19 June 2020
Businesses operating from the United States looking to ensure compliance with their legal agreements with the law quickly find that there isn't a single omnibus law governing Privacy Policies or a law protecting identifiable personal information that businesses may collect from users.
Lawmakers and regulators in the United States have opted, instead, for a sectoral approach to regulating how consumer information is protected online.
A sectorial approach disperses enforcement authority between industry self-regulation, private remedies for civil actions, and civil and criminal penalties levied by the Federal Trade Commission (FTC).
The Federal Trade Commission's Fair Information Practice is the Commission's attempt to draft best practices for Privacy Policies in the United States.
While the Fair Information Practice principles are not themselves a law or regulation, the principles are based on the FTC's existing enforcement powers, based in laws such as:
The Principles of FTC's Fair Information Practice are:
1. Notice / Awareness.
Users should be aware that their personal information is being collected, what kind of information is being collected, and how will that collected information be used (what for).
2. Choice / Consent.
Users should have some ability to control how their personal information is being used and should have an option to "opt-in" or "opt-out" of tracking.
The text reads:
We will send you transaction confirmation emails and other strictly Service-related announcements on rare occasions when it is necessary to do so. For instance, if our Service is temporarily suspended for maintenance, we might send you an email. Generally, you may not opt-out of these communications, which are not promotional in nature. If you do not wish to receive them, you have the option to deactivate your account.
3. Access / Participation.
Users should have access to review the personal information collected.
4. Integrity / Security.
Website and/or mobile apps developers should take reasonable security measures. Greater security is needed as more sensitive information is collected.
5. Enforcement Redress.
The FTC identified 3 types of enforcement measures:
As the most populous state in the United States and the headquarters of many prominent online companies (Google, Facebook, Apple), compliance with California laws have practically become the norm for operating online businesses in the United States.
Section 22575 of the California Business Code sets out the requirement for Privacy Policies of companies operating in California or which collect identifiable personal information of residents of California.
This means that, if you reside in another state, but collect personal information from users in California, you must comply with California's laws.
- Identification of the categories of personally identifiable information that the operator collects through the website about individual consumers who use or visit its commercial website and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
- Provide a description of the process for an individual consumer who uses its website to review and request changes to any of his or her personally identifiable information that is collected through the website.
- Identify its effective date.
- Disclose, by providing a clear and conspicuous hyperlink, how the operator responds to web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information across third-party Websites or online services, if the operator engages in that collection.
- Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different Web sites when a consumer uses the operator's Web site or service.
While California's Business Code mentions websites mostly, it's important to understand that a online service can be anything that collects personal information from online users:
Similar to the California Business Code, "operator of a website or online service" doesn't specifically means a website, but to any kind of online service: websites, apps, blogs etc.
Do Not Track ("DNT")
The Do Not Track (DNT) header is the proposed HTTP field that sends a request to a web application (website, mobile app) to disable its tracking or cross-site tracking of an individual user.
There are no legal or technological requirements for its use. Websites and advertisers may either honor the request or completely ignore it.
Both state and federal lawmakers in the United States have enacted special requirements on privacy practices (and thus for Privacy Policies) of certain business models, most often for those business models that involve children, minors or students as users.
In Massachusetts, for example, a "Written Information Security Program" ("WISP") is required if a company has personal information of Massachusetts residents, even if the company itself is not present in the state.
SOPIPA prohibits businesses (website or mobile app developers etc.) from the following activities:
(1) Targeted advertising.
(2) Use of information, including persistent unique identifiers, to amass a profile about a K-12 student except in furtherance of K-12 school purposes.
(3) Selling a student's information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.
(4) Disclosing covered information unless the disclosure is made:
(A) In furtherance of the K-12 purpose of the site, service, or application, provided the recipient of the covered information disclosed pursuant to this subparagraph:
(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that student's classroom or school; and
(ii) Is legally required to comply with subdivision (d);
(B) To ensure legal and regulatory compliance;
(C) To respond to or participate in judicial process;
(D) To protect the safety of users or others or security of the site; or
(E) To a service provider, provided the operator [complies with SOPIPA]
The FTC has published a simple checklist providing 6 steps for COPPA compliance if your business is targeting children under 13 (such as mobile app games for kids):
All privacy laws and best practices have a "reasonable security" component requiring businesses to protect any information that they've collected.
Among the laws mandating some form of "reasonable" security are:
Even if your business happens to operate outside the reach of these particular data security laws, there is a growing consensus that implementation of a formal, written security compliance program is a best practice.
United States vs. EU
For European Union (EU) businesses, the laws regarding privacy (and thus, Privacy Policies) are mainly the Data Protection Directive and the ePrivacy Directive.
When a business directly develops, operates, or distributes a website or a mobile app and is deemed to be a controller (collects personal information), that business is responsible for certifying compliance with the Directive, as well as any additional member state specific laws.
It's important to note what personal information actually is in accordance with these EU Directives:
terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human rights and Fundamental Freedoms
This means that information is considered personal when it's related to an individual who is either directly or indirectly identifiable to the controller or to a third party.
If a certain type of information can identify an individual, it's considered personal data.
If 2 or more types of information, when grouped together, can identify an individual, it's also considered personal data. Taken separately, the information can't identify somebody, but if grouped together, it can identify individuals.
Article 10 of the Data Protection Directive notes that every data subject (user) has a right to know who is processing their personal information, what kind of information is being asked or collected and what's the intended use of the information.
This is distinct from the best practices in regards to Privacy Policies in the United States, which may require notice and consent for transferring personal information to a third party, but not necessarily where the information is going.
Like the United States, which has laws that vary among the states, businesses should also consider the law of the EU member state in which they are providing the website or mobile app.
France and Germany, for example, have more stringent requirements for protecting data than what's required by the Data Protection Directive.
United States vs. Australia
In Australia, the Enhancing Privacy Protection Act (Privacy Act), which was updated in 2014, marked some substantial changes to Australia's existing privacy laws.
The Privacy Act in Australia incorporates 13 Privacy Principles that dictates how personal information must be handled by certain governmental agencies and private sectors (businesses.)
A company of any size, with an annual gross income of more than $3,000,000 is subject to this Privacy Act and its regulations.
Businesses whose income is less than $3,000,000 annually might still be covered by one of the exceptions:
A small business (less than $3,000,000 annually) may still choose to opt-in to be covered by the Act.
If a small business would otherwise not be covered by the Australia's Privacy Act, the business may petition to be covered by the Act to assure their customers that they are committed to privacy. Many small businesses will not be covered by the Privacy Act but might find some benefit in voluntarily choosing to be covered.
If the business is covered by the Act and must adhere to the Australian Privacy Principles, they are considered a "covered entity" for the purposes of the law.
Although best practices in regards to privacy practices and/or Privacy Policies in both the United States and Australia are largely the same, Australia benefits from the clarity of the privacy laws being compiled into a single law, rather than the hodgepodge of administrative and enforcement powers of the FTC.
Australia's threshold for business income when applying their privacy law has no equivalent in the United States, which is more oriented towards the location of the business or consumer.
United States vs. Canada
In Canada, the Personal Information Protection and Electronic Documents Act (or simply PIPEDA) governs the collection and use of personal information from users and how it's protected.
PIPEDA requires businesses operating in Canada to obtain a user's consent when collecting, using or disclosing that user's personal information.
Schedule I of PIPEDA provides 10 Fair Information principles that businesses must follow to remain in compliance.
The personal information that a business collects through its website or mobile app may only be used for the express purpose for which it was collected.
Any additional use outside the scope of the original grant requires further consent from the user. And users must be assured that the business will reasonably protect their personal information.
Generally, the law gives individuals the right to:
- Know why an organization collects, uses or discloses their personal information
- Expect an organization to collect, use or disclose their personal information appropriately, and not use the information for any purpose other than that to which they have consented
- Expect an organization to protect their personal information by taking appropriate security measures
- Expect the personal information an organization holds about them to be accurate, complete and up-to-date
- Obtain access to their personal information and ask for corrections if necessary
- Complain about how an organization handles their personal information if they feel their privacy rights have not been respected
Canada's PIPEDA requires businesses to:
Like Australia and the European Union, the most notable difference between Canada's PIPEDA and privacy laws in the United States is the existence of a single statute and enforcement authority as opposed to the sectorial approach of the United States.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.