Privacy Policy Legal Requirements

Published on: April 17, 2023 (Updated on: April 28, 2024)

Introduction

With businesses now online, consumers must supply various pieces of personal information to complete online transactions. Some of the data collected by website owners or online service providers outlives the transaction itself, particularly in the case of one-time transactions. The rate at which customers hand over personal information online has raised data privacy and security concerns across the globe. This article examines the need for a privacy policy on websites, both as a means of addressing those data security concerns and as a requirement for complying with data protection laws.

With the migration of business from the traditional ‘brick and mortar’ store to online platforms and marketplaces, driven by technological growth and advancement, businesses now have a wide online presence, and transactions are completed by consumers filling in various details. The nature of an online transaction differs markedly from that of a physical outlet, where the transaction ended once the customer paid cash in exchange for goods and no personal data needed to be retained.

Definition of Data in Privacy Policy Law

Data has been described as the oil of the digital era.1 Data “means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device”.2 More generally, data are pieces of information gathered from various sources or observations.

Personal data means information belonging to or identifying an individual, such as name, address, photograph, email address, bank details, posts on social networking websites, medical information, and cultural or social identity.

Given the volume of data collected online by website owners and data controllers in general, there is a need to ensure that this personal information is protected. One such means of protection is the privacy policy found on websites; the privacy policy is in furtherance of data protection.

What is Privacy Policy?


A privacy policy is a legal statement or document found on a website or mobile app. It explains in detail how the website owner collects, stores and uses the data obtained from visitors. Websites publish privacy policies to inform users of how their personal information is used and/or protected.3

To comply with data protection laws, data controllers (which include website owners) are legally required to display a privacy policy on their websites, or on any other medium through which they collect personal data, within 3 months of commencing business on the website. They are also required to inform the individuals whose data are collected of any changes that require new or different content.4

The privacy policy is usually displayed in a conspicuous place on the website so that visitors can find it easily. The content of a privacy policy includes:

  1. what constitutes the data subject’s consent;
  2. a description of the personal information that may be collected;
  3. the purpose of collecting the personal data;
  4. the technical methods used to collect and store personal information (cookies, JWT and other web tokens, etc.);
  5. the access (if any) of third parties to personal data and the purpose of that access;
  6. the remedies available in the event of a violation of the privacy policy;
  7. the time frame for the remedy; and
  8. a proviso that no limitation clause shall avail any data controller who acts in breach of the principles set out in the NDPR.

Global Recognition of Privacy Policy

Any website with an international reach must consider its privacy policy, because a privacy policy is a legal requirement in many jurisdictions, backed by various laws and statutes. We briefly examine some countries and their requirements.

Privacy Policy in the EU

The General Data Protection Regulation (GDPR) is a European Union (EU) law that came into effect on 25 May 2018. It regulates how organisations obtain and process the personal data of individuals in the EU (not only EU citizens) and gives those individuals more control over how their data are collected, used and protected online. Although the GDPR is an EU law, it also applies to websites and online service providers established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.

The GDPR added further items that a privacy policy must contain in order to comply with data protection law. They are:

  1. the identity and contact details of the data controller;
  2. the contact details of the company’s or website’s Data Protection Officer, where one has been appointed;
  3. whether the data collected are used to make automated decisions, including profiling;
  4. information on the data subject’s eight rights (the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision making and profiling);
  5. whether data are transferred internationally; and
  6. the legal basis for processing the data.

Privacy Policy in the United States

The California Online Privacy Protection Act (CalOPPA) applies to operators of commercial websites and mobile applications that collect personal information from California residents, regardless of whether the business is located in California or in another country. A business outside California that nonetheless reaches California residents must abide by CalOPPA. Websites and online service providers are required to conspicuously post a privacy policy. An operator who fails to do so is in violation if it does not post the policy within 30 days of being notified of the non-compliance. Some requirements of the privacy policy are:

  1. the categories of personal information collected;
  2. the affiliates or third parties with whom the personal information may be shared;
  3. information on how users can review and request changes to their personal information, if such a process exists;
  4. how users will be notified of changes to the privacy policy;
  5. the effective date of the privacy policy (when it was last updated); and
  6. how the operator responds to “Do Not Track” signals.

The Children's Online Privacy Protection Act (COPPA) of 1998 is another United States data protection law. It protects the privacy of children under 13 years of age whose personal information is collected online, and it applies to businesses in the United States as well as businesses outside the United States with a US reach. The website or online service provider must display a notice of what information it collects from children and how that information is used. In addition, verifiable parental consent must be obtained before a child's personal information is collected, and a parent may review the information collected and refuse to permit its further use.

Privacy Policy in Nigeria

The Nigeria Data Protection Regulation (NDPR) 2019 was the most comprehensive national instrument on data protection in Nigeria until the Nigeria Data Protection Act 2023 was enacted. It was issued by the National Information Technology Development Agency (NITDA) pursuant to Section 6 (a) and (c) of the NITDA Act 2007. It applies to both the public and private sectors and guides data administrators and processors on the measures they must take when handling the personal data of persons in Nigeria and of Nigerian citizens living abroad. Under the NDPR, the privacy policy displayed by any online service provider must meet the following requirements:5

  1. what constitutes the user’s consent;
  2. a description of the personal information collected;
  3. the purpose of collecting the personal information;
  4. the technical methods used to collect and store personal information;
  5. whether any third party has access to the personal information and why; and
  6. the remedies available where the privacy policy is violated, and the time frame for the remedy.

Conclusion

The importance of data protection law to the digital economy, where almost all transactions are carried out online, cannot be overemphasised. Online use of services such as banking, commerce, education and government continues to grow, and these service providers deliver their information and operations through websites and/or mobile apps. While there are legitimate business reasons for collecting, retaining and sharing data, the need for a privacy policy on websites, and for compliance with its legal requirements, cannot be overstated.

1 Economist (2017, May 6). Data Is Giving Rise to a New Economy. The Economist.

2 Analysis of the Privacy Policies of Nigerian Online Shops

3 Section 2.5 of the Nigeria Data Protection Regulation 2019

4 Section 2.5 of the Nigeria Data Protection Regulation 2019

5 Section 1.3 of the Nigeria Data Protection Regulation 2019

Author:

Preye Ezonfade, LLB