Checklist to Audit Privacy Policy For Your Website

The messaging app, WhatsApp in January 2021 caused mass confusion when it updated its privacy policy. It stated that it will share some user information with its parent company, Facebook. Although data sharing with Facebook and its subsidiaries has been going on even before the update, they made it clear about the type of information only when they updated the privacy policy.

A privacy policy is the means of communication for a business to share how it handled its customers’ data. In that regard, WhatsApp may have failed its users (more on that later). However, the users in the EU may have had an advantage over others, thanks to GDPR. 

In this article, we will look at a checklist for auditing your privacy policy and avoid any confusion among users and any setbacks.

A privacy policy is an important page of a website. It disclosed information about how a website collects, uses, shares, and retains tits visitors’ data. Using this information, the visitors can make an informed decision whether to go ahead and let the website collect and share its information. It is extremely important to not miss crucial details, else it may cause privacy violation.

The article discusses the important aspects of privacy one must take care of to create or update a privacy policy. 

A privacy policy is a document or page on a website that discloses how an organization or the website handles its users’ (visitors and customers) data. It provides information such as how it will collect, use, share and protect the personal data of its users.

So many data privacy and protection laws have stated the need for organizations and websites to be transparent about their business practices. A privacy policy is a website or organization’s way of bringing transparency into its data processing activities. So, take it as a legal statement after reading which the users must be aware of what happens to their personal data once they share it with the website. 

There is no direct mention of the privacy policy in the official text of GDPR, whereas the CCPA directly makes references to it. 

GDPR privacy policy

 The General Data Protection Regulation (GDPR) has stated several rules for disclosing information related to data processing. Though not a direct mention, one can infer that a website must implement it through a channel or page. There is nothing better than a privacy policy page to do that. 

Art. 13 of the Regulation discusses the information to be provided if you collect personal data from users:

• The contact details of the website owner/organization or its data protection officer (if appointed).
• The purpose of processing personal data and the lawful basis for processing the data.
• The legitimate reason for processing the data by you or any third party, if any.
• The recipients of the users’ personal data.
• If there is a need for cross-border transfer of data, and if so, the safety measures taken to protect the data.
• The period of storing the data and why.
• The rights of users and how they can exercise them.
• The right to withdraw consent at any time.
• The right to lodge a complaint with a supervisory authority that monitors the implementation of GDPR.
• If there is any contractual obligation to provide the data and the possible consequences of failing to do it. 
• If you use automated decision-making including profiling and if so, why and the possible outcome of it.

Art. 14 lists out the information to be provided in case you do not collect the data directly from the users. Here, you will have to provide the information about the categories of personal data you collect and the source.

Not all the points will apply to your website but it can be used as a guide while preparing the privacy policy page.

CCPA privacy policy

 Sec 7 1798.130.(5) of the California Consumer Privacy Act (CCPA) official text lists out the information a website must provide in its privacy policy:

• The categories of personal information it will collect from the users.
•  The categories of sources from which the personal information is collected.
• The purpose for collecting or selling personal information.
• The categories of third parties with whom the business shares personal information.
• Contact details or ways to submit the requests to exercise the CCPA rights.
• An opt-out option/link (Do Not Sell My Personal Information) to stop collecting or selling the personal information.

The privacy policy must be updated every 12 months or whenever there is a change in your business practices.

On January 4, 2021, WhatsApp created a ruckus among its users when its updated privacy policy popped up on the application. It created mass confusion among its users and drew huge criticism about its “take it or leave it” approach. There was a widespread belief that if the users do not accept the new terms and conditions by a stipulated time, their account will get deleted. 

What’s clear from the reaction to this most recent privacy policy change is that WhatsApp shares much more information with Facebook than many users were aware, and has been doing it since 2016. https://t.co/vrwfrXBmes

— EFF (@EFF) January 23, 2021

WhatsApp had to clear the confusion and push back the date of update (currently, May 15, 2021). It still remains a cause of worry that users will not be able to access its full features unless they agree to the new privacy policy. 

We want to address some rumors and be 100% clear we continue to protect your private messages with end-to-end encryption. pic.twitter.com/6qDnzQ98MP

— WhatsApp (@WhatsApp) January 12, 2021

WhatsApp says on its FAQ that “If you haven’t accepted by then, WhatsApp will not delete your account. However, you won’t have full functionality of WhatsApp until you accept. For a short time, you’ll be able to receive calls and notifications, but won’t be able to read or send messages from the app.” Exchanging messages is the main feature of WhatsApp, so this announcement is a huge setback for its users.

WhatsApp has been sharing information with its parent company, Facebook long before the new update, however, the new privacy policy clarifies what type of data it shares. The messages shared between uses are still encrypted. 

Here are some highlights of the updated privacy policy:

• WhatsApp will collect device and connection-specific information, such as “battery level, signal strength, app version, browser information, mobile network, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Facebook Company Products associated with the same device or account).”
• WhatsApp will collect “IP addresses and other information like phone number area codes to estimate your general location (city, country)” regardless of whether you use their location-related features,
• If you interact with a business on WhatsApp, “the content you share may be visible to several people in that business”, and to the third-party services, the business has given access to.
• When you use any third-party services (including Facebook) integrated with the app, WhatsApp will share your information with them. However, it adds that your WhatsApp message will not be shared on Facebook and “In fact, Facebook will not use your WhatsApp messages for any purpose other than to assist us in operating and providing our Services.”
• If you use any of their payment services, they will process the payment and transaction information.
• If you delete your WhatsApp account from your phone and not using the in-app settings, your information will remain with them for a longer period. Your information related to the group you created and any copy of your message other users have will remain even if you delete the account.

However, the app users in the European Union do not have to agree to the new terms to continue using its services. The GDPR’s stringent laws give the EU users data protection compared with users in other parts of the world. This has drawn huge criticism from countries like India, where the social messaging giant has the highest number of users. The Indian government has cracked down on WhatsApp for its separate policy for the country. It is crucial to note that India lacks a robust data protection law (the Personal Data Protection Bill is currently in draft), which prevents its citizens from a higher level of data protection. WhatsApp’s “all or nothing” approach is currently being discussed in Indian court now. 

If you already have a privacy policy page for your website, you should still check if it caters to the requirements as stated by the applicable data privacy laws. Here is a checklist to audit the privacy policy for GDPR and CCPA compliance:

▢  Are you aware of the data privacy law(s) that applies to your website?

▢  Will a layperson find the language and tone of your privacy policy content simple and easy to understand?

▢  Does the privacy policy content use legal or technical terms that may confuse the users?

▢  Have you mentioned the date of the last time the privacy policy was updated?

▢  Does the privacy policy include the information and contact details of your organization or administrator?

▢  Does it mention what type or categories of personal data or information you will collect?

▢  Does your website have any legal basis for collecting and using the users’ data?

▢  Do you get user consent for data collection and use?

▢  Do you provide opt-in and opt-out choices for data collection and if so, what is the method you use?

▢  Do you have the list of cookies used by your website and the details about their source and purpose for the policy (privacy or cookies policy) page?

▢  If CCPA applies, do you provide a “Do Not Sell My Personal Information” link on your website for users to opt-out of selling their data?

▢  Are your users aware that they can opt-out of data collection and use and how to do it?

▢  What type of information do you store and for how long?

▢  Do you have information about all third parties with whom you share the data?

▢  Are your users aware of the rights granted to them under the applicable data privacy laws and how to exercise them?

▢  Are your users aware of the security measures you have taken to protect their data?

▢  Do the users have the right channel to get in touch with you for lodging complaints or asking queries about the privacy policy?

▢  Have you provided the contact details of the data protection officer or grievances officer, if any?

Creating a privacy policy page from scratch or updating it to comply with legal standards is quite hard. It will require legal or expert assistance to draft the content. Any necessary information missing may put you in trouble. And so does the unnecessary or misleading information. You should avoid any information that may cause confusion, mislead the users, and prevent them from obtaining the necessary information to make an informed decision.

CookieYes privacy policy generator is a free online tool that will help you to create a privacy policy that meets the legal standards and displays your business’ transparency.

Our online tool collects necessary information from you about your website’s data collection and use practices to automatically create a privacy policy for the website. The whole process barely takes more than two minutes. 

You can copy and paste the content as text or HTML or directly send it to your email to edit it.

Be it for GDPR or CCPA, CookieYes privacy policy template meets the necessary requirements.

As discussed, a privacy policy must discuss what type of information you collect and how the users can opt-out. If your website uses cookies, the privacy policy must include details about it.

CookieYes is a cookie consent management application for your websites to comply with data protection laws like GDPR, CCPA, ePrivacy Directive, CNIL and LGPD. It helps websites to collect cookie consent using its fully customizable cookie banners. It automatically scans your website for cookies and identifies the third-party cookies and auto-blocks them before getting user consent. You can also add the scripts that you want CookieYes to block before user consent. The cookie list it identifies can be added to your privacy policy.

You can let users take control of what type of cookies the website must load by giving granular consent choices (opt-in and opt-out) for cookie categories. CookieYes logs the consent received in a downloadable file that you use to demonstrate proof of consent, if necessary.

There is a free privacy policy generator in the application as well. As discussed earlier, it generates a privacy policy for your website in less than two minutes.

Other than that, CookieYes offers many other features, such as auto-translation of the cookie consent banner, geo-targeted display of the banner, banner callback button, and additional CSS customizations.