Guide – Compliance Solutions for Websites, Apps and Organizations | iubenda
https://www.iubenda.com/en/

Everything you need to know about GDPR
https://www.iubenda.com/en/blog/everything-you-need-to-know-about-gdpr/
Wed, 11 Mar 2026 08:11:21 +0000

The post Everything you need to know about GDPR appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.
What is GDPR?

GDPR stands for General Data Protection Regulation, a European Union law that regulates how organizations collect, use, and protect personal data. It applies to many businesses worldwide and requires transparency, security, and accountability when handling personal information.


If your website or app collects personal data, you’ve probably heard of the GDPR.

The General Data Protection Regulation is one of the most important privacy laws in the world.

It sets the rules for how organizations collect, use, and protect personal data. It was adopted in 2016, has applied since 25 May 2018, and covers many companies both inside and outside the European Union.

If you offer services to people in Europe, track website visitors, or collect personal information such as email addresses or IP addresses, the GDPR may apply to you.

In this guide, we explain what the GDPR is, why it was introduced, and who it applies to. We also cover the key principles, legal requirements, user rights, and practical steps organizations can take to stay compliant.

An overview of GDPR

GDPR stands for General Data Protection Regulation.

It’s a European Union law that regulates how organizations handle personal data. The regulation sets clear expectations for how companies collect, process, store, and protect information about individuals.

The goal is simple: people should understand how their data is used and have control over it.

For organizations, this means being transparent about data practices, collecting only the information that is necessary, and protecting it properly.

What is the purpose of GDPR?

GDPR was introduced to strengthen privacy protections and modernize older European data protection laws.

The regulation focuses on several key objectives:

  • Protect personal data from misuse or unauthorized access
  • Give individuals greater control over their personal information
  • Require organizations to be transparent about how they use data
  • Create consistent privacy rules across EU member states

These goals help create more trust between businesses and the people who use their services.

Who does GDPR apply to?

Many organizations assume that GDPR applies only to companies based in Europe. In reality, the scope is broader. GDPR applies to:

  • Organizations established in the EU
  • Organizations outside the EU that offer goods or services to people in the EU
  • Organizations outside the EU that monitor the behavior of people in the EU

For example, a company in the United States that sells products to EU customers or tracks EU website visitors may still need to comply with GDPR.

What counts as personal data?

Under the GDPR, personal data is any information that can identify a person, either on its own or when combined with other data. That includes obvious identifiers such as names, email addresses, and phone numbers, as well as less-obvious identifiers such as IP addresses, location data, or device IDs. In simple terms, if a piece of information could reasonably be used to figure out who someone is, it likely counts as personal data under the GDPR.

The seven principles of GDPR

The regulation is built around seven core principles that guide how organizations handle personal data.

Lawfulness, fairness, and transparency

Personal data must be processed legally, and users must understand how it is used.

Purpose limitation

Data must be collected for specific and legitimate purposes.

Data minimization

Organizations should collect only the data that is necessary.

Accuracy

Personal data must be accurate and kept up to date.

Storage limitation

Data should not be kept longer than necessary.

Integrity and confidentiality

Personal data must be protected against unauthorized access or loss.

Accountability

Organizations must be able to demonstrate compliance with these principles.

These principles form the foundation of GDPR compliance.

Legal bases for processing personal data

GDPR requires organizations to have a valid legal reason for processing personal data.

The regulation defines six possible legal bases.

  • Consent from the user
  • Performance of a contract
  • Compliance with a legal obligation
  • Protection of vital interests
  • Public interest or official authority
  • Legitimate interests of the organization

Consent is commonly used for marketing activities and cookie tracking, but it is not always required if another legal basis applies.

Key GDPR requirements for businesses

Organizations must implement several practical measures to meet GDPR obligations. These measures help organizations demonstrate accountability.

  • Privacy policy: clearly explain what personal data you collect and how it is used
  • Legal basis: identify the legal reason for each processing activity
  • Consent management: obtain and record consent where required
  • User rights: allow users to access, correct, or delete their data
  • Data security: protect personal data with appropriate technical and organizational safeguards
  • Breach notification: report qualifying breaches to the supervisory authority within 72 hours of becoming aware of them, and inform affected individuals when the breach is likely to result in a high risk to them
  • Records of processing: maintain documentation of data processing activities

User rights under GDPR

One of the central goals of GDPR is to give individuals greater control over their personal data.

The regulation grants several rights to users.

  • Right to be informed about how their data is used
  • Right of access to the personal data that an organization holds about them
  • Right to rectification of inaccurate data
  • Right to erasure, also known as the right to be forgotten
  • Right to restrict processing in certain situations
  • Right to data portability between services
  • Right to object to certain types of data processing
  • Rights related to automated decision-making and profiling

Organizations must provide ways for individuals to exercise these rights.

Cross-border data transfers

GDPR also regulates the transfer of personal data outside the European Economic Area.

Data transfers are allowed only when certain safeguards are in place.

Examples:

  • Countries recognized as providing adequate data protection
  • Standard Contractual Clauses
  • Binding Corporate Rules

These mechanisms ensure that personal data remains protected even when transferred internationally.

GDPR compliance strategies

Staying compliant with the GDPR isn’t about ticking a single box. It requires clear processes for how your organization collects, uses, and protects personal data. While every business is different, most GDPR compliance strategies start with a few fundamental steps.

Organizations should focus on:

  • Understanding what data you collect. Map the personal data your business collects, where it comes from, and how it is used.
  • Identifying a legal basis for processing. Make sure every data processing activity has a valid legal basis under the GDPR, such as consent, contract, or legitimate interest.
  • Being transparent with users. Clearly explain your data practices in an accessible privacy policy and provide users with meaningful information about how their data is handled.
  • Managing consent properly. When consent is required, collect it in a clear and verifiable way and keep records of it.
  • Respecting user rights. Put processes in place to respond to requests such as access, deletion, correction, or data portability.
  • Protecting personal data. Implement appropriate technical and organizational security measures to safeguard the data you process.
  • Keeping internal documentation. Maintain records of processing activities and review them regularly to ensure they stay accurate as your business evolves.

Together, these steps create a solid foundation for maintaining GDPR compliance as your organization grows.

A practical GDPR compliance framework

For many organizations, GDPR compliance becomes easier when it is approached through a structured framework. Instead of treating privacy as a one-time task, businesses should build processes that guide how personal data is collected, documented, and protected across the organization.

A practical GDPR framework typically includes the following steps:

  • Understand what personal data you collect. Identify the types of personal data your organization collects, where it comes from, and how it is used.
  • Define a legal basis for processing. Ensure each processing activity has a valid legal basis under the GDPR, such as consent, contractual necessity, or legitimate interest.
  • Provide clear privacy information. Make your data practices transparent through accessible privacy policies and clear disclosures to users.
  • Manage consent where required. Collect and store consent in a way that is verifiable, easy to withdraw, and properly documented.
  • Keep records of processing activities. Maintain internal documentation that describes what data you process, why it is processed, and who it is shared with.
  • Protect personal data. Implement appropriate technical and organizational measures to safeguard personal data.
  • Review and update regularly. As your services, tools, and partners change, review your compliance setup to ensure it remains accurate and up to date.

Together, these steps help organizations build a practical and sustainable foundation for GDPR compliance.

GDPR fines and consequences of non-compliance

GDPR introduced significant penalties for organizations that fail to comply with the regulation.

  • Less serious violations: up to €10 million or 2 percent of global annual turnover, whichever is higher
  • Serious violations: up to €20 million or 4 percent of global annual turnover, whichever is higher

In addition to financial penalties, authorities may issue warnings, conduct audits, or restrict certain data processing activities.

GDPR compliance checklist

Here’s a simplified checklist organizations can use as a starting point.

  • Publish a clear and accessible privacy policy
  • Identify the legal basis for all data processing activities
  • Obtain consent when required
  • Implement a compliant cookie banner if cookies are used
  • Maintain records of consent and data processing
  • Enable users to exercise their data rights
  • Protect personal data with appropriate security measures
  • Regularly review and update compliance practices


Frequently asked questions about GDPR

Does GDPR apply to businesses outside the EU?

Yes. GDPR can apply to organizations outside the EU if they offer goods or services to people in the EU or monitor their behavior, such as through website tracking or analytics.

Do small businesses need to comply with GDPR?

Yes. Business size does not automatically exempt you from GDPR. If you process personal data from people in the EU, the regulation may apply regardless of company size.

Do I need a Data Protection Officer (DPO)?

Only some organizations must appoint a DPO: public authorities, and organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as health data).

How long can personal data be stored under GDPR?

Personal data should only be kept for as long as it is necessary for the purpose it was collected. Organizations must define retention periods and delete or anonymize data when it is no longer needed.

Start simplifying GDPR compliance today

Complying with the GDPR involves many moving parts. Understanding what data you collect, being transparent with users, managing consent, and keeping proper records all take time and attention. The good news is you don’t have to handle everything manually.

iubenda helps you simplify the process, from generating privacy and cookie policies to managing consent and documenting your data processing activities in one place. Start simplifying your GDPR compliance today, and spend less time worrying about regulations and more time building your business. Create a new project to get a free website compliance audit and recommendations for how to build your compliance setup.

Introducing 1-Click Embedding for Google Tag Manager
https://www.iubenda.com/en/blog/introducing-1-click-embedding-for-google-tag-manager/
Tue, 27 Jan 2026 13:43:20 +0000

The post Introducing 1-Click Embedding for Google Tag Manager appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.
You can now embed your iubenda solutions through Google Tag Manager using a guided 1-click flow. Log in with Google, choose where to install, confirm, and publish.

We’re introducing 1-Click Embedding for Google Tag Manager, a guided way to embed your iubenda solutions without manually installing plugins or handling embed snippets.

What’s new

With 1-Click Embedding for Google Tag Manager, you can install your configured iubenda solutions through a guided flow that runs in a secure pop-up window.

This process brings everything together in one place and uses Google’s native login and authorization screens to guide you through the installation.

This experience is already available for WordPress and Shopify, and is now supported for teams using Google Tag Manager, too.

Which iubenda solutions can you embed via GTM?

The GTM 1-Click Embedding flow supports the iubenda solutions you’ve already configured, including:

  • Privacy and Cookie Policy Generator
  • Terms and Conditions Generator
  • Privacy Controls and Cookie Solution (cookie banner)

A more guided setup, with more control

The new GTM embedding flow brings these decisions into a single, guided experience while keeping you in control of where the installation takes place. Now, you can: 

  • Move through the installation step by step
  • Select the exact account, container, and environment you want to use
  • Complete the embedding automatically once confirmed
  • Finish the setup without editing your site’s code

How 1-Click Embedding works with Google Tag Manager

Start by logging in with your Google account and approving the connection through Google’s native authorization screens. Select where the installation should take place by choosing the appropriate GTM account, container, and environment.

Once confirmed, iubenda automatically installs and embeds your configured solutions.

When the installation is complete, you’ll be prompted to publish the changes in Google Tag Manager to activate them. At the same time, a scan will automatically run inside your iubenda dashboard to verify that everything is in place.

For detailed, step-by-step instructions, you can refer to our help guide on using 1-Click Embedding with Google Tag Manager.

How to access 1-Click Embedding

If you’re using Google Tag Manager, you’ll see the simplified embedding option in two areas of your iubenda dashboard:

  • In the configuration checklist, during the embedding step
  • In the embedding section below the snippet boxes for supported solutions

In both cases, selecting Go to simplified embedding starts the guided GTM setup.

Before you publish

Publishing the installation in Google Tag Manager will include any other unpublished edits in your workspace. If you prefer to review those changes first, you can do so directly from your GTM dashboard before publishing.

If an issue occurs during installation, you’ll see a clear message with the option to try again. The system will restart the process.

A simpler way to set up iubenda with GTM

If you’re already using Google Tag Manager, 1-Click Embedding offers a clear, guided way to complete your setup, combining the flexibility of GTM with a simpler installation flow.

What is the GDPR and how will it affect your business
https://www.iubenda.com/en/blog/what-is-the-gdpr-eu-data-protection/
Fri, 30 Mar 2018 13:27:32 +0000

The post What is the GDPR and how will it affect your business appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.
GDPR: The term has been going around for some time now in the business space and more recently with an increased sense of urgency.

But, what is it really? And more importantly, why should you care?

What exactly is the GDPR

The acronym GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and at its most basic, it specifies how user data should be collected, used, protected or interacted with in general. The intent here is to bolster and centralize data protection within the EU, putting personal data control back into the hands of all people whose personal data fall within its scope.

The GDPR is the biggest change to data protection in the region in 20 years and replaces the Data Protection Directive of 1995 (Directive 95/46/EC). The regulation was adopted in April 2016 and, following a two-year transition period, applies in full from May 25th, 2018 (meaning that you are expected to be GDPR compliant by that date!).

Does GDPR apply to you?

The short answer is most likely, yes. The GDPR applies to all government agencies, companies and organizations (including non-profits) and individuals (outside purely personal or household activity) that are established in the EU; or monitor the behaviour of people in the EU (for example through website tracking); or offer goods and/or services to people in the EU (even if the offer is free).

This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether you’re located in the EU or not.

As a matter of fact, a recent PwC survey showed that GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.

What exactly does “Personal Data” comprise?

Personal data within the context of the GDPR refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person. It also covers data that has been pseudonymised or encrypted, as long as the transformation can be reversed: if a key or a mapping table exists that links the data back to a person, the data is still personal data. Only data that can no longer be attributed to anyone, by you or by anyone else, is anonymous and falls outside the regulation.
In terms of meeting data protection obligations under the regulation, this means that decryption keys and any re-identification mapping must be kept separately from the pseudonymised data, under technical and organizational measures that prevent them from being recombined.
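To make the last point concrete, here is an added Python example (not iubenda’s code, and not prescribed by the regulation) contrasting an unkeyed hash of an e-mail address, which anyone holding a list of candidate addresses can reverse, with an HMAC pseudonym whose key lives in a separate store. The `KeyVault` class, the `analytics-2026` key name and the sample addresses are constructed for illustration. Data that can still be linked back to a person this way remains personal data; destroying the key (and any mapping) is what removes the link.

```python
"""Pseudonymisation with the key held apart from the data (added example).

Shows why an unkeyed hash of an identifier is still reversible and how a
keyed pseudonym can only be linked back by whoever holds the key.
The KeyVault stand-in, the key name and the sample records are constructed
for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records; not real people.
SAMPLE_USERS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "bob@example.com", "plan": "free"},
]


def weak_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    E-mail addresses are low entropy: anyone who can guess or enumerate
    candidate addresses recomputes the digest and recovers the person.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def reverse_weak_pseudonym(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack against the unkeyed hash; no secret is needed."""
    for candidate in candidates:
        if weak_pseudonym(candidate) == digest:
            return candidate
    return None


class KeyVault:
    """Stand-in for a secrets manager kept separate from the analytics store."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create(self, key_id: str) -> str:
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]  # raises KeyError once destroyed

    def destroy(self, key_id: str) -> None:
        """Destroying the key removes the link between pseudonym and person."""
        del self._keys[key_id]


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable for a given key, useless without it."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict[str, str]], vault: KeyVault, key_id: str) -> List[Dict[str, str]]:
    """Replace the direct identifier with a keyed pseudonym and drop the e-mail."""
    key = vault.get(key_id)
    return [{"uid": keyed_pseudonym(r["email"], key), "plan": r["plan"]} for r in records]


def reidentify(uid: str, candidates: Iterable[str], vault: KeyVault, key_id: str) -> Optional[str]:
    """Re-identification is possible only while the vault still holds the key."""
    try:
        key = vault.get(key_id)
    except KeyError:
        return None
    for candidate in candidates:
        if hmac.compare_digest(keyed_pseudonym(candidate, key), uid):
            return candidate
    return None


if __name__ == "__main__":
    vault = KeyVault()
    kid = vault.create("analytics-2026")
    dataset = pseudonymise(SAMPLE_USERS, vault, kid)
    emails = [u["email"] for u in SAMPLE_USERS]
    print("keyed pseudonym reversed with key:", reidentify(dataset[0]["uid"], emails, vault, kid))
    print("unkeyed hash reversed without key:", reverse_weak_pseudonym(weak_pseudonym(emails[1]), emails))
    vault.destroy(kid)
    print("keyed pseudonym reversed after key destroyed:", reidentify(dataset[0]["uid"], emails, vault, kid))
```

Two datasets pseudonymised under different keys cannot be joined on `uid`, which is the practical reason to use one key per purpose rather than a single global salt.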

Examples of personal data include (but are not limited to) basic identity data such as names, health, genetic & biometric data, web data such as IP addresses, political opinions, and sexual orientation data.

Examples of non-personal data include company registration numbers, generic company email addresses such as info@company.com, and anonymized data.

Are there penalties for non-compliance?

Yes. The legal ramifications for non-compliance include fines, sanctions (including audits) and potential litigation.

  • The fines are up to EUR 20 million (€20m) or 4% of annual worldwide turnover (whichever is greater).
  • Sanctions include official reprimands (for first-time violations) and periodic data protection audits, and supervisory authorities can order the restriction or erasure of data that was processed unlawfully.
  • Under the GDPR, users have the right to compensation for any damages resulting from an organization’s non-compliance, hereby leaving violators open to potential legal action.

So it’s pretty important to be ready.

Core requirements of the regulation

Special definitions used below:

  • User: an individual whose personal data is processed by a controller or processor (the GDPR calls this person the data subject).
  • Data controller: any person or legal entity that determines the purposes and means of processing the personal data.
  • Data processor: any person or legal entity that processes personal data on behalf of the controller.

For example, an internet company may collect user information via its website and store it using a third-party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.

Lawful basis for processing data (Article 6):
Under the GDPR data can only be processed if there’s at least one lawful reason for doing so.
The Lawful bases are:

  • The user has given consent for one or more specific purposes.
  • The data processing is necessary for a contract in which the user is a participant or necessary in order to take steps (requested by the user) prior to entering the contract.
  • The processing is necessary for fulfilling a legal obligation to which the data controller is subject.
  • The processing is necessary for protecting the vital interests of the user or of another person.
  • The processing is necessary for doing a task carried out in the interest of the public or as contained under the official authority given to the data controller.
  • The processing is necessary for the legitimate interests of the data controller or third party, except where overridden by the interests, rights and freedoms of the user, in particular where the user is a child.

Consent (Articles 7&8):
Consent obtained from users must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (opt-in; pre-ticked boxes and silence do not count). Explicit consent is required where special categories of data are involved. In getting consent for data use, you may not use overly complicated or indecipherable terms or wording, and this includes legalese and unnecessary jargon. This means that privacy notices must be laid out legibly (see ours here) using understandable language and clauses so that users are clear on what they are consenting to. For online services offered directly to children, consent for a child below the age of digital consent (16 under the GDPR, which member states may lower to no less than 13) must be given or authorized by the holder of parental responsibility, and the controller must make reasonable efforts to verify this. In general, it must be as easy for users to withdraw consent as it is for them to give it.
Because consent is such an important issue under the GDPR, it is mandatory that you keep detailed records of consent. The records should contain details of when and how consent was obtained and exactly what the user was told at the time.
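As an added example (not iubenda’s code; the GDPR prescribes no particular record format), the following Python ledger records what the paragraph asks for: when consent was given, through which mechanism, for which specific purpose, and a fingerprint of the notice text the user actually saw. It refuses mechanisms that are not an affirmative opt-in, treats withdrawal as a single call, and answers the audit question “did this user hold consent for this purpose at this time?”. The mechanism labels, the sample notice texts and the `ts` helper are constructed for the example.

```python
"""Verifiable consent records (added example).

Every consent and withdrawal is an append-only event carrying the purpose,
the time, the opt-in mechanism and a fingerprint of the notice text shown.
Mechanism labels and the sample notices below are constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed notice texts; a real one would be the policy shown at the time.
NOTICE_V1 = "We use cookies for audience analytics. You can withdraw at any time."
NOTICE_V2 = "We use cookies for audience analytics and ad measurement. You can withdraw at any time."

# Constructed labels for how consent was captured. Only affirmative actions
# count; a pre-ticked box or mere continued browsing is not consent.
AFFIRMATIVE_MECHANISMS = {"checkbox_ticked", "accept_button"}


def ts(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Convenience constructor for UTC timestamps used in the example."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def notice_version(text: str) -> str:
    """Short fingerprint of the exact wording the user was shown."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    given: bool            # True = consent given, False = withdrawn
    at: datetime
    mechanism: str
    notice_version: str    # empty for withdrawals
    notice_text: str       # what the user was told, kept verbatim for audit


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_consent(self, user_id: str, purpose: str, mechanism: str,
                       notice_text: str, at: datetime) -> ConsentEvent:
        if mechanism not in AFFIRMATIVE_MECHANISMS:
            raise ValueError(f"{mechanism!r} is not an affirmative opt-in; not recorded")
        if purpose in ("", "*", "all"):
            raise ValueError("consent must be tied to a specific purpose")
        event = ConsentEvent(user_id, purpose, True, at, mechanism,
                             notice_version(notice_text), notice_text)
        self._events.append(event)
        return event

    def withdraw(self, user_id: str, purpose: str, at: datetime) -> ConsentEvent:
        """Withdrawal is one call, mirroring how easy giving consent was."""
        event = ConsentEvent(user_id, purpose, False, at, "withdrawal", "", "")
        self._events.append(event)
        return event

    def has_consent(self, user_id: str, purpose: str, at: datetime,
                    current_notice: Optional[str] = None) -> bool:
        """Point-in-time check: latest event for (user, purpose) at or before `at`.

        If `current_notice` is supplied, consent recorded against different
        wording does not count, so a materially changed notice forces re-consent.
        """
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.user_id == user_id and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        if latest is None or not latest.given:
            return False
        if current_notice is not None and latest.notice_version != notice_version(current_notice):
            return False
        return True

    def evidence(self, user_id: str, purpose: str) -> List[ConsentEvent]:
        """Everything an auditor would ask for: when, how, and what was shown."""
        return [ev for ev in self._events if ev.user_id == user_id and ev.purpose == purpose]
```

Keeping the events append-only matters: a withdrawal does not delete the earlier consent record, so you can still show that processing between the two timestamps was lawful.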

User Rights:
Under the GDPR users have specific rights that must be honored. These include:

  • The right to be informed (Articles 13&14): In addition to the generally required disclosures outlined above, the GDPR further requires that you ensure that your privacy notices are concise, easy-to-understand and easily accessible throughout your website/ app.
  • The right of access (Article 15): Users have the right to access their personal data and information about how their personal data is being processed.
  • The right to rectification (Article 16): Users have the right to have their personal data rectified if it is inaccurate or incomplete.
  • The right to erasure (Article 17): When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased and all dissemination ceased.
  • The right to restrict processing (Article 18): Users have the right to restrict the processing of their personal data in specific cases.
  • The right to data portability (Article 20): Users have the right to obtain (in a machine-readable format) and use their personal data for their own purposes.
  • The right to object (Article 21): Under the GDPR, users have the right to object to certain activities in relation to their personal data.
  • Rights related to automated decision making and profiling (Article 22): Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.

Privacy by design and default (Article 25):
Data protection should be built in from the outset of designing and developing business processes and infrastructure. This means that, by default, only the personal data necessary for each specific purpose is processed and the most privacy-protective settings apply, with measures in place to make sure the whole processing life cycle of the data stays within the GDPR requirements.

Maintain records of processing activities (Article 30): 
Controllers and processors must keep up-to-date written records of the processing activities they carry out (purposes, categories of data and recipients, transfers, retention periods and security measures). Organizations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to the rights and freedoms of individuals, is not occasional, or includes special categories of data or data relating to criminal convictions.

Breach Notification (Articles 33&34):
If there is a data breach, the data processor must notify the controller without undue delay after becoming aware of it. The data controller must then notify the Supervisory Authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; where notification is late, the reasons for the delay must be given. Affected users must also be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms. This is not required where the data was rendered unintelligible to unauthorized parties (for example, through encryption whose keys were not compromised) or where the risk has since been addressed.

Data Protection Impact Assessment (Article 35):
A data protection impact assessment (DPIA) is a process used to help organizations comply effectively with the GDPR and ensure that the principles of accountability, privacy by design and privacy by default are put in practice by the organization.
Generally speaking, the DPIA is only mandatory in cases where data processing activity is likely to result in a high risk for users (this is particularly applicable when introducing new processing technology). However, if unsure as to whether or not your processing activity falls within what is considered “high risk”, it is recommended that a DPIA be carried out nonetheless as it is a useful tool for ensuring that the law is complied with.

Appointment of Data Protection Officers (Article 37):
In public authorities (except courts acting in their judicial capacity), in organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and in organizations whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions, a professional with expert knowledge of data protection law and practices must be appointed as Data Protection Officer (DPO). This officer should also be proficient in IT process management, data security and other critical issues surrounding the processing of personal and sensitive data.

Cross-border data transfers (Articles 44-50):
The GDPR permits transfers of personal data outside the European Economic Area (EEA) only when set conditions are met. Under these conditions, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards, or, where not considered adequate, transfers may still be allowed under standard contractual clauses (SCCs) or binding corporate rules (BCRs). Outside these conditions, a transfer may rely on one of the Article 49 derogations, such as the user’s explicit consent to the proposed transfer, given after being informed of the possible risks, including the lack of adequate protection in the third country.

What this means for businesses

As with most new regulations, the GDPR has its pros and cons from a business point of view. Generally speaking, the new rules will mean more restrictions on the commercial use of data and more initial spending to become compliant. However, in the long term, the regulation is intended to encourage innovation, reduce the cost of doing business in the EU, mitigate risks and associated potential costs, safeguard individual data security rights and encourage consumer trust.

Next Steps

In terms of compliance, some of the first logical steps are to:

  • Make sure that your privacy policy is up to regulation. You can click here for information on what your privacy policy should contain (at the very least) or you can simply generate one here.
  • Review your current data processing systems and ensure that they are up to regulatory specifications.
  • Review your data processors’ GDPR readiness (data processors can include your cloud service provider, email marketing service providers, analytics companies etc.). The ICO’s controller/processor Contracts and liabilities Guide is a good place to start.

Looking for more in-depth information on the GDPR? You’re welcome to join us at our up-coming webinar. It’s free to attend and you can have your most pressing questions answered. You can use this link to reserve your spot NOW (as our webinars often fill up quickly).

You can also read our GDPR overview here and the full GDPR legal text here (available in several languages).

Google Analytics User ID in Your Privacy Policy
https://www.iubenda.com/en/blog/google-analytics-user-id-privacy-policy/
Tue, 30 Sep 2014 11:14:32 +0000

The post Google Analytics User ID in Your Privacy Policy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Google Analytics and Google are pushing their new standard hard. Soon all accounts will be required to use Universal Analytics instead of the older implementation technologies.

With Universal Analytics, users benefit from new technology and tracking features. Its best advertised feature is User ID, which allows you to “Connect multiple devices, sessions, and engagement data (…).”

In short User ID lets you more accurately track various sessions to one user. It’s not hard to see that this potentially makes the analytics data much more insightful. This is what Google itself is saying about the feature:

The User ID is a Universal Analytics feature that you can use to associate multiple sessions (and any activity within those sessions) with a unique ID. When you send a unique ID and any related engagement data to Google Analytics, all activity is attributed to one user in your reports. With the User ID, you can get a more accurate user count, analyze the signed-in user experience, and get access to the new Cross Device reports.

What changes for my privacy policy with User ID?

With User ID you also have some changes coming to your privacy policy. Google itself asks you to make those changes. Let’s see what they are and where we can find these requirements.

The User ID feature is built for use with the Universal Analytics technologies. All implementations must comply with the Google Analytics Measurement Protocol / SDK / User ID Policy. The Universal Analytics usage guidelines, and security & privacy principles also apply.

Source https://support.google.com/analytics/answer/3123668?hl=en

Let’s dive in deeper, then.

The Google Analytics Measurement Protocol / SDK / User ID Policy requirements

Here are Google’s requirements from the Measurement Protocol / SDK / User ID Policy:

  • You will give your end users proper notice about the implementations and features of Google Analytics you use (e.g. notice about what data you will collect via Google Analytics, and whether this data can be connected to other data you have about the end user). You will either get consent from your end users, or provide them with the opportunity to opt-out from the implementations and features you use.
  • If you use an SDK to implement any Google Analytics Advertising Features, such as Audience Reporting or Remarketing, you will abide by the Policy for Google Analytics Advertising Features, in addition to the Google Play Developer Program Policies, or any other applicable policy.

Source https://developers.google.com/analytics/devguides/collection/protocol/policy

Three things are important here and will have a direct impact on your privacy policy text:

  • proper notice about the implementations and features
  • get consent or provide them with the opportunity to opt-out from the features and implementations
  • if you use Audience Reporting or Remarketing you need to additionally abide by further policies

The Universal Analytics Usage Guidelines requirements

Let’s dive in right away:

Let your users know about these Google Analytics features, and give them proper notice about your implementation changes. Get consent or provide an opportunity to opt-out of your services.

When you implement Universal Analytics, it is your responsibility to ensure that your use is legally compliant, including with any local or regional requirements for specific notification to users.

Source https://support.google.com/analytics/answer/2795983?hl=en

Google wants you to let your users know about the change from the older version to Universal Analytics. Beyond the notice and consent/opt-out points already covered above, there is no additional impact on your privacy policy text.

Security and privacy in Universal Analytics requirements

Here’s an outtake:

(…) In case you use a service that has implemented the Measurement Protocol, please check the notice given and choice offered by this service directly with the Google Analytics customer using such service, as the opt-out directly provided by Google Analytics does not affect data reported through the Measurement Protocol.

Source https://support.google.com/analytics/answer/2838718

The point here is that you need to offer your users a way to opt out of the features you use with Google Analytics that Google cannot control, such as data you send through the Measurement Protocol from your own servers. Add a way for people to opt out of these features to your privacy policy, and make sure your implementation actually honours it.
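As an added illustration (not iubenda’s or Google’s code) of why the opt-out has to be enforced by you: the snippet below builds a Universal Analytics Measurement Protocol v1 hit the way a backend would, carrying the User ID discussed in this post, and refuses to build one for a user who has opted out. The endpoint and parameter names are the documented v1 ones; the property ID, the opt-out registry and the user IDs are placeholders, and nothing is sent over the network.

```javascript
// Added example: server-side opt-out enforcement for Measurement Protocol hits.
// Google's browser add-on and the ga-disable flag only stop hits sent from the
// page; a hit built here never passes through the browser, so the check must
// live here. Placeholders: TRACKING_ID, the opt-out registry and the user IDs.

const MP_ENDPOINT = 'https://www.google-analytics.com/collect'; // documented v1 endpoint
const TRACKING_ID = 'UA-XXXX-Y';                                 // placeholder property ID

// Constructed in-memory opt-out registry keyed by your own User ID. In
// production this is whatever persists the user's tracking preference.
const optedOutUsers = new Set(['user-42']);

function hasOptedOut(userId) {
  return userId !== undefined && optedOutUsers.has(userId);
}

// Build the x-www-form-urlencoded body for one hit, or return null when the
// user must not be tracked. 'uid' is the User ID feature: per Google's policy it
// must be an opaque ID you assign, never personal data such as an e-mail address.
// 'cid' is the pseudonymous client ID the protocol requires on every hit.
function buildHit({ userId, clientId, type, params }) {
  if (hasOptedOut(userId)) return null;
  const body = new URLSearchParams({
    v: '1',            // protocol version
    tid: TRACKING_ID,  // property the hit is attributed to
    cid: clientId,
    t: type,           // 'pageview', 'event', ...
    aip: '1',          // ask Google to anonymize the IP address
  });
  if (userId) body.set('uid', userId);
  for (const [k, v] of Object.entries(params || {})) body.set(k, String(v));
  return body.toString();
}

// What a real sender would POST; null means "do not send".
function prepareRequest(hit) {
  const body = buildHit(hit);
  if (body === null) return null;
  return { method: 'POST', url: MP_ENDPOINT, body };
}
```

The same check belongs in front of every server-side sender you operate, because neither Google’s opt-out add-on nor the ga-disable flag on the page can see these hits.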

How iubenda can help you

If you have a privacy policy that you are confident in, consider making the changes written about above. Here is a summary:

  • proper notice about the implementations and features
  • get consent or provide them with the opportunity to opt-out from the features and implementations
  • if you use Audience Reporting or Remarketing you need to additionally abide by further policies

If you don’t have a privacy policy, or you want to improve your existing one, iubenda generates the privacy policy for you and produces text ready to use on your site (or app). Here is another, shorter post that outlines some other rules set out by Google about how you should implement User ID.

This is the process…

…when generating a privacy policy for Google Analytics’ User ID feature:

  • Sign up or sign in and provide your site’s url
  • Add the “Google Analytics” service
    • Alternatively add “Google Analytics with anonymized IP”
  • Add the “User ID” extension
    • Add the “Remarketing” clause if you need it
  • Done. Now add the privacy policy to your site.

How to include Do Not Track info in a privacy policy
https://www.iubenda.com/en/blog/include-do-not-track-info-privacy-policy/
Published Thu, 29 May 2014 14:01:49 +0000
Ever since the Do Not Track amendment to California’s online privacy law was passed and became effective on January 1st, 2014, website and app owners have wondered how best to comply with the changes.

The amendment (AB 370) added two new requirements to California’s so-called CalOPPA (California Online Privacy Protection Act):

  1. the operator’s response to a browser DNT signal or to “other mechanisms,” and
  2. the possible presence of other parties conducting online tracking on the operator’s site or service.

Now the Attorney General’s office of California has released another guide for website owners and developers (yes, mobile app owners as well). This time the guide covers the Do Not Track requirement and how to make sure you comply with it.

You can read and download the Do Not Track guide “Making your Privacy Practices Public” here.

The key takeaways of the guide can be summarized like this:

  • Prominently label the section of your policy regarding online tracking, for example: “California Do Not Track Disclosures.”
  • Describe how you respond to a browser’s Do Not Track signal or similar mechanisms within your privacy policy instead of providing a link to another website.
  • If third parties are or may be collecting personally identifiable information, say so in your privacy policy.
  • Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or app.
  • Describe what personally identifiable information you collect from users, how you use it and how long you retain it.
  • Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.
  • Use plain, straightforward language that avoids legal jargon and use a format that makes the policy readable, such as a layered format. Use graphics or icons instead of text.

As you can see, only the first two takeaways are about Do Not Track itself. That’s because the underlying goal is quite simple: tell your visitors what Do Not Track does on your site, or that it does nothing.

I’m pasting in the larger recommendations regarding Do Not Track in their entirety for you below:

Make it easy to find the Do Not Track section of your policy.

Clearly identify the section in which you describe your specific policy regarding online tracking or how you respond to consumers’ DNT signals. Use a header, for example “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”

Describe how you respond to a browser’s DNT signal or to another such mechanism.

Describing your response in your privacy policy statement is preferable to simply providing a link to a related “program or protocol” (hereinafter referred to as a “program”) because it provides greater transparency to consumers.

And

If you decide not to describe your response to a DNT signal or to another mechanism, provide a clear and conspicuous link in your privacy policy statement to a program that offers consumers a choice about online tracking.

Our Privacy and Cookie Policy Generator offers you a standard clause that you can use to declare you do not support “Do Not Track” requests. You can find it by typing “Do Not Track” in the service search bar.

If instead you support “Do Not Track” requests, and you want to declare it inside your privacy and cookie policy, please create a new custom clause where you explain how “Do Not Track” requests are handled.
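If you do state that you honour Do Not Track, the description in your policy has to match what the site actually does. The following is an added example (not part of this post, and not iubenda’s or the Attorney General’s code) of reading the signal on both sides: the browser property, whose name and value vary between older browsers, and the DNT request header a server sees. The object parameters stand in for navigator, window and the request headers so the functions can be exercised outside a browser; the honorDnt flag is an assumed site setting.

```javascript
// Added example: detecting the Do Not Track signal consistently.
// Client side, the property differs across browsers: Firefox/Chrome expose
// navigator.doNotTrack ("1", "0", "unspecified" or null), older Safari exposed
// window.doNotTrack, and IE 9-11 exposed navigator.msDoNotTrack; some IE builds
// reported "yes" instead of "1". nav and win are passed in for testability.
function dntRequested(nav, win) {
  const raw = [nav && nav.doNotTrack, win && win.doNotTrack, nav && nav.msDoNotTrack]
    .find((v) => v !== undefined && v !== null);
  if (raw === undefined) return false; // no signal at all
  const s = String(raw).trim().toLowerCase();
  return s === '1' || s === 'yes';
}

// Server side, the browser sends "DNT: 1". Header names are case-insensitive;
// accept either a plain object (as in Node's req.headers) or anything with get().
function dntFromHeaders(headers) {
  let v;
  if (headers && typeof headers.get === 'function') {
    v = headers.get('dnt');
  } else if (headers) {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === 'dnt');
    v = key === undefined ? undefined : headers[key];
  }
  return v !== undefined && v !== null && String(v).trim() === '1';
}

// The decision your policy text must describe. honorDnt is the site's own
// (assumed) configuration; when it is set, a DNT signal overrides consent.
function trackingAllowed({ dntSignal, honorDnt, consent }) {
  if (honorDnt && dntSignal) return false;
  return consent === true;
}
```

Whichever branch your site takes, the DNT section of the policy should describe exactly that behaviour, and the code is the thing to check when writing it.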

How to Add/Link a Privacy Policy to an App
https://www.iubenda.com/en/blog/privacy-policy-app-store-guide-link/
Published Fri, 07 Feb 2014 08:11:47 +0000

In short

For mobile apps, you should consider adding your privacy policy in 3 places:

  1. inside the app itself (for example, in the settings menu);
  2. into the app store as a link;
  3. on the promotional website, if you have one.

That privacy policies should not be a simple afterthought for developers and app owners has probably sunk in with most people by now. There are various reasons why you should add a privacy policy to your app, many of which can be traced back to California’s Attorney General and her efforts to improve the state of privacy in apps.

Where we still see a lot of room for improvement is the way the privacy policy is displayed in an app. We always rejoice when we see a product using our policies in a well-integrated way. Therefore, we’re publishing a quick guide to show how you can effectively embed a privacy policy in your app.

To illustrate this guide we’re going to use Wordbase, an app that started using iubenda and made a good impression with their implementation practices.

Minimal theory about privacy policies in apps

Data protection authorities have been working on improving the privacy situation in apps for a good while now, and there is a fair amount of guidance and documentation on the subject. This should not be surprising: mobile phones are becoming devices with access to our most intimate details, and this trend will continue.

The basic premise is that when the use of your app involves processing of personal data of individuals, privacy laws will kick in. One of the consequences is the required disclosure of your data processing to your users and that information should be made readily available before a mobile app is downloaded.

How should you link to your privacy policy in your app?

So let us move to this article’s main question: how should you link your privacy policy for your app?

To illustrate that, we’ll use a quote from Europe’s Article 29 Working Party, the advisory body made up of the EU’s national data protection authorities (since replaced by the European Data Protection Board under the GDPR). The quotes come from its Opinion 02/2013 on apps on smart devices, mainly section 3.7.2, “The form of the information” (emphasis added; you can view the paper in full here):

The essential scope of information about data processing 1) must be available to the users before app installation, via the app store. Secondly, the relevant information about the data processing 2) must also be accessible from within the app, after installation.

As a joint controller with the app developers with regard to information, app stores must ensure that every app provides the essential information on personal data processing. They should check the hyperlinks to included pages with privacy information and remove apps with broken links or otherwise inaccessible information about the data processing.

Make sure your users can view the policy before the installation. They should also be able to view the “relevant information about the data processing” from within the app.

The Working Party recommends that information about personal data processing is also available, and easy to locate, such as within the app store 3) and preferably on the regular websites of the app developer responsible for the app. It is unacceptable that the users be placed in a position where they would have to search the web for information on the app data processing policies instead of being informed directly by the app developer or other data controller.

Make your policies available where people are viewing your app.

At the very least, every app should have a readable, understandable and easily accessible privacy policy, where all the above-mentioned information is included. Many apps do not meet this minimum transparency requirement. According to the June 2012 FPF study, 56% of the paid apps do not have a privacy policy and almost 30% of the free apps.

Apps which do not, or are not intended for the processing of personal data, should clearly state this within the privacy policy.

Therefore add your privacy policy to:

  1. the app store page;
  2. within the app, preferably in the main settings view; and
  3. on your promotional site that is connected with the app.

Privacy policy in the app

On websites a privacy policy belongs in the footer or any other main navigation that is easily available from virtually any page. For apps, this is a bit more complicated because of space constraints, but mostly there will be a great spot in settings or navigation list.

Example: the Wordbase app (screenshot not reproduced here).

Privacy policy on the app store page

This one is important. Make the privacy policy available before the download on the app store. The stores have dedicated link forms for this. iubenda makes this very easy, just grab the link for your generated privacy policy and paste it there.

Example: Wordbase on the App Store (screenshot not reproduced here).

To help you find your way around, we’ve made two guides for the most popular app stores out there:

Privacy policy on your website

Last but not least, make use of your online pages and link to your privacy policy from your app’s page as well.

Example: the website wordbaseapp.com (screenshot not reproduced here).

All of this is really just a consequence of informing your users before they use your app and shouldn’t be too hard to do. Yet so many developers and app owners don’t do this consistently. Don’t be one of them: do it right.


Bonus tip: Privacy policy offline mode

Some privacy authority bodies request that a privacy policy be available within the app in offline mode. In that case, you would need to embed the privacy policy text in a view to be available without an internet connection.

With iubenda you’d just embed the policy in a view in your app and cache the content to stay available also in offline mode.

All the information on how to make your privacy policy available for offline viewing can be found here.

How to Craft Your Privacy Policy for Google Analytics in Germany
https://www.iubenda.com/en/blog/privacy-policy-google-analytics-germany/
Published Tue, 10 Dec 2013 17:27:51 +0000
Germany is well known for its fierce stance on privacy, and its data protection authorities have accomplished one thing: getting Google to adapt some of its practices regarding the implementation of Google Analytics on German websites.

Update February 2020: all of the earlier guidance on the site of the Hamburg data protection authority has been deleted. Newer guidance hasn’t been issued, but there are some breadcrumbs one can find that we’ll link to in the article below.

Update mid-2017: The authority of Hamburg has provided new docs about a compliant use of GA, in German only.

Update December 2016: The authority of Hamburg has disabled their guides, to reassess the situation.

Update September 2016: Google has published its Privacy Shield certification and updated the terms for using Google Analytics in Germany, including the contract for data processing. (Note that the CJEU later invalidated Privacy Shield as a transfer mechanism in July 2020, C-311/18 “Schrems II”, so it can no longer be relied on for EU-US transfers.)

On datenschutz-hamburg there used to be a document called Guidelines for Hamburg-based website operators using Google Analytics, which outlined in detail what you had to do in order to use Google Analytics in a compliant way in Germany (see the updates above: it has since been taken down).

Note: read this post in German instead: Aufsetzen der Datenschutzerklärung bei Nutzung von Google Analytics.

Get started quickly with iubenda + Google Analytics

Take these two actions to get started with iubenda to generate a privacy policy with Google Analytics clauses:

  1. Sign up/Sign in and choose the “Google Analytics with anonymized IP” clause;
  2. Optional: choose the “Direct text embedding” option to display the privacy policy on your site.

Read the rest of the post for more details.


Since we first published this guide a lot has changed, and the guides we originally linked to no longer exist.

However, the Tätigkeitsbericht (activity report) of the Hamburg authority for 2019 (published in 2020) gives some pointers about what has changed:

  • Google Analytics has changed: in addition to helping the website owner analyse their traffic, it now also lets Google extract information for its own purposes
  • There is a new CJEU decision of 1 October 2019, C-673/17 “Planet49”, which requires active consent (pre-ticked boxes are not enough) for the setting of non-essential cookies

In order to use Google Analytics and iubenda the way it is intended by the German data protection authorities you have to follow the two processes outlined below:

1) Things you are required to do regarding Google Analytics

To quote the data protection authority of Hamburg: “To use Google Analytics in a compliant way, you as the website operator must implement the following measures as a minimum”:

  1. Sign agreement: you must conclude (in writing) the data processing agreement prepared by Google. This agreement can be found here.
  2. Privacy policy & opt-out: inform users about your use of Google Analytics in your privacy policy. Inform them about their opportunity to object, and link to the opt-out browser extension made by Google: http://tools.google.com/dlpage/gaoptout?hl=de. This part, the privacy policy generation, is what iubenda helps you with.
  3. Opt-out II: you should implement your own opt-out link in the privacy policy. The reason is that Google’s extension works mainly for desktop browsers; the more mobile visitors you have, the more important this opt-out option becomes. When you use iubenda, we add such an opt-out link to the privacy policy automatically, but you additionally have to follow the instructions below for it to work properly.
  4. IP anonymization: you need to use the anonymization function provided by Google in your Google Analytics snippet: “_gat._anonymizeIp()” for the old ga.js snippet, or ga('set', 'anonymizeIp', true) for analytics.js. Read more about the anonymization part here.
  5. Delete old data: if you have not used Google Analytics with IP anonymization so far, you are required to delete the data collected previously, because it is considered to have been collected unlawfully.

Read about these requirements in more detail here.

Update 2017: The English pdfs on the Hamburg DPA were suspended, therefore we’re linking to the updated German version here instead.

In the newest Tätigkeitsbericht [German], the authority concludes that its earlier guides are no longer to be followed and that, at the very least, the following is needed to run Google Analytics in a compliant fashion:

1. A contract for the data processing pursuant to Art. 28 DSGVO should first be concluded between Google LLC and the website operator.

2. In addition, if the “standard setting” is selected, the website operator is also required to conclude a “Controller-Controller Agreement”, from which it follows that both Google and the website operator act under their own responsibility and reserve the possibility of their own further processing of the data.

3. Taking into account European case law (CJEU, ruling of 29 July 2019, C-40/17 “Fashion ID”), the standard setting recommended by Google can therefore be assumed to constitute joint responsibility pursuant to Art. 26 DSGVO. The HmbBfDI is therefore also of the opinion that consent pursuant to Art. 6(1)(a) DSGVO is required for the use of Google Analytics or similar services (this, according to the authority, follows from the CJEU ruling of 1 October 2019, C-673/17 “Planet49”, and from Google’s own terms, which oblige the website operator to take reasonable steps to give the user transparent, comprehensive information).

In other words, compared to the good old days, in addition to a privacy policy you are now expected to show a cookie banner and only place analytics cookies after you have received consent from users (which iubenda helps you do).

Of the same opinion, by the way, is the Bavarian authority, that requires prior explicit consent for Google Analytics.

2) How iubenda can help you regarding Google Analytics

  1. Sign up/Sign in and add the Google Analytics clause called “Google Analytics with anonymized IP” to the privacy policy.
  2. No longer necessary, kept for reference: use the “direct text embedding” option for our privacy policy on your site. This used to be unavoidable if you wanted to follow German practice closely, because of the way Google’s opt-out JavaScript is set up: it only works, and effectively opts your users out, when the policy is embedded directly on your site.
  3. Before you place a Google Analytics cookie, make sure you show a cookie notice and get the user’s consent [for that you can use the Cookie Solution].
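Putting the requirements above together in code: the block below is an added example (not iubenda’s or Google’s code, and separate from the archived opt-out snippet at the end of this post) of a page that checks the ga-disable opt-out flag and a consent cookie before queuing any analytics.js command, sets anonymizeIp before the first hit, and only then injects analytics.js. The cookie name analytics_consent and the property ID are placeholders, and window and document are passed in as arguments so the logic can be exercised outside a browser.

```javascript
// Added example: consent-gated, IP-anonymized analytics.js bootstrap.
// Order matters: (1) honour an existing opt-out, (2) require consent before any
// cookie is set, (3) queue 'set anonymizeIp' before the first 'send',
// (4) only then load analytics.js. Placeholders: GA_PROPERTY, CONSENT_COOKIE.

const GA_PROPERTY = 'UA-XXXX-Y';                   // placeholder property ID
const CONSENT_COOKIE = 'analytics_consent';        // assumed name set by your banner
const DISABLE_KEY = 'ga-disable-' + GA_PROPERTY;   // flag analytics.js checks on window

// Minimal cookie-string parser (document.cookie is "a=1; b=2").
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Returns a reason string rather than a boolean so the decision is auditable.
function analyticsDecision(cookieString) {
  const c = parseCookies(cookieString);
  if (c[DISABLE_KEY] === 'true') return 'opted-out';   // user's own opt-out wins
  if (c[CONSENT_COOKIE] !== 'granted') return 'no-consent';
  return 'allowed';
}

// Commands queued before analytics.js arrives. anonymizeIp must be set before
// the first 'send', otherwise the first hit carries the full IP address.
function gaBootCommands(property) {
  return [
    ['create', property, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

function startAnalytics(win, doc) {
  const decision = analyticsDecision(doc.cookie);
  if (decision !== 'allowed') {
    win[DISABLE_KEY] = true; // belt and braces: even a stray snippet stays silent
    return decision;
  }
  if (typeof win.ga !== 'function') {
    // Same command-queue stub Google's snippet installs; analytics.js drains ga.q.
    win.ga = function () { (win.ga.q = win.ga.q || []).push(Array.from(arguments)); };
  }
  for (const cmd of gaBootCommands(GA_PROPERTY)) win.ga.apply(null, cmd);
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.google-analytics.com/analytics.js';
  doc.head.appendChild(script);
  return decision;
}

// Wire this to the banner's "accept" button: record consent, then start GA.
function grantConsent(win, doc) {
  doc.cookie = CONSENT_COOKIE + '=granted; path=/; max-age=31536000; SameSite=Lax';
  return startAnalytics(win, doc);
}
```

In a real page you would call startAnalytics(window, document) on load and grantConsent(window, document) from the banner; the opt-out link from the archived snippet keeps working because the same ga-disable flag is checked first.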

Other posts to read regarding Google Analytics

The process looks more complicated than it is. Basically you have to

  • make sure you follow the requirements as outlined by the data protection authorities – details
  • iubenda will help you with crafting a privacy policy – details

If you want to do additional reading, you will find other relevant posts here in this list below:

Let us help you to do this.



This used to be part of the guide, we’ll keep it here for archiving purposes:

  1. Integrate the JavaScript code* for the opt-out provided by Google; it needs to be placed on every page BEFORE the Google Analytics snippet. Here are Google’s instructions.

*the JavaScript snippet provided by Google that must be placed before Google Analytics (basically, what iubenda does for you: if you have integrated Google’s code correctly into your site, we show an opt-out success message; if not, we send people to Google’s opt-out mechanism, which only opts out part of your audience. If you want this to work, you need to embed the privacy policy on your own site):

// Set to the same value as the web property used on the site
var gaProperty = 'UA-XXXX-Y';

// Name of both the opt-out cookie and the window flag that analytics.js checks:
// when window['ga-disable-<property>'] is true before analytics.js runs, it
// drops every hit for that property.
var disableStr = 'ga-disable-' + gaProperty;

// Disable tracking if the opt-out cookie exists. This block must run on every
// page BEFORE the Google Analytics snippet, otherwise the first hit is sent.
if (document.cookie.indexOf(disableStr + '=true') > -1) {
  window[disableStr] = true;
}

// Opt-out function: wire it to the opt-out link in the privacy policy, e.g.
// <a href="javascript:gaOptout()">...</a>. It persists the choice in a cookie for
// the whole site (path=/) and disables tracking immediately on the current page.
function gaOptout() {
  document.cookie = disableStr + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
  window[disableStr] = true;
}

A Guide to COPPA and Mobile Apps
https://www.iubenda.com/en/blog/guide-coppa-mobile-apps/
Published Tue, 24 Sep 2013 08:14:38 +0000
This is a guide on how to design your apps for children under 13 (and websites, since apps are a subset of the web) on the privacy front, under the amended COPPA Rule of 2013.

This guide has one goal: we want to help you find your way to the app stores as fast as possible and would like to help you become compliant with privacy regulations. Below you will find a very comprehensive guide that runs you through the most important aspects of COPPA.

For our US readers: this information is provided as a general guide to the issues, and is not legal or technical advice

  1. What is COPPA?
  2. When Do I Fall under COPPA?
  3. How Do I Comply with COPPA?
  4. The App Store Part
  5. Summary

IN SHORT

In a nutshell: If you develop apps or run websites directed to children under 13 years of age and collect their personal information, you are very likely to fall under COPPA and should therefore follow its rules.

1. What is COPPA?

COPPA is an abbreviation for the Children’s Online Privacy Protection Act (COPPA) that was enacted by Congress in 1998 and required the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The amended Rule became effective on July 1st, 2013.

The primary goal of COPPA is to protect children’s privacy online (and, at the same time, in the mobile ecosystem). COPPA puts parents in control over what information is collected online from their children.

2. When Do I Fall under COPPA?


When do you as a web or mobile developer or operator/owner of these services fall under COPPA? And what does that fact mean for you? The Rule applies to operators of commercial websites and online services (again, it includes mobile apps) directed to children under 13 that collect, use, or disclose personal information from children.

It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Let us dissect this catalogue:

  1. Operators of commercial websites and online services
  2. directed to children under 13
  3. that collect, use, or disclose personal information from children.

It also applies to:

  1. operators of general audience websites or online services
  2. if they have actual knowledge that they are collecting, using, or disclosing personal information
  3. from children under 13.

And it applies to:

  1. websites or online services that have actual knowledge that
  2. they are collecting personal information directly from users of another website or online service
  3. directed to children

There are a few things we still have to look at more deeply here. What is a website or online service as they are quoted in the Rule? What is personal information exactly? And what does collect, use or disclose mean in this context? Turns out the terms in the Rule are mostly defined broadly:

2.1 Website or online service?


So what is the definition of a website or online service under COPPA?

  • mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads)
  • internet-enabled gaming platforms
  • plug-ins
  • advertising networks
  • internet-enabled location-based services
  • voice-over internet protocol services

2.2 Personal Information


What kind of information is considered personal and therefore triggers the COPPA compliance requirement? This is important: COPPA has updated the list of “personal information” that cannot be collected without parental notice and consent to include geolocation information, photographs, and video and audio files that contain a child’s image or voice. In full, the list of personal information looks like this:

  • full name;
  • home or other physical address, including street name and city or town,
  • online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier;
  • screen name or user name where it functions as online contact information;
  • telephone number;
  • Social Security number;
  • a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier;
  • a photo, video, or audio file containing a child’s image or voice;
  • geolocation information sufficient to identify a street name and city or town; or
  • other information about the child or parent that is collected from the child and is combined with one of these identifiers.

What is, then, the collection of personal information like the above?

2.3 Collecting Personal Information


You are collecting information if you:

  • request, prompt, or encourage the submission of information, even if it’s optional;
  • let information be made publicly available (for example, with an open chat or posting function), unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records; or
  • passively track a child online.

If another company collects personal information through your child-directed site or service — through an ad network or plug-in, for example — you’re responsible for complying with COPPA. If you have actual knowledge that you’re collecting personal information directly from users of a child-directed site or service, you’re responsible for complying with COPPA, too. So how do you go from being required to follow COPPA’s rules, to actually complying?

3. How Do I Comply with COPPA?

In short, you must:

  1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  4. Provide parents access to their child’s personal information to review and/or have the information deleted;
  5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

Let us dissect this again:

3.1 Post a clear and comprehensive online privacy policy


This is the first step where iubenda comes in handy. To generate a privacy policy with us, visit the generator here and add our COPPA compliance clause “The Service is directed to children under the age of 13”. If you would rather write it yourself, follow this pattern: describe clearly and comprehensively how personal information is collected.

The notice must describe not only your own practices (what is collected and how it is used) but also the practices of any others collecting personal information on your site or service, for example third-party plug-ins or ad networks you use. Link to your policy from a prominent spot. What separates a COPPA privacy policy from other privacy policies is the description of parental rights.

Your privacy policy must tell parents:

  • that you won’t require a child to disclose more information than is reasonably necessary to participate in an activity;
  • that they can review their child’s personal information, direct you to delete it, and refuse to allow any further collection or use of the child’s information;
  • that they can agree to the collection and use of their child’s information, but still not allow disclosure to third parties unless that’s part of the service (for example, social networking); and
  • the procedures to follow to exercise their rights.

If you want us to help you accomplish this, try the generator and don’t forget to add our COPPA clause.

3.2 Provide direct notice to parents and obtain verifiable parental consent

Before you start collecting personal information from children, you need to give parents “direct notice”. The notice must be clear and easy to read and include the following:

  • that you collected their online contact information for the purpose of getting their consent;
  • that you want to collect personal information from their child;
  • that their consent is required for the collection, use, and disclosure of the information;
  • the specific personal information you want to collect and how it might be disclosed to others;
  • a link to your online privacy policy;
  • how the parent can give their consent; and
  • that if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records.

If you change your practices, send an updated direct notice to parents so they know about those changes. There are circumstances in which parental consent is not required; check the graph at the bottom of this page for more information.

In addition to the direct notice, you need to get the parent’s verifiable consent before you start collecting personal information from their child. The method is up to you, but it must be reasonably calculated, in light of available technology, to ensure that the person giving consent is the child’s parent.

Acceptable methods of verifiable parental consent include having the parent:

  • sign a consent form and send it back to you via fax, mail, or electronic scan;
  • use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder;
  • call a toll-free number staffed by trained personnel;
  • connect to trained personnel via a video conference; or
  • provide a copy of a form of government-issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process.

The “email plus” method: if you will use a child’s personal information only for internal purposes and won’t disclose it, you may use a method known as “email plus”. You send an email to the parent and have them respond with their consent, then take an additional confirming step by sending a confirmation to the parent via email, letter, or phone call. When using “email plus”, you must let the parent know they can revoke their consent at any time.

4. The App Store Part

If you are a mobile developer, let us walk you through some of the relevant information from the documentation.

Apple App Store and Coppa


Apple has changed its App Review Guidelines and requires you to include a privacy policy if your app is directed to children under the age of 13 (“primarily intended for use by kids under 13”). The guidelines go on to state a few relevant things:

  • 24.2 Apps primarily intended for use by kids under 13 may not include behavioral advertising (e.g. the advertiser may not serve ads based on the user’s activity within the App), and any contextual ads presented in the App must be appropriate for kids
  • 24.3 Apps primarily intended for use by kids under 13 must get parental permission or use a parental gate before allowing the user to link out of the app or engage in commerce
  • 24.4 Apps in the Kids Category must be made specifically for kids ages 5 and under, ages 6-8, or ages 9-11

“Parental Gating”

Apple’s 24.3 mentions the term “parental gate”. What it is and how others make use of this technique can be found in the insightful post How are kids’ app developers communicating to parents? by MOMs with apps. The main techniques follow one of these patterns:

  • touch the “THING” for “AMOUNT OF TIME”;
  • hold for “AMOUNT OF TIME”;
  • perform a “MATHEMATICAL OPERATION”.

Here are a few examples of how this can look:

  • Puzzingo: perform a mathematical operation
  • Justin’s World: swipe right with two fingers
  • JumpApp: press and hold a labeled section to open parental controls

More examples can be found on the original post by MOMs with apps.
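As an added example, not code from iubenda or from any of the apps mentioned above, here is the “perform a MATHEMATICAL OPERATION” pattern in Python, with two details a reviewer will look for: the challenge expires after a short time, and the gate locks after a few wrong answers so a child cannot simply keep guessing. The operand range, the time-to-live and the attempt limit are assumptions for illustration, not values from Apple or from any of the apps.

```python
"""Arithmetic parental gate (added example; parameters are assumptions)."""
import random
import time

CHALLENGE_TTL = 30.0   # seconds a challenge stays answerable (assumed value)
ATTEMPT_LIMIT = 3      # wrong answers before the gate locks (assumed value)


class ParentalGate:
    """Issue a sum an adult can do and a young child cannot, then check it."""

    def __init__(self, seed=None, clock=time.monotonic):
        # A fixed seed makes challenges reproducible (used for testing);
        # without one, draw operands from the OS entropy source.
        self._rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self._clock = clock
        self._failures = 0

    def new_challenge(self):
        """Return (prompt shown to the user, state kept by the app for verify)."""
        a = self._rng.randint(12, 49)
        b = self._rng.randint(12, 49)
        op = self._rng.choice("+-*")
        if op == "-" and b > a:          # keep the answer non-negative
            a, b = b, a
        answer = {"+": a + b, "-": a - b, "*": a * b}[op]
        shown = "\u00d7" if op == "*" else op
        prompt = f"Ask a grown-up: what is {a} {shown} {b}?"
        state = {"answer": answer, "expires": self._clock() + CHALLENGE_TTL}
        return prompt, state

    def verify(self, state, typed):
        """True only if the gate is not locked, the challenge has not expired
        and the typed answer matches. Wrong answers count toward the lock;
        an expired challenge is rejected without counting."""
        if self._failures >= ATTEMPT_LIMIT:
            return False
        if self._clock() > state["expires"]:
            return False
        try:
            value = int(str(typed).strip())
        except ValueError:
            value = None
        if value == state["answer"]:
            self._failures = 0
            return True
        self._failures += 1
        return False

    @property
    def locked(self):
        """True once ATTEMPT_LIMIT wrong answers have been given."""
        return self._failures >= ATTEMPT_LIMIT


if __name__ == "__main__":
    gate = ParentalGate()
    prompt, state = gate.new_challenge()
    print("Gate passed" if gate.verify(state, input(prompt + " ")) else "Gate closed")
```

Note that the answer lives in `state` on the app side and is never sent to the UI; the prompt only carries the question. Once the gate is locked, a restart of the gate (not a retry) is the only way to continue, which is the behaviour you want on a device a child is holding.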

You can read more about the App Store’s requirements regarding privacy policies in iOS apps here.

Google Play Store and COPPA


At the time of writing, the Google Play store doesn’t impose additional rules comparable to the App Store’s. The only reference to COPPA is the following in the Google Play terms of service:

Age Restrictions. In order to use Google Play you must be 13 years of age or older. If you are between 13 and 18 years of age, you must have your parent or legal guardian’s permission to use Google Play. You must not access Google Play or accept these Terms if you are a person who is either barred or otherwise legally prohibited from receiving or using the Service or any Products under the laws of the country in which you are resident or from which you access or use Google Play.

You can read more about Android and privacy policies in general in our dedicated post about this topic.

Summary for COPPA Compliance

If you collect any personal information from children, you have to be extra careful with your privacy policy and with what you do within your app. Follow COPPA’s requirements carefully and, if you are a mobile developer, check what you may need to do under the app store terms as well.

Also, don’t forget to double-check that your third-party services are COPPA-compliant, because you are liable for their collection practices as well. We hope iubenda serves you well on the way to compliance.

Further Information

The post A Guide to COPPA and Mobile Apps appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Privacy Policy for Windows Phone Apps https://www.iubenda.com/en/blog/privacy-policy-for-windows-phone-apps/ Fri, 14 Jun 2013 12:43:04 +0000 http://www.iubenda.com/blog/?p=657 Welcome. This post mainly answers the question how and why you should add a privacy policy to your Windows Phone app. If you want to read a more general overview of privacy policies in mobile apps then you can read that here If you want to skip all that and just use our generator to […]

The post Privacy Policy for Windows Phone Apps appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Welcome. This post mainly answers the question how and why you should add a privacy policy to your Windows Phone app.


Since we’ve launched our mobile apps privacy policy generator we’ve started to publish guides on how to submit your app to the app stores with a privacy policy. You are reading the guide on the Windows Phone.

All our other guides can be found here:

Let’s say I want to include a privacy policy into my Windows Phone application: what do I need to do?

In Short

We have a slightly different flow in place for mobile privacy policies than for the web version:

1) Do I have to include a privacy policy in my Windows Phone app?

  1. Well, that depends on what the app is doing. But consider that you can never go wrong including a link to, or a full-page view of, your privacy policy. It is very likely that you are required by law to include a privacy policy in your Windows Phone app. Easy check: am I collecting, storing or sharing personal information like emails or names, or sensitive data like payment info, or using a third-party service that accesses that information?
  2. You are likely using a third-party service in your app that requires you to add a privacy policy. In addition to any legal requirement, it is often a prerequisite for using a specific service; check your service provider’s terms. A very popular third-party service whose TOS require you to post a privacy policy is Google Analytics (they also have a mobile solution).

2) Am I required by the Windows Phone Store to post a privacy policy?

  1. The store does not (yet) impose a blanket requirement to have a privacy policy in every case, so you could post an app that is not compliant with privacy laws. It is, however, very unlikely that you are not covered by one of the following requirements:
  2. From the App certification requirements for the Windows Store: “If your app has the technical ability to transmit data, you must maintain a privacy policy. You must provide access to your privacy policy in the Description page of your app, as well as in the app’s settings as displayed in the Windows Settings charm”
  3. From the App Developer Agreement: “If your app enables access to and the use of any Internet-based services, or otherwise collects or transmits any user’s personal information, you must maintain a privacy policy. You are responsible for informing customers of your privacy policy (including by submitting that policy to us for display to customers). Your privacy policy must (i) comply with applicable laws and regulations, (ii) inform users of the information collected by your app and how that information is used, stored, secured and disclosed, and (iii) describe the controls that users have over the use and sharing of their information, and how they may access their information. You must also provide access to your privacy policy in the app’s settings as displayed in the Windows settings charm”.
  4. From same App Developer Agreement: The app and your marketing of the app must comply with the laws of each territory or country into which you request distribution of the app. This includes: (i) data protection, privacy and other laws and regulations relating to collection and use of user information by your app (ii) telecommunications laws and (iii) content ratings regulations. If you are required to make any disclosures to consumers prior to sale or download of the app, you must provide those in the app description field. Those may include your full contact information, notice that an app supports in-app purchases, or other disclosures. You must make such notices sufficiently prominent as is required by local law. Your app must not require further export, import or technology control licensing from any government. You must disclose to Microsoft any controlled technology employed, used or supported by your app. You may not use the Windows Store or any services or tools made available for the development of apps for any illegal activity.
  5. From App policies for Windows Phone: The privacy policy of your app must inform users about how location data from the Location Service API is used and disclosed and the controls that users have over the use and sharing of location data. This can be hosted within or directly linked from the app. The privacy policy must be accessible from your app at any time – (2.7.2).
  6. Same App policies I (2.7.4): If your app publishes or makes available location data obtained from the Location Service API to any other service or other person (including advertising networks), your app must implement a method to obtain opt-in consent. To “implement a method to obtain ‘opt-in’ consent,” the app must:
    • provide your privacy policy, which must be persistently accessible from within the app (and may also be made available in app details by populating the Privacy URL field in Dev Center) and must describe how the location information will be accessed, used or shared;
  7. Same App policies II (2.8): If your app (a) accesses or uploads a user’s Contacts, Photos, Phone number, SMS history, Browsing history or any other data reasonably considered personal in nature, or if your app shares any of the foregoing information with third-party services or individuals, or (b) shares any unique device or user IDs, combined with user information, with third-party services or individuals, the app must implement a method to obtain the user’s “opt-in” consent. To “implement a method to obtain ‘opt-in’ consent,” the app must:
    • provide your privacy policy, which must be persistently accessible from within the app (and may also be made available in app details by populating the Privacy URL field in Dev Center) and must describe how the information will be accessed, used or shared;
  8. The California Attorney General is working with the big platform providers, including Microsoft, to make all apps compliant with privacy regulations, so this situation could change down the road.

3) How do I add/edit my privacy policy on the Windows Phone store?

This section explains how you add your privacy policy to the actual app store page for users or customers to preview the data collection practices before downloading:

  1. Log into your Windows Phone Dev Center account
  2. Next, add the link to your privacy policy in the Privacy URL field
  3. Done.

4) An example privacy policy for Windows Phone Apps?

A lot of people ask for sample privacy policies for apps. Let’s start with the legal minimum requirements. A good starting point is the California Online Privacy Protection Act (CalOPPA), and even better Europe’s minimum requirements, since they are more refined:

CalOPPA minimum requirements:

Provide info about the personally identifiable information (PII) like:

  • a description of the types of PII collected and disclosed by the operator;
  • a description of the process by which a consumer can access and request changes to his or her PII, if available;
  • a description of the process by which the operator will notify consumers of material changes to the privacy policy; and
  • an effective date

EU Privacy Directives minimum requirements:

Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:

  • who you are (identity and contact details),
  • what precise categories of personal data the app wants to collect and process,
  • why the data processing is necessary (for what precise purposes),
  • whether data will be disclosed to third parties (not just a generic but a specific description to whom the data will be disclosed),
  • what rights users have, in terms of withdrawal of consent and deletion of data

You can easily google for “example privacy policy for X”, but chances are you won’t find anything ready-made. Helpful docs:

  1. Privacy on the Go
  2. Article 29 Working Party

Our Approach of Generating a Windows Phone Privacy Policy

So here’s where iubenda’s privacy policy generator comes in very handy:

1) Define the services and categories of data collection your app is making use of.

2) Add the services (and categories of data collection like “access to address book”) you are using to your policy, and it will generate the full privacy policy in a condensed, easily scannable form as well as an entire document your users can read if they want.

3) You can either link to your policy or embed the text into your app.

Try Our Mobile Privacy Policy Generator    

Privacy Policy for iOS Apps https://www.iubenda.com/en/blog/privacy-policy-for-ios-apps/ Fri, 14 Jun 2013 10:04:06 +0000 http://www.iubenda.com/blog/?p=635 Welcome. This post answers the question how and why you should add a privacy policy to your iOS app. If you want to read a more general overview of privacy policies in mobile apps then you can read that here You can skip all that and just use our generator to help you make a […]

The post Privacy Policy for iOS Apps appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Welcome. This post answers the question how and why you should add a privacy policy to your iOS app.


Let’s say you want to include a privacy policy into your iOS application: what do you need to do?

In Short

1) Do I have to include a privacy policy in my iOS app?

  1. Well, that depends on what the app is doing. But consider that you can never go wrong including a link to, or a full-page view of, your privacy policy. It is very likely that you are required by law to include a privacy policy in your iOS application. Easy check: am I collecting, storing or sharing personal information like emails or names, or sensitive data like payment info, or using a third-party service that accesses that information?
  2. You are likely using a third-party service in your app that requires you to add a privacy policy. In addition to any legal requirement, it is often a prerequisite for using a specific service; check your service provider’s terms. A very popular third-party service whose TOS require you to post a privacy policy is Google Analytics (they also have a mobile solution).

2) Am I required by Apple’s App Store to post a privacy policy?


You could post an app to the store that is non-compliant with privacy laws. However, since WWDC 16 there has been a lot of change and general consolidation in Apple’s App Store Review Guidelines. You can now find all the relevant information regarding privacy policies in section 5.1, which tells you when you are required to add a privacy policy:

  • (i) Apps that collect user data must have a privacy policy and secure user consent for the collection. This includes—but isn’t limited to—apps that implement HealthKit or other health/medical technologies, HomeKit, Keyboard extensions, Apple Pay, include a login, or access user data from the device (e.g. location, contacts, calendar, etc.). – (from 5.1.1)
  • iOS 11 added “apps that utilize ARKit, Camera APIs, Photo APIs, or other software for depth of facial mapping information” to the list of apps that are required to offer a privacy policy.
  • Moreover, apps in the Kids Category or those that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, the ability to chat, other personal data, or persistent identifiers used in combination with any of the above) from a minor must include a privacy policy and must comply with all applicable children’s privacy statutes. For the sake of clarity, the parental gate requirement for the Kid’s Category is generally not the same as securing parental consent to collect personal data under these privacy statutes. – (from 5.1.4)

Apple has become very good at making these rules clear.

3) How do I add/edit my privacy policy on the App Store?


This section is about the link to your privacy policy on the App Store, not inside the app. There is a form field for the privacy policy URL when you submit your app for review; fill that in.

In iTunes Connect, under “My Apps”, you will find “Localisable Information”, which includes the privacy policy URL. Fill in a privacy policy for each language your app is translated into (iubenda offers 8 privacy policy languages out of the box at the moment).

When you visit the app page that the store generates for you, e.g.

https://itunes.apple.com/app/idxXxxXXXetc,

you will not find that privacy policy link (yet), because Apple has decided not to show it there. You will find the link when opening the app in an iTunes window:


4) An example privacy policy for iOS apps?

A lot of people ask for sample privacy policies for apps. Let’s start with the legal minimum requirements. A good starting point is the California Online Privacy Protection Act (CalOPPA), and even better Europe’s minimum requirements, since they are more refined:

CalOPPA minimum requirements:

Provide info about the personally identifiable information (PII) like:

  • a description of the types of PII collected and disclosed by the operator;
  • a description of the process by which a consumer can access and request changes to his or her PII, if available;
  • a description of the process by which the operator will notify consumers of material changes to the privacy policy; and
  • an effective date

EU Privacy Directives minimum requirements:

Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:

  • who you are (identity and contact details),
  • what precise categories of personal data the app wants to collect and process,
  • why the data processing is necessary (for what precise purposes),
  • whether data will be disclosed to third parties (not just a generic but a specific description to whom the data will be disclosed),
  • what rights users have, in terms of withdrawal of consent and deletion of data

Here are some helpful docs by authorities about privacy policies:

  1. Privacy on the Go
  2. Article 29 Working Party

Our Approach of Generating an iOS Privacy Policy

So here’s where iubenda’s privacy policy generator will come in very handy:

1) Define the services and categories of data collection your app is making use of.

2) Add the services (and categories of data collection like “access to address book”) you are using to your policy and it will generate the full text privacy policy in a condensed easily scannable fashion as well as an entire document your users can read if they want.

3) You can either link to your policy or embed the text into your app.

4) Any additional texts can be added by you manually.

5) Add many other languages for localised versions of your app.

6) Modify and change your privacy policy at any time

Generate your iOS Privacy Policy now

Since we launched our mobile apps privacy policy generator, we have been publishing guides on how to submit your app to the app stores with a privacy policy. You are reading the guide for Apple’s App Store.

All our other guides can be found here:

Read this guide also in German: “Datenschutzerklärung für iOS Apps”.

Privacy Policy for Android Apps https://www.iubenda.com/en/blog/privacy-policy-for-android-app/ Thu, 13 Jun 2013 14:42:59 +0000 http://www.iubenda.com/blog/?p=605 This post answers the important question how and why you must add a privacy policy to your Android app. What do you need to do and be aware of if you want to include a privacy policy into your Android application? Contents Do you really need a privacy policy? What does Google and the Play Store say? How do […]

The post Privacy Policy for Android Apps appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This post answers the important question how and why you must add a privacy policy to your Android app.


What do you need to do and be aware of if you want to include a privacy policy into your Android application?

Let us go through this systematically. Feel free to skip a section you might already know enough about.

1) Do I have to include a privacy policy in my Android app?

That depends on what your app is doing. Consider that you are always on the safer side including a link or a full page view of your privacy policy.

It is very likely that you are required by law to include a privacy policy into your Android app.

Easy check: Am I collecting/storing/sharing personal information like email, names or sensitive data such as payments information or am I using a third party service that accesses that information?

You are likely using a third party service in your app that requires you to add a privacy policy. In addition to any legal requirements, third parties often require a privacy policy as an additional prerequisite to use a specific service. Check in your service provider’s terms. A very popular third party service that requires you to post a privacy policy in their TOS is Google Analytics (they also have a mobile solution).

2) Am I required by the Google Play Store to post a privacy policy?

You may get away with not posting a privacy policy, but don’t be deceived: this doesn’t mean it’s not required in your situation. If you use dangerous permissions like the camera, contacts, audio, accounts and phone state, you will get mail from Google. Count on it.

Since February 2017 Google has enforced a strict privacy policy requirement on apps requesting sensitive permissions and user data. Quite a few places in the Google Play Store documentation point out that requirement.

If you want to read up the statements by Google in their documentation and terms, you can find them below following the links or by reading the excerpts shown.

From the Developer Console Help: 

Adding a privacy policy to your app’s store listing helps provide transparency about how you treat sensitive user and device data.

The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app collects, uses and shares user data, including the types of parties with whom it’s shared. Google is unable to provide you with legal advice and you should consult your own legal representative.

  • For apps that request access to sensitive permissions or data (as defined in the user data policies): You must link to a privacy policy on your app’s store listing page and within your app. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy.
  • For apps in the Designed for Families program: You must link to a privacy policy on your app’s store listing page and within your app, regardless of your app’s access to sensitive permissions or data. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy.
  • For other apps: You’re not required to post a privacy policy.

In other words, it is very unlikely that you are not covered by any of the requirements set out either by the Platform (Play Store), third party service providers or any of the privacy regulations. How do you add and edit that privacy policy on the Play Store?

3) How do I add/edit my privacy policy on the Play store? (source)

  1. Log into your Google Play Developer Console
  2. Next, select All Applications and select the application whose privacy policy you’d like to edit.
  3. After that, select Store Listing.
  4. Then, scroll to the section marked Privacy Policy and enter the URL where you have the privacy policy hosted online – generate your privacy policy here.
  5. Lastly, be sure to click Save or update.

4) What if I don’t want to add a privacy policy at this time?

If you do not want to add a privacy policy at the moment you first create the app, you can check the box next to Not submitting a privacy policy URL at this time (see screenshot above) on the Store Listing screen of your application in the Google Play Developer Console. Follow the instructions above to get to that screen.

5) What if I’m using sensitive/dangerous Android permissions?

Google has started to enforce proper privacy policy disclosures for sensitive permissions in apps (and also if your app makes use of any user data at all, for instance through AdMob). A good example is the location permissions, which allow access to the device location, as shown below:

Design pattern supplied by the Permissions Pattern Library

You might be using other dangerous/sensitive permissions like access to the camera, contacts, audio, accounts and phone state. In this case you are required to have your privacy policy in place properly and also incorporate text disclosing your use of these permissions.

If any of the following permissions look familiar to you, check out the guide for incorporating these permissions into your privacy policy:

  • READ_CALENDAR
  • WRITE_CALENDAR
  • CAMERA
  • READ_CONTACTS
  • WRITE_CONTACTS
  • GET_ACCOUNTS
  • ACCESS_FINE_LOCATION
  • ACCESS_COARSE_LOCATION
  • RECORD_AUDIO
  • READ_PHONE_STATE
  • CALL_PHONE
  • READ_CALL_LOG
  • WRITE_CALL_LOG
  • ADD_VOICEMAIL
  • USE_SIP
  • PROCESS_OUTGOING_CALLS
  • BODY_SENSORS
  • SEND_SMS
  • RECEIVE_SMS
  • READ_SMS
  • RECEIVE_WAP_PUSH
  • RECEIVE_MMS
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE

Of course, do not forget that these sensitive permissions aren’t the only trigger for a privacy policy requirement.
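As an added example (not iubenda’s or Google’s code), the following Python script parses an AndroidManifest.xml and reports which of the permissions listed above it declares, so you can check before submission that each one is disclosed in your privacy policy. The permission set is exactly the list above; the sample manifest is constructed for this example. Run it against the merged manifest your build produces rather than only your own source manifest, since third-party SDKs (ad networks, analytics) merge their own permissions in, and as this page notes you are responsible for their collection too.

```python
"""Flag sensitive Android permissions declared in an AndroidManifest.xml.

Added example, not iubenda's or Google's code. The permission set is the
list given on this page; the sample manifest below is constructed.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions this page lists as requiring a privacy-policy disclosure.
SENSITIVE_PERMISSIONS = frozenset(
    "android.permission." + name
    for name in (
        "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA", "READ_CONTACTS",
        "WRITE_CONTACTS", "GET_ACCOUNTS", "ACCESS_FINE_LOCATION",
        "ACCESS_COARSE_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE",
        "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG", "ADD_VOICEMAIL",
        "USE_SIP", "PROCESS_OUTGOING_CALLS", "BODY_SENSORS", "SEND_SMS",
        "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS",
        "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    )
)

# Constructed sample: a camera app that also asks for location and contacts,
# declares one permission twice, and uses INTERNET, which is not on the list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kidscamera">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO" />
    <application android:label="Kids Camera" />
</manifest>
"""


def declared_permissions(manifest_xml):
    """Set of permission names declared via <uses-permission> or
    <uses-permission-sdk-23> anywhere in the manifest document (a string)."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get("{%s}name" % ANDROID_NS)  # android:name attribute
            if name:
                names.add(name)
    return names


def sensitive_permissions(manifest_xml):
    """Sorted list of declared permissions that appear on this page's list."""
    return sorted(declared_permissions(manifest_xml) & SENSITIVE_PERMISSIONS)


def needs_privacy_policy_link(manifest_xml):
    """True if at least one listed permission is declared. A False result does
    not mean no policy is needed: other data use (ads, analytics, logins)
    triggers the requirement too, as the text above points out."""
    return bool(sensitive_permissions(manifest_xml))


if __name__ == "__main__":
    # Usage: python check_permissions.py [path/to/AndroidManifest.xml]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    found = sensitive_permissions(text)
    for perm in found:
        print("disclose in privacy policy:", perm)
    print("privacy policy link required by permissions:", needs_privacy_policy_link(text))
```

The scan keys on the `android:name` attribute in its namespace, so a manifest that uses a different prefix for the Android namespace is still handled; a manifest that removes a merged-in permission with `tools:node="remove"` is not modelled here, so check the merged output rather than the sources.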

6) About Prominent Disclosure requirements

This part of Google’s User Data policy is key: “If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.”

In other words, if your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in its Google Play listing or in the app interface, you need to add prominent disclosures. You can read more about prominent disclosures here.

7) An example privacy policy for Android Apps?

A lot of people ask for sample privacy policies for apps. Let’s start with the legal minimum requirements. A good starting point is the California Online Privacy Protection Act (CalOPPA), and even better Europe’s minimum requirements, since they are more refined:

CalOPPA minimum requirements:

Provide info about the personally identifiable information (PII) like:

  • a description of the types of PII collected and disclosed by the operator;
  • a description of the process by which a consumer can access and request changes to his or her PII, if available;
  • a description of the process by which the operator will notify consumers of material changes to the privacy policy; and
  • an effective date

EU Privacy Directives minimum requirements:

Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:

  • who you are (identity and contact details),
  • what precise categories of personal data the app wants to collect and process,
  • why the data processing is necessary (for what precise purposes),
  • whether data will be disclosed to third parties (not just a generic but a specific description of to whom the data will be disclosed),
  • what rights users have, in terms of withdrawal of consent and deletion of data

8) How to actually write a privacy policy for your Android Google Play app

Since iubenda and mobile apps are international practically by definition, let us take some hints from two relevant authorities far apart from each other:

“Privacy on the Go” by the Attorney General of California, and the “Orientierungshilfe zu den Datenschutzanforderungen an App-Entwickler und App-Anbieter”, the document produced by the German data protection authorities (which we’ll summarize in English).

From Privacy on the Go:

  • “Make the privacy policy clear and understandable by using plain language and a format that is readable on a mobile device”
  • “One format is a layered notice that highlights the most relevant privacy issues.”
  • “Another format is a grid or “nutrition label for privacy” that displays your privacy practices by data type.”
  • “Graphics or icons can help users to easily recognize privacy practices and settings.”
  • “Privacy icons will be most effective if they are widely used and consumer comprehension is supported by an awareness campaign.”

The most important takeaway is that it is OK, even encouraged, to be creative. Don’t forget to back the creativity up with the full, readable version of your policy.

From Orientierungshilfe zu den Datenschutzanforderungen an App-Entwickler und App-Anbieter:

“Because of the limited display size of mobile devices, the app provider must design the privacy notices so that the user can obtain the desired information at any time without great effort. Dividing the notices into chapters that can be opened individually has proven particularly user-friendly. Beyond that, it can also suffice to reproduce the essential contents of the privacy policy and to link, in a clearly visible way, to further explanations and to the complete privacy policy for any additional information. What counts as the essential contents of the privacy policy is determined by the app’s range of functions.”

In the section Lesbarkeit (readability), the data protection authorities explain that, because of the small screen real estate, it is particularly useful to create small “categories that can be opened one by one”.

The most important takeaway here is that a layered approach is state of the art and explicitly welcomed by the data protection authorities for mobile apps.

We think these are very solid guidelines to be creative within. Let us show you what we did with them at iubenda for mobile apps:


9) iubenda’s Approach to Generating an Android Privacy Policy

This post gives you all the information you need to get started writing your privacy policy. Here’s where iubenda’s privacy policy generator comes in very handy:

Since launching our mobile app privacy policy generator, we have started publishing guides on how to submit your app to the app stores with a privacy policy. You are reading the guide for Google’s Android Play Store.


This guide is also available in German: “Datenschutzerklärung für Android Apps”.

The post Privacy Policy for Android Apps appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

]]>