Does my website or app need a Privacy Policy?

The legal side of any business always causes a headache. There are enough day-to-day tasks already, yet there is a constant need to consult lawyers! With the General Data Protection Regulation (GDPR) taking effect in May 2018, developers faced another barrier to unrestricted trade: yes, we’re going to talk about privacy policy.

Does Ukraine need a Privacy Policy?

It may not be easy to accept, but even if you only intend to work in Ukraine, you are not relieved of the duty to carefully guard the personal data entrusted to you.

In the Privacy Policy, a Ukrainian consumer is entitled to see the following:

• Information about the personal data holder;
• The composition and content of the collected personal data;
• Rights of the data subject;
• The purpose of the personal data gathering;
• Details about the persons to whom their data is transmitted.

All this information must be accessible to the user at the moment the data is gathered. If, however, personal data are obtained by other means, the owner must notify the user about the collection not less than thirty working days from the time the data was gathered.

The Privacy Policy also needs to remind users of their rights. According to national legislation, a Ukrainian user is entitled to:

• Know how and for what purposes their data was gathered;
• Know the location of the owner or distributor of their personal data (in other words, the Data Controller and Processor);
• Know who has access to their personal data and under which conditions it is provided (including access to information about the specific third persons);
• Review and, if necessary, modify the data collected to ensure that it is correct and up to date;
• Object to the processing of their personal data;
• Demand the correction or deletion of their personal data if it is being processed illegally or is unreliable;
• Require the protection of their personal data against illegal processing, accidental loss, deletion or damage, and intentional concealment;
• On request, receive their personal data on time;
• Demand protection from the disclosure of information that is unreliable or prejudicial to their honour, dignity or business reputation;
• Complain to the Ukrainian Parliament Commissioner for Human Rights, file a lawsuit, or defend themselves in another way in case of a violation of their rights;
• Limit the owner’s or receiver’s right to process their personal data at the time of giving consent;
• Revoke consent to the processing of their personal data;
• If processing is automated, know the mechanism of the automated processing of their personal data and demand protection from an automated decision if it could have legal consequences (for example, loan rejection).

It is essential to know that these rights are inalienable: no waiver in an agreement would release the owning company from the obligation to honour them.

What does GDPR require?

Everything that Ukrainian legislation requires, and more:

• Your role, specified as a Data Controller or a Processor;
• The grounds for processing (the user’s consent, the legitimate interests of the Controller, performance of a contract, etc.);
• The period of data storage and the procedure for its deletion;
• The rights GDPR grants to Europeans (right of access, rectification, erasure, restriction of processing, right to be informed, data portability, objection, and the right not to be subject to a decision based solely on automated processing);
• The procedure for notifying users about security breaches involving their personal data;
• Cookie, web beacon and log policies (as individual terms or even individual policies);
• Moving data abroad or receiving it from the EU;
• The level of personal data protection and some of the protective measures against data loss or damage;
• Company or Data Protection Officer contact information, if you have one;
• The date the Privacy and Personal Data Protection Policy was adopted and last updated (best practice is to keep an archive of earlier editions);
• The procedure for obtaining and withdrawing consent to personal data processing (and this is a non-exhaustive list of practical points!).

Any Privacy and Personal Data Protection Policy should be written in plain language without industry-specific jargon, so that every user (even one with no knowledge of the IT sphere) can understand the future Controller’s intentions and the consequences of providing their personal data.
Note that any marketing processing requires informed and voluntary consent (in other words, the user must be told what data is collected for future mailings and targeted advertising via SDKs), and forcing a user to consent under the threat of denial of service is considered bad form, especially in the strictest states (such as Germany).
It’s important that information which cannot be collected without the user’s explicit consent (for instance, “sensitive” data and data for marketing purposes) is not collected until the user agrees to the gathering conditions (i.e., while the corresponding Privacy Notice checkbox is left unchecked).

The marketing Cookie Notice and the Privacy Policy, of course, also need such consent.

Is a Privacy Policy also necessary in the USA?

Sure! Both federal and individual state legislation require it, directly in the text of the laws.
For example, Californian law requires owners of commercial websites and online services (which collect state residents’ personal information over the Internet and identify who owns that information) to publish their Privacy Policy conspicuously, so that a visitor can see and find it without any effort.

The owner of the site or application must indicate there:

• Which categories of personal data it collects;
• The categories of third parties to whom it discloses these data;
• The procedure for requesting and modifying previously provided personal information;
• How the user will be notified of significant changes to the Privacy Policy;
• The date the policy enters into force;
• How the website or application reacts to “Do Not Track” browser signals and similar mechanisms for preventing behavioral advertising (i.e., whether it honours or ignores them), including when the user visits other sites (as well as whether such third-party sites or applications can collect information about the user and whether they respond to DNT settings), etc.

This law applies to anyone who collects data about Californians (and it was in force long before GDPR!). There are similar laws and initiatives in other states; for example, you have to draft your Policy carefully for Nevada or Massachusetts. Many developers from other states are therefore adopting California law as a standard, and why would you give up this part of the market?

Particular attention should be paid to websites or applications that children and schoolchildren may interact with: some state laws prohibit advertising to, reporting on or collecting data about such users for any purpose other than improving school or classroom performance. If children are under 13 years of age, certain mobile games (which collect data on children) require direct and, moreover, verified (there are special mechanisms for this) parental or guardian consent, provided that all operations with this personal data are clearly described in the Privacy Policy, and the policy itself lists the parents’ rights and names the processors that also collect the data.

Finally, please note the sectoral laws that may require additional items in your Policy, in particular if your website or application deals with insurance, finance or health care. Sometimes laws also regulate data handling at particular stages of a company’s life cycle. For example, if a company is purchased or becomes bankrupt, its former customers are notified and given time to refuse the transfer of their data to the new owner (the data usually passes as part of the company’s intellectual property).

Be careful with other people’s personal data and take care of your clients’ nerves (and don’t forget your own, given the demands of regulators and particularly picky clients). Sometimes an extra hour spent on writing documents can save months of protracted litigation and, in the end, give you an advantage over less careful competitors.
