When collecting user data online or through any call-home product, it’s important to stay compliant with any and all privacy laws that apply to you.
Being aware of what data privacy laws require can save you from trouble later on, as users are becoming increasingly conscious of their rights and entitlements in terms of the privacy and use of their information.
There are two main jurisdictions that I will examine: the US and the EU. We’ll take a look at what kind of information is captured by these laws, and how to comply with them.
Privacy Laws in the US and EU
The privacy laws in the US and EU are very different. The EU law is extremely comprehensive, far-reaching, and strict. The US, on the other hand, has very piecemeal legislation that covers particular areas of privacy (like financial privacy, health and medical information, and the private information of children), but there is no general overriding law on data privacy online.
EU law is covered in the EU Data Protection Directive, which has disclosure requirements that apply to EU-based businesses processing the “personal data” of EU citizens. EU-based businesses include companies incorporated in the EU, sole traders operating there, businesses that have branch offices or agencies there, or overseas companies that process the data within the EU. “Processed” is quite broadly defined in the Directive, and includes collection, recording, use, making available, and destruction. The full definition is below:
The EU data protection laws are anticipated to change soon to become even more strict: a new EU Data Protection Regulation was proposed by the European Commission in 2012, which will broaden the scope of EU law. This Regulation was discussed earlier on the Flexera blog, here.
What is Personal Data?
Personal data is any information that could identify an individual, either on its own or in combination with other information, such as:
- Mobile numbers
- Identity of the data subject
- Identity of the phone (name of the device)
- Credit card and banking data
- Call logs
- Text messages, emails, or other forms of messaging
- Browsing history
- Pictures and videos
- Biometrics data
All of the metrics collected by Usage Intelligence are anonymous; end-users are only identified by way of a unique installation ID generated automatically by the Usage Intelligence SDK. This means that by default, Usage Intelligence does not store any personal information. However, Usage Intelligence does collect an IP address for cross-referencing the unique installation ID with a GEO-IP database; the IP address is not stored, but is processed. This means that it is personal data that the Directive applies to.
Usage Intelligence also provides the software developer or vendor with specific API calls to collect whatever custom data they deem appropriate. For example, typical use may be collecting data relating to events within the product, but a software developer could choose to gather information that would be considered “personal data”.
How to Comply with the Law
- Who you are (the person or company collecting the information);
- What types of information you will be collecting;
- How you will protect and store the information;
- What you will do with that information and in what circumstances you will release it or share it with other people;
- How the customer can review the information you hold on them;
- How the customer can change or delete that information;
- How you respond to “do not track” requests (whether via website or other mechanism of choice for your customer);
- The policy’s effective date and a description of any changes since then; and
- Dispute resolution information if your customer wants to lay a complaint or raise an issue.
Most courts have held that browsewrap methods are not legally binding on your users.
This is an example of browsewrap, from Businesswire:
Courts are in general agreement that clickwrap methods create a legally binding agreement between you and your users.
Here’s an example of clickwrap, from YouTube:
You can see the “I agree” statement must be ticked before users can continue.
You can see that the user is required to click “I accept” before they can click the “Next” button in the software installation process.