Expanding your business operations across international borders opens up a world of opportunity, but it's not without its legal complexities.
For one, you'll have to consider which country's law will govern your contractual relationship with customers (i.e., the "choice of law"). Another related consideration is the cross-border requirements of global privacy laws that can apply regardless of your business's location.
To help you make sense of it all, this article examines the choice of law considerations for cross-border activities. We'll also look at a few privacy laws to account for as well as relevant disclosures to include in your Terms and Conditions and Privacy Policy.
- 1. Understanding Choice of Law: The Basics
- 2. Why Choice of Law Matters in Cross-Border Operations
- 3. Privacy Laws and Cross-Border Operations
  - 3.1. General Data Protection Regulation (GDPR) - EU/EEA
  - 3.2. California Privacy Laws - CalOPPA and CCPA/CPRA
    - 3.2.1. CalOPPA
    - 3.2.2. CCPA/CPRA
  - 3.3. Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
  - 3.4. The Privacy Act of 1988 - Australia
  - 3.5. Personal Information Protection Law (PIPL) - China
- 4. Key Considerations When Deciding Choice of Law for Cross-Border Operations
- 5. How to Draft Your Choice of Law Clause
  - 5.1. In Your Terms and Conditions
  - 5.2. In Your Privacy Policy
- 6. Summary
Understanding Choice of Law: The Basics
When you sell products or services online, your business enters into contracts with customers who may be located in different regions.
Even within the same country, states and provinces often have their own distinct legal frameworks that govern how contracts are interpreted and how disputes are resolved.
This diversity complicates things since multiple legal systems could claim authority over the same transaction. That's where the choice of law (also known as governing law or applicable law) comes in.
Typically included in a Terms and Conditions agreement, the choice of law is a preemptive decision about which law(s) will govern your contract with customers.
Think of it as setting the ground rules before a game. Both parties agree upfront on which laws determine their rights, obligations, and dispute resolution process.
Here's an example of what this clause looks like from Amazon:
Keep in mind that the choice of law only covers your direct contractual agreement with the customer. It doesn't override other legal commitments (e.g., data privacy obligations) imposed by applicable laws.
Why Choice of Law Matters in Cross-Border Operations
Without a clear choice of law, your business could face the costly and time-consuming challenge of navigating conflicting foreign legal systems. By contrast, including a choice of law provision in your contract removes uncertainty about which rules apply.
The stakes change dramatically when your business operates across international borders. Laws vary so much between countries that a perfectly valid contract in one might be completely unenforceable in another.
This predictability helps your business:
- Handle disputes more efficiently
- Plan operations with clear legal boundaries
- Build trust with customers through transparent legal terms
- Reduce legal costs and delays by avoiding conflicts over applicable laws
Here's an example of a choice of law clause drafted for international business operations from Adobe:
Adobe provides a relatively robust choice of law provision. This is because the company uses different contracting entities to oversee its operations based on where customers reside.
For businesses with simpler cross-border operations (e.g., shipping, ecommerce, etc.), a concise statement of the choice of law, jurisdiction, and dispute resolution terms will suffice.
Here's an example from The Washington Post:
Keep in mind that some countries can specifically require your dealings with their residents to be governed by their local laws.
Because of this, it's important to be familiar with the contract law in your customers' countries and adapt accordingly. You can also note this in your Terms and Conditions like Dropbox does here:
Privacy Laws and Cross-Border Operations
Privacy laws are an exception to the choice of law provision. Unlike with the choice of law, you can't preemptively choose which privacy laws to follow.
As long as you collect or handle the personal data (think names, home addresses, phone numbers, financial details, etc.) of customers in other countries, you must comply with their privacy laws even if your choice of law claims the laws of your home country.
In many cases, simply having a website or app that targets customers in a region (e.g., supports their local currency) may be enough to trigger privacy obligations for your business and privacy rights for customers.
With that said, let's briefly look at a few of the most prominent and far-reaching privacy laws to take note of during your cross-border operations.
General Data Protection Regulation (GDPR) - EU/EEA
The GDPR is the gold standard of privacy laws and has one of the broadest scopes globally. It applies extraterritorially, meaning it covers businesses regardless of their physical location.
More specifically, the GDPR applies to any business that targets EU residents to sell products or services, collect and process their personal data, or monitor their behavior.
Among its many requirements, the GDPR requires businesses to:
- Obtain explicit consent for data collection
- Establish a lawful basis before processing personal data
- Uphold privacy principles like data minimization and purpose limitation
- Implement robust data protection mechanisms and report breaches within 72 hours
- Help exercise consumer rights, including the right to request access, correction, deletion, and portability of their personal data
When it comes to cross-border operations, the GDPR imposes additional obligations for data transfers outside the EU.
In short, if your international business dealings involve transferring EU residents' personal data to non-EU countries, you'll need to implement safeguards like adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs).
Here's how Spotify notes its EU data transfer safeguards in its Privacy Policy:
Note that GDPR violations can result in substantial fines of up to €20 million or 4% of your business's global annual turnover - whichever is higher.
California Privacy Laws - CalOPPA and CCPA/CPRA
At the time of writing, the United States doesn't have a federal privacy law. Instead, individual states have enacted their own laws to protect their residents' data and regulate the practices of applicable businesses.
As one of the first states to enact several world-renowned privacy laws, California is considered a leader in this sphere. Let's briefly check out its main privacy laws.
CalOPPA
The California Online Privacy Protection Act (CalOPPA) requires all commercial websites and online services (even beyond the U.S.) that collect personally identifiable information from Californians to publish a clear and conspicuous Privacy Policy.
Specifically, CalOPPA requires that your Privacy Policy outlines what personal data you collect, how it is used, whether you share it with third parties, and how you respond to "Do Not Track" requests.
The law also requires that you promptly inform customers of changes to your Privacy Policy. Keep in mind that non-compliance with CalOPPA attracts a maximum penalty of $2,500 per violation.
CCPA/CPRA
Like CalOPPA, the California Consumer Privacy Act and its amendment, the California Privacy Rights Act (together, the CCPA/CPRA), also have an extraterritorial reach but impose much more comprehensive requirements on applicable businesses.
It specifically applies to for-profit businesses that collect or process the personal information of California residents and meet specific thresholds:
- Generate over $25 million in annual revenue
- Buy/sell/share personal data of 100,000 or more consumers annually
- Derive 50% or more of their revenue from selling consumer personal information
Under the CCPA/CPRA, Californians have several rights, including the right to know, access, delete, and opt out of the sale or sharing of their personal information.
Businesses, on the other hand, must provide clear notices about their data processing practices and respond to consumer requests within specified timeframes (among other obligations). CCPA/CPRA penalties can get as high as $7,500 per intentional violation.
Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that governs how private sector organizations collect, use, and disclose personal information. It applies extraterritorially if your commercial activities have a "real and substantial connection to Canada."
Among other requirements, PIPEDA requires businesses to uphold ten "fair information principles," obtain valid consent when necessary, and honor consumers' rights to access, correct, and delete their personal information.
While PIPEDA doesn't include rules for cross-border data transfers, the federal Privacy Commissioner's guidelines require businesses to inform consumers that their personal information may be transferred outside Canada and accessed by the authorities of the receiving country.
As an incentive against non-compliance, PIPEDA allows for potential fines of up to CAD 100,000 for violations.
The Privacy Act of 1988 - Australia
The Privacy Act of 1988 is the primary legislation regulating privacy protections in Australia. It applies to public and private sector organizations doing business in Australia or offering products and services to its residents.
The Privacy Act is built around 13 Australian Privacy Principles (APPs), which cover everything from observing Privacy by Design principles to obtaining consent for sensitive information to implementing adequate data security measures.
For cross-border data transfers, the 8th APP requires accountability. Businesses must ensure that any Australian's personal data transferred overseas remains protected. If a foreign recipient mishandles data or suffers a data breach, the sending organization can be held responsible.
Personal Information Protection Law (PIPL) - China
The Personal Information Protection Law (PIPL) is China's comprehensive privacy law that regulates the collection and processing of personal data. It applies extraterritorially, affecting any business that handles Chinese residents' data, regardless of location.
Among other requirements, the PIPL requires localization of critical personal data within Chinese borders and explicit consent for sensitive data.
A unique provision under the PIPL is the need for organizations to conduct security assessments before transferring personal information outside China. Companies must also designate a representative within China to handle data protection responsibilities.
Potential penalties are substantial, with fines of up to RMB 50 million or 5% of the previous year's annual revenue.
Key Considerations When Deciding Choice of Law for Cross-Border Operations
While you do have the freedom to choose which country's law governs your international business dealings, you can't simply pick any you prefer. Courts look for meaningful connections between your choice of law and your business operations.
In other words, your choice of law needs to make sense based on where and how you do business. A U.S. company selling mainly to U.S. customers can't select Malaysian law without any actual connection there.
Usually, your home country makes the most practical choice. Local laws may be more familiar to you and your legal counsel, making dispute resolution easier.
That said, you can choose another country's law if it offers clear benefits and reflects meaningful business ties. When it comes to cross-border operations, the following can constitute a relevant connection for your choice of law:
- Your customer's location
- Where the transaction occurs
- The delivery location of your product or service
- The location of your server or data storage center (if your business operates online)
To make an informed choice, we recommend consulting a legal expert familiar with international business law before deciding on your choice of law.
How to Draft Your Choice of Law Clause
A well-drafted choice of law clause works to protect your business interests in cross-border transactions while maintaining enforceability.
Here's how to draft this clause in legal agreements like your Terms and Conditions and Privacy Policy.
In Your Terms and Conditions
Your Terms and Conditions agreement is the legal document that contains your business's house rules. It's also the ideal place to include your choice of law clause.
When drafting the clause, you'll need to address three critical areas:
- The Choice of Law: Clearly state which country's or region's laws will govern the agreement. Even a simple statement like "This agreement is governed by the laws of Ireland" works well. To make your clause enforceable, remember to choose a law connected to your business operations, such as where your company is incorporated or where the transaction occurs.
- The Jurisdiction: Next, clarify which courts will hear disputes. Your chosen jurisdiction should ideally align with your choice of law. It's impractical, for instance, to apply Japanese law but require disputes to be resolved in a Florida court.
- Dispute Resolution Options: Decide whether disputes should first go through mediation or arbitration before reaching a court. Also, include relevant details:
  - Who bears the legal costs
  - Whether the resolution will be binding
  - Where arbitration or mediation will take place
Here's how Adidas presents its applicable law and jurisdiction clause in its Terms and Conditions:
And here's how Spotify's French Terms agreement presents its applicable law, mandatory arbitration, and jurisdiction, using a table to keep things crystal clear:
Again, it's important to consult a legal expert familiar with cross-border agreements. This way, you can be sure your choice of law is both enforceable and benefits your business.
In Your Privacy Policy
While you typically won't find a choice of law clause in a Privacy Policy, you may find a dispute resolution clause, which pretty much echoes the dispute resolution terms in a choice of law clause.
All you have to do here is clearly explain your process for handling disputes and include a way for customers to submit their complaints.
Here's an example of how this clause might look from Oracle:
And here's another example from ProQuest:
Summary
A choice of law provision removes the guesswork about which laws govern your business, which is especially vital in cross-border operations. It provides clarity, reduces uncertainty, and supports smoother international partnerships.
Including this clause in your Terms and Conditions also helps your customers understand what to expect before doing business with you. That said, your choice of law can't be arbitrary. It needs to connect to your business in a meaningful way.
Privacy laws are an exception. Unlike with the choice of law, compliance with applicable privacy laws isn't negotiable or subject to choice.
A few major privacy laws to consider when facilitating cross-border operations include the EU's GDPR, CalOPPA, CCPA/CPRA, Canada's PIPEDA, Australia's Privacy Act of 1988, and China's PIPL.
Keep in mind that non-compliance with these laws can be costly, sometimes even amounting to millions of dollars.