prominent disclosure mechanism to users within the app, highlighting how their data will be used.
  • This disclosure mechanism must be shown before collecting or transmitting any user data.
  • This disclosure mechanism must require affirmative user action (e.g. tap to accept, tick a check-box, a verbal command, etc.) in order to accept.
  • If you have other apps in your catalog that handle sensitive user or device information, make sure they comply with these requirements as well.

The most important step is understanding the Prominent Disclosure requirements of the User Data policy.

Prominent Disclosure requirements in the User Data policy

In Google’s User Data policy you can find the requirements set out for special disclosures:

If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.

Your in-app disclosure:

  • Must be within the app itself, not only in the Play listing or a website;
  • Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
  • Must describe the type of data being collected;
  • Must explain how the data will be used;
  • Cannot only be placed in a privacy policy or terms of service; and
  • Cannot be included with other disclosures unrelated to personal or sensitive data collection.

Your app’s request for consent:

  • Must present the consent dialog in a clear and unambiguous way;
  • Must require affirmative user action (e.g. tap to accept, tick a check-box, a verbal command, etc.) in order to accept;
  • Must not begin personal or sensitive data collection prior to obtaining affirmative consent;
  • Must not consider navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
  • Must not utilize auto-dismissing or expiring messages.

The point to understand is the following: Google apparently considers the collection of data that isn’t clear from your app page or from within your interface to be covered by this prominent disclosure policy.

This is a notice for your user in addition to your privacy policy, and it should ultimately link there for an explanation of the data processed. The data must not be processed until you have affirmative consent from your user. This is what you need to fix.

You have two options: 

  1. remove the offending data collection
  2. properly inform via in-app disclosures and consent collection and link it to a proper privacy policy
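For option 2, the following Kotlin class is an added illustration of how the disclosure and consent rules above translate into app code; it is not code from this post, from iubenda or from Google. It assumes a hypothetical “nearby players” feature that uses the device location (data unrelated to the app’s advertised functionality), an assumed package name, an assumed preferences file name, and an app-side `startLocationCollection()` function that exists only in this example. The dialog text is a placeholder to be replaced with your own description of the data and its use.

```kotlin
package com.example.consent   // assumed package name for this example

import android.app.Activity
import android.app.AlertDialog
import android.content.Context

/**
 * Added example: gates collection of data that is unrelated to the app's advertised
 * functionality (here a hypothetical "nearby players" feature that uses location)
 * behind an in-app prominent disclosure with affirmative consent. The decision is
 * stored in app-private SharedPreferences so the disclosure is shown once and the
 * user's choice is honoured on every later launch.
 */
class ConsentGate(private val activity: Activity) {

    private val prefs = activity.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)

    private fun decision(): Int = prefs.getInt(KEY_LOCATION_DECISION, UNDECIDED)

    /** True only after the user has tapped "Allow"; never true by default. */
    fun hasConsent(): Boolean = decision() == GRANTED

    private fun record(value: Int) = prefs.edit().putInt(KEY_LOCATION_DECISION, value).apply()

    /**
     * Call this from the normal flow of the screen that needs the data (e.g. onResume
     * of the feature's Activity), not from a buried settings menu. [onGranted] is the
     * only place collection starts, so nothing is collected or transmitted before consent.
     */
    fun requestIfNeeded(privacyPolicyUrl: String, onGranted: () -> Unit) {
        when (decision()) {
            GRANTED -> { onGranted(); return }
            DENIED -> return            // respect the refusal; the feature simply stays off
        }

        AlertDialog.Builder(activity)
            .setTitle("Location data")
            // The dialog itself names the data type and its use; linking the full policy
            // is in addition to, not instead of, this text.
            .setMessage(
                "This app collects your device location to suggest nearby players. " +
                "Location is sent to our servers and kept for 30 days. " +
                "Full details: $privacyPolicyUrl"
            )
            // Back button and taps outside the dialog must not count as consent, and the
            // dialog must not auto-dismiss: a non-cancelable dialog waits for a button tap.
            .setCancelable(false)
            .setPositiveButton("Allow") { _, _ ->
                record(GRANTED)         // the affirmative action the policy asks for
                onGranted()
            }
            .setNegativeButton("No thanks") { dialog, _ ->
                record(DENIED)          // explicit refusal; the app must keep working without the data
                dialog.dismiss()
            }
            .show()
    }

    companion object {
        private const val PREFS_NAME = "consent_prefs"                    // assumed name
        private const val KEY_LOCATION_DECISION = "location_decision_v1"  // bump the suffix if the disclosure text changes
        private const val UNDECIDED = 0
        private const val GRANTED = 1
        private const val DENIED = 2
    }
}

// Usage from the feature's Activity; startLocationCollection() is the app's own code (assumed):
//   ConsentGate(this).requestIfNeeded("https://example.com/privacy") { startLocationCollection() }
```

Two design points worth noting: the consent key carries a version suffix so that a material change to the disclosure text re-prompts users instead of silently reusing an old “Allow”, and a refusal is stored as its own state so the app neither nags on every launch nor treats a dismissed prompt as acceptance.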

By the way, adding Android permissions to a privacy policy is super easy with iubenda:

Android privacy policy generation on iubenda

  • Use our generator for mobile apps;
  • Add our service called “Device permissions for Personal Data access”;
  • Choose all the other services you need for your app, add them to your privacy policy, then:
    1. Embed the privacy policy into your app or link to it from the app;
    2. Link to it from the Play Store page;
    3. Possibly link to it from your marketing website.

When you’re done with all of the above, resubmit your fixed app!

P.s. if you’re interested you may read our more general post about privacy policy for Android apps. It contains additional information about how to structure and write a privacy policy from scratch.

EU data protection reform: General Data Protection Regulation https://www.iubenda.com/en/blog/general-data-protection-regulation/ Wed, 02 Mar 2016 11:10:19 +0000

Europe has a new privacy law. The data protection framework for Europe starting 2018 is called: General Data Protection Regulation – GDPR. Read on for an overview and the most important changes.

The new EU privacy law in short

This is what the new EU privacy law brings in short:

  • Applicable from May 25th, 2018 (it entered into force in May 2016, therefore allowing two years to adapt to its requirements);
  • The GDPR will be directly applicable in all of the EU (therefore the same rules for all countries), unlike the existing rules under the current privacy directives and European framework;
  • Increased control over personal data for individuals, which allows you to take your data with you and therefore take it to other service providers;
  • Children are subject to additional conditions for data processing
  • Simplifications for businesses in dealing with data privacy

The new EU privacy law in-depth

In January (2016), the European Union released a draft of the new European Data Protection Regulation which will replace the current centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC.

On May 4th, 2016, the General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union.

As is the case with EU Regulations, the GDPR entered into force for the entire territory of the Union on the twentieth day after publication, that is to say, May 24th, 2016; however, due to its two-year implementation period it will not apply until May 25th, 2018.

The new Regulation is a milestone in the field of data protection and will serve the purpose of strengthening the existing rights and empowering individuals with more control over their personal data, as well as creating business opportunities and encouraging innovation.

The reform at hand is based on Article 16 of the Treaty on the Functioning of the European Union (TFEU), which allows the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Member States when carrying out activities which fall within the scope of Union law.

It also allows the adoption of rules relating to the free movement of personal data, including personal data processed by Member States or private parties.

The reform consists of two legislative instruments:

  • The General Data Protection Regulation with regard to the processing of personal data and on the free movement of such data (which is the one, we as businesses and consumers are mostly interested in).
  • The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.

1. The General Data Protection Regulation

First and foremost, it’s important to understand that this will be a regulation, not a directive like the previous Directive 95/46/EC. These two terms are often used interchangeably, but they actually have very different meanings: in fact, a directive is legislatively implemented by individual countries whereas a regulation, once adopted, becomes immediately enforceable as law in all member states simultaneously.

Strengthening of individuals’ rights

The regulation will concern both users and businesses. In fact, on one hand the new rules serve the purpose of strengthening the existing rights and empowering individuals with more control over their personal data. In particular, these include:

  1. easier access to your own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way;
  2. a right to data portability: it will be easier to transfer your personal data between service providers;
  3. a clarified “right to be forgotten”: when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted;
  4. processing of personal data of a child: introduction of conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them;
  5. the right to know when your data has been hacked: for example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.

Business principles

On the other hand – by unifying Europe’s rules on data protection – lawmakers aim to create business opportunities and encourage innovation. In this perspective the new regulation will establish new principles:

  • I. One continent, one law: the regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.
  • II. One-stop-shop: businesses will only have to deal with one single supervisory authority. This is estimated to save €2.3 billion per year.
  • III. European rules on European soil: companies based outside of Europe will have to apply the same rules when offering services in the EU.
  • IV. Risk-based approach: the rules will avoid a burdensome one-size-fits-all obligation and rather tailor them to the respective risks.
  • V. Rules fit for innovation: the regulation will guarantee that data protection safeguards are built into products and services from the earliest stage of development (“Data protection by design”). Privacy-friendly techniques such as pseudonymisation will be encouraged, to reap the benefits of big data innovation while protecting privacy.

Moreover, this reform will “cut costs and red tape” for European business, with particular attention to small and medium enterprises (SMEs). The EU’s data protection reform will help SMEs break into new markets. Under the new rules, SMEs will benefit from four reductions in red tape:

  • I. No more notifications: notifications to supervisory authorities are a formality that represents a cost for business of €130 million every year. The reform will scrap these entirely.
  • II. Every penny counts: where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
  • III. Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
  • IV. Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a high risk.

The second instrument of the reform, covered in the next section, deals with protecting personal data in the area of law enforcement and better cooperation between law enforcement authorities.

2. Data Protection Directive for Police and Criminal Justice Authorities

According to the European Commission, this directive aims to improve cooperation between law enforcement authorities by enhancing mutual trust between the police and judicial authorities of different Member States, thus contributing to a free flow of data and to effective cooperation between them. It will also give citizens better protection of their data: personal data will be better protected when processed for any law enforcement purpose, including the prevention of crime, and this protects everyone, regardless of whether they are a victim, suspect or witness. All law enforcement processing in the Union must comply with the principles of necessity, proportionality and legality, with appropriate safeguards for the individuals concerned. Supervision is ensured by independent national data protection authorities, and effective judicial remedies must be provided.

Next Steps

Now it’s time to review the above principles, wait for additional instructions, guidance and – when the time has come – the practice by European courts and data protection authorities.

The official documents about the reform of EU data protection rules can be found here.

How to Add/Link a Privacy Policy to an App https://www.iubenda.com/en/blog/privacy-policy-app-store-guide-link/ Fri, 07 Feb 2014 08:11:47 +0000

In short

For mobile apps, you should consider adding your privacy policy in 3 places:

  1. into the actual app (menu?);
  2. into the app store as a link;
  3. on the promotional website, if you have one.

The fact that privacy policies should not be a simple afterthought for developers and app owners has probably sunk in with most people by now. There are various reasons why you should add a privacy policy to your app, many of which can be traced back to California’s Attorney General and her efforts to improve the privacy situation in apps.

Where we still see a lot of room for improvement at the moment is the way the privacy policy is displayed in an app. We always rejoice when we see a product using our policies in an efficient and elegant way. Therefore, we’re now publishing a quick guide to show how you could effectively embed a privacy policy in your app.

To illustrate this guide we’re going to use Wordbase, an app that started using iubenda and made a good impression with their implementation practices.

Minimal theory about privacy policies in apps

Data protection authorities have been working on improving the privacy situation in apps for a good while now. There’s a fair amount of guidance and documentation to be found about that fact. This should not be a surprising development, mobile phones are becoming devices with access to our most intimate details. This trend will continue.

The basic premise is that when the use of your app involves processing of personal data of individuals, privacy laws will kick in. One of the consequences is the required disclosure of your data processing to your users and that information should be made readily available before a mobile app is downloaded.

How should you link to your privacy policy in your app?

So let us move to this article’s main question: how should you link your privacy policy for your app?

To illustrate that, we’ll use a quote from Europe’s Article 29 Working Party, the EU’s independent advisory body on data protection (since replaced by the European Data Protection Board). Emphasis added; you can view the paper in full here, mainly under 3.7.2, the form of the information:

The essential scope of information about data processing 1) must be available to the users before app installation, via the app store. Secondly, the relevant information about the data processing 2) must also be accessible from within the app, after installation.

As a joint controller with the app developers with regard to information, app stores must ensure that every app provides the essential information on personal data processing. They should check the hyperlinks to included pages with privacy information and remove apps with broken links or otherwise inaccessible information about the data processing.

Make sure your users can view the policy before the installation. They should also be able to view the “relevant information about the data processing” from within the app.

The Working Party recommends that information about personal data processing is also available, and easy to locate, such as within the app store 3) and preferably on the regular websites of the app developer responsible for the app. It is unacceptable that the users be placed in a position where they would have to search the web for information on the app data processing policies instead of being informed directly by the app developer or other data controller.

Make your policies available where people are viewing your app.

At the very least, every app should have a readable, understandable and easily accessible privacy policy, where all the above-mentioned information is included. Many apps do not meet this minimum transparency requirement. According to the June 2012 FPF study, 56% of the paid apps do not have a privacy policy and almost 30% of the free apps.

Apps which do not, or are not intended for the processing of personal data, should clearly state this within the privacy policy.

Therefore add your privacy policy to:

  1. the app store page;
  2. within the app, preferably in the main settings view; and
  3. on your promotional site that is connected with the app.

Privacy policy in the app

On websites a privacy policy belongs in the footer or in other main navigation that is easily available from virtually any page. For apps this is a bit more complicated because of space constraints, but there will usually be a good spot in the settings or navigation list.

Example Wordbase app:

Wordbase App

Privacy policy on the app store page

This one is important. Make the privacy policy available before the download on the app store. The stores have dedicated link forms for this. iubenda makes this very easy, just grab the link for your generated privacy policy and paste it there.

Wordbase on the App Store:

Wordbase on the App Store

To help you find your way around, we’ve made two guides for the most popular app stores out there:

Privacy policy on your website

Last but not least, make use of your online pages and link to your privacy policy from your app’s page as well.

Example website wordbaseapp.com:

Wordbase Website

All of this is really just a consequence of informing your users before they use your app and shouldn’t be too hard to do. Yet many developers and app owners don’t do this consistently. Don’t be one of them; do it right.

Bonus tip: Privacy policy offline mode

Some privacy authority bodies request that a privacy policy be available within the app in offline mode. In that case, you would need to embed the privacy policy text in a view to be available without an internet connection.

With iubenda you’d just embed the policy in a view in your app and cache the content to stay available also in offline mode.

All the information on how to make your privacy policy available for offline viewing can be found here.
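As an added illustration of the offline approach described above (not code from this post or from iubenda), the Kotlin class below keeps a local copy of the policy so the in-app view never depends on a live connection. It assumes an app that bundles a fallback copy of the policy as `assets/privacy_policy.html`, declares the `INTERNET` permission, and calls `refresh()` from a background thread; the package name, asset file name and cache file name are assumptions for the example.

```kotlin
package com.example.policy   // assumed package name for this example

import android.content.Context
import android.webkit.WebView
import java.io.File
import java.io.IOException
import java.net.HttpURLConnection
import java.net.URL

/**
 * Added example: keeps the privacy policy readable without a network connection.
 * When displaying, it prefers (1) a copy fetched earlier and stored in app-private
 * storage, and otherwise falls back to (2) the copy bundled in assets/ at build time,
 * so the policy screen never shows a browser error page. refresh() performs network
 * I/O and must run off the main thread.
 */
class OfflinePrivacyPolicy(
    private val context: Context,
    private val policyUrl: String,                          // the hosted policy URL
    private val assetName: String = "privacy_policy.html",  // assumed bundled fallback
) {
    private val cacheFile = File(context.filesDir, "privacy_policy_cache.html")  // assumed name

    /** Fetches the latest policy; on any failure the previous cache is kept. Returns true if updated. */
    fun refresh(): Boolean {
        val conn = (URL(policyUrl).openConnection() as HttpURLConnection).apply {
            connectTimeout = 5_000
            readTimeout = 5_000
        }
        try {
            if (conn.responseCode != HttpURLConnection.HTTP_OK) return false
            val html = conn.inputStream.bufferedReader().use { it.readText() }
            // Write to a temp file first so a half-written download never replaces a good cache.
            val tmp = File(context.filesDir, "privacy_policy_cache.tmp")
            tmp.writeText(html)
            return tmp.renameTo(cacheFile)
        } catch (e: IOException) {
            return false                      // offline, timeout, or transport error: keep old copy
        } finally {
            conn.disconnect()
        }
    }

    /** Returns the best available copy: the cached download, else the bundled asset. */
    fun currentHtml(): String =
        if (cacheFile.exists()) cacheFile.readText()
        else context.assets.open(assetName).bufferedReader().use { it.readText() }

    /** Renders the policy into a WebView from the local copy; no network access is needed. */
    fun show(webView: WebView) {
        webView.settings.javaScriptEnabled = false   // the policy is static text; keep scripts off
        // The base URL lets relative links and stylesheets in the policy resolve when online.
        webView.loadDataWithBaseURL(policyUrl, currentHtml(), "text/html", "utf-8", null)
    }
}

// Usage (assumed): Thread { policy.refresh() }.start() at app start, and policy.show(webView)
// from the settings screen that hosts the privacy policy view.
```

Keeping the fetched copy in `filesDir` rather than the cache directory matters here: the system may purge the cache directory under storage pressure, which would leave only the bundled copy, whereas files in `filesDir` persist until the app removes them. Bundling a copy in `assets/` at release time guarantees a readable policy even on first launch with no connectivity.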

Privacy Policy for KISSmetrics https://www.iubenda.com/en/blog/privacy-policy-kissmetrics/ Wed, 05 Feb 2014 10:59:30 +0000

This post mainly answers the question of why you need to include a privacy policy on your website when you use KISSmetrics and how you can craft one using iubenda (or write a privacy policy for use with KISSmetrics yourself).

Let’s assume you have a website, you run KISSmetrics on it and you are thinking about including a privacy policy. What gives?

Quick Start Guide

  • Sign up/Sign in and choose our clause called “KISSmetrics”;
  • Generate the self-updating privacy policy with a few clicks;
  • Add the privacy policy to your site by embedding or linking to it;

1) Do I have to include a privacy policy when I use KISSmetrics?

There are two sides to this question from a legal perspective. But actually only one answer: YES.

  • There is the legal side of it: Depending on where you are you may fall under European, American (Californian) or Australian privacy laws. The list could go on since most countries have some sort of privacy regulations that extend onto the web – and hefty penalties for non-compliance.
  • For analytics services in general: analytical services collect some sort of personally identifiable information as a rule of thumb, which is why you have to disclose this fact to people via something like a privacy policy: More information about the legal framework can be found here.
  • There is the company policy side to it as well: Does Space Pencil, Inc., aka KISSmetrics require me in their terms to have a privacy policy when I use their service? See the answer in the next paragraph (2).

2) Am I required by KISSmetrics to post a privacy policy?

Yes. KISSmetrics requires their users to use a privacy policy. When you sign up for their service you consent to their terms that state the following regarding privacy policy:

By using the KISSmetrics Script implementing the use of such cookies, you represent and warrant that: (i) you will comply with all applicable laws relating to the placement of such cookies on Visitors’ computers; (ii) you have posted (or you will post) a privacy policy on each website on which you use the Service, which clearly and conspicuously discloses the use of such cookies and (iii) you have obtained all required consents and authorizations from your website Visitors relating to the use of such cookies.

And…

iii. you have posted (or you will post) a privacy policy on each website on which you use the Service, which contains a link to KISSmetrics’ Privacy Policy and clearly and conspicuously states that:
a) you use third-party service providers to provide certain analytics services to you in connection with your operation of such website, including the collection and tracking of certain data and information regarding the characteristics and activities of visitors to such website;
b) Visitors may opt-out of this analytics service by using KISSmetrics’ Opt-Out Feature;
c) you may disclose Visitor data, including Personally Identifiable Information, to certain such third-party services providers to obtain such services.

The most important parts in these terms regarding the privacy policy are:” (…) you have posted (or you will post) a privacy policy (…)“.

3) How do I add a privacy policy?

Usually, to make a privacy policy legally effective and compliant, it has to be easy to find. A best practice is to link to your privacy policy from your footer, where your users or visitors can find it at any given time. It should also not be styled to look like you want to hide it (smaller type, or light colors that make it practically indistinguishable from the background).

4) An example privacy policy for KISSmetrics?

A lot of people ask for sample privacy policies for their websites & KISSmetrics. In reality those samples don’t do anyone much good because they’re far too generic. Let’s start with an enumeration of what needs to go into a privacy policy. Most countries’ privacy laws require you to include the following information:

  • What kinds of personal data are collected;
  • How the company uses this information;
  • How this information is transferred to third-party companies;
  • How users can modify or delete their personal information;
  • How users can opt out of future communications;
  • Its effective date, and how you notify people of material changes to your privacy policy.

Ideally you would tell the users what the service does in general and how you are using it.

What do I do now?

You can either hire a lawyer, write your own policy or use iubenda’s generator right away to make your policy. The KISSmetrics clause falls under our free limits.

Our Approach of Generating a KISSmetrics Privacy Policy

So here’s where iubenda’s privacy policy generator will come in very handy:

  1. Define the services and categories of data collection your app/site is making use of.
  2. Add the services (and categories of data collection like “have a contact form”) you are using to your policy. iubenda now takes care of your policy and generates it for you.
  3. You can either link to your policy or embed the text into your app/site.

Generate a privacy policy for KISSmetrics

The post Privacy Policy for KISSmetrics appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

]]>
Display Advertising for Google Analytics https://www.iubenda.com/en/blog/display-advertising-google-analytics-privacy/ Thu, 14 Nov 2013 13:56:06 +0000 http://www.iubenda.com/blog/?p=1489 Turns out that Google Analytics has a couple of options that you can turn on to enrich your analytics experience as an operator of your sites, which at the same time have some consequences for your privacy disclosures. In another post we highlighted the IP anonymization in Google Analytics via the _anonymizeIp() function and what […]

The post Display Advertising for Google Analytics appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

It turns out that Google Analytics has a couple of options you can turn on to enrich your analytics experience as a site operator, which at the same time have consequences for your privacy disclosures. In another post we highlighted IP anonymization in Google Analytics via the _anonymizeIp() function and its ramifications. This post covers the policy requirements for Display Advertising: the privacy-policy changes Google requires and how you can use iubenda to generate your policy for you.

What is the extension for Display Advertising?

When you update your Google Analytics code to support Display Advertising, you additionally enable data about your traffic to be collected via the DoubleClick cookie. That extends GA with features like

If you have any of these features enabled, you are required to update your privacy policy to disclose these additional capabilities and data collection/merging practices.

What do I add to the privacy policy?

Add the following two facts to your privacy policy. This information below is directly quoted from Google’s support sites (emphasis added):

The Google Analytics features you’ve implemented based on Display Advertising (e.g., Remarketing, Google Display Network Impression Reporting, the DoubleClick Campaign Manager integration, or Google Analytics Demographics and Interest Reporting). Visitors can opt-out of Google Analytics for Display Advertising and customize Google Display Network ads using the Ads Settings.

Google also encourages you to link to the Google Analytics opt-out browser add-on, which we also certainly think is necessary when you follow European privacy laws. Here’s an additional caveat: do inform your users about what is happening and use an opt-in method:

You will not facilitate the merging of personally-identifiable information with non-personally identifiable information previously collected from Display Advertising features that is based on the DoubleClick cookie unless you have robust notice of, and the user’s prior affirmative (i.e., opt-in) consent to, that merger.

What to add when I use Remarketing with Google Analytics

In this case additionally disclose that:

  • You use Remarketing with Google Analytics to advertise online.
  • Third-party vendors, including Google, show your ads on sites across the Internet.
  • You and third-party vendors, including Google, use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to inform, optimize, and serve ads based on someone’s past visits to your website.

–> or use our clause Remarketing through Google Analytics for Display Advertising

What to add when I use the Google Display Network Impression Reporting and the DoubleClick Campaign Manager

In this case additionally disclose that:

  • You and third-party vendors, including Google, use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) together to report how your ad impressions, other uses of ad services, and interactions with these ad impressions and ad services are related to visits to your site.

–> or use our clause Display Advertising extension for Google Analytics

What to add when I use the Google Analytics Demographics and Interest Reporting

In this case additionally disclose that:

  • How you use data from Google’s Interest-based advertising or 3rd-party audience data (such as age, gender and interests) with Google Analytics.

–> or use our clause Display Advertising extension for Google Analytics

How can iubenda’s implementation help?

As you can see in the various sections above, we have a broad range of Google Analytics clauses in iubenda’s privacy policy generator that will help you create a privacy policy compliant with both legal and Google’s requirements. Choose our standard clause “Google Analytics” and then add the following clauses depending on your actual use case:

  • Display Advertising extension for Google Analytics
  • DoubleClick for Publishers Audience Extension
  • Remarketing through Google Analytics for Display Advertising

If you have any questions, please don’t hesitate to post them in our support forum.

Generate a Privacy Policy for Display Advertising

P.S. If you are using advertising features for Google Analytics, watch out: you’ll also need to follow the EU User Consent Policy, according to the rules set out by Google.

(Update: Google has recently introduced some significant changes in relation to the EU’s General Data Protection Regulation (GDPR). You can read all about the changes and how they will affect you here.)

Take me to the EU User Consent Policy explanation

COPPA, Privacy Policy and iubenda https://www.iubenda.com/en/blog/coppa-privacy-policy-apps-ios/ Tue, 10 Sep 2013 11:10:06 +0000 http://www.iubenda.com/blog/?p=1017

The post COPPA, Privacy Policy and iubenda appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.


We’ve posted about the update in Apple’s App Review Guidelines, which mainly brought some big changes for developers that create apps directed to children aged 13 years and younger. These changes are due to the fact that a revised version of COPPA (the Children’s Online Privacy Protection Act, dating back to 1998) has been in effect since July 2013.

This post highlights some of the things you need to think about when you want to add your app to Apple’s App Store: a) Apple’s App Store Review Guidelines, b) COPPA in general, c) what counts as personal information, d) how iubenda helps.

I’d like to stress that iubenda does everything possible and reasonable to help developers and designers like you become compliant with privacy regulation, but using iubenda alone is not always enough in terms of what you have to do (or sometimes not do). This applies to your apps and COPPA.

Apple App Store and COPPA

As reported, Apple has updated their terms for their App Store admission and added the following regarding children under 13 years of age:

17.3 Apps may ask for date of birth (or use other age-gating mechanisms) only for the purpose of complying with applicable children’s privacy statutes, but must include some useful functionality or entertainment value regardless of the user’s age

17.4 Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, persistent identifiers, the ability to chat, or other personal data) from a minor must comply with applicable children’s privacy statutes.

24.1. Apps primarily intended for use by kids under 13 must include a privacy policy.

24.2. Apps primarily intended for use by kids under 13 may not include behavioral advertising (e.g. the advertiser may not serve ads based on the user’s activity within the App), and any contextual ads presented in the App must be appropriate for kids.

24.3. Apps primarily intended for use by kids under 13 must get parental permission or use a parental gate before allowing the user to link out of the app or engage in commerce.

24.4. Apps in the Kids Category must be made specifically for kids ages 5 and under, ages 6-8, or ages 9-11.

24.1 means that you must include a privacy policy whenever you develop your app primarily for children under the age of 13, regardless of whether you actually collect personal data from those children.

Notice how Apple wants you to pick the age range? Make sure you follow all of Apple’s and COPPA’s requirements.

What else are you supposed to do or to not do at all?

COPPA Rules in General

There are some general rules you need to follow when covered by COPPA (quoted from the FTC COPPA FAQ):

  1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  4. Provide parents access to their child’s personal information to review and/or have the information deleted;
  5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

What is personal information in COPPA 2013?

Personal Information under COPPA 2013

Another change that COPPA brings in its 2013 form is the broader definition of “personal information”. Until now the term “personal information” included such categories as first and last name, a home or physical address, an email address, a phone number etc. The amended Rule defines personal information to include:

  • First and last name;
  • A home or other physical address including street name and name of a city or town;
  • Online contact information;
  • A screen or user name that functions as online contact information;
  • A telephone number;
  • A social security number;
  • A persistent identifier that can be used to recognize a user over time and across different websites or online services;
  • A photograph, video, or audio file, where such file contains a child’s image or voice;
  • Geolocation information sufficient to identify street name and name of a city or town; or
  • Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

If you collect any of the information above, COPPA applies to your app. Don’t forget, however, that even if you don’t collect any personal information, you are still required to say so in a privacy policy according to Apple’s new app acceptance requirements.

iubenda and COPPA

iubenda has worked the information you have to provide to parents into a clause we call “The Service is directed to children under the age of 13”. Add that clause to your privacy policy. While iubenda helps you craft beautiful and meaningful privacy policies, you need to understand that this isn’t the end of the path to compliance. There are a few things that only you can do (the source for the following is a mailing sent to companies that made apps for children):

  • You must give notice and get parental consent for personal information collected on your applications from third parties, such as ad networks, unless an exception applies
  • You must take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.
  • You must meet new data retention and deletion requirements.

If you have any questions, we are happy to take them and they will be addressed in our upcoming, more helpful guide. If not feel free to go ahead and generate your app’s privacy policy with us.

Generate App Privacy Policy

Further helpful links:

Free Privacy Policy https://www.iubenda.com/en/blog/free-privacy-policy/ Mon, 22 Jul 2013 12:17:38 +0000 http://www.iubenda.com/blog/?p=804

The post Free Privacy Policy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

A few days ago we published a post called Privacy Policy template in which we explain our approach to generating privacy policies and provide some alternative resources.

You can think of our Privacy Policy Generator as an advanced and interactive privacy policy creator that is both free and very flexible but has paid upgrades. That’s how we make sure your free privacy policies are as high quality as possible and we provide the additional benefit of more advanced features at a very affordable price.

In that spirit, we wanted to talk about our free privacy policy, which means you’re able to generate and use it on your website completely free of charge.

Many of our clauses and policies fall within the free category. Chances are that if you need a simple privacy policy for your website, for example one that includes a clause for Google Analytics and a contact form, you will find that iubenda’s Privacy and Cookie Policy Generator is the perfect partner for you.

Just to name a few, iubenda generates free privacy policies for websites with:

  • Contact form
  • Google Analytics
  • Facebook Like button and social widgets
  • Facebook account access
  • Twitter Tweet button and social widgets
  • Twitter account access
  • LinkedIn button and social widgets
  • Pinterest “Pin it” button and social widgets
  • YouTube video widget
  • Google Maps widget
  • Mailing list or newsletter
  • Mailchimp
  • Direct registration
  • Disqus
  • Facebook Comments
  • Font Awesome
  • Google Fonts

If you use any of these services you will find it easy to generate and create a free privacy policy for your website with iubenda. The Free plan allows you to add up to 4 services to your privacy policy.

Steps to Generate a Free Privacy Policy

The generation process is easy and intuitive:

It’s so simple: try it out and get your free privacy policy now.

Get Free Privacy Policy

The Need for Privacy Policies in Mobile Apps – An Overview https://www.iubenda.com/en/blog/the-need-for-privacy-policies-in-mobile-apps-an-overview/ Mon, 10 Jun 2013 13:57:19 +0000 https://www.iubenda.com/blog/?p=592

The post The Need for Privacy Policies in Mobile Apps – An Overview appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

According to a study made in June 2012, only 48% of all free apps and 32% of paid apps across app stores (Apple, Android, Kindle) offered in-app access to a privacy policy. That is a surprisingly low number given that there are enough reasons to include one. Most major countries and their privacy laws require you to include a privacy policy, but read on.

The Attorney General of California made it clear that its Online Privacy Protection Act would be enforced on apps (CalOPPA). To make sure these laws were actually being followed California’s Department of Justice set up a Privacy Enforcement and Protection Unit in July of 2012. This may sound like it’s only valid for developers based in California, but it’s actually a call for compliance for anyone possibly targeting Californians.

Path, Delta and others have been charged or fined because of non-compliance with privacy laws. The FTC and AG of California published guidelines on things to consider when developing mobile applications.

The simple fact is this: there’s really just a small number of apps that are not legally bound to include a privacy policy. Let’s take a look.

When Do I Need a Privacy Policy in my Mobile App?

The simple first question you have to ask yourself is: do I/does my app collect/store/share personal data?

Personal data can be a lot of things: a first and last name, an email address, a telephone number, location data and many more like analytics or ads (examples for personally identifiable information according to AG of California).

If you collect any of this data, you need a privacy policy.

Privacy Laws

If so you may already be under the obligation to include a privacy policy: according to the California AG’s interpretation of CalOPPA, applications that collect personal user data must conspicuously post a privacy policy detailing, clearly and completely, how the application collects, uses, and shares personal data. This rule applies globally to any mobile application that may impact a California consumer. Therefore, if your application possibly provides value to a California resident you are already bound to these rules. App developers that do not comply with CalOPPA by posting a privacy policy for their app can be held accountable under California law.

Last year AG Harris and the six leading mobile application platform providers agreed to bring the mobile application industry into compliance with the terms of CalOPPA following this two-page Joint Statement of Principles. More dedicated state laws are very likely to follow soon.

Let’s assume you have an app that is geared towards European users. The picture doesn’t change. The relevant EU legal framework is the Data Protection Directive (95/46/EC). It applies in any case where the use of apps on smart devices involves processing personal data of individuals. Basically whenever your app is used in the EU, even if you are not residing there (the national law of a Member State is also applicable in cases where the controller is not established on Community territory and makes use of equipment situated on the territory of that Member State. Since the device is instrumental in the processing of personal data from and about the user, this criterion is usually fulfilled), you need to ensure compliance with all the requirements defined under the Data Protection Directive.

The ePrivacy directive (2002/58/EC, as revised by 2009/136/EC) sets a specific standard for all parties worldwide that wish to store or access information stored in the devices of users in the European Economic Area. Many provisions of the ePrivacy directive may not directly apply to you as a developer, but the most important one in regards to developing for mobile platforms is article 5(3) stating that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, among other things about the purposes of the processing.

It is important for app developers to know that both directives are imperative laws in that the individual’s rights are non-transferable and not subject to contractual waiver. This means that the applicability of European privacy law cannot be excluded by a unilateral declaration or contractual agreement.

Therefore you must:

Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:

  • who you are (identity and contact details),
  • what precise categories of personal data the app wants to collect and process,
  • why the data processing is necessary (for what precise purposes),
  • whether data will be disclosed to third parties (not just a generic but a specific description to whom the data will be disclosed),
  • what rights users have, in terms of withdrawal of consent and deletion of data.

This applies under European law whenever your app serves European citizens. This document by the Article 29 Working Party provides interesting insights.

Similar laws exist in most major jurisdictions, with slight modifications that might apply to your unique situation. Here’s a link to Australia’s Information Commissioner and docs.

Third Party Services/App Stores

There are other things to consider than pure legislation-skimming. Here are two more for you:

a) Since most third-party services you end up using in your app, like mobile analytics or ad networks, also need to follow the law, they may require you to use a privacy policy within their terms of service. An example is Google AdSense.

b) Since the aforementioned agreement the big 6 app stores are actively improving the privacy policy situation for consumers and are starting to have privacy policies as a requirement in the app approval flow. Here’s an excerpt from an Amazon developer email from last week:

Customer privacy is important to us, and we know it is important to many of you too. That’s why we want to make sure you know how to include links to your privacy policy on product detail pages for your apps. We require all apps that collect personally identifiable information or personal information to provide a link to their privacy policy, so if you haven’t already done so, please take a moment to submit the privacy policy link for each of your apps today.

So much for a simplified look at why you must have a privacy policy in your app.

What Could Possibly Happen if I Don’t Include One?

Most developers don’t include a privacy policy because they think it’s a) too complicated and time-consuming and b) that no one is really enforcing those laws anyway.

Luckily a) isn’t true anymore. iubenda’s editor makes it very easy to make compliant privacy policies for mobile apps quickly.

For b), most of you will know about Path’s costly $800,000 settlement as well as Delta’s court case, which has them at risk of paying a $2,500 fine for every app download (the case has been dismissed recently, but surely is not going to rest there). Similar, less well-known cases are out there as well.

Rest assured that in the wake of PRISM and the growth of the mobile ecosystem all of the above will be more and more important and not the other way around. Be clever and play by the rules.

Generate a Privacy Policy for Your Mobile App

Privacy Policy in App Stores

While this post covers some of the reasons and legal grounds for the privacy policies in mobile apps, it doesn’t say much about the situation across the app stores. That’s why we’ve compiled two guides regarding that:

Hopefully these resources will be helpful on the way to your perfect app store listing.

Path Privacy Issues and What You Can Learn from it https://www.iubenda.com/en/blog/path-privacy-issues-and-what-you-can-learn-from-it/ Thu, 06 Jun 2013 14:16:07 +0000 https://www.iubenda.com/blog/?p=588

The post Path Privacy Issues and What You Can Learn from it appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

If you haven’t been living under a rock recently you have heard about the Path case in front of California judges and the resulting $800,000 settlement.

It’s not the only case out there, but arguably the best known among the web community. The web (and consequently the mobile) community is often at the cutting edge of technology, and legal uncertainties arise from new situations. A good current example is Airbnb’s gripes with a New York ruling in which a host has basically been fined for using Airbnb.

As a result, however, we have a better knowledge of how things are to be done. The Federal Trade Commission released two documents that are a good read: Mobile App Developers: Start with Security & Mobile Privacy Disclosures: Building Trust through Transparency.

As the FTC goes on to explain in a blog post there are four key points we can take from Path’s settlement:

  1. The main message comes as no surprise: Honor your privacy promises and be especially careful when it comes to kids’ information. What’s a little different is that the message is going out with ATTN: MOBILE APP DEVELOPERS across the top. Well-established consumer protection principles apply across the board, including to companies in the mobile market.
  2. The default mindset about data collection used to be to gather as much as possible whenever possible. We’ve said it before, but that approach is like soooo 20th Century. As savvy companies know, the wiser approach — and a central tenet of “Privacy by Design” — is to think through your needs and ask only for information you have a legitimate reason to collect. Gathering data “just ‘cuz” doesn’t cut ice with consumers anymore.
  3. Just because a platform gives you the technological capability to do something, doesn’t mean it’s the right thing for your business or your users. It’s a mistake to assume that somebody else — for instance, a mobile operating system provider or a device manufacturer — has thought through the privacy implications. When it comes to your app and your users, the buck stops with you.
  4. COPPA isn’t just for kids’ sites. Yes, the rules apply when sites and online services are specifically designed for the under-13 set, but don’t be too quick to assume you’re not covered. The Rule also imposes legal responsibilities on operators who have actual knowledge they’re collecting personal info from kids.

These guidelines are self-explanatory. If you want to dive into the COPPA legislation and read for yourself what it says: here’s the text.

A brand new version: sneak peek https://www.iubenda.com/en/blog/a-brand-new-version-sneak-peek/ Wed, 12 Oct 2011 09:55:19 +0000 http://www.iubenda.com/blog/?p=410

The post A brand new version: sneak peek appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Many of you are surely wondering what’s happening under the hood. This post shows some screenshots of what we are working on.
What you’re about to see is just a preview, but the release is not far off 😉

A new amazingly amazing iubenda: new design and new features

We are working with Jonno Riekwel to make iubenda not only useful, but also beautiful.
The result is amazing, we are excited about what’s coming up; screenshots below.

New Dashboard

We redesigned the dashboard to be more visual and fun to navigate.

New interface for managing services

We now have categories to make the services easier to manage, and a dedicated section for editing the privacy policies generated in the past.

Language management

The reason we have only invited Italian users to join the beta so far is that there was no way to seamlessly manage multiple languages. Now we are building a dedicated feature to handle this:


Simplified privacy badges and ‘no branding’ option

This was the most common feature request. The good news is that it’s coming 🙂

A completely renewed privacy policy

The process was long, and we explained it on a dedicated blog post, but we can finally show the result:

Stay tuned

Sign up to the waiting list if you haven’t yet; we’ll keep you up to date as much as we can.
This is just a sneak peek of what we are working on, we are *very* alive and iubenda is moving fast.

What you see on the shots is not live yet, it’s still WIP, but we think you deserved a preview 😉

European Union, Directives and Privacy https://www.iubenda.com/en/blog/european-union-directives-and-privacy/ Wed, 16 Mar 2011 20:34:18 +0000 http://www.iubenda.com/blog/?p=327

The post European Union, Directives and Privacy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Over the past few days there has been a lot of buzz around an article posted on TechCrunch Europe, claiming horrible things about the next European E-Privacy directive.

The truth is that that article was an exaggeration. Here are some resources to understand what’s happening:

Google Buzz users received updates on the class action against the social network https://www.iubenda.com/en/blog/google-buzz-users-received-updates-on-the-class-action-against-the-social-network/ Tue, 02 Nov 2010 22:41:15 +0000 http://www.iubenda.com/blog/?p=288

The post Google Buzz users received updates on the class action against the social network appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Image: Google Buzz Ketchup (Kiwi Joke There), by geehall2 via Flickr

If you are one of the millions of people using Gmail, you probably know that Google launched Buzz, its own social network. Launching it, Google made a great mistake, automatically enrolling Gmail users in Buzz and publicly exposing users’ data and their Gmail contacts without their consent.

Many people complained about this, so a class action was started against Buzz and Google.

Tonight I’ve just received an email from Google telling me about updates on that class action.

Below is the email.

“Google rarely contacts Gmail users via email, but we are making an exception to let you know that we’ve reached a settlement in a lawsuit regarding Google Buzz, a service we launched within Gmail in February of this year.

Shortly after its launch, we heard from a number of people who were concerned about privacy. In addition, we were sued by a group of Buzz users and recently reached a settlement in this case.

The settlement acknowledges that we quickly changed the service to address users’ concerns. In addition, Google has committed $8.5 million to an independent fund, most of which will support organizations promoting privacy education and policy on the web. We will also do more to educate people about privacy controls specific to Buzz. The more people know about privacy online, the better their online experience will be.

Just to be clear, this is not a settlement in which people who use Gmail can file to receive compensation. Everyone in the U.S. who uses Gmail is included in the settlement, unless you personally decide to opt out before December 6, 2010. The Court will consider final approval of the agreement on January 31, 2011. This email is a summary of the settlement, and more detailed information and instructions approved by the court, including instructions about how to opt out, object, or comment, are available at http://www.BuzzClassAction.com.”

As you can see from the email, there is a site where you can find more information about the litigation.

On the home page there is a useful piece of information: what can you do now?

Below is the answer from the Buzz Class Action site.

What Are My Options?

  • EXCLUDE YOURSELF – This is the only option that allows you to bring your own lawsuit, or be part of any other lawsuit against Google about the legal claims resolved in this Settlement. You must mail your request for exclusion so that it is received no later than December 6, 2010.
  • OBJECT – Write to the Court about why you do not like the Settlement. Your objection must be received by January 10, 2011.
  • GO TO A HEARING – Ask to speak in Court about the fairness of the Settlement. Send your Notice of Intent to Appear so that it is received no later than January 10, 2011.
  • DO NOTHING – Give up your rights to sue Google about the legal claims in this case and thereby accept the terms of this Settlement.

So, what will you do?

New Self-Codes Regulate Behavioral Marketing and Advertising
https://www.iubenda.com/en/blog/new-self-codes-regulate-behavioral-marketing-and-advertising/
Sun, 17 Oct 2010 13:25:34 +0000
A few days ago Maneesha Mithal, the FTC’s associate director of the Division of Privacy and Identity Protection, said that the current methods for notifying consumers when their data is being collected are inadequate.

The FTC released a report recommending that users be notified at the time their data is collected; today they become aware of the practice only by reading privacy policies.

For example, the FTC recommends notifying users when tracking software is installed on their computers.

The FTC’s concerns are mainly focused on a practice called behavioral marketing. Using tracking codes and analyzing the collected data, advertisers can learn about consumers’ habits and deliver targeted advertising.

Online advertisers argued that the collected data can’t uniquely identify users. Ms. Mithal nonetheless replied that the distinction between personally identifiable data and other types of user data is unclear.

Just after this, two big American associations launched their own private ethics codes.

A code of ethics for web-analytics workers

Analyzing the 50 most popular U.S. websites, the WSJ found that they install 64 tracking files on average, either first-party or third-party cookies.

So web analysts drafted a code of ethics for web-analytics workers.

Their aim is to build the code starting with workers, because directly appealing to the big players would undoubtedly have led to their refusal.

The promoters of the code hope that when a web-analytics operator is looking for a job, they will pay more attention to whether prospective employers have subscribed to the code, so as to avoid being forced to implement bad practices that may damage the whole category.

The code asks some simple questions like: “Are you willing to put your name on a line and say you won’t associate personally identifiable information with tracking cookies unless there has been an explicit declaration thereof? Are you willing to say you won’t transfer the data without permission from the consumer?”, Eric Peterson and John Lovett said when interviewed by Digits.

The Web Analytics Association’s plan also includes the rollout of an analyst certification, with a seal similar to the one provided by TRUSTe. This should spread a trust mark recognizable by users.

IAB releases its Advertising Option Icon

Better Advertising Icon

While the Web Analytics Association releases its ethics code, the IAB, together with the largest media and marketing trade associations and with support from the Council of Better Business Bureaus, released an icon that informs consumers about the use of tracking technologies that follow their habits.

The release of this icon, called the Advertising Option Icon, is an effort to continue developing stricter self-regulation of the online data collection and advertising industry.

Seeing the Advertising Option Icon, consumers know that the company follows the self-regulatory principles. In this way, companies can communicate to their audience their attention to consumers’ personal data protection.

The reason why industries are involved in rolling out these ethical self-codes

The business of online advertising is worth up to $23 billion a year. Operators know that two bills have already been introduced in the House of Representatives with the aim of restricting these practices. Obviously, they don’t like this possibility.

The recent changes to Google’s privacy policy can be read in the same way.

How to apply these self-codes?

To apply the web-analytics workers’ code of ethics, you have to wait for a final version, because the current one is only a draft.

To incorporate the Advertising Option Icon, you can visit the coalition’s website.

The WSJ starts What They Know, a new initiative about Privacy
https://www.iubenda.com/en/blog/the-wsj-starts-what-they-know-a-new-initiative-about-privacy/
Tue, 03 Aug 2010 14:06:26 +0000
A few days ago, the Wall Street Journal started a new initiative called What They Know.
The WSJ created a website with the results of recent research about privacy on the most visited websites.

The graph below shows, in a captivating way, how many cookies and beacons (we’ll write about them soon) the scanned websites install in their users’ browsers.
Cookies and beacons are, in simple terms, tools for tracking users’ activity on a website, including what users type (for example when filling in a form, even if the submit button is never clicked).

The WSJ also published a list of the scanned websites, sorted by number of trackers (cookies plus beacons).
Dictionary.com, Comcast, Photobucket, MSN, Yahoo!, Answers and MSNBC are just a few of the websites at the top of this black list.

The WSJ also published an article called The Web’s New Gold Mine, about the business of (depersonalized) personal data. You’ll find it really alarming reading. You’ll surely be surprised by how much data a website can collect about you, and the fact that your name is never saved in these tracking files will be poor consolation.

This is the disquieting way the article begins:
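The tally the WSJ published (trackers per site, split into first-party and third-party cookies as in the earlier post on the self-regulation codes) is easy to reproduce for your own site. The script below is an added example, not code from this post or from the WSJ study: it takes a constructed, HAR-like record of the responses a page load produced (invented hostnames, cookie values and a 1x1 “beacon” image), classifies each cookie as first- or third-party by comparing the responding host with the page’s host, counts beacons, and ranks the scanned pages by total trackers. The two-label registrable-domain rule is an assumption that keeps the example self-contained; real code must consult the public-suffix list.

```python
"""Count first-/third-party cookies and beacons per page load and rank pages.

Added example (not from the iubenda post or the WSJ study). Input is a
constructed, HAR-like record of the HTTP responses one page load produced.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Response:
    url: str                        # URL of the response
    set_cookie: tuple[str, ...]     # raw Set-Cookie header values, if any
    is_beacon: bool = False         # True when the body is a 1x1 tracking image


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ("ads.adnet-one.test" -> "adnet-one.test").

    Assumption for the example: two labels are enough. Real code must use the
    public-suffix list, otherwise "a.co.uk" and "b.co.uk" look like one site.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def count_trackers(page_url: str, responses: list[Response]) -> dict[str, int]:
    """Tally one page load: cookies by party, beacons, and the total."""
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    tally = Counter(first_party_cookies=0, third_party_cookies=0, beacons=0)
    for r in responses:
        r_domain = registrable_domain(urlparse(r.url).hostname or "")
        # A cookie is first-party only when the responding host shares the
        # page's registrable domain; everything else is a third-party tracker.
        party = "first_party_cookies" if r_domain == page_domain else "third_party_cookies"
        tally[party] += len(r.set_cookie)
        if r.is_beacon:
            tally["beacons"] += 1
    tally["total"] = tally["first_party_cookies"] + tally["third_party_cookies"] + tally["beacons"]
    return dict(tally)


def third_party_domains(page_url: str, responses: list[Response]) -> set[str]:
    """Registrable domains of every third-party host that set a cookie or served a beacon."""
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    found = set()
    for r in responses:
        r_domain = registrable_domain(urlparse(r.url).hostname or "")
        if r_domain != page_domain and (r.set_cookie or r.is_beacon):
            found.add(r_domain)
    return found


def rank_sites(scans: dict[str, list[Response]]) -> list[tuple[str, int]]:
    """Sort scanned pages by total tracker count, most trackers first."""
    totals = {page: count_trackers(page, rs)["total"] for page, rs in scans.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: two page loads with invented hosts and cookie values.
SAMPLE_SCANS: dict[str, list[Response]] = {
    "https://www.example-news.test/home": [
        Response("https://www.example-news.test/home", ("session=abc123; Path=/; HttpOnly",)),
        Response("https://cdn.example-news.test/app.js", ()),
        Response("https://ads.adnet-one.test/pixel.gif", ("uid=4c812db2; Domain=.adnet-one.test",), is_beacon=True),
        Response("https://t.tracker-two.test/collect", ("vid=7f3a; Path=/", "seg=f-26-nash; Path=/")),
    ],
    "https://shop.example-store.test/": [
        Response("https://shop.example-store.test/", ("cart=9; Path=/",)),
        Response("https://ads.adnet-one.test/pixel.gif", ("uid=4c812db2; Domain=.adnet-one.test",), is_beacon=True),
    ],
}

if __name__ == "__main__":
    for page, total in rank_sites(SAMPLE_SCANS):
        print(f"{total:3d} trackers  {page}")
        print("    ", count_trackers(page, SAMPLE_SCANS[page]))
        print("     third parties:", sorted(third_party_domains(page, SAMPLE_SCANS[page])))
```

Note that the same `uid` cookie from `adnet-one.test` shows up on both page loads: that shared third-party identifier, not any single site’s cookies, is what lets an ad network stitch a browsing profile together across unrelated sites.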

Hidden inside Ashley Hayes-Beaty’s computer, a tiny file helps gather personal details about her, all to be put up for sale for a tenth of a penny.

The file consists of a single code— 4c812db292272995e5416a323e79bd37—that secretly identifies her as a 26-year-old female in Nashville, Tenn.

The code knows that her favorite movies include “The Princess Bride,” “50 First Dates” and “10 Things I Hate About You.” It knows she enjoys the “Sex and the City” series. It knows she browses entertainment news and likes to take quizzes.

Here is the rest.
