At the end of the day, banks have to make money to survive. They make their money by charging interest on loans, or by selling CDs (Certificates of Deposit). In both cases, they intend to make money off of your money! Before a bank enters into a legal contract with you as their customer, they want to know all they can about you, your financial history, your current situation, and your financial future so they can make a wise choice. To make these decisions, banks walk very fine lines of ethics and privacy. For this activity, your specific assignment is to research 5 different banks' privacy policies and provide written guidelines for what you think a Privacy Policy should include.
Based on your research, please provide the following information in your report.
Make sure that you use an appropriate format (e.g. business memo). Include an introduction and closing statement.
Basically, you are looking for "themes" from the policies you looked at, but it's up to you to decide what should be included in a Privacy Policy. For example, should the protection of personal information be included (is this info. shared with non-affiliates for marketing purposes?). How about banks storing your computer's "IP Address" when you visit their website (should this be protected and disclosed to the user that it is being recorded?). These are just some things I would want to be included in a privacy policy as a consumer.
Given data:
Privacy laws around the world dictate that if you collect personal information from your website visitors, then you need to have a Privacy Policy posted to your site and available with your mobile app (if applicable).
Many third-party services used to enhance website performance (like payment processing tools, analytics suites and advertising plug-ins) also require you to have a Privacy Policy.
A Privacy Policy is a legal agreement that explains what kinds of personal information you gather from website visitors, how you use this information, and how you keep it safe.
Examples of personal information might include:
Names
Dates of birth
Email addresses
Billing and shipping addresses
Phone numbers
Bank details
Social security numbers
A Privacy Policy generally covers:
The types of information collected by the website or app
The purpose for collecting the data
Data storage, security and access
Details of data transfers
Affiliated websites or organizations (third parties included)
Use of cookies
CalOPPA is one of the strictest privacy laws in the US. It affects anyone who collects personal information from people residing in California, which means its reach goes far beyond state borders.
While CalOPPA is strict, it isn't overly complicated to comply with. Having a Privacy Policy is its key requirement.
CalOPPA
CalOPPA's purpose is to provide protection of personal data collected from California residents. While CalOPPA is a state law and not a federal law, it very likely affects your website regardless of where you operate from because of the chance your website will attract California residents.
CalOPPA requires websites and apps to have a clearly visible and accessible Privacy Policy. Here's how the Consumer Federation of California Education Foundation describes CalOPPA:
CalOPPA classifies "personally identifiable information" as:
First and last names
Physical addresses
Email addresses
Telephone numbers
Social Security numbers
Any other contact information shared with a business either physically or online
Birthdates
Details of physical appearance (height, weight, hair color)
Any other information stored online that may identify an individual
How a Privacy Policy Can Comply with CalOPPA
In order to comply with CalOPPA, a Privacy Policy must include the following information:
Details of exactly what types of personal data are collected through the website or app
Any affiliated organizations this data may be shared with
A clear explanation of how users can request amendments to any personal data that is collected
The process for informing users of any changes to the Privacy Policy
The effective date of the Privacy Policy
What happens if a user makes a "Do Not Track" request
Details of third parties who collect personal data through the website or app
Include a "Do Not Track" Clause
"Do Not Track" (DNT for short) is a setting that can be activated on certain browsers to block behavioural tracking from third-party services like Google AdWords.
Under CalOPPA, it is not mandatory for a website or app to follow a DNT request. However, websites must inform users if their website or app will respond to a DNT request or not.
If you have to comply with CalOPPA, don't forget this clause.
How to Display a CalOPPA-Compliant Privacy Policy
In order to comply with CalOPPA, a Privacy Policy must:
Be clearly visible and easily accessible for visitors to your website or users of your app
Contain the word "privacy" in the display link
This requirement helps make it easy for people to find your Privacy Policy, which helps with transparency.
Privacy Policies Required by Third-party Services
Many third-party services commonly used by websites and apps also require that a Privacy Policy be made available.
For example, email newsletter service providers generally require a Privacy Policy in order to use their service.
The best way to satisfy this requirement of informing customers is with a Privacy Policy.
You also need to make a Privacy Policy available on your website or app if you use third-party services that track user browsing behaviour or that use location data, like Google Analytics or Google AdSense.
Google Analytics
If your website or app uses Google Analytics, then you need to update your Privacy Policy to meet the Google Analytics Terms of Service. Because Google Analytics uses cookies to track user behavior and cookies collect personal information, a Privacy Policy is required.
Privacy Policy Requirements for the Standard Features of Google Analytics
According to Google Analytics, if you are using the standard features of Google Analytics to track user behaviour on your website or app, then your Privacy Policy must:
State that you use Google Analytics to track user behaviour
Explain how data is collected and processed
Inform the user of the use of cookies
The Privacy Policy should be displayed in a prominent location, such as a website footer or in the main menu of an app.
Additionally, you should have a pop-up or banner Cookie Consent Notice that alerts users to the use of cookies on your website and allows users to block this if they wish.
Privacy Policy Requirements for Google Analytics Advertising Tools
If you use Google Analytics Advertising tools in addition to the standard features, there are further Privacy Policy requirements.
The advertising features covered by these additional requirements include:
Remarketing or retargeting
Google Display Network Impression Reporting
Google Analytics Demographics and Interest Reporting
If you use these tools, Google Analytics requires you to inform users of this fact by including the following information in your Privacy Policy:
The Google Analytics Advertising tools that you use, and how and why you use these features.
A notice that cookies are used by third parties to display relevant advertising to the user.
Instructions on how users can opt out of the Google Analytics Advertising features through Google's Ad Settings.
Google does not provide guidance on the exact language to use in your Privacy Policy. However, it should always be written in plain English and in a way that is easy to understand.
Google AdSense
If your website or app uses Google AdSense, then you need to update your Privacy Policy in line with the Google AdSense Terms and Conditions.
You must provide a Privacy Policy that discloses your use of Google AdSense, including:
A statement that third parties, including Google, use cookies to display relevant advertising to a user based on previous browsing behaviour.
Information on Google's DoubleClick cookies.
Instructions on how users can opt out of the use of DoubleClick cookies through Google's Ad Settings.
Google also requires that you use "commercially reasonable efforts" to make sure you get consent to use cookies on a user's device.
This is generally done by using a pop-up or banner that alerts users to the use of cookies on your website and allows users to block this if they wish, as mentioned earlier in the article.
Cookies Consent
Consent to place cookies must be obtained from the user actively, meaning users must click a button, check a box, or take some other action to confirm they consent.
Active consent, also called informed consent, involves requiring the user to confirm consent with a checkbox or an "I agree" button.
What to Include in a Privacy Policy
The content of Privacy Policies varies from one business to another. How a website collects and manages information, and how it interacts with third parties is unique to every company. Additionally, where a website's users live can impact the company's Privacy Policy because of international laws protecting global consumers.
At minimum, your Privacy Policy should cover the following points:
Business Name and Contact Details
Your Privacy Policy needs to contain your official business name and contact information.
This information is commonly seen at the very beginning or very end of a Privacy Policy, and users know to look there, so that is the recommended placement.
Types of Personal Data You Collect
You are required to disclose the various types of personal data you collect from users both directly and indirectly.
Note that the clause lists how the data may be collected as well as examples of specifics like email addresses, zip codes and "precise locations." Remember: the more thorough you are, the better.
Why You Collect Personal Data
Privacy laws require you to collect only the personal data you need, and to explain why you need it.
Note that it not only tells users why the information is used, but for what specific reason. It also addresses legitimate interests for using personal data, which helps with GDPR compliance.
How the Data is Used
How you use the data you collect is another important component of every Privacy Policy.
Using a list format helps you convey a lot of information in a more organized way, which is important in order to keep your Privacy Policy easily readable by a general audience. Make sure to include as many specific ways as possible that you use the data.
How You Share Data with Third Parties
Most websites use one or more third-party tools to enhance site performance and user experience. Examples might include Google Analytics to understand website visitors, or AdSense for personalized advertising.
Most sites also use cookies, which are technical tools that record user behavior to personalize their web experience.
All instances of third-party data sharing must be explained in your Privacy Policy, and you should provide links to those third-party companies' policies as well.
Breaking up the information into paragraphs to address separate types of third-party sharing, like advertising and analytics, is very helpful and makes the information easier to digest.