Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
In this article, we'll be answering some common questions about privacy for businesses.
This is a very important area for any business, particularly if it has a strong online presence. The legal requirements are increasingly demanding and can get complicated.
In this article we'll be covering:
Read the entire FAQ straight through as an informative overview, or skip around in the table of contents to find specific questions you may have and read the answers.
Privacy laws (and data protection laws) are all about protecting people's personal data from being exploited.
Some important privacy laws include:
More and more privacy laws are being developed, with many more expected in the future. See our article "Privacy Laws By Country" for an up-to-date directory.
Privacy laws can cover business activities such as:
"Tracking people's behavior" used to be the activity of state surveillance agencies and private investigators. Now, people's behavior is tracked (both online and in the "real world") by businesses hoping to learn something about the sorts of products people might wish to buy.
Privacy law is now an important consideration for practically every business. This is partly a result of the proliferation of "behavioral marketing," enabled via technology such as cookies and GPS analysis.
But even if your business doesn't engage in such practices, privacy law could apply to your employee records, customer lists, and even your website's log files. If you collect even just an email address from potential customers, privacy laws will apply to you.
Privacy and security are important for many reasons.
Privacy is a fundamental human right. It has been acknowledged, to some degree, by practically every society in the world.
As well as national and regional data protection and privacy laws, a fundamental right to privacy is recognized in:
As people's lives move more and more online, they are revealing more and more information about themselves to an ever-wider network of businesses and organizations.
Many people are happy to share a great deal of personal information publicly, for example on social media. But they have a right to keep other information private.
The importance of security is inseparable from the importance of privacy. There's no effective way to keep private information private unless it's secure.
Many different types of information are considered personal data (also called "personal information" or "personally identifiable information"). The definition is different depending on local law, but the tendency is for lawmakers to categorize more and more types of information in this way.
Probably the broadest definition of "personal data" can be found in the EU GDPR, at Article 4:
"'Personal data' means any information relating to an identified or identifiable natural person"
This brings the following sorts of information under the definition of personal data:
The list is potentially endless. Any information that could, in theory, be used to identify someone must be treated as personal data under the GDPR.
This definition is increasingly being adopted in other places, too. For example, the recently-passed California Consumer Privacy Act 2018 (CCPA) provides a definition of "personal information" that is almost identical to the GDPR's definition of "personal data."
There are many measures that your business can take to keep personal data secure, including:
It's also important that you know how to recognize and respond to a data breach. A data breach means the loss of, or unauthorized access to, personal data.
For example, under the California Online Privacy Protection Act (CalOPPA), operators of commercial websites are required to reveal:
All these documents serve the same function. They provide information about the data protection and privacy practices of the organization that created them.
The GDPR is an EU data protection law that regulates the processing of personal data. GDPR stands for General Data Protection Regulation. The regulation came into force in May of 2018. It was designed to ensure that the data protection law of all EU countries was aligned.
The passing of the GDPR has forced businesses all over the world to think carefully about their data protection practices. Practically all businesses process personal data on a day-to-day basis.
The GDPR means that businesses need to consider things such as:
The GDPR's reach even extends to companies that are not based in the EU, so long as they:
The GDPR is an extensive law that touches on all aspects of data protection and privacy. It's enforced by a strict regime of fines and other penalties, and it's pretty easy to violate it (even by accident).
Any business operating in the EU will need to familiarize itself with the GDPR.
It should be presented to individuals at the point that their personal data is to be collected, such as when a user subscribes to an email newsletter or creates an account with you:
The GDPR divides companies into "data controllers" and "data processors." All data controllers and data processors must abide by these six principles.
A seventh principle is given for data controllers: accountability. Data controllers must be able to demonstrate their accountability for compliance with the six principles of the GDPR.
The California Consumer Privacy Act 2018 (CCPA) is an important privacy law that came into force on January 1, 2020. It applies to any business operating in California that:
Only businesses fitting the description above need to comply with the CCPA.
The CCPA provides consumers in California with certain rights over their personal information:
The CCPA also introduces a new regime of fines that can be imposed where a business suffers a data breach. These fines are up to $7,500 per violation, which can really add up if a large number of consumers are affected.
Under the CCPA, consumers are also able to pursue civil claims against businesses that mistreat their personal data.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.