Need a Refresher on What We have Discussed:
As we discuss the collection of Personal Data, we will be looking at a couple of different types of data: identifying and non-identifying. You also need to keep in mind that your site may grow and develop faster than you change your policies, so you want to plan for the future. This is about what you can collect, not about what you do collect. Also remember, though you are trying to describe what you will collect, you are not trying to limit yourself to your descriptions in this policy. To see how this works, let’s go to the examples.
Example from The Outsourced Associate
Collection of Personal Data
Two types of data may collected from you:
Personal information is information collected that may identify you. Personal information is only gathered as voluntarily provided by you. Some information may be gathered by other sources such as third-parties or affiliates.
When you register with the Site, TOA will collect some personal data from you. In some instances, TOA may gain access to some personal data through third-parties or affiliates. Some of the information that may be collected can include, but is not limited to:
- contact information such as name, email address, address and telephone number;
- information related to your current business well-being;
- financial information such as credit card or bank account numbers;
- additional information required to verify your identity;
- supplemental information from third parties (for example, if you incur a debt to TOA, a credit check may be conducted by obtaining additional information about you from a credit bureau, as permitted by law); and
- any other information you may provide.
Non-identifying information is anonymous information. This information is technical and is often gathered from analytics software for the Site. All such information is also subject to the Privacy Policies of the analytic services. Some of the information collected can include, but is not limited to:
logs, contact information, and other information about the communications between registered users.
information based on your activities on the Service, such as search information, computer sign-on data, statistics on page views, traffic to, from and within the website, ad data, and IP address and standard web log information.
Unpacking the Language
In these sections, we are focused on describing what we may do. We are trying to fully describe what is you are doing, but allowing for enough wiggle room to make changes to how we run our business without running afoul of our own policy. So, let’s break down what is going on in these sections:
- Separating the Descriptions – This is not necessary. In fact, if you only have a blog and you aren’t collecting email addresses (which would be a mistake, but we have talked about that before), you will likely not be collecting much personally identifying information. Unless of course, you are allowing comments and people are inputting their email addresses, names, websites and other information at the time. You can combine these if you are not doing much in the way of separating information. I have separated them for the TOA site because of some of my future plans (allowing clients to input much of their business information at registration for better service, etc). That way, if, as I am working on the new parts of my business, I am not able to get this policy changed right away it is sufficient. Also, separating the provisions this way will make it easier for me to update the Personal Information section without touching the rest of the document. You will see, however, in the LTE policy below, they are not separated.
- Acknowledging Information from Other Sources – This is allowing a few options. If you have, as I do, another site that is a part of your business, you may receive additional information from that source. You may also run credit checks in your business or receive information from referral sources. Even if you don’t, you likely will at some point. This is broad language which allows you to do (or not do) what you need in the collection of data from your users.
- List – This is where the information you have been working on for the past couple of sessions will come in handy. What are you collecting? Are you collecting email addresses? Do you require more information for registration? Are you collecting payment information? Business information? Other contact information? Think about your blog comments, your site registration, your email registration and any other contact forms you may have on your site. Remember, your list does not have to be comprehensive, but it needs to be thorough.
- Non-Identifying Language – This is your analytics information. Much of this is pretty standard and everyone expects you to be collecting this information anyway. Something to consider, if you are using advanced analytics that capture more than normal, is to explain what you are tracking in your site. Are you using heat maps? Mouse tracking analytics? Do you plan to? Go ahead and include that information here.
This section is pretty straightforward, just make sure to be thorough as you think through what you are (or may be) collecting. Now, let’s look at the LTE policy and see how it is different. Remember, LTE does not sell anything or directly collect information (except for your first name and email address).
Legal to English Example
Collection of Information
When you use this site, it is possible, we will be collecting some kind of information from you. Most of this information will be analytics data. Right now, we aren’t using anything fancy, but we do know what kind of browser you are using and where you are located (normal Google Analytics stuff) and what pages you viewed. If that changes, I will, of course, let you know here.
There may be some personal information you voluntarily provide to us. Right now, that is going to be your first name and your email address. That is how you join the conversation. I like to have your first name, because I like to use it when we talk. If you leave a voicemail or respond to any of my emails with information, I will (obviously) have the information you gave me voluntarily. In the future, I may collect more information from you, if so, I will tell you about it when I make the changes. I may have missed something, but the main point is that, if you give me information I have it. I will not be collecting any kind of information about you unless you give it to me or I receive it from another source. If I missed something on the analytics, it may be because reading analytics is new to me. I will make the update when I discover it, but it will not be identifying information and you probably know more about what analytics know than I do.
Simpler right? It still covers the same stuff, but it is more conversational. It is specific while allowing for mistakes. It explains more than tells and it encourages conversation.
Tomorrow, we will talk about how you are using this information, and what you need to tell your users about it.