Privacy laws that apply to your website are usually affected by the acting privacy laws in your country. Recently, in over 80 countries, these privacy laws have been enacted in order to increase or improve information privacy and security. Here, we will go over some of these privacy laws.
Argentina
The Argentina Personal Data Protection Act that was brought in October 2000 applies to individuals as well as legal entities within the territory of Argentina who operate with personal information. Personal information includes any sort of data which relates to individuals; basic information like name, occupation, address, or date of birth.
Personal data does, however, include browser cookies; in the event that you use them to track user activity. So, in Argentina, it is only legal to use them if the user has provided an informed consent, which implies you need to tell them the purpose for gathering the data using browser cookies.
Furthermore, the user has the right to demand personal data deletion at any given time. Also, there is still a debate whether IP addresses should be considered as personal information, so just to be sure, ask for consent for that as well.
Australia
Australia’s Privacy Principles (APP) is a privacy law in Australia that consists of 13 principles which serve as guidelines for managing personal information. These principles demand that the information is handled in a transparent manner, which implies that you have to have an up-to-date privacy policy on your website and that you know how to manage personal information.
According to these principles and Australian law, your privacy policy needs to elaborate how and why the data will be collected, and also to explain the consequences of refusing to provide personal information. So, make sure you include all of these details in order to avoid future issues and complaints.
Brazil
In 2014, the Brazilian Internet Act was passed and it delves into policies on the collection, treatment, as well as the use of personal data on the Internet. According to the act, in Brazil, before you acquire someone’s personal data, you must have that person’s consent, and individuals who are under 16 years old are not eligible to give consent at all, whereas those between 16 to 18 years old need to have assistance from their parents or legal guardian. It also necessitates the providers to have a clear and easy to understand privacy policy so that users cannot feel wronged in any way.
Bahamas
The Bahamas have a privacy policy which protects the personal data of its citizens in the public sector as well as the private sector. According to their Data Protection Act 2003, the law appoints someone as a data protection commissioner to the Office of Data protection, and this is done in order to ensure the safety of personal data. However, this act does not meet the standards of the European Union, even though it was created in the first place solely for that purpose. The problem is that the person appointed as the data protection officer is not required to be in the office, and any group or organization is not required to notify the Office of Data Protection in the event breaching privacy. In other words, the act lacks many enforcements and, as such, it is not a reliable privacy policy.
Canada
Canada’s Personal Information Protection and Electronic Data Act (PIPEDA) provides an insight into how you should collect, store and use the personal data of your online users or subscribers, for the purpose of digital marketing. The act states that you must make these privacy policies accessible to your users and that the document is easy to read and understand. So, make sure you provide specific and direct information, and if you need any additional guidelines, you can look up the Privacy Toolkit and Fact Sheet.
Columbia
According to Colombia’s Regulatory Decree 1377, the providers are obliged to inform the users as to why they are collecting the data. Again, it is illegal to obtain this type of data without prior consent, and the policy must also include the description of the purpose and methods of data processing. Additionally, you must supply users with their rights over data and go over how those rights are exercised.
Czech Republic
As you can see, there is a certain pattern here regarding privacy laws, and the same rules apply for the Czech Republic. Act No. 101/2000 Coll., on the Protection of Personal Data is the name of their policy for data protection and it has a conduct that you should adhere to when collecting personal data. You need to ensure your policy is easy to follow without any ambiguous language and, again, you are going to need user consent before gathering personal information.
Denmark
The Act on Processing of Personal Data was passed in 2000, and it appointed the Danish Data Protection Agency to enforce these privacy laws. In the event they discover any privacy law violations, they are authorized to issue a ban or enforcement notice. Again, the company needs explicit consent from the user in order to collect data, and they need to ask for their consent again, in case they want to disclose this information to third parties for the purposes of digital marketing.
Estonia
The Personal Data Protection Act of 2003 in Estonia also demands that personal information is obtained in an honest and legal fashion. Once again, you are going to need the user’s consent before gaining access to personal data and collecting it, and you will also have to inform them about the reason for collecting the data in the first place.
European Union
The privacy law in the European Union is regulated throughout The European Union Data Protection Directive of 1998. According to the data protection directive, the information must be obtained in a way that is fair and lawful. To elaborate, the data can only be collected for specified and legitimate purposes, and the explanation of the purposes must be provided. Users need to give consent in an unambiguous and explicit way. You are also obliged to inform the users if their data is going to be shared with third parties.
Finland
In Finland, privacy law is defined in The Personal Data Act, and it is considered as one of the basic rights. If you want to gather personal information in Finland, the Act necessitates that you have a clear purpose for that, and you are not allowed to use it for any other purpose. Again, user consent is required prior to data gathering, and the user needs to be provided with a data file that describes the gathering process as well as explains the purpose behind data gathering. There are certain restrictions as well that apply in the event that you are collecting data for personalized marketing or e-mail marketing, and your database is limited to basic information and contact information.
France
Data privacy in France is regulated using The Data Protection Act (DPA) of 1978, which was revised in the year 2004. This act also addresses collecting personal data for the purposes of sending e-mails, or the collection of any information which is used to identify a person. The act applies to all of those who are collecting data in France, which is why French Data Protection Authority was able to sue Google for privacy law violation. It goes without saying that, just like with the other laws we mentioned, you need the consent of the user before even collecting their personal information.
Germany
Germany has the Federal Data Protection Act of 2001, which prohibits you to gather personal data without authentic user consent (this also includes IP address). So, you need to get the data from the subject directly and are also not allowed to obtain it from another party, like buying email lists etc. Also, you are only allowed to use the data for the specific purpose you have mentioned in your privacy policy. The law applies to anyone who is collecting data on German soil and there are 16 different data protection agencies that enforce these laws.
Greece
The Processing of Personal Data laws in Greece is there to ensure the privacy of individuals who rely on electronic communication. After asking for the consent of a particular user, you will be allowed to obtain his or her personal data. You also need to inform the user about the type of data you will get, and tell them for what purpose the data is going to be used. Lastly, the users are allowed to withdraw their consent at any time they want.
Hong Kong
Hong Kong’s Personal Data Ordinance is the acting privacy law in Hong Kong and it points out how users must be informed about data collection and the ways that data can be used (if it is shared with a third party for example). The act has certain principles that state how personal data policies, along with practices, must be publicly available and transparent. In the event of privacy law violation, you can be charged with a fee that goes up to HK$50,000, or even spend two years in prison, so it is definitely a matter you should take seriously, considering how easily your users can sue you.
Hungary
The privacy of personal data in Hungary is protected by an act with a very long name – Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests. It was created with the purpose to make sure the individuals have control over their personal information. Just like with our previous acts, this one also requires you to have user consent before collecting and handling their personal information. In the event of act violation, you are prone to be sued by the users and you will be liable to pay for any damage that you have caused by misusing their personal data.
Iceland
Even though Iceland has the same principals regarding information and consent, its policy is a bit stricter than the others. Iceland has been labeled as the Switzerland of data due to this strictness and it all explained and stated in the Data Protection Act of 2000. Not only does it require you to make users aware of data collection, but also how the processing is being conducted and how you are going to protect the collected data. Users can also withdraw the consent at any given time and in the event of act violation, you can even end up in prison for 3 years.
Ireland
There are two acts for privacy regulation in Ireland. One of them is the Data Protection Act 1988 and ePrivacy Regulations 2011 (S.I. 336 of 2011) for regulating privacy in the field of electronic communication. In Ireland, there is a difference between an organization’s Privacy Policy and a public Privacy Statement. Basically, a privacy policy is a legal document that elaborates on how an organization applies the 8 data protection principles and a privacy statement is website documentation which clarifies how the data is being collected and handled on that website. Websites have a legal obligation to include privacy policy statements and they can be fined up to 100,000 euros for neglecting this duty.
India
The Information Technology Act demands that websites in India have a privacy policy published and accessible to their users, regardless of whether you dealing with sensitive data or not. Much like other policies, it needs to describe the type of data you are collecting, the purpose behind the collection, and security practices implemented for protecting that data. Sensitive data like passwords or financial information can only be collected with the user’s consent.
Italy
It is similar to other policies so far, but again a bit stricter in terms of electronic marketing. The Data Protection Code demands that you need consent before even tracking your user and using data for advertising or marketing communications. Users need to be provided with specific information before gathering or processing their personal facts, and you also need to include a purpose behind such a request. Much like with France, Italy threatened Google for violating Italian privacy regulations and requested a fee of up to one million euros.
Japan
The Personal Information Protection Act is created for protecting the rights of the individuals regarding their personal information. Personal information, however, has a very broad definition in this act and it even extends to the data found in the public directory. Other limitations are pretty much exactly the same; it requires prior consent and a detailed explanation of the reason for gathering intel.
Latvia
As far as Latvia is concerned, the law pretty much abides the basic formula. Privacy regulations are quite common and under the established rules. Collecting and using data requires consent as well as from you to provide users with specifics regarding its use and implementation. You must also inform them if any third party will also have access to the data you are collecting. The name of the act is The Personal Data Protection Law of Latvia.
Luxembourg
On the 2nd of August, an act was created for the purpose of protection and processing of personal data. As far as its name is concerned, it is a bit unconventional – Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data. It also states how you need consent to provide users with detailed information about why the data is being collected and the name of the parties who will have access to it.
Malta
In Matla, one of the fundamental human rights is the right to privacy, and for that reason, the Data Protection Act of 2001 was created. The difference between this act and most other acts here is that it requires extra steps for providing consent. To be specific, for the user’s consent to be valid, you must provide them with information about your identity and place of residence, you must also give them a reason for collecting data and the list of other data recipients, and ask them if their participation is in fact voluntary. They also have rights to access that data as well as erase it.
Mexico
In Mexico, the Federal Law for the Protection of Personal Data Possessed by Private Persons is there to regulate and protect the privacy of one’s personal information. The reasons for collecting data must align with the ones stated in this policy and you also need to have consent if you want any type of personal information that is not publicly available. Additionally, you are obliged to tell users what their rights are concerning the data you collected.
Morocco
In Morocco’s Data Protection Act personal data is defined as information of any nature, which allows one to identify certain individuals. Providing users with a reason behind data gathering and having their consent is once again obligatory. However, the act will not require you to do this in the event that the individual has personally made the information public. Once again, in order for the consent to be considered valid, you are required to provide the users with your specific and personal information. In the event you break the law, you can be punished either financially, or even with imprisonment.
New Zealand
New Zealand’s Privacy Act of 1993 demands that, when collecting this type of data, you are obliged to seek any nonpublic personal information straight from the individual. The user whose information you require needs to know your name and the purpose for requesting this data. You must also tell them whether the information is required by law, or if it is optional, and they need to be aware of their own rights regarding that data. A complaint by the user can trigger an investigation and you’ll be placed under scrutiny to ascertain if you collected the data in accordance with the privacy law.
Norway
There are no exceptions as far as Norway is concerned Norway’s Personal Data Act gives you an obligation to collect data directly from the user after you have acquired his or her consent. The purpose behind collecting data and its visibility to third parties must also be provided, as well as the identities of you and possible third parties.
The Philippines
The Philippines are known for their strict privacy law; in fact, it is the strictest one in the region. You still need to do the common procedures mentioned in the most of the acts above, but there is also the Republic Act No. 10173. According to this act, individuals are allowed to know your personal identity, your purpose for collecting data, and they have the right know how the data is being processed and also the identities of the third parties, if any, who will have access to it.
Poland
Poland’s Act of the Protection of Personal Data from the year 1997 demands that prior to data processing, you must obtain the subject’s consent, otherwise collecting information is prohibited. Additionally, just like with previous examples, you must provide your personal information like name and address, along with the purpose of collecting data. The subject must also know his or her rights and whether the participation is necessary or voluntary.
Portugal
Act on the Protection of Personal Data in Portugal states that the processing of data must be done in a transparent manner, with full respect towards the user’s privacy. In order to collect personal information, you must have a specific and legitimate purpose for doing so, and you will also need the subject’s consent. You must also give your information to the user, as well as information about all other data recipients.
Romania
In Romania, privacy law regulations are very similar to the common practices mentioned so far. Consent, purpose, and your identification must be provided to the subject prior to requesting data processing, and if you are interested to find out more specific you may read in-depth information about their privacy laws.
Russia
There are two legal documents that are used for regulating privacy in Russia. One is the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, from 2005, and the Law of the Russian Federation “On Personal Data” which applies to operators who use automated equipment for gathering personal data.
User consent is required prior to gathering, processing, modifying or altering, using, or even destroying the subject’s data. This rule does not apply however if the information is required by law, or if it is necessary.
Slovenia
Slovenia’s Personal Data Protection Act requires you to obtain legal and valid consent from the subject before collecting data. The consent is only considered valid if the person is aware of your identity and the purpose of collecting the information. They also need to be informed that data will be processed in a legal and fair manner.
South Africa
South Africa’s Electronic Communications and Transactions Act is the law that is applicable to any personal data which is collected through the website. The act consists of nine principles which you must fulfill prior to collecting personal information from an individual. Also, just like with previous cases, your information needs to be given to the subject and the act warrants his or her consent in order for you to gain the rights to access their personal information.
South Korea
According to the Act on Promotion of Information and Communications Network Utilization and Data Protection in South Korea, any personal information that is acquired by the communication services provider warrants legal consent from the user. If the consent is to be considered valid, you need to give all the necessary information like in all of the previous examples.
The Framework Act on Telecommunications defines information and communication services as the following – “services that mediate a third party’s communication through the telecommunications facilities and equipment or to provide the telecommunications facilities and equipment for the third party’s telecommunications.”
Spain
In Spain, personal information is regarded as one of the constitutional rights and you need to supply the user with fair processing information as well as your personal information in order to receive their consent and for it to be valid. They also need to know if leaving their personal information is voluntary or mandatory, as well as the consequences of providing that information to you.
Switzerland
Switzerland’s Federal Act on Data Protection allows for personal information to be collected only in good faith, and if the user is aware of the purpose for this request. You must also provide the subject with your personal details or personal data. In both cases, personal data is defined as – “all information relating to an identified or identifiable person.”
Taiwan
The Computer-Processed Personal Data Protection Law defines personal data as information related to individuals which includes their name, date of birth, and even social activates, or any kind of detail which allows for that individual to be identified. The collection of personal data must be conducted in good faith and you must also take into consideration the user’s rights. This implies that you as an organization need to give them your personal information as well, which includes your name address and all other details, along with methods and the purpose of collecting this data.
United Kingdom
The Information Commissioner’s Office is responsible for upholding the privacy laws in the UK and it requires very much the same procedure for gathering data as the ones mentioned so far, but also to explain the mechanism behind the browser cookies you are using for this purpose.
United States
In the US, privacy laws are not strictly regulated by federal laws as in other cases mentioned in the text. However, the US does leave up to the state to decide on the strictness of their privacy policy. In other words, laws differ depending on the state as well as the industry which implements them.
The FTC (Federal Trade Commission) is in charge of regulating business privacy laws, and they are not required to have a privacy policy, but they are prohibited from using deceptive methods. They also have the Children’s Online Privacy Protection Rule (COPPA), which deals with websites that collect information from children who are under 13 years old. The first law in the US that warrants you to post a privacy policy on your website is the California Online Privacy Protection Act (CalOPPA), and it applies to any website in California that collects data from users in California.
CalOPPA requires that policy from websites that collect personal data to contain the following information:
- The type of personal data you are collecting
- Naming any third parties that will have access to it
- How users can review and change the collected data
- How you’ll update users regarding the alterations to the privacy policy
- Your privacy policy’s effective date
So, if you collect data from anyone in California you need to comply with laws.
As you can see, privacy policies and laws from different states and countries are, in their essence, very similar. There are minor differences, and some are more strict than others, but when you are creating your privacy policy, make sure that it is compatible with the laws in your country.