Privacy Laws in Different Countries and How to Comply With Them
Even though privacy laws or policies are legal documents, you should ensure that these texts are crafted so that they are easy to understand and accurate. It would be extremely unwise to use obscuring or hidden clauses within the text or to make it too vague since it can affect your credibility as a platform.
Why privacy laws are important
Privacy laws are important for a couple of reasons. Primarily, they are an absolute necessity for some industries, like banking, medical professionals, lawyers, etc. Basically, the professions that incorporate privacy laws are obliged to maintain them both online and off. Furthermore, anyone who is in a regulated industry must have privacy laws that cover all of the issues, under the regulations of the industry, because they can suffer suspensions or fines otherwise.
Privacy laws by country
Privacy laws that apply to your website are usually affected by the acting privacy laws in your country. Recently, in over 80 countries, these privacy laws have been enacted in order to increase or improve information privacy and security. Here, we will go over some of these privacy laws.
The Argentina Personal Data Protection Act, enacted in October 2000, applies to individuals as well as legal entities within the territory of Argentina who handle personal information. Personal information includes any sort of data that relates to an individual: basic details such as name, occupation, address, or date of birth.
Personal data also includes browser cookies if you use them to track user activity. So, in Argentina, it is only legal to use them if the user has given informed consent, which means you need to tell them the purpose for which you gather data through browser cookies.
Furthermore, the user has the right to demand deletion of their personal data at any time. There is also still a debate over whether IP addresses should be considered personal information, so, to be safe, ask for consent for that as well.
Canada’s Personal Information Protection and Electronic Data Act (PIPEDA) provides insight into how you should collect, store and use the personal data of your online users or subscribers for the purpose of digital marketing. The act states that you must make your privacy policy accessible to your users and that the document must be easy to read and understand. So, make sure you provide specific and direct information, and if you need additional guidelines, you can look up the Privacy Toolkit and Fact Sheet.
According to Colombia’s Regulatory Decree 1377, the providers are obliged to inform the users as to why they are collecting the data. Again, it is illegal to obtain this type of data without prior consent, and the policy must also include the description of the purpose and methods of data processing. Additionally, you must supply users with their rights over data and go over how those rights are exercised.
As you can see, there is a certain pattern to these privacy laws, and the same rules apply in the Czech Republic. Act No. 101/2000 Coll., on the Protection of Personal Data is the name of their data protection law, and it sets out a code of conduct you should adhere to when collecting personal data. You need to ensure your policy is easy to follow without any ambiguous language and, again, you are going to need user consent before gathering personal information.
The Act on Processing of Personal Data was passed in 2000, and it appointed the Danish Data Protection Agency to enforce these privacy laws. If the agency discovers any privacy law violations, it is authorized to issue a ban or an enforcement notice. Again, the company needs explicit consent from the user in order to collect data, and it needs to ask for consent again if it wants to disclose this information to third parties for the purposes of digital marketing.
The Personal Data Protection Act of 2003 in Estonia also demands that personal information is obtained in an honest and legal fashion. Once again, you are going to need the user’s consent before gaining access to personal data and collecting it, and you will also have to inform them about the reason for collecting the data in the first place.
Privacy law in the European Union is regulated through The European Union Data Protection Directive of 1998. According to the data protection directive, information must be obtained in a way that is fair and lawful. To elaborate, data can only be collected for specified and legitimate purposes, and an explanation of those purposes must be provided. Users need to give consent in an unambiguous and explicit way. You are also obliged to inform users if their data is going to be shared with third parties.
In Finland, privacy law is defined in The Personal Data Act, and it is considered as one of the basic rights. If you want to gather personal information in Finland, the Act necessitates that you have a clear purpose for that, and you are not allowed to use it for any other purpose. Again, user consent is required prior to data gathering, and the user needs to be provided with a data file that describes the gathering process as well as explains the purpose behind data gathering. There are certain restrictions as well that apply in the event that you are collecting data for personalized marketing or e-mail marketing, and your database is limited to basic information and contact information.
Data privacy in France is regulated by The Data Protection Act (DPA) of 1978, which was revised in 2004. This act also addresses collecting personal data for the purpose of sending e-mails, or the collection of any information which is used to identify a person. The act applies to everyone collecting data in France, which is why the French Data Protection Authority was able to sue Google for a privacy law violation. It goes without saying that, just like with the other laws we mentioned, you need the consent of the user before collecting their personal information.
The Processing of Personal Data law in Greece is there to ensure the privacy of individuals who rely on electronic communication. After asking for the consent of a particular user, you will be allowed to obtain his or her personal data. You also need to inform the user about the type of data you will collect, and tell them for what purpose the data is going to be used. Lastly, users are allowed to withdraw their consent at any time.
Hong Kong’s Personal Data Ordinance is the acting privacy law in Hong Kong, and it sets out how users must be informed about data collection and the ways that data can be used (if it is shared with a third party, for example). The act has certain principles that require personal data policies and practices to be publicly available and transparent. In the event of a privacy law violation, you can be fined up to HK$50,000, or even spend two years in prison, so it is definitely a matter you should take seriously, considering how easily your users can sue you.
The privacy of personal data in Hungary is protected by an act with a very long name – Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests. It was created to ensure that individuals have control over their personal information. Just like the previous acts, this one also requires you to have user consent before collecting and handling personal information. If you violate the act, you can be sued by the users and will be liable to pay for any damage you have caused by misusing their personal data.
Even though Iceland has the same principles regarding information and consent, its policy is a bit stricter than the others. Iceland has been labeled the Switzerland of data due to this strictness, and it is all set out in the Data Protection Act of 2000. Not only does it require you to make users aware of data collection, but also of how the processing is conducted and how you are going to protect the collected data. Users can also withdraw consent at any time, and if you violate the act, you can even end up in prison for 3 years.
It is similar to the other policies so far, but again a bit stricter in terms of electronic marketing. The Data Protection Code demands that you obtain consent before even tracking your users and using their data for advertising or marketing communications. Users need to be provided with specific information before you gather or process their personal data, and you also need to state the purpose behind such a request. Much like France, Italy threatened Google for violating Italian privacy regulations and requested a fine of up to one million euros.
The Personal Information Protection Act was created to protect the rights of individuals regarding their personal information. Personal information, however, has a very broad definition in this act, and it even extends to data found in public directories. The other limitations are pretty much the same: it requires prior consent and a detailed explanation of the reason for gathering the information.
As far as Latvia is concerned, the law pretty much follows the basic formula. Privacy regulations are quite common and follow the established rules. Collecting and using data requires consent and requires you to provide users with specifics regarding its use and implementation. You must also inform them if any third party will have access to the data you are collecting. The name of the act is The Personal Data Protection Law of Latvia.
On 2 August 2002, an act was created for the purpose of protecting and regulating the processing of personal data. Its name is a bit unconventional – Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data. It also states that you need consent and must provide users with detailed information about why the data is being collected and the names of the parties who will have access to it.
In Malta, one of the fundamental human rights is the right to privacy, and for that reason the Data Protection Act of 2001 was created. The difference between this act and most of the other acts here is that it requires extra steps for consent. To be specific, for the user’s consent to be valid, you must provide them with information about your identity and place of residence, give them a reason for collecting the data and the list of other data recipients, and tell them whether their participation is in fact voluntary. They also have the right to access that data as well as to erase it.
In Mexico, the Federal Law for the Protection of Personal Data Possessed by Private Persons is there to regulate and protect the privacy of one’s personal information. The reasons for collecting data must align with the ones stated in this policy and you also need to have consent if you want any type of personal information that is not publicly available. Additionally, you are obliged to tell users what their rights are concerning the data you collected.
In Morocco’s Data Protection Act, personal data is defined as information of any nature which allows one to identify particular individuals. Providing users with a reason behind data gathering and having their consent is once again obligatory. However, the act does not require this when the individual has personally made the information public. Once again, for consent to be considered valid, you are required to provide users with your own identifying details. If you break the law, you can be punished financially or even with imprisonment.
New Zealand’s Privacy Act of 1993 demands that, when collecting this type of data, you are obliged to seek any nonpublic personal information straight from the individual. The user whose information you require needs to know your name and the purpose for requesting this data. You must also tell them whether the information is required by law, or if it is optional, and they need to be aware of their own rights regarding that data. A complaint by the user can trigger an investigation and you’ll be placed under scrutiny to ascertain if you collected the data in accordance with the privacy law.
There are no exceptions as far as Norway is concerned: Norway’s Personal Data Act obliges you to collect data directly from the user after you have acquired his or her consent. The purpose behind collecting the data and its visibility to third parties must also be provided, as well as your identity and the identities of any third parties.
The Philippines is known for its strict privacy law; in fact, it is the strictest in the region. You still need to follow the common procedures mentioned in most of the acts above, but there is also Republic Act No. 10173. According to this act, individuals are allowed to know your identity and your purpose for collecting data, and they have the right to know how the data is being processed and the identities of any third parties who will have access to it.
Poland’s Act of the Protection of Personal Data from the year 1997 demands that prior to data processing, you must obtain the subject’s consent, otherwise collecting information is prohibited. Additionally, just like with previous examples, you must provide your personal information like name and address, along with the purpose of collecting data. The subject must also know his or her rights and whether the participation is necessary or voluntary.
Portugal’s Act on the Protection of Personal Data states that the processing of data must be done in a transparent manner, with full respect for the user’s privacy. In order to collect personal information, you must have a specific and legitimate purpose for doing so, and you will also need the subject’s consent. You must also give the user your own details, as well as information about all other data recipients.
In Romania, privacy law regulations are very similar to the common practices mentioned so far. Consent, purpose, and your identification must be provided to the subject prior to requesting data processing, and if you want more specifics, you can read the in-depth information about their privacy laws.
There are two legal documents that regulate privacy in Russia. One is the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, from 2005, and the other is the Law of the Russian Federation “On Personal Data”, which applies to operators who use automated equipment for gathering personal data.
User consent is required prior to gathering, processing, modifying or altering, using, or even destroying the subject’s data. This rule does not apply, however, if the information is required by law or if it is otherwise necessary.
Slovenia’s Personal Data Protection Act requires you to obtain legal and valid consent from the subject before collecting data. The consent is only considered valid if the person is aware of your identity and the purpose of collecting the information. They also need to be informed that data will be processed in a legal and fair manner.
South Africa’s Electronic Communications and Transactions Act is the law applicable to any personal data collected through a website. The act consists of nine principles which you must fulfill prior to collecting personal information from an individual. Also, just like in the previous cases, your details must be given to the subject, and the act requires his or her consent before you may access their personal information.
According to the Act on Promotion of Information and Communications Network Utilization and Data Protection in South Korea, any personal information acquired by a communication services provider requires legal consent from the user. For the consent to be considered valid, you need to give all the necessary information, as in all of the previous examples.
The Framework Act on Telecommunications defines information and communication services as the following – “services that mediate a third party’s communication through the telecommunications facilities and equipment or to provide the telecommunications facilities and equipment for the third party’s telecommunications.”
In Spain, personal information is regarded as one of the constitutional rights and you need to supply the user with fair processing information as well as your personal information in order to receive their consent and for it to be valid. They also need to know if leaving their personal information is voluntary or mandatory, as well as the consequences of providing that information to you.
Switzerland’s Federal Act on Data Protection allows for personal information to be collected only in good faith, and if the user is aware of the purpose for this request. You must also provide the subject with your personal details or personal data. In both cases, personal data is defined as – “all information relating to an identified or identifiable person.”
The Computer-Processed Personal Data Protection Law defines personal data as information related to individuals, which includes their name, date of birth, and even social activities, or any kind of detail which allows that individual to be identified. The collection of personal data must be conducted in good faith, and you must also take the user’s rights into consideration. This means that you, as an organization, need to give them your details as well, including your name, address and all other particulars, along with the methods and purpose of collecting this data.
The Information Commissioner’s Office is responsible for upholding the privacy laws in the UK and it requires very much the same procedure for gathering data as the ones mentioned so far, but also to explain the mechanism behind the browser cookies you are using for this purpose.
CalOPPA requires that the privacy policy of any website that collects personal data contain the following information:
- The type of personal data you are collecting
- Naming any third parties that will have access to it
- How users can review and change the collected data
So, if you collect data from anyone in California, you need to comply with CalOPPA.
This page is designed to help businesses, especially BBB Accredited Businesses, create an online privacy notice for use on the Internet. A privacy notice should be based on the following five elements:
- Notice (what personal information is being collected on the site)
- Choice (what options the customer has about how/whether personal data is collected and used)
- Access (how a customer can see what data has been collected and change/correct it if necessary)
- Security (state how any data that is collected is stored/protected)
Whatever final notice you develop is up to you, and will be your responsibility to maintain. The Better Business Bureau does not recommend any one set of privacy practices, nor any single privacy notice.
Below is a sample privacy notice that you may want to use as a guide for your privacy notice. Note that there is a place for your company name or URL in the first paragraph and a place for your phone number and email address in the last paragraph. Please make sure to personalize these. DO NOT simply cut-and-paste this policy as is.
- What personally identifiable information is collected from you through the website, how it is used and with whom it may be shared.
- What choices are available to you regarding the use of your data.
- The security procedures in place to protect the misuse of your information.
- How you can correct any inaccuracies in the information.
Information Collection, Use, and Sharing
We are the sole owners of the information collected on this site. We only have access to/collect information that you voluntarily give us via email or other direct contact from you. We will not sell or rent this information to anyone.
We will use your information to respond to you, regarding the reason you contacted us. We will not share your information with any third party outside of our organization, other than as necessary to fulfill your request, e.g. to ship an order.
Your Access to and Control Over Information
You may opt out of any future contacts from us at any time. You can do the following at any time by contacting us via the email address or phone number given on our website:
- See what data we have about you, if any.
- Change/correct any data we have about you.
- Have us delete any data we have about you.
- Express any concern you have about our use of your data.
We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline.
Wherever we collect sensitive information (such as credit card data), that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a lock icon in the address bar and looking for “https” at the beginning of the address of the Web page.
While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (for example, billing or customer service) are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secure environment.
The above notice (or policy) probably does not describe your privacy practices exactly. You need to personalize your statement to fit your business practices. Following are some sample clauses that you can use to help describe other specific practices that fit your business model.
In order to use this website, a user must first complete the registration form. During registration a user is required to give certain information (such as name and email address). This information is used to contact you about the products/services on our site in which you have expressed interest. At your option, you may also provide demographic information (such as gender or age) about yourself, but it is not required.
If you take and fill orders on your site, insert a paragraph like this in your privacy notice:
If you share information collected on your site with other parties, insert one or more of these paragraphs in your privacy notice:
We share aggregated demographic information with our partners and advertisers. This is not linked to any personal information that can identify any individual person.
We use an outside shipping company to ship orders, and a credit card processing company to bill users for goods and services. These companies do not retain, share, store or use personally identifiable information for any secondary purposes beyond filling your order.
We partner with another party to provide specific services. When the user signs up for these services, we will share names, or other contact information that is necessary for the third party to provide these services. These parties are not allowed to use personally identifiable information except for the purpose of providing these services.
If your site has links to other sites, you might insert a paragraph like this in your privacy notice:
This website contains links to other sites. Please be aware that we are not responsible for the content or privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of any other site that collects personally identifiable information.
If you ever collect data through surveys or contests on your site, you might insert a paragraph like this in your privacy notice:
Surveys & Contests
From time-to-time our site requests information via surveys or contests. Participation in these surveys or contests is completely voluntary and you may choose whether or not to participate and therefore disclose this information. Information requested may include contact information (such as name and shipping address), and demographic information (such as zip code, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the use and satisfaction of this site.
How Can You Use It?
You want to focus on company name or website name, the name of the site owner, company CEO, or web manager, and a few important details about purchases, service charges, and so on. Other than a few tweaks, a good template won’t require much else from you.
- California Online Privacy Protection Act (CalOPPA)
- General Data Protection Regulation (GDPR)
- Personal Identifiable Information (PII)
- Federal Trade Commission Fair Information Practices
In this article you will find information about:
- Why you should have one
- Guidelines for creating a policy
- Link to an automated policy generator
- What cookies are
- What info is collected
- What is done with the information
- How to reject / delete / accept cookies
- Explain there are no harmful technical consequences/risks
- Create a better electronic environment on the internet
- Laws / legislation may pertain to your business
By letting people know what info is collected and what is done with that information, you can create a transparent environment in which people / consumers are more confident. You can eliminate stress and concerns about abuse of personal info.
Various legislations and legal guidelines, for example in the US and in the UK, are being developed and may affect your website, depending on what information you collect, how you do it, and what you do with it. The European Union has developed similar guidelines that contain a bit too much legal rhetoric to be completely useful.
See resource list below for reference websites.
Your policy should be written in plain readable language. Consider the policy to be a part of your site. Design the policy and publish it like the rest of your site. Design it as if you actually want people to read it. Make it short, friendly & intuitive. It should be easily accessible throughout your site.
Tell your visitors why tracking cookies are good, why the information is beneficial, that it is used to improve websites and their content. Give an example. If you are collecting information, tell them what you do with that information. Give people an opportunity not to have their info collected, for example by blocking cookies. Explain how people can block cookies. Also explain that cookies are not harmful and cannot introduce viruses or extract personal contact information.
Why all the fuss?
There is an important distinction to be made here between cookies and spyware. Spyware collects information about your surfing habits across the internet and sends this information out from your computer. Cookies collect information about your surfing habits only on the site of the provider of the cookie, in other words just on one site.
From our research it appears that most people are concerned that their personal information may be passed on. In this case, there is an important distinction to make between two types of information which are collected:
- Personally identifiable info/ personal contact info
- Clickstream/ navigation info
Specific to concerns about cookies, the information being collected does not contain personally identifiable information. Clickstreams are used to see if people return to the same sites, and identify patterns.
When databases are combined, for example a membership & login base, with a clickstream tracking system, it is possible to combine personal information, such as an email address, with clickstreams. This is where the main cause for concern seems to lie.
The companies that do this, with the resources to combine clickstreams, past purchases, and personal information, are household names such as amazon.com, ebay, bbc, yahoo, etc.
Legislation in the UK:
Obviously there is a very real concern for a lot of people that their privacy is being abused. We would like to respond to these concerns, primarily through education, but also by opening up a dialogue on any related questions or ideas. Please feel free to write us, or post feedback on our support center.
Privacy Policies are Legally Required
Examples of personal information might include:
- Dates of birth
- Email addresses
- Billing and shipping addresses
- Phone numbers
- Bank details
- Social security numbers
- The types of information collected by the website or app
- The purpose for collecting the data
- Data storage, security and access
- Details of data transfers
- Affiliated websites or organizations
Business Name and Contact Details
Here is an example from Whole Foods:
Types of Personal Data You Collect
You are required to itemize the various types of personal data you collect from users directly and indirectly.
Budweiser provides a nice example:
Why You Collect Personal Data
Privacy laws require you to collect only the personal data you need, and to explain why you need it.
Here’s an example from Nestlé:
How the Data is Used
Here’s how Airbnb does this:
How You Share Data with Third Parties
Most websites use one or more third party tools to enhance site performance and user experience. Examples might include Google Analytics to understand website visitors, or AdSense for personalized advertising.
See how Instagram does this:
How to Opt Out of Data Collection
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.
Privacy Laws in the US
- The Americans With Disabilities Act
- The Cable Communications Policy Act of 1984
- The Children’s Internet Protection Act of 2001 (updated in 2013)
- The Computer Fraud and Abuse Act of 1986
- The Computer Security Act of 1997
- The Consumer Credit Reporting Control Act
- The Children’s Online Privacy Protection Act (COPPA)
- The California Online Privacy Protection Act (CalOPPA)
CalOPPA’s purpose is to provide protection of personal data collected from California residents. While CalOPPA is a state law and not a federal law, it very likely affects your website regardless of where you operate from because of the chance your website will attract California residents.
CalOPPA classifies “personally identifiable information” as:
- First and last names
- Physical addresses
- Email addresses
- Telephone numbers
- Social Security numbers
- Any other contact information shared with a business either physically or online
- Details of physical appearance (height, weight, hair color)
- Any other information stored online that may identify an individual
- Details of exactly what types of personal data are collected through the website or app
- Any affiliated organizations this data may be shared with
- A clear explanation of how users can request amendments to any personal data that is collected
- What happens if a user makes a “Do Not Track” request
- Details of third parties who collect personal data through the website or app
Include a “Do Not Track” Clause
“Do Not Track” — DNT for short — is a setting that can be activated on certain browsers to block behavioral tracking from third party services like Google Adwords.
Under CalOPPA, it is not mandatory for a website or app to follow a DNT request. However, websites must inform users if their website or app will respond to a DNT request or not.
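The two obligations above (informed consent before tracking cookies are set, as described for Argentina and the UK cookie guidance earlier, and a documented response to DNT) can both be enforced at the point where the server decides whether to issue a tracking cookie. The following is an added example written for this page, not code from the original article or from any of the sites it quotes; the consent cookie name `consent_analytics`, the `visitor_id` cookie and the lowercased header map (as Node's `req.headers` provides) are assumptions.

```javascript
// Added example (not from the original page): decide per request whether
// behavioral-tracking cookies may be issued, honoring both the user's
// recorded consent and the browser's DNT header. Cookie names and the
// lowercased header map are assumptions for this example.

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// DNT header semantics: "1" = user asked not to be tracked, "0" = user
// explicitly allows tracking, absent = no preference expressed.
function dntPreference(headers) {
  const v = (headers['dnt'] ?? '').trim();
  if (v === '1') return 'no-track';
  if (v === '0') return 'allow';
  return 'unset';
}

// Policy: DNT:1 always wins; otherwise tracking needs recorded consent.
// Returns the decision plus a reason string suitable for an audit log.
function trackingDecision(headers) {
  const cookies = parseCookies(headers['cookie']);
  const consent = cookies['consent_analytics'] === 'yes'; // assumed consent cookie
  const dnt = dntPreference(headers);
  if (dnt === 'no-track') return { track: false, reason: 'DNT:1 honored' };
  if (!consent) return { track: false, reason: 'no informed consent recorded' };
  return { track: true, reason: 'consent given and DNT not set' };
}

// Builds the Set-Cookie value for the analytics cookie, or null when the
// request must not be tracked. Secure/HttpOnly/SameSite limit exposure
// of the identifier if it is issued at all.
function analyticsSetCookie(headers, visitorId) {
  const decision = trackingDecision(headers);
  if (!decision.track) return null;
  return `visitor_id=${encodeURIComponent(visitorId)}; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample requests (header maps only) for demonstration.
const SAMPLE_REQUESTS = {
  dntUser: { dnt: '1', cookie: 'consent_analytics=yes' },
  consentingUser: { cookie: 'consent_analytics=yes; session=abc' },
  newVisitor: {},
};

for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, trackingDecision(headers), analyticsSetCookie(headers, 'v-0001'));
}
```

Whatever you decide to do with DNT, the reason string returned by `trackingDecision` is what you should be able to point to when a user asks why they were or were not tracked; if your policy is to ignore DNT, the code path for `no-track` simply goes away, but the privacy notice must then say so, as the Whole Foods example below illustrates.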
Here’s how Whole Foods lets users know that DNT requests will not be honored and provides a link to additional information about the topic:
CalOPPA also requires that the link to your privacy policy:
- Be clearly visible and easily accessible for visitors to your website or users of your app
- Contain the word “privacy” in the display link
Here is an example from Amazon where a Privacy Notice is clearly linked in the website footer:
Privacy Laws in the EU
On May 25, 2018, the EU General Data Protection Regulation (GDPR) replaced the Data Protection Directive (95/46/EC), which had been adopted in 1995.
The Data Protection Directive regulated the gathering and handling of personal information in the EU and protected it from misuse.
GDPR applies to both EU and non-EU companies that process personal data of individuals located in the EU (not only EU citizens).
GDPR requires that:
- All personal data must be processed lawfully, fairly and transparently.
- Data should be collected for predetermined reasons only, and the data must be used for these reasons alone.
- Data must be accurate and updated when requested.
- Except in specific circumstances, such as scientific research, data must be kept in a form that identifies the user only for as long as needed.
- The business collecting data is accountable for demonstrating its own adherence to GDPR; where it is a public authority or its core activities involve large-scale monitoring or processing of sensitive data, it must appoint a Data Protection Officer.
- The user must be able to contact the business collecting the data and, where one is appointed, its Data Protection Officer.
- Users must be made aware of the reasons why their data is being gathered and the length of time that it will be stored.
- Users must be advised of their right to access, update or request removal of their personal data.
- Users have the right to lodge a complaint with a supervisory authority, and the contact information for that authority must be provided.
- Users must be informed if their data is to be shared with any third parties or affiliated organizations, or if it will be transferred outside of the EU.
- Any other information the user needs to know to ensure fair processing of their personal data.
If your website or app collects personal data from individuals in the EU, then you are required to comply with GDPR.
Here’s a good example of how IKEA gets consent to collect personal information. Users must check a box when creating a profile that says they agree to having their personal information saved:
The GDPR represents a big change for data protection. This is true for both EU-based and non-EU businesses that collect personal data from individuals in the EU.
The enforcement of GDPR is much stricter than with previous regulations and will carry greater penalties for non-compliance.
Privacy Laws in Canada
Privacy Laws in Australia
Australia’s Privacy Act 1988 governs the handling of personal information. One of its key features is a list of 13 Australian Privacy Principles (APPs) that govern the gathering and processing of personal data.
Privacy Laws in the UK
Personal data in the UK was protected by the Data Protection Act 1998 (DPA), since superseded by the Data Protection Act 2018, which supplements GDPR. Like Australia’s Privacy Act, the 1998 Act was built around 8 Core Principles of Data Protection that all companies collecting personal data online in the UK had to adhere to:
Privacy Policies Required by Third-party Services
Campaign Monitor’s Terms of Service includes this clause covering personal information:
StudioPress discloses all third-party services that collect user information through their website as follows:
Google Analytics’ Terms of Service require your privacy policy to:
- State that you use Google Analytics to track user behavior
- Explain how data is collected and processed
Here’s an example of a cookie banner from Net-A-Porter:
The advertising features covered by these additional requirements include:
- Google Display Network Impression Reporting
- Google Analytics Demographics and Interest Reporting
When these features are enabled, Google’s Advertising Features policy requires your privacy policy to disclose:
- The Google Analytics Advertising tools that you use, and how and why you use these features.
- Your Cookies Policy, including a notice that cookies are used by third-parties to display relevant advertising to the user.
- Instructions on how users can opt-out of the Google Analytics Advertising features through Google’s Ad Settings.
- Information on Google’s DoubleClick cookies.
- Instructions on how users can opt-out of the use of DoubleClick cookies through Google’s Ad Settings.
Additional Requirements for EU Businesses
The above points apply to all websites and apps that use Google AdSense. Google’s EU User Consent Policy adds further requirements for sites that serve users in the EU, wherever the business is based. Your cookie notice must explain:
- The different types of cookies that are used
- Details of any cookies from third parties that may be used
- Why cookies are used and how they are placed on devices
As with other cookie alerts, this is usually done through a pop-up or banner that clearly explains that cookies are in use and directs the user to further information on this matter.
Consent to place cookies must be obtained from the user actively, meaning users must click a button, check a box or take some other deliberate action to confirm they consent.
Active consent, also called affirmative or explicit consent, requires the user to confirm with a checkbox or an “I agree” button; it must also be informed, which means the notice explains what the user is agreeing to before they act.
Here is an example of active consent for cookies from Wembley that includes a user-friendly explanation of the type of cookie used and why. The blue “I’m Happy With This” button is what distinguishes this type of consent from passive consent.
Passive consent to place cookies on a user’s device (for example, a banner stating that continuing to browse counts as acceptance) is no longer valid under GDPR. Here is an example of passive consent for cookies from Calvin Klein’s website:
Everything you need to know about GDPR
GDPR gives companies a new set of rules for sharing data online
Privacy Policies are Mandatory by Law
A Privacy Policy is the document in which you specify what personal data you collect from your users, why you collect it and how it is handled.
What kind of personal data is personal enough to identify an individual? There’s a lot that can fall into that category:
- Email address
- First and last names
- City or town plus country
- Social security number
Data that looks anonymous on its own (a device ID, a postcode, a browsing history) can still be “personally identifiable information” if, combined with other data you or a third party hold, it can be linked back to an individual. Only data that cannot be re-identified by any reasonable means is truly anonymous.
*Editor’s note: The video above has outdated content regarding EU laws. The article content is updated as of November 21, 2018. We apologize for any inconvenience this may cause.
In United States
There are several federal and state laws with provisions on data privacy. The Federal Trade Commission (FTC) enforces consumer privacy nationally under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, including privacy policies that a business does not actually follow.
- The Americans With Disabilities Act
- The Cable Communications Policy Act of 1984
- The Children’s Online Privacy Protection Act (COPPA)
- The Computer Fraud and Abuse Act of 1986
- The Computer Security Act of 1987
- The Consumer Credit Reporting Control Act
- The California Online Privacy Protection Act (CalOPPA)
In Australia
The Privacy Act 1988 regulates the handling of personal information about individuals, covering the collection, use, storage and disclosure of personal information.
It sets out 13 Australian Privacy Principles that every company required to comply with the Privacy Act must follow.
In the UK
The Data Protection Act 1998 (or DPA) was the law on privacy in the United Kingdom until May 25, 2018, when the Data Protection Act 2018 replaced it to supplement GDPR.
Companies that had to comply with the UK’s DPA 1998 followed its 8 principles, condensed here:
- Any kind of personal data from users must be collected in a specified and lawful way. The data also cannot be processed in any way that’s incompatible with that purpose.
- The personal data you collect should be adequate, relevant and not excessive in relation to the purpose for which you’re collecting the personal data.
- The personal data should be kept up to date and accurate.
- Any kind of personal data collected from users should not be kept longer than is necessary for the purpose which it was collected for.
In Canada
PIPEDA, the Personal Information Protection and Electronic Documents Act, is Canada’s federal law on protecting personal information in the private sector.
Under the PIPEDA Act, personal information means:
information about an identifiable individual, whether recorded or not, and the Act applies to the collection, use and disclosure of personal information by organizations in the course of commercial activities.
“Organizations” include associations, partnerships, persons and trade unions. “Bricks-and-mortar” and e-commerce businesses are covered by the Act.
In the European Union (EU)
The General Data Protection Regulation (GDPR) regulates the processing of personal data within the European Union. This regulation has strict requirements with global reach for companies that deal with individuals located in the EU.
In other countries
India incorporates data protection provisions in its Information Technology (IT) Act 2000.
Singapore, Malaysia, South Korea and Vietnam
- In Singapore it’s the Personal Data Protection Act 2012 (PDPA).
- It’s also called the Personal Data Protection Act (PDPA) in Malaysia. Malaysia’s PDPA Act came into force in November 2013.
- In South Korea it’s called Personal Information Protection Act and it came into force in 2012.
- In Vietnam, it’s Article 21 of the Law on Information Technology
*Editor’s note: The presentation above has outdated content regarding EU laws. The article content is updated as of November 21, 2018. We apologize for any inconvenience this may cause.
Requirements from third-parties
- Android apps have the same requirement as iOS apps: the Developer Distribution Agreement for the Google Play Store requires you to have privacy procedures and notices in place.
Dec 9, 2018
3 Things You Should Know About Europe’s Sweeping New Data Privacy Law
It’s one of the biggest data privacy laws in over 20 years. The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. These regulations will impact businesses that process personal data of individuals in the EU, even if the company has no physical presence in Europe. This means that the GDPR applies to US websites as well.
If you are a US company with a website and you receive traffic from European Union visitors, regardless whether you market your products or services to European markets, listen up.
Here’s what every US business needs to know about the new data privacy rules, GDPR requirements and deadlines.
What is GDPR and Why Should I Care?
GDPR, which stands for General Data Protection Regulation, was passed back in May 2016. In an effort to establish “digital rights” for European Union citizens, the EU gave websites two years to comply with the new set of personal data protection and privacy rules.
GDPR Goes Into Effect May 25, 2018.
No matter where you are based, the GDPR will apply to any organization that collects and stores personal data* on European Union users on their website as of May 25, 2018.
What Does Personal Data Include Under GDPR?
According to the European Commission, personal data* includes, “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
- Identification information: name, telephone, physical and email address and government ID numbers
- Website data: location, IP address, cookie histories and RFID tags
- Health, mental and genetic data
- Biometric data
- Racial, cultural or ethnic data
- Political opinions
- Sexual orientation
- Tagged photos
How will GDPR Impact US Websites?
Because they decide why and how personal data is processed, US businesses whose websites collect personal information are data controllers under GDPR and will be held accountable for any data they collect, process or share about an individual in the EU.
If a customer’s information is misused on a US website, or a security breach is not reported correctly, the organization risks steep financial and legal penalties. If you do nothing to comply, you’re looking at potential fines of up to 4% of annual global turnover or 20 million euros ($23,714,240 U.S. dollars), whichever is greater.
Steps to Ensure GDPR Compliance for US Websites
As you can imagine, compliance will be difficult for small (even large) U.S. businesses who operate websites and may receive web visits from European residents.
GDPR requires companies that collect personal data on their websites to first ask for consent.
For example, let’s say you run an advertisement promoting a white paper. But in order for users to access your piece of content, you ask them to complete a form with their name and email address.
What can be done with this captured data?
Once the “transaction” has been fulfilled by sending the white paper, the purpose you collected the details for is exhausted, and you have no lawful basis to keep them or to reuse them for marketing. Unless you make some changes…
Thankfully we have some tips to help you get started with GDPR website compliance right away:
- Edit all forms to state your company name (the controller) and add a description of what the user is signing up for
- Ensure all forms and other data collection methods on websites are explicitly opt-in (note: a tick-box must not be pre-ticked)
- Make it easy for users to opt-out or unsubscribe
- Add a cookie alert banner
If you already have a form that has a pre-ticked box, you’ll need to update that before May 25 to reflect the above.
Now, what about all that personal information that’s already stored within US. websites?
By law, organizations are not allowed to market to anyone on that list who did not explicitly agree to be marketed to. So, before May 25, send all of your contacts an email with a form asking them to re-consent to receiving your newsletter and product or service offerings, and keep a record of who consented and when.
As a Facebook advertiser, GDPR has changed the rules for collecting, processing and storing data on EU individuals. Additionally, those using Facebook pixels on a website and/or custom audiences are also liable to comply with GDPR regulations.
Marketers may continue to advertise on Facebook, but they are responsible for ensuring GDPR compliance. Complying with GDPR within Facebook means that brands must first gain users’ consent before utilizing their information, inform subscribers on how their data will be used and show or delete users’ information, if requested.
One of the key requirements of the GDPR regulation is that user consent must be “freely given, specific, informed and unambiguous.” This means that if your business collects personal data, such as names and email addresses and has been sending email newsletters or promotions without confirming their consent, you could be in hot water.
Mailchimp offers simple tools related to consent to help businesses stay compliant with the latest GDPR laws.
- Start a new GDPR-compliant list for all future email campaigns.
- Design GDPR-friendly forms that are consistent with your brand.
- Respond quickly to data requests from contacts.
- Stay protected with transparent data policies.
Google Analytics GDPR
The changes brought on by GDPR directly impacts online marketing efforts, particularly those used for Google Analytics. Every businesses must adapt to the new requirements, which can be tricky at first.
To ensure your business is using Analytics in compliance with GDPR, start by auditing the data you already hold, anonymize potentially personal identifying information (PII) such as IP addresses, and obtain explicit consent before loading the Google Analytics script at all. A consent pop-up or banner should give first-time visitors, as well as returning visitors, the chance to opt in or out, and the absence of a choice must be treated as “no”.
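The consent gate described above, which also covers the active-versus-passive cookie consent and Do Not Track passages earlier on this page, as an added JavaScript example; it is not code from the original page, from Google or from any vendor named here. The storage key, the consent record format, the decision to treat a “DNT: 1” browser as “skip” without showing a banner, and the injected loadScript callback are all assumptions made for the example; anonymize_ip and allow_ad_personalization_signals are real gtag.js settings for Universal Analytics properties. The logic is kept free of DOM calls so it can be unit-tested outside a browser.

```javascript
// Consent-gated analytics loader (added example, not from the original page).
// Rules modelled: no stored choice is NOT consent, a malformed or outdated
// record is NOT consent, a DNT:1 browser is skipped, and the analytics script
// is injected only after an explicit, recorded opt-in, with IP anonymization.

const CONSENT_KEY = 'cookie_consent_v1'; // assumed localStorage key
const POLICY_VERSION = 1;                // bump when the cookie policy changes

// Parse a stored consent record. Returns null unless it is a well-formed,
// explicit choice recorded under the current policy version.
function readConsent(rawValue) {
  if (typeof rawValue !== 'string') return null;
  let record;
  try { record = JSON.parse(rawValue); } catch (e) { return null; }
  if (!record || typeof record !== 'object') return null;
  if (record.version !== POLICY_VERSION) return null;     // policy changed: re-ask
  if (typeof record.analytics !== 'boolean') return null; // must be an explicit yes/no
  if (typeof record.timestamp !== 'string') return null;  // when consent was given
  return { analytics: record.analytics, timestamp: record.timestamp };
}

// Read the browser's DNT signal ('1', '0', 'unspecified' or null). `nav` is
// injectable for testing; in a page it defaults to window.navigator.
function browserDntSignal(nav) {
  const n = nav !== undefined ? nav : (typeof navigator !== 'undefined' ? navigator : null);
  if (!n) return null;
  const v = n.doNotTrack !== undefined ? n.doNotTrack : n.msDoNotTrack;
  return (v === undefined || v === null) ? null : String(v);
}

// Decide what to do on page load: 'load', 'skip' or 'ask'.
// An explicit stored choice wins; without one, nothing loads (passive consent
// is not consent). Honouring DNT is voluntary; treating DNT:1 as "skip" here
// is a design choice of this example, not a legal requirement.
function decideOnLoad(stored, dnt) {
  const consent = readConsent(stored);
  if (consent) return consent.analytics ? 'load' : 'skip';
  if (dnt === '1') return 'skip';
  return 'ask';
}

// Build the record to store after a banner action. `analyticsChecked` must
// reflect a box the user ticked themselves; never pass a pre-ticked default.
function recordChoice(analyticsChecked, now) {
  if (typeof analyticsChecked !== 'boolean') {
    throw new TypeError('consent must be an explicit boolean choice');
  }
  return JSON.stringify({
    version: POLICY_VERSION,
    analytics: analyticsChecked,
    timestamp: now.toISOString(),
  });
}

// gtag.js configuration applied once consent exists: anonymize_ip truncates
// the visitor IP before storage; ad personalization signals are disabled.
function analyticsConfig(measurementId) {
  return {
    [measurementId]: { anonymize_ip: true, allow_ad_personalization_signals: false },
  };
}

// Entry point. loadScript(url, config) is injected so the logic runs outside a
// browser; in a page it would append <script src="url"> and call gtag('config', ...).
function initAnalytics(stored, dnt, measurementId, loadScript) {
  const action = decideOnLoad(stored, dnt);
  if (action === 'load') {
    const url = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId);
    loadScript(url, analyticsConfig(measurementId));
  }
  return action;
}

// Browser wiring (runs only when a DOM is present):
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const stored = window.localStorage.getItem(CONSENT_KEY);
  const action = initAnalytics(stored, browserDntSignal(), 'UA-XXXXXX-Y', (url) => {
    const s = document.createElement('script'); s.async = true; s.src = url;
    document.head.appendChild(s);
  });
  if (action === 'ask') { /* show the consent banner; on "I agree" store recordChoice(true, new Date()) */ }
}
```

The banner's "I agree" handler should call recordChoice with the checkbox's actual state and then re-run initAnalytics; a "decline" click stores recordChoice(false, …) so the user is not asked on every visit. Bumping POLICY_VERSION invalidates old records, which forces a fresh consent whenever the cookie policy changes.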
The physical location of an organization does not impact GDPR compliance; it is the physical location of the individual whose data is being collected, processed or stored that matters. Even if you’re a US company, chances are probably that you have European Union residents in your database.
GDPR covers all of the European Union (EU) Member States, which includes: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. At the time of writing (2018), the United Kingdom, including the Channel Islands, England, Northern Ireland, Scotland and Wales, is still part of the EU and thus governed by GDPR.
GDPR also applies in the European Economic Area (EEA) countries Iceland, Liechtenstein and Norway, as well as in the EU’s outermost regions, which are part of the EU though not geographically in Europe. These include: Azores, Canary Islands, Guadeloupe, French Guiana, Madeira, Martinique, Mayotte, Réunion and Saint Martin.
GDPR For Dummies
In the most simple terms, the General Data Protection Regulation (GDPR) is a game-changing data privacy law that has set guidelines for collecting and processing personal information of individuals within the European Union (EU). It is the biggest change in data protection laws in the past 20 years.
Among other things, the regulation gives individuals:
- The right to decide, through clear and affirmative consent, whether a company may use their personal data
- The right to have their personal data erased so that a company no longer holds it
- The right to know whether, and with whom, their personal data is shared or disclosed
Those who don’t comply with the GDPR may face a fine of up to 20,000,000 euros, or up to 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Simply put, GDPR is a regulation that businesses must take seriously.
California Consumer Privacy Act
Following in the footsteps of GDPR, California approved a new regulation set to go into effect January 1, 2020. The California Consumer Privacy Act is very similar to the GDPR law, providing residents living in CA the right to control the data that companies collect on them.
To prepare for this new regulation, businesses must first become aware. Check. And then start identifying potential data risks, keeping only the personal information necessary to service direct business and legal needs.
GDPR Article 28: What Processors Need To Do
According to Article 28, a data processor must be GDPR compliant; processing data according to the requirements of the data controller. Under the GDPR, processor refers to a legal person, public authority, agency or other body which processes personal data on behalf of the controller. The controller is “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.” Two common examples of a controller are a business obtaining client or employee details or a school holding student records.
These requirements must be specified in a written controller/processor contract, and the processor must make available the information needed to demonstrate compliance and allow for audits by the controller.
Facebook and Google Hit with GDPR Lawsuits
On the first day that the GDPR law went into effect, both Facebook (WhatsApp) and Google (Android operating system) were hit with lawsuits accusing them of coercing users into sharing their personal data through terms and conditions.
The lawsuits suggest that both companies were in breach of GDPR because they followed a “take it or leave it approach” to gaining users consent. Both Facebook and Google claim that the necessary steps have been taken to ensure compliance with the new regulations.
Google’s GDPR Lawsuit: Just the Tip of the Iceberg
As one of the largest handlers and processors of people’s data in the world, it’s not a surprise that Google was one of the first to be hit with a record fine for breaching the GDPR. But it’s not just global businesses that need to be aware. Almost all large companies, as well as many small to medium sized businesses must be prepared for the GDPR and modify business models and provision of services.
Amazon, Netflix, Spotify, YouTube Accused of Breaking Data Regulations
In January, a data privacy activist, noyb, targeted YouTube, Netflix, Amazon, Apple, Spotify, and Soundcloud, alleging that they’re all in violation of GDPR. According to the GDPR, data must be both machine-readable and easily understood by customers. Noyb said that only some of the data was “intelligible,” as some parts were supplied in a format that could not be understood by individuals.
Also, each of these “streaming giants” failed to supply additional information to which people are entitled, such as a list of other companies with whom their data was shared.
Shopify GDPR: What Online Store Owners Need to Know
While every business is different, GDPR compliance remains the same for shop owners. First, regardless of where a business is based, GDPR applies to all companies that offer products or services to consumers located in Europe. The law empowers Europeans to have a say in exactly how their data is being used. As a result, store owners should only collect the data they need, not assume compliance, and make terms and conditions really (really) clear.
Put it all out in the open. It’s the simplest (and safest) ways to stay protected from concerns about GDPR compliance.
GDPR WordPress: What You Need To Know
Unsure how GDPR is impacting your WordPress site? If you are storing or processing data, such as contact forms, analytics, online marketing, membership sites, online stores, etc., it’s vital to ensure your website is GDPR compliant.
Consider adding an extra layer of transparency, especially if you are storing information for marketing purposes. Do this by getting explicit consent from users via a simple consent checkbox with a clear explanation and also complying with data-deletion requests.
WordPress GDPR Plugin
Several WordPress plugins can help to automate compliance for GDPR. From privacy preference management, data breach notification logs and telemetry trackers for visualizing website data, this plugin is designed to assist Controllers, Data Processors, and Data Protection Officers (DPO) in their efforts to meet the obligations enacted under the GDPR.
However, be aware that due to the dynamic nature of websites, no single plugin can offer 100% compliance. Therefore, it is advised to double check all settings, refine consent management and assess unique responsibilities to meet obligations required by law.
7 GDPR Principles
When collecting, processing and/or managing personal data, organizations must follow seven key principles under GDPR (Article 5 lists them formally as lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability). The rights and obligations below put those principles into practice and should lie at the heart of your approach to processing personal data.
- Consent- You need clear and affirmative action from individuals to process their personal data.
- Right to Access – Individuals have the right to know what data you have of theirs and what you are going to do with it. You must be prepared to provide them an electronic copy upon request.
- Right to Erasure – Individuals have the right to require the deletion of their data at any time.
- Data Portability – Individuals have the right to require organizations transmit their data to another company.
- Breach Notification – In the event of a personal data breach, the supervisory authority must be notified within 72 hours of becoming aware of it, and affected individuals must be notified without undue delay when the breach is likely to result in a high risk to them.
- Privacy by Design – Data protection measures must be incorporated into the design of systems from the very beginning, not added later. Companies may only hold and process the data that is necessary for the purpose (data minimisation), and must limit access to that data.
- Data Protection Officers – Public authorities and companies whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data must appoint a Data Protection Officer, who acts independently to assess regulatory compliance.
GDPR and Salesforce
Ensuring that your Salesforce is GDPR compliant for e-commerce begins with reviewing existing customer data you have on file, monitoring the customer data you collect, and establishing a strategy.
Always document compliance, copies of privacy notices and consent forms; conduct regular risk assessments to review controls and processes; and notify data controllers of any data breaches as soon as they occur.
While every business is different, data collection and storage practices (including marketing and sales processes) must comply with GDPR. If you use tools like Hubspot or Salesforce, make sure you have a system for recording consent. Include the how and when you received it and any updates made to consent information.
The GDPR builds in two rights for data subjects: a “right to be forgotten” (erasure), under which controllers must also inform downstream recipients of the data about the deletion request, and a “right to data portability”, under which data subjects can demand a copy of their data in a commonly used, machine-readable format. In practice this means your CRM must be able to locate, export and delete a contact’s records, and your contacts should be able to easily opt in or out of each kind of communication (email, SMS, phone messages, marketing messages, etc.).
The Cost of Non-Compliance
It pays to play nice. If you take steps to mitigate any possible damage, warnings may be issued. However, negligence or any attempt to hide bad practices can lead to steep penalties.
As stated above, expect to see fines of up to 20 million Euros ($22,734,300) or 4 percent of annual global turnover, whichever of both is highest.
Understanding which infringements these penalties apply to could be key to your business avoiding fines. If you receive a written warning, take it seriously, as you most likely won’t get one again.
According to the FAQ page, Twitter complies with the GDPR by using the Twitter International Company (an Irish commercial entity) as the controller of data outside the United States. In addition, Twitter International Company has Data Transfer and Processing Agreements with Twitter, Inc., within the U.S., and its affiliates, which allow Twitter, Inc., to process personal data.
In other words, if you are using Twitter for business (or Instagram, Facebook, LinkedIn, etc.), ensure your organization is taking good care of the data you’re working with and that you are obtaining clear consent for the data gathered.
Opt-In: GDPR-Friendly Email Marketing
One of the biggest questions when it comes to GDPR and email marketing is the contact list and if you can keep emailing those who were on your mailing list prior to May 25, 2018.
If your mailing list includes subscribers who were automatically opted-in – whether through a pre-checked box or via a purchased mailing list, then you will need to gain consent from them again. Recital 32 states, “Silence, pre-ticked boxes or inactivity should not constitute consent.”
In addition, make it easy for them to withdraw consent. And explain how. According to Article 7(3), “The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.”
Unsure how to regain consent? Just ask! Just remember to get permission and store record of it when you do.
Consent doesn’t just mean gaining affirmative consent. It also requires your organization to make it easier for people to understand what their consent actually means. As you might imagine, urging your audience to actively consent to having their data used for marketing purposes is much easier said than done.
GDPR Unsubscribe Rules
If contacts want to unsubscribe from emails and newsletters, make it easy for them. The unsubscribe process must be clear and simple with a visible unsubscribe link in every email where you subscriber can do the following:
- Unsubscribe to that particular marketing communication
- Easily unsubscribe to all of your communications
- Contact a specific return email address
GDPR Website Checklist
According to GDPR, websites must notify visitors that they are using cookies, location data and any other personal information that users are about to provide.
Are you ready? Here are a few points that website owners should take care of to be GDPR compliant:
- Offer the option to withdraw consent (opt-out).
- Provide a separate consent from the Terms & Conditions.
- Ask for less information.
- Ensure nothing is checked off by default.
- Boost overall security of the website by serving it over HTTPS with a valid TLS certificate.
- Appoint a Data Protection Officer where GDPR requires one, and make their contact details available.
- Notify users if a website has integrated a 3rd party tool to track IP addresses.
- Gain clear consent to process data for cookies.
- In the event of a data breach, have a procedure in place to notify all users.
As you can see, this transition is going to be tricky. If you need help making your US websites GDPR compliant, get in touch ASAP to see how CMDS can help.