Most legal requirements focus on notifying a user about one or more of the following:
- What information is collected.
- Who collects the information and how to contact them.
- How the information is collected.
- The legal basis for collection.
- How the information is stored.
- Who, including any third parties, can access and use the information.
- Any rights a user has over their information.
Some jurisdictions have more extensive requirements and place specific duties on website owners. For example, under the European Union's General Data Protection Regulation (GDPR), users must be able to easily:
- Withdraw consent to their data usage at any point in time.
- Correct personal information held by a company.
- Lodge a complaint with a governmental data protection (supervisory) authority.
Additionally, GDPR-compliant Online Privacy Policies have to be written in clear and plain language, in a concise and easily accessible form, so that they are understandable to users.
Another consideration is how customers agree to the policy. Some laws, such as many in the U.S., use an opt-out standard: customers are treated as agreeing to data collection unless they tell the website owner otherwise. Other laws, such as those across the EU, use an opt-in standard, which requires customers to "check the box" and explicitly permit data collection. Some laws, like the California Consumer Privacy Act (CCPA), employ a hybrid approach.
What privacy and data protection laws do businesses need to follow?
Figuring out which laws apply to you or your website can be tricky, especially since data privacy laws continuously evolve yet still lag behind technological advancements. It is a good idea to ask a lawyer for the most current information for your area and to understand what actions you may need to take to be compliant.
Countries around the world and states throughout the U.S. have their own data privacy regulations. Some privacy regulations, such as the GDPR, CCPA, and COPPA, apply based on the location of the user or the business. This means that if the business, the website, or the user is located in a place where a data privacy law applies, the business or website may have to follow it.
Unusually, the United States has no general data privacy law at the federal level. Federal requirements apply only in specific sectors, such as websites that:
- Knowingly collect the information of children under 13 years of age (COPPA).
- Are "significantly engaged" in financial activities (GLBA).
- Handle protected health information regulated by the Health Insurance Portability and Accountability Act (HIPAA).
Some state laws, such as California's CCPA, go even further than these federal rules by prohibiting businesses from discriminating against a consumer who has exercised their data privacy rights.
What are the penalties for data privacy violations?
The penalties for violating data protection laws can be severe. For example, in California a business may face up to $2,500 per violation, and each download of a non-compliant mobile app by a California resident can be treated as a separate violation. Under federal law, COPPA violations may result in civil penalties of up to $40,000 for each child whose information is improperly collected (the per-violation maximum is adjusted periodically for inflation, so the current figure may be higher). The GDPR allows fines of up to 4% of a company's worldwide annual turnover (revenue) or €20 million, whichever is higher, for non-compliance.
This article contains general legal information and does not contain legal advice. Rocket Lawyer is not a law firm or a substitute for an attorney or law firm. The law is complex and changes often. For legal advice, please ask a lawyer.