Revulytics Blog

How to Stay Compliant with Privacy Laws When Collecting Data with Revulytics Usage Intelligence

October 27, 2015

Subscribe

Image source: openDemocracy US and EU Flags

When collecting data of users online or through any call-home product, it’s important to stay compliant with any and all privacy laws that apply to you.

Being aware of what data privacy laws require can save you from trouble later on, as users are becoming increasingly conscious of their rights and entitlements in terms of the privacy and use of their information.

There are two main jurisdictions that I will examine: the US, and the EU. We’ll take a look at what kind of information is captured by these laws, and how to comply with them.

There are two key things you can do to stay in line with these laws: first, set up a Privacy Policy that covers your obligations, and second make sure your users are legally bound by it.

Privacy Laws in the US and EU

The privacy laws in the US and EU are very different. The EU law is extremely comprehensive, far-reaching, and strict. The US on the other hand has very piecemeal legislation that covers particular areas of privacy (like financial privacy, health and medical information, and the private information of children), but there is no general overriding law on data privacy online.

The California Online Privacy Protection Act (OPPA) is the only general data privacy law in the US, and it is a state law rather than a federal law. It establishes that operators of commercial websites or online services that collect personally identifiable information about individual consumers residing in California must conspicuously post a privacy policy online or make that policy available. You can make your policy available by way of a hyperlink to a web page, or by displaying the policy in full for the user at the time that they install your software.

EU law is covered in the EU Data Protection Directive, which has disclosure requirements that apply to EU-based businesses processing the “personal data” of EU citizens. EU-based businesses include companies incorporated in the EU, sole traders operating there, businesses that have branch offices or agencies there, or overseas companies that process the data within the EU. “Processed” is quite broadly defined in the Directive, and includes collection, recording, use, making available, and destruction. The full definition is below:

 

Eu Data Protection Directive Article Image source: EU Data Protection Directive Article 2(b)

 

The EU data protection laws are anticipated to change soon to become even more strict: a new EU Data Protection Regulation was proposed by the European Commission in 2012, which will broaden the scope of EU law. This Regulation was discussed earlier on the Revulytics blog, here.

What is Personal Data?

Personal data is any information that could identify an individual, or information in combination with other information, such as:

  • Location
  • Contacts
  • Mobile numbers
  • Identity of the data subject
  • Identity of the phone (name of the device)
  • Credit card and banking data
  • Call logs
  • Text messages, emails, or other forms of messaging
  • Browsing history
  • Pictures and videos
  • Biometrics data

All of the metrics collected by Revulytics Usage Intelligence are anonymous; end-users are only identified by way of a unique installation ID generated automatically by the Usage Intelligence SDK. This means that by default, Usage Intelligence does not store any personal information. However, Usage Intelligence does collect an IP address for cross-referencing the unique installation ID with a GEO-IP database; the IP address is not stored, but is processed. This means that it is personal data that the Directive applies to.

Usage Intelligence also provides the software developer or vendor with specific API calls to collect whatever custom data they deem appropriate. For example, typical use may be collecting data relating to events within the product, but a software developer could choose to gather information that would be considered “personal data”.

Revulytics gives the software developer or vendor complete control over collecting custom data, but Revulytics requires in their Terms of Use that no illegitimate information be collected.

Revulytics also requires that the developer or vendor must inform their customers about custom information that they are collecting, and that the developer and vendor must have a Privacy Policy in place.

This ties in neatly with the requirements of EU and US law, as both pieces of legislation are most easily complied with by creating a Privacy Policy that sets out your obligations and responsibilities to your customers.

 

How to Comply with the Law

The best way to comply with many of the obligations under EU law is to set them out in a Privacy Policy that is readily accessible to your users; for US law as noted above, a Privacy Policy is required under OPPA if you are operating a website or online service. If your software using Trackerbird has any online components, it could be considered to be an online service.

For EU law, a Privacy Policy itself is not required, but it is the best way to ensure that you meet your obligations to disclose certain information to your users.
Let’s take a look at what your Privacy Policy should cover to meet the requirements of both EU and US law, and how to display it so that your users are legally bound by it.

Content of your Privacy Policy

The key sections that your Privacy Policy needs to cover are:

  • Who you are (the person or company collecting the information);
  • What types of information you will be collecting;
  • How you will protect and store the information;
  • What you will do with that information and in what circumstances you will release it or share it with other people;
  • How the customer can review the information you hold on them;
  • How the customer can change or delete that information;
  • How you respond to “do not track” requests (whether via website or other mechanism of choice for your customer);
  • The policy's effective date and a description of any changes since then; and
  • Dispute resolution information if your customer wants to lay a complaint or raise an issue.

Displaying your Privacy Policy

It’s important to display your Privacy Policy in such a way that you can ensure any agreement is legally binding.

Browsewrap is a method of obtaining agreement where the user is presumed to have agreed to your Privacy Policy by way of browsing your website or exploring your software. This is not an effective method of creating a legally binding agreement.

Most courts have held that browsewrap methods are not legally binding on your users.

This is an example of browsewrap, from Businesswire:

 

Businesswire footer Image source: Businesswire footer

 

You can see that the user is required to scroll to the bottom of the web page, find the link and then click on that link to read the Privacy Policy. You can also see that the links to the Privacy Policy and Terms of Use are not clearly distinguished from the other links in the footer.

Instead, use a clickwrap method. Clickwrap is when your user actually clicks “I agree” to show their explicit assent to the Privacy Policy.

Courts are in general agreement that clickwrap methods create a legally binding agreement between you and your users.

Here’s an example of clickwrap, from YouTube:

 

YouTube Account Creation Image source: YouTube Account Creation

 

You can see the “I agree” statement must be ticked before users can continue.

You should ensure that your Privacy Policy is agreed to in any installation of software that uses Usage Intelligence, ideally by using a clickwrap method such as a pop up or tick box. Here’s an example of a EULA pop up within the installation of Mozilla Firefox - you can use this method with your Privacy Policy as well.

Mozilla Frifox Privacy Policy

 

You can see that the user is required to click “I accept” before they can click the “Next” button in the software installation process.

Conclusion

Staying compliant with both EU and US laws will ensure that you are kept safe from fines or penalties, and a comprehensive Privacy Policy can also help to build trust with your users, particularly when you disclose any information collection in clear and concise language. Always remember to outline your purposes for the collection of data, and disclose any third parties that you will disclose user information to. Finally, ensure that you always use clickwrap methods of obtaining agreement.

Get Started with Usage Analytics

Register a free account and start touring analytics immediately. Then, simply integrate the SDK into your app to start your free trial. Start making data-driven decisions.

Leah Hamilton

Post written by Leah Hamilton

This is a guest post by Leah Hamilton,. Leah is a qualified Solicitor and writer working at TermsFeed, where businesses can create legal agreements in minutes using the Generator. You can follow TermsFeed on Twitter @TermsFeed, or on Medium.