When collecting data of users online or through any call-home product, it’s important to stay compliant with any and all privacy laws that apply to you.
Being aware of what data privacy laws require can save you from trouble later on, as users are becoming increasingly conscious of their rights and entitlements in terms of the privacy and use of their information.
There are two main jurisdictions that I will examine: the US, and the EU. We’ll take a look at what kind of information is captured by these laws, and how to comply with them.
The privacy laws in the US and EU are very different. The EU law is extremely comprehensive, far-reaching, and strict. The US, on the other hand, has very piecemeal legislation that covers particular areas of privacy (like financial privacy, health and medical information, and the private information of children), but there is no general overriding law on data privacy online.
EU law is covered in the EU Data Protection Directive, which has disclosure requirements that apply to EU-based businesses processing the “personal data” of EU citizens. EU-based businesses include companies incorporated in the EU, sole traders operating there, businesses that have branch offices or agencies there, or overseas companies that process the data within the EU. “Processed” is quite broadly defined in the Directive, and includes collection, recording, use, making available, and destruction. The full definition is below:
The EU data protection laws are anticipated to change soon to become even more strict: a new EU Data Protection Regulation was proposed by the European Commission in 2012, which will broaden the scope of EU law. This Regulation was discussed earlier on the Revulytics blog, here.
Personal data is any information that could identify an individual, either on its own or in combination with other information, such as:
All of the metrics collected by Revulytics Usage Intelligence are anonymous; end-users are only identified by way of a unique installation ID generated automatically by the Usage Intelligence SDK. This means that by default, Usage Intelligence does not store any personal information. However, Usage Intelligence does collect an IP address for cross-referencing the unique installation ID with a GEO-IP database; the IP address is not stored, but is processed. This means that it is personal data that the Directive applies to.
Usage Intelligence also provides the software developer or vendor with specific API calls to collect whatever custom data they deem appropriate. For example, typical use may be collecting data relating to events within the product, but a software developer could choose to gather information that would be considered “personal data”.
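The data flow described in the two paragraphs above can be sketched as follows. This is an added example, not Revulytics code or the Usage Intelligence SDK's API; the function names, the GEO-IP table, the sample report and the custom-field allow-list are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed GEO-IP table using documentation ranges, not real allocations.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("2001:db8::/32"), "FR"),
]

# Hypothetical vendor policy: only these custom properties may be stored.
ALLOWED_CUSTOM_KEYS = {"plan", "feature", "duration_ms"}

def lookup_country(ip_text):
    """Return a country code for the address, or "ZZ" if unknown or malformed."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "ZZ"
    for net, country in GEO_TABLE:
        if addr.version == net.version and addr in net:
            return country
    return "ZZ"

def ingest(report, source_ip, store):
    """Handle one call-home report; return (stored record, dropped custom keys)."""
    custom = report.get("custom", {})
    kept = {k: v for k, v in custom.items() if k in ALLOWED_CUSTOM_KEYS}
    dropped = sorted(set(custom) - set(kept))
    record = {
        "installation_id": report["installation_id"],
        "event": report["event"],
        # The IP is read here, so it is processed, but only the country is kept.
        "country": lookup_country(source_ip),
        "custom": kept,
    }
    store.append(record)
    return record, dropped

if __name__ == "__main__":
    store = []
    sample = {"installation_id": "inst-0001", "event": "export_clicked",
              "custom": {"plan": "trial", "email": "user@example.com"}}
    record, dropped = ingest(sample, "192.0.2.44", store)
    print(record, dropped)
```

The stored record never contains the source address, yet the server still handled it during the lookup, which is the "processed but not stored" situation the Directive covers.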
Most courts have held that browsewrap methods are not legally binding on your users.
This is an example of browsewrap, from Businesswire:
Courts are in general agreement that clickwrap methods create a legally binding agreement between you and your users.
Here’s an example of clickwrap, from YouTube:
You can see the “I agree” statement must be ticked before users can continue.
You can see that the user is required to click “I accept” before they can click the “Next” button in the software installation process.