Privacy policy: why is it needed

The law obliges to publish “a document defining a policy regarding the processing of personal data.” There is no exact requirement for the name of such a document in the law, so it can be called differently: privacy policy, user agreement, provision on the processing of personal data, or otherwise. The point is not in the title of the document, but in its content and location.

What should the privacy policy contain

The document should contain the following information:

1. Data about the operator. Here you need to indicate the real legal or natural person – the owner of the site, and not the name of the Internet resource. If this is a site of a registered media outlet, the name of the editorial office must be indicated.

2. Purposes of data use. The user must understand where his data will be used and for what. This is a very important part of the document. If it later turns out that the operator uses user data for purposes not specified in the policy (for example, transfers to third parties), this will be considered a violation.

3. What kind of personal data is collected by the operator. Here it is worth knowing that the policy of Roskomnadzor is this: the operator should not collect more personal data than is necessary for his activities. That is, if you, for example, offer to subscribe to news, but at the same time request the user’s date of birth and address, this will look strange and may be considered a violation. In such cases, it is necessary to explain for what purposes you collect such information.

4. The procedure and conditions for the processing of personal data. It describes how the data will be stored, when and how it will be destroyed, how it will (if any) be transferred to third parties. In the latter case, the operator must ensure that, when transferring user data to someone else, he warns of the need to respect the confidentiality of data.

In the same part, practically significant information is indicated: what rights the user has, where he can apply with a request for the processing of his data, with a statement to withdraw his consent, etc.

Where to publish

The law does not specify exactly where a privacy policy should be placed on a website. But according to the meaning of the requirements and according to existing practice, the link to the document must be placed so that the user has the opportunity to read the text of the policy at the moment when he fills out the form with his data. That is directly under this form.

The best option is to get confirmation from the user. That is, by filling out the form with their data, the site visitor must check the box next to the text like “I accept the terms of the privacy policy.” In this case, the phrase “privacy policy” is a hyperlink to the text of the document. Whether the user reads it or not is his business. But until he checks the box, submitting the form will not be available.

Alternatively, you can use unchecked text with something like this: “By clicking the “Submit” button (“Register”, “Subscribe”, etc.), I accept the terms of the privacy policy” (the last two words are again a hyperlink to the document).

A link to the privacy policy can be additionally placed in the “footer” of the site.

Cookies and IP adresses are also data

When a user works with a site, some information about him remains on the server. They should also be mentioned separately.

First, the web server records the IP addresses of the devices through which the user accesses the site. In most cases, they can be used to determine the geographic location of the visitor, his Internet provider.

Most websites use cookies, which are small data files. The web server forwards the “cookie” to the user’s computer, and the browser then sends them back. So the server “learns”, for example, which pages of the site the user has already visited, what data he entered, and other information.

Information about users’ IP addresses and cookies are also data that must be used with the permission of the resource visitor. That is, the user should be warned about this at the very beginning of his work with the site.