How should the User Privacy Policy of the NFT digital collectibles platform be written?
Introduction
The “User Agreement” and “Privacy Policy” serve as the first barrier between the NFT digital collectibles platform and its users. On one hand, they clarify the rights and responsibilities between the platform and the users. On the other hand, the expression of these agreements is also an important window to convey the platform’s attention and sincerity towards its users.
During the transaction process, the digital collectibles platform inevitably stores a large amount of personal data and sensitive information, and the protection of this data is crucial for the platform. The “Privacy Policy” explains to users how their personal information and privacy data are collected and used.
In our article “Practical Sharing | How to Write the User Agreement for NFT Digital Collectibles Platform?” we have analyzed the user agreement of the digital collectibles platform. This series of articles is divided into two parts. In this article, let’s take a look at the common violations of the privacy policy of the digital collectibles platform.
01. What data does the digital collectibles platform involve?
In different usage scenarios, the digital collectibles platform collects, uses, stores, and shares user data differently. We have summarized the main data involved in different stages:
02. Non-compliant display of the privacy policy
1. No privacy policy in the app
The app should provide rules formulated by the app operator regarding the collection and use of users’ personal information, which is the privacy policy. However, after reviewing the privacy policies of many digital collectibles platforms, we found that some platforms are “careless”, specifically manifested as: invalid privacy policy links, abnormal display of text, no rules for collection and use, and even the privacy policy of the platform cannot be found at all.
2. Difficulties in accessing the privacy policy
The essence of compliance regulation for data/privacy protection is “informed consent”. Therefore, in order to ensure that users are informed, the platform not only needs to have a privacy policy, but also needs to have a substantial privacy policy.
In plain language, you not only need to have it, but also let others know that you have it, and it should be clickable to view.
In the product design of the platform, many project parties have the following problems:
(1) After entering the main interface of the app, it takes more than 4 clicks or operations to access it;
(2) The path is too obscure, and the policy can only be reached through search or by consulting customer service;
(3) The privacy policy is only displayed on the official website or Apple App Store (H5), and cannot be found within the app.
3. The app does not clearly prompt users to read the privacy policy when it is first launched.
When users first enter the app, the app does not prompt them to read the privacy policy through a pop-up or a checkbox confirming that they have read it.
03. The content of the privacy policy is not compliant
1. The purpose, methods, and scope of collecting and using personal information are not explicitly listed one by one
Some digital collectible platforms only inform the scope of personal information collection but remain silent on the purpose of collection. They even use vague expressions such as “etc.,” “for example,” “including but not limited to,” etc., to expand the collection scope.
Therefore, as the party collecting, using, and storing user data, the platform must clearly state which data is collected, why it is collected, and how it is collected. It is not allowed to use vague and general expressions. This is not only a common problem in digital collectible platforms but also a common problem in many online platforms.
2. The content of the collection and usage rules is obscure, lengthy, and complicated, making it difficult for users to understand
After reading the privacy policies of many digital collectible platforms, lawyer Mankun believes that platform users do not pay much attention to the agreements provided by the platforms. Besides users’ own cognitive reasons, the agreements in the industry are also “unfriendly”. Some platforms attempt to evade their own risks by piling up content and wording, resulting in privacy policies that are excessively lengthy and complicated and contain a large amount of content unrelated to the platform, making them difficult for users to read and understand.
If the platform wants to reasonably mitigate risks through privacy policies, it must carefully consider the agreements in the text, combining them with the actual situation of the platform. At the same time, it should reduce users’ understanding barriers through formatting, reducing professional terms, refining key content, providing convenient download and viewing methods, etc.
3. The collection and usage of personal information exceeds the necessary limit
When our team of lawyers tested various digital collectible platforms, we found that some platforms clearly state in the privacy policy and other data usage rules that even if users do not agree to the collection of non-essential personal information or do not grant non-essential permissions, the platform will not refuse to provide business functions.
However, in the actual use of the app, the platform's behavior does not match these rules. For example, users cannot browse or view the platform without registering, cannot view collectibles or browse consignment information without real-name authentication, and the platform collects other information unrelated to its use. In these cases, the platform collects and uses personal information far beyond the necessary limit.
04. Improper consent and update operations of the privacy policy
1. User consent is solicited through non-explicit means such as default selection of agreement to the privacy policy
Some platforms use automatic checkbox selection to directly help users agree to the privacy policy, rendering the privacy policy meaningless.
Therefore, many digital collectible platforms bind the options for registration or login with the agreement to the privacy policy, ensuring that users must actively check the agreement to the privacy policy before registering or logging in, so that users have to read and understand the content of the privacy policy.
2. When there are changes to the rules for collecting and using personal information, users are not notified in an appropriate manner
When the purpose, method, or scope of collecting and using personal information by the platform changes, users should be notified and reminded to read the information in an appropriate manner, such as through pop-up windows, push notifications, emails, phone calls, etc. Due to the time limitations of the evaluation, the author has not yet discovered any updates to the privacy policy on various digital collectible platforms.
However, just like the user agreements mentioned in the previous section, platforms also update the content of the privacy policy without notifying any users or seeking their consent again.
Therefore, lawyer Mankun suggests that developers should confirm whether a pop-up window will appear to prompt users to reconfirm after updating the privacy policy.
05. Mankun Lawyer’s Summary
With the promulgation of laws and regulations such as the “Cybersecurity Law” and “Data Security Law,” regulatory authorities are paying more and more attention to data protection. NFT digital collectible entrepreneurs should not treat the privacy policy as a mere formality. Instead, platforms should pay more attention to it, take compliance actions on both the technical and the textual side, and demonstrate their proactive attitude towards regulation and their care for user data.
Platform agreements are not just decorative, and when actual disputes arise between the platform and users, user agreements and privacy policies are important agreement documents for the allocation of rights, obligations, and responsibilities between the platform and users. Both platforms and users should take this seriously.
We hope that these two practical articles give platform owners some ideas.