In this article, we'll be answering some common questions about privacy for businesses.
This is a very important area for any business, particularly if it has a strong online presence. The legal requirements are increasingly demanding and can get complicated.
In this article we'll be covering:
- Why privacy law is important
- Some of the terminology involved in online privacy
- Some key requirements under the strict privacy laws of the European Union (EU) and California
Read the entire FAQ straight through as an informative overview, or skip around in the table of contents to find specific questions you may have and read the answers.
- 1. What are privacy laws?
- 2. Why are privacy and security important?
- 3. What is considered personal data?
- 4. How do you keep data safe and secure?
- 9. What is the GDPR regulation?
- 11. What are the six principles of the GDPR?
- 12. What is the California Consumer Privacy Act (CCPA/CPRA)?
- 13. What does the CCPA (CPRA) do?
What are privacy laws?
Privacy laws (and data protection laws) are all about protecting people's personal data from being exploited.
Some important privacy laws include:
- The California Online Privacy Protection Act (CalOPPA) in the United States
- The General Data Protection Regulation (GDPR) in the European Union
- The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
More and more privacy laws are being developed, with many more expected in the future. See our article "Privacy Laws By Country" for an up-to-date directory.
Privacy laws can cover business activities such as:
- Collecting information about individuals (personal data)
- Direct marketing
- Tracking people's behavior
"Tracking people's behavior" used to be the activity of state surveillance agencies and private investigators. Now, people's behavior is tracked (both online and in the "real world") by businesses hoping to learn something about the sorts of products people might wish to buy.
Privacy law is now an important consideration for practically every business. This is partly a result of the proliferation of "behavioral marketing," enabled via technology such as cookies and GPS analysis.
But even if your business doesn't engage in such practices, privacy law could apply to your employee records, customer lists, and even your website's log files. If you collect even just an email address from potential customers, privacy laws will apply to you.
Why are privacy and security important?
Privacy and security are important for many reasons.
Privacy is a fundamental human right. It has been acknowledged, to some degree, by practically every society in the world.
As well as national and regional data protection and privacy laws, a fundamental right to privacy is recognized in:
- The United Nations Declaration of Human Rights
- The European Convention on Human Rights
- The European Union Charter of Fundamental Rights
As people's lives move more and more online, they are revealing more and more information about themselves to an ever-wider network of businesses and organizations.
Many people are happy to share a great deal of personal information publicly, for example on social media. But they have a right to keep other information private.
The importance of security is inseparable from the importance of privacy. There's no effective way to keep private information private unless it's secure.
What is considered personal data?
Many different types of information are considered personal data (also called "personal information" or "personally identifiable information"). The definition is different depending on local law, but the tendency is for lawmakers to categorize more and more types of information in this way.
Probably the broadest definition of "personal data" can be found in the EU GDPR, at Article 4:
"'Personal data' means any information relating to an identified or identifiable natural person"
This brings the following sorts of information under the definition of personal data:
- A name
- An ID number
- Location data
- Online identifiers such as cookies, IP addresses, login credentials
- Information about a person's physical, genetic, or social identity
The list is potentially endless. Any information that could, in theory, be used to identify someone must be treated as personal data under the GDPR.
This definition is increasingly being adopted in other places, too. For example, the California Consumer Privacy Act (CCPA), as amended by the CPRA, provides a definition of "personal information" that is almost identical to the GDPR's definition of "personal data."
How do you keep data safe and secure?
There are many measures that your business can take to keep personal data secure, including:
- Using TLS/SSL protocols when collecting or transferring personal data
- Applying encryption methods to personal data in storage
- Maintaining effective access controls and authentication methods among staff
It's also important that you know how to recognize and respond to a data breach. A data breach means the loss or unauthorized access of personal data.
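As an added example, not code from the original article, here is the "encryption in storage" measure from the list above worked through in Go with the standard library's AES-256-GCM. Each personal-data field is encrypted under a fresh random nonce and bound to its record ID as additional authenticated data, so a ciphertext that has been tampered with, or copied from one customer's row into another's, is rejected at decryption time. The key-generation helper, the field value and the record IDs are assumptions for illustration; in a real deployment the key would be held in a key management service rather than generated in the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// EncryptField seals a single personal-data field with AES-256-GCM.
// The record ID is bound as additional authenticated data (AAD), so a
// ciphertext copied from one customer row into another fails to decrypt.
// A fresh random nonce is generated per call and stored ahead of the ciphertext.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	if len(key) != 32 {
		return "", errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. It returns an error if the key is wrong,
// the ciphertext or tag was modified, or the record ID does not match the one
// used at encryption time.
func DecryptField(key []byte, recordID, encoded string) (string, error) {
	if len(key) != 32 {
		return "", errors.New("key must be 32 bytes for AES-256")
	}
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("decrypt failed (tampered, wrong key, or wrong record): %w", err)
	}
	return string(plaintext), nil
}

// NewDataKey generates a random 32-byte key. Assumption for this example only:
// in production the key comes from a KMS/HSM or secrets manager, never from
// source code or the database that holds the encrypted rows.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real customer data.
	const recordID = "customer-1001"
	enc, err := EncryptField(key, recordID, "alice@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored value:", enc)
	dec, err := DecryptField(key, recordID, enc)
	fmt.Println("recovered:", dec, "err:", err)
	// The same ciphertext presented under a different record ID is rejected.
	_, err = DecryptField(key, "customer-2002", enc)
	fmt.Println("cross-record reuse rejected:", err != nil)
}
```

Binding the record ID as AAD is what turns plain "encryption at rest" into integrity protection for the row: an attacker with write access to the database can no longer swap one customer's encrypted email into another customer's record without the swap being detected when the field is read back.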
- Information about what types of personal data the company collects
- The reasons for which the company collects personal data
- How the company uses, stores and shares personal data
- The United States (so long as the website is accessible in California)
- All EU countries
For example, under the California Online Privacy Protection Act (CalOPPA), operators of commercial websites are required to reveal:
- The categories of personal information that the company/website operator collects
- How this personal information might be shared
- How users can review this information
- How the website responds to Do Not Track (DNT) requests from users' browsers
- The effective date of the Policy
- The UK's Data Protection Authority, the ICO, uses the term "Privacy Notice"
- The institutions of the European Union use the term "Privacy Statement"
All these documents serve the same function. They provide information about the data protection and privacy practices of the organization that created them.
What is the GDPR regulation?
The GDPR is an EU data protection law that regulates the processing of personal data. GDPR stands for General Data Protection Regulation. The regulation came into force in May of 2018. It was designed to ensure that the data protection law of all EU countries was aligned.
The passing of the GDPR has forced businesses all over the world to think carefully about their data protection practices. Practically all businesses process personal data on a day-to-day basis.
The GDPR means that businesses need to consider things such as:
- How they collect personal data
- Whether they have a legal basis for collecting personal data
- Who they are sharing personal data with
The GDPR's reach even extends to companies that are not based in the EU, so long as they:
- Offer goods and services to people in the EU. This applies to anyone that, for example, ships products to EU customers, or provides an app that is available to EU users, or
- Monitor the behavior of people in the EU. This applies to any company that, for example, runs a targeted advertising campaign (involving cookies) that affects individuals in the EU.
The GDPR is an extensive law that touches on all aspects of data protection and privacy. It's enforced by a strict regime of fines and other penalties, and it's pretty easy to violate it (even by accident).
Any business operating in the EU will need to familiarize itself with the GDPR.
- The types of personal data it processes (i.e. collects, stores, shares, or otherwise uses)
- How it collects personal data
- Its legal basis for processing personal data
- The types of organizations with whom it shares personal data
- How individuals can exercise their rights over their personal data
- How long it stores personal data
It should be presented to individuals at the point that their personal data is to be collected, such as when a user subscribes to an email newsletter or creates an account with you.
What are the six principles of the GDPR?
- Lawfulness, fairness and transparency - Always obey the law; only process personal data in a way that people would reasonably expect; always provide clear information about your practices
- Purpose limitation - Only process personal data for a specified purpose
- Data minimization - Don't collect personal data you don't need
- Accuracy - Ensure the personal data in your possession is accurate and up-to-date
- Storage limitation - Don't keep personal data for longer than you need it
- Integrity and confidentiality - Keep personal data secure
The GDPR divides companies into "data controllers" and "data processors." All data controllers and data processors must abide by these six principles.
A seventh principle is given for data controllers: accountability. Data controllers must be able to demonstrate their accountability for compliance with the six principles of the GDPR.
What is the California Consumer Privacy Act (CCPA/CPRA)?
The California Consumer Privacy Act (CCPA) is an important privacy law that came into force on January 1, 2020. It was updated by the CPRA, with the amendments and updates taking effect on January 1, 2023.
It applies to any business operating in California that:
- Is operated for profit, and
- Decides why and how personal information (personal data) is processed, and
- Has at least one of the following characteristics:
  - It has an annual gross revenue of at least $25 million, or
  - It buys, sells, receives or shares personal information from at least 100,000 consumers, households or devices per year, or
  - It makes at least 50 percent of its annual revenue from selling or sharing personal information
Only businesses fitting the description above need to comply with the CCPA (CPRA).
What does the CCPA (CPRA) do?
The CCPA (CPRA) provides consumers in California with certain rights over their personal information:
- The right to deletion: Consumers may request that the personal information businesses hold on them is erased
- The right to access: Consumers may request a copy of their personal information
- The right to opt out: Consumers may opt out of the selling, sharing and processing of their personal information
- The right to non-discrimination: Consumers must not suffer any detriment for exercising these rights
- The right to opt in (for minors)
- The right to data portability
- The right to correct any errors in their information
The CCPA (CPRA) also introduces a new regime of fines which can be imposed where a business suffers a data breach. These fines are up to $7,500 per violation. This can really add up if a large number of consumers are affected.
Under the CCPA (CPRA), consumers are also able to pursue civil claims against businesses who mistreat their personal data.