Are you confused whether privacy regulations apply to your website and what is required? We were too so we did some homework.
Privacy regulations were developed as a result of public concern over privacy. With so many privacy regulations, it is difficult to understand what the requirements are, and no one wants to be fined. There is a growing list of location-based regulations, but here are some starting points to consider. A legal professional should be consulted to ensure you are in compliance.
- Does your website collect any Personal Data from Users?
The following are examples of personal data:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Birthday
- Height, weight, hair color
- Health and genetic data
- Biometric data
- Racial and ethnic data
- Political opinions
- Sexual orientation
- Where are the people who can access your site located, and does your business fall within that location’s compliance criteria?
- California
CalOPPA (California Online Protection Act) (statute)
- Criteria
- Any person or entity that owns or operates a commercial website or online service that “collects and maintains personally identifiable information from a consumer residing in California who uses or visits” said website or online service.
- Requirements
- Conspicuously post your Privacy Policy on the home page of your website.
- The Privacy Policy includes the process by which users can request changes to their personal data.
- Include in your Privacy Policy how “Do Not Track” requests are handled (AB 370)
- Notify affected users in the event of a security breach that impacts their data.
- Effective date of the Privacy Policy
CCPA (California Consumer Privacy Act) gives California consumers:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
- Criteria
- Gross annual revenue of over $25 million
- Buy, receive or sell the personal information of 50,000 or more California residents, households, or devices, or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
- Requirements
- Notice at collection – list the categories of personal information collected and the purpose for collecting them
- If the business sells consumers’ personal information, then the notice at collection must include a Do Not Sell link.
- Link to a Privacy Policy, a written statement that gives a broad picture of the business’s online and offline practices for the collection, use, sharing, and sale of consumers’ personal information. It is required to include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination.
- European Union
- Criteria for companies required to comply with GDPR:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive data.
- What is required? Here is a link to the full article with requirements. Here are some of the highlights:
- Processing and storing personal data: All personal data must be processed lawfully and transparently, and only for the purpose specified to the individual. That data may be stored “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” All personal data must be processed securely to protect against unlawful access, loss or damage “using appropriate technical or organizational measures.” Those measures are not defined, but presumably if the data is lost or stolen, a company could be considered not in compliance.
- Consent: All processing of personal data must be done lawfully, by which is meant that each individual must give consent to use their personal data. The data collected must also be necessary to complete a task or transaction initiated by the individual, with the exception of public authorities.
- Right to Access: EU citizens have the right to know upon request what personal data a company is using and how it is being used.
- Right to Personal Data Deletion: EU citizens can expect companies to stop processing and to delete their personal data upon request.
- Reporting of Data Breaches: Companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected.
- Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) covers how businesses handle personal information.
- Responsibilities
- Businesses must follow the 10 fair information principles to protect personal information.
- Other Geographies: New regulations are being added, including Brazil, Chile, Colombia, India, Japan and more. Be sure to check the laws of the countries from which visitors are allowed to reach your website with your attorney.
- Add policies and tools as needed to comply.
Some tools that may be useful:
- Iubenda – Not sure what items you need to comply? Take Quiz here.
- Complianz plugin for WordPress
- Websitepolicies
The Site cannot and does not contain legal advice. The information is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any actions based upon such information, we encourage you to consult with the appropriate professionals. We do not provide any kind of legal advice. The use of or reliance on any information contained on this site is solely at your own risk.