Widener University School of Law graduate, Managing Legal Editor at TermsFeed.
Privacy Policies are where you disclose your practices when it comes to your collection, use and handling of the personal data of your users. They provide information and transparency.
What kind of personal data is personal enough to identify an individual? There's a lot that can fall into that category, and here are just a few examples:
- Email addresses
- First and last names
- Social security numbers
- Social media handles and profile images
Anonymous data (that doesn't include personal data) can also be classified as "personally identifiable information" if used in connection with another type of data that can result in identifying an individual. For example, some types of IP addresses are legally protected personal information under modern privacy laws.
*Editor's note: The video above has outdated content regarding EU laws. The article content is updated as of July 16, 2019. We apologize for any inconvenience this may cause.
There are privacy laws in countries all around the world. Here are a few of the ones that have the farthest reach and widest impact on businesses all over the world.
The FTC (Federal Trade Commission) regulates data protection for all consumers in the USA, and the following laws all have privacy implications:
- The Americans With Disability Act
- The Cable Communications Policy Act of 1984
- The Children's Online Privacy Protection Act (COPPA)
- The Computer Fraud and Abuse Act of 1986
- The Computer Security Act of 1997
- The Consumer Credit Reporting Control Act
- The California Online Privacy Protection Act (CalOPPA)
- The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA)
- Maryland's Personal Information Protection Act (PIPA)
- Virginia's Consumer Data Protection Act (VCDPA)
- Louisiana's Database Security Breach Notification Law
- New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD)
There are also biometrics laws that add a new level of protection to consumer privacy and data. Some of these laws include:
- Utah: Genetic Information Privacy Act (GIPA)
- Texas: Capture or Use of Biometric Identifier Act (CUBI)
- Arizona: HB 2478
- Oregon: Consumer Information Protection Act (OCIPA)
- Washington State: HB 1493
- Illinois: Biometric Information Privacy Act (BIPA)
The CCPA went into effect on January 1, 2020, with the CPRA amendments to it taking effect on January 1, 2023. It affects what certain businesses that reach California residents have to disclose in their Privacy Policies. Transparency is key here, as is granting extra rights to users when it comes to controlling what happens with their personal information.
The CPRA amendment expanded the requirements of the CCPA, so businesses that fall under its scope face additional requirements and obligations.
Australia's Privacy Act regulates the handling of individuals' personal information, covering the collection, use, storage and disclosure of that information.
It sets out 13 Australian Privacy Principles that every company required to comply with the Privacy Act must follow.
- What kinds of personal information the business collects and holds
- How this information is collected and held
- Why this information is collected, held and (if applicable) disclosed to third parties
- How individuals can access and correct any personal information held about them
- How individuals can complain about a breach of the Australian Privacy Principles or other binding code, and how complaints will be handled
- Whether the business is likely to disclose personal information to any overseas recipients, and if so, the countries where these recipients are likely to be located, if practical
Companies that must comply with the UK's Data Protection Act (DPA) must follow its 8 principles, condensed here:
- Any kind of personal data from users must be collected only for a specified and lawful purpose. The data also cannot be processed in any way that's incompatible with that purpose.
- The personal data you collect should be adequate, relevant and not excessive in relation to the purpose for which you're collecting the personal data.
- The personal data should be kept up to date and accurate.
- Any kind of personal data collected from users should not be kept longer than is necessary for the purpose for which it was collected.
- What personal information you collect, and under what specific lawful purpose
- How you use the data in accordance with such a purpose
- What rights users have and how they can exert them
- How long you keep data, generally
- How you keep collected data safe and secure
PIPEDA, the Personal Information Protection and Electronic Documents Act, is the main law of Canada for protecting user data.
Under PIPEDA, personal information means any identifiable information about an individual, whether recorded or not. The Act applies to the collection, use, and disclosure of personal information by organizations during commercial activities.
Any business that falls under PIPEDA's scope is required to make information available to the public about the way it handles personal information.
- Be very clear and specific about what your business actually does. Make sure your readers can understand what you disclose, and that you aren't just disclosing generalities. Don't use legalese, and keep it simple.
- Disclose any choices you offer when it comes to users controlling how their personal information is used. For example, if you allow opt-outs for personal marketing, make it clear that you offer this and how a user can actually opt out.
- Make it clear how users can access what personal information you have about them, and how they can request corrections or deletions of the data.
- Keep your Policy updated so it always accurately reflects your actual practices.
- Make it easy to contact you with questions.
There's also the Digital Charter, which helps individuals take control over their personal information in an increasingly digital world.
The General Data Protection Regulation (GDPR) regulates the processing of personal data within the European Union. This regulation has strict, global requirements for companies who have users located within the EU.
- What types of personal information you process
- How you process it
- Your legal basis for processing it
- How long you retain it for and what happens after the retention period
- Whether or not you share personal information with third parties
- Whether you transfer personal information overseas and if so, what safeguards you have in place
- The 8 User Rights your users have and how they can exert them
- Contact information for at least your company as well as your DPO or EU representative where applicable
Consent is huge under the GDPR, so if this regulation applies to you, you'll want to get familiar with how your consent requirements will change.
Use our Cookie Consent all-in-one solution (Privacy Consent) for cookies management to comply with GDPR & CCPA/CPRA and other privacy laws:
- For GDPR, CCPA/CPRA and other privacy laws
- Apply privacy requirements based on user location
- Get consent prior to third-party scripts loading
- Works for desktop, tablet and mobile devices
- Customize the appearance to match your brand style
Create your Cookie Consent banner today to comply with GDPR, CCPA/CPRA and other privacy laws:
Start the Privacy Consent wizard to create the Cookie Consent code by adding your website information.
At Step 2, add in information about your business.
At Step 3, select a plan for the Cookie Consent.
You're done! Your Cookie Consent Banner is ready. Install the Cookie Consent banner on your website:
Display the Cookie Consent banner on your website by copying and pasting the installation code into the </head> section of your website. Instructions for adding the code on specific platforms (WordPress, Shopify, Wix and more) are available on the Install page.
Brazil's main privacy law is its Brazilian General Data Protection Law (LGPD). The LGPD affects businesses around the world if they collect personal information from people located in Brazil.
- Why the personal information is being processed
- Why the processing is taking place, and its duration
- The data controller's identity and contact information
- Whether the personal information will be shared, and if so, for what purposes
- What the responsibilities are of the data controllers and processors that will process the personal information
- Information about the individual's rights when it comes to their personal information
China's Personal Information Protection Law (PIPL) took effect on November 1, 2021. One of the big aspects of this law is the privacy rights it grants to individuals in China.
- The name and contact information for your company's personal information handler
- Information about third parties who may receive data transfers
- What rights individuals have under PIPL and how to exercise them
- What types of personal information you collect, why you collect it, how you store it, and for how long
- In Singapore it's the Personal Data Protection Act 2012 (PDPA).
- It's also called the Personal Data Protection Act (PDPA) in Malaysia. Malaysia's PDPA came into force in November 2013.
- In South Korea it's called Personal Information Protection Act and it came into force in 2012.
- In Vietnam, it's Article 21 of the Law on Information Technology
Because these laws aren't quite as robust as some from the EU and the United States at the moment, you can pretty much ensure you're complying with them by making sure you comply with the requirements of the GDPR or CalOPPA.
For example, if your app collects personal information, the following third-party privacy requirements will apply:
Many of the laws have overlapping requirements, which means if you're compliant with one you may be compliant with another. However, you must still become aware of any jurisdictional laws you must adhere to for full compliance.