But why do you need one? What will happen if you don't have one? And does anyone even read those things?
Let's find out.
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
- It's a requirement under privacy law
- Many third-party services you use require it
- It shows that you're professional, responsible, and respect your users' privacy
- European Union: General Data Protection Regulation (GDPR)
- United Kingdom: Data Protection Act 2018
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia: Privacy Act 1988
- Brazil: Brazilian General Data Protection Law (LGPD) (not yet in force)
- China: Personal Information Security Specification
- India: Personal Data Protection Bill (PDPB) (not yet in force)
- Japan: Act on the Protection of Personal Information (APPI)
- Nigeria: Nigerian Data Protection Regulation 2019 (NDPR)
- South Africa: Protection of Personal Information Act (POPI Act)
Almost all of these laws apply to foreign businesses operating within the relevant jurisdiction. So, for example, if you ship to the EU or to California, you'll need to obey EU or California privacy law even if you don't have any physical presence in those regions.
For more information, see our article: Privacy Laws By Country.
- Play Store
- Firebase API
- Google Ads
- Google Analytics
- Facebook Pixel
- Conversions API
- App Events via Facebook SDK
- Offline Conversions
- App Events API
- iOS SDK
- App Store
- Adobe Analytics
- Matomo Analytics
When Operating a Website
Most websites collect some sort of personal information. Bear in mind that many types of data qualify as "personal information."
Increasingly, privacy laws define "personal information" as any information that can be linked, directly or indirectly, to an identifiable individual.
Many, if not most, websites collect the following types of data, all of which may qualify as "personal information:"
- IP addresses
- Cookie data
- Device ID
- Browsing history
- Data about how people use your website and interact with ads
- California Online Privacy Protection Act (CalOPPA) (when stored in combination with other, directly identifying types of personal information)
- California Consumer Privacy Act (CCPA/CPRA)
- The EU's General Data Protection Regulation (GDPR)
- The UK's Data Protection Act 2018
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
For more information, see our article: What is Personal Information Under Privacy Laws?
When Developing or Publishing a Mobile App
Mobile apps typically collect a lot of data. Some of this data can be particularly sensitive, such as when using location and camera permissions.
Here's the relevant section of Apple's App Store Review Guidelines:
When Maintaining a Mailing List
Pretty much every legal jurisdiction has a law specifically regulating commercial email and prohibiting "spam." Examples include:
- United States: CAN-SPAM Act
- European Union: ePrivacy Directive
- United Kingdom: Privacy and Electronic Communications Regulations (PECRs)
- Canada: Canada's Anti-Spam Law (CASL)
- Australia: Spam Act 2003
These laws impose rules that prohibit unsolicited email marketing and require businesses to allow users to unsubscribe from mailing lists.
Here's an example from Central London Orchestra:
- CalOPPA: Civil penalties of up to $2,500 per consumer, per violation
The CCPA (CPRA):
Civil penalties of up to:
- $7,500 per intentional violation
- $2,500 per unintentional violation
- Damages for private claimants of between $100 and $750 per consumer, per incident
- COPPA: Civil penalties of up to $43,280 per violation
- The GDPR: Civil penalties of up to €20 million ($22 million) or 4 percent of total worldwide turnover (whichever is greater)
- PIPEDA: Civil penalties of up to $100,000 CAD (approximately $73,000 USD) per violation