Global Privacy Laws Explained

Privacy is such an important aspect of our lives, both on and offline. But when it comes to the expansion of the Internet and all the things we can do, see, purchase and experience online, privacy has become even more sensitive for both consumers and business owners.

As such, there are a number of privacy laws that affect businesses, websites and their operators worldwide.

This article will detail what is involved with each of these laws, as well as whether you need to be compliant, how you can comply, and the penalties involved with failure to do so.

COPPA

The Children's Online Privacy Protection Act (COPPA), is an important law in the United States. It aims to protect privacy of children under 13 years of age, specifically from the collection of their personal information online.

Given that COPPA applies to children under 13 years old, it works by providing the parents of those children with more control over the collection (whether it's voluntary or mandatory) of their personal information.

COPPA applies to you and your business/website if the products and/or services you provide are directed towards children under 13 years old, and you collect, use or disclose their personal information.

This legislation also applies to general audience websites that cater to people of all ages, but also might be used by those under 13 years old, especially if those websites collect personal information from other websites or online services that cater to children.

COPPA legislation defines a website or online service to be, in addition to general websites, any of the following:

• Mobile apps with internet connectivity
• Internet-enabled gaming platforms
• Plugins
• Advertising
• Internet-enabled location-based services
• Voice-over services
• Toys or other Internet of Things devices with internet connectivity

Under the rules of COPPA, personal information applies to a number of different things including names, addresses, phone numbers, geolocation information and many others.

Here's what the Federal Trade Commission (FTC) states in its FAQ for complying with COPPA:

According to COPPA, collecting information applies to requesting or prompting the submission of any of the above information (even if it's not mandatory), allowing such information to be publicly available (such as through an open chat or forum service), and/or passively tracking the online activity of children.

It also relates to those companies and websites that operate outside the US but cater to children within the US. Therefore, if there's even the slightest chance that your products and services will reach US children, you must comply with COPPA.

So, if COPPA applies to you and your company, you can ensure compliance by following a few rules.

1. Have a clear, concise Privacy Policy that details your information collection practices. This should include everything from the purpose of the collection to any third-party services this information may be shared with, as well as the purpose behind this sharing.
2. Receive explicit, verifiable parental consent from every minor that uses the service before collecting any personal information.
3. Provide parents with the opportunity to consent to your own collection and internal use of their child's personal information while denying any further disclosure of that information to any other third-party services.
4. Allow parents consistent, easy access to their children's information, as well as the choice to edit or delete that information.
5. Give those parents the chance to stop further use and/or collection of their children's information. Basically, allow them to revoke consent.
6. Ensure your company maintains confidentiality and security of the collected information.
7. Ensure any personal information that is collected is done so for a specific, reasonable purpose and that this purpose is not abused or exploited.

If your company is found in violation of the rules of COPPA, it can be fined by the courts for an amount up to $41,484 dollars for each individual violation.

Other factors will also come into play regarding the severity of penalties. These factors are things like:

• The egregiousness of the violation
• Any previous violations
• How many users (children) were involved in the violation
• The size of the company
• How the information was used and/or shared

CalOPPA

The California Online Privacy Protection Act (CalOPPA) is a US law out of California that regulates what is included in the Privacy Policies of commercial websites and other online services.

CalOPPA has been in effect since 2004 and applies to any business that collects personal information from any resident of California.

So, as with other legislation, this means that even if you're located in another country, such as Australia or the EU, you're required to abide by the CalOPPA guidelines if there's the chance of processing information from California residents.

This legislation applies to both online commercial websites and mobile applications that can be used on smartphones and tablets that collect personally identifiable information from their users.

Here's how the Consumer Federation of California Education Foundation defines what "personally identifiable information" is for purposes of CalOPPA:

CalOPPA focuses mainly on the implementation of a strong Privacy Policy. In order to be compliant, a policy has to include the following:

• The different kinds of personally identifiable information collected by the company
• Any third-party services this information will be shared with, and why
• Details on how consumers can review and change their previously collected information
• How the company intends to notify users on any changes or amendments to the Privacy Policy
• The effective date of the Privacy Policy

Under CalOPPA, the regulations regarding Privacy Policies can seem quite strict, going so far as to dictate the styling of the Privacy Policy hyperlink displayed on the homepage of the website.

These hyperlink stylings include being conspicuous and easily identifiable, larger in size and different in design (such as the typeface and size) when compared to any text around it.

Here's how the Consumer Federation of California Education Foundation answers the question of what a "conspicuous" Privacy Policy entails:

If you're found to be noncompliant with CalOPPA regulation, there's a 30-day grace period in which you can create or edit your Privacy Policy to get compliant.

However, if you fail to do so within that time frame you leave yourself and/or your company open to potential penalties and legal proceedings.

While CalOPPA doesn't have any enforcement provisions, businesses in breach of the rules can be held responsible for acts of "unfair competition" if they're found to be willfully negligent and noncompliant.

Do Not Track

The 'Do Not Track' amendment (DNT) was brought into the CalOPPA law in early 2014, and requires businesses to divulge how they intend to respond to user's DNT browser requests.

You might want to track your user's online activities for a number of reasons, whether it's purely for site analytics, to learn more about the effectiveness and functionality of your site, or to provide advertisements tailored more towards each individual visitor.

A Do Not Track request is a setting that comes with web browsers (like Opera, Firefox and Google Chrome) that allows users to choose whether they want their online activity tracked or not.

Once this setting is turned on, the browser will send a signal to websites, ad networks, plug-ins and more, that essentially ask them to stop tracking that user's activity.

If you're met with a DNT request from a user's browser, how you decide to respond to that is up to you. Given that there's not yet any governance when it comes to how businesses respond to DNT requests, you can essentially choose to ignore or approve the request.

That's why it's called a DNT request rather than a secure setting, because the operator of any visited websites actually has the final say in whether they concede to the request or not.

The only thing you absolutely must do is disclose the way you intend to respond within your Privacy Policy. Failing to do this will put you in a position of non-compliance with CalOPPA, which can lead to severe penalties and leave you open to potential legal issues.

Here's an example of how to disclose how you respond to DNT settings in a clause within your Privacy Policy:

So remember, you don't actually have to respond to DNT requests, but you are required to include that intended response in your Privacy Policy.

An important thing to note here is that if a user sees that you don't intend to honor any DNT requests, they might be put-off from dealing with your site entirely. So, if tracking isn't a major part of your online service, it can be a clever business move to fulfill any DNT requests that come your way.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a robust privacy law that was created by the European Union (EU) in 2016 and became effective in 2018. It was designed to replace the 1995 Data Protection Directive 95/46EC as of the 25th of May, 2018.

The purpose of the GDPR is to update digital security for the citizens of the EU by giving them a higher level of control on the personal information they share online.

Though the GDPR is a law originating from the EU, it applies to businesses all over the world. If there's even the slightest chance that your website might collect the personal information of someone from one of the EU member states, then you're required to comply.

Here's how Article 4 of the GDPR defines "personal data."

The GDPR implements newer areas of focus, such as privacy rights, data security, data control and governance.

The main things you should be aware of are:

• Non-compliance penalties
• The fines for failing to comply with GDPR regulations can equal 2 percent of the global annual revenue for lower level infringements, and 4 percent of the global annual revenue for upper level infringements.
• Mandatory notification of breach
• If any breach of data has happened or has been suspected, you must inform the proper authorities within 72 hours of the breach's discovery.
• User consent
• Consent requirements have been greatly enhanced and improved. If you must obtain consent for how you collect or process user information (such as for sending marketing communications or using certain types of cookies), you must obtain clear, explicit consent. Implied, browsewrap-style consent is no longer adequate.
• Right to access
• This critical part of the GDPR allows users to access the information that has been collected from them and stored by online companies. It will allow them to submit a Subject Access Request (SAR), to which the company must be able to provide complete electronic copies of all collected data within a timely manner.
• Right to be forgotten
• Under this stipulation, any individual can request an online website to both delete their collected data, and stop sharing it with third party services.
• Inclusion of Data Protection Officers (DPO)
• If your company meets certain criteria, you will need to appoint a Data Protection Officer to oversee the processes and ensure you remain compliant with the GDPR.

EU Cookies Directive

The EU Cookies Directive is an amendment to the e-Privacy Directive, as part of the EU's move to strengthen the online privacy of all its citizens.

It was brought into effect in May 2011, and its basic ruling is that every website that is based in the EU, owned by EU businesses or aimed towards EU citizens must let users know that they use cookies.

A cookie is essentially a small computer file that is stored on a user's computer. They hold data pertaining to a specific website and/or client, in order to better tailor those websites to the particular user.

There are a number of different types of cookies, such as session cookies, permanent cookies and third-party cookies.

While cookies are generally considered to be harmless yet useful inclusions, it's important to provide users with an option to decline the use of them as they browse your site.

This will mean users may not be able to enjoy your site to the fullest capabilities, but will provide them with a slightly higher level of control and protection about their information.

Being fully compliant with the EU Cookies Directive is quite simple. You just have to inform all users of your intent to use cookies as soon as they visit your site, which can be done by pop-up windows or similar notifications.

This notification must provide users with a brief description of the reason behind using cookies, a link to a more detailed Cookies Policy and/or Privacy Policy, and give them the opportunity to easily refuse.

Furthermore, the notice should be written in a way that is easy for anyone to understand, so avoid using overly technical jargon that could invite confusion to users.

Here's an example of a cookies notice that pops up on HP's website. Notice how it briefly lets users know what cookies are used for and includes a link to the Privacy Statement:

Before your website places certain types of cookies onto a user's device, you must receive explicit consent from that user.

This can be done simply by placing a checkbox or other method of acknowledgment onto your banner or notification, which will allow users to mark whether they choose to give that consent or not.

The penalties for non-compliance with the EU Cookies Directive depends on the local regulations of where you're located. This is due to the fact that the Directive is not actually a legal law, so it does not contain any specific penalties.

However, non-compliance can still mean you can be faced with hefty fines with your local laws, so it's best to ensure you are up to date with the requirements of the Cookies Directive.

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a law that was introduced in Canada back in April 2000, with the aim to govern private sector organizations regarding their collection of consumer personal information.

PIPEDA aims to provide more strength and security to consumers when they share their personal information through e-commerce and online businesses.

In order to be compliant with PIPEDA, there are 10 fair information principles that you must adhere to. These are:

1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection of information
5. Limiting use, disclosure and retention of information
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance

These principles help give individuals more knowledge about the reason behind the collection, use and disclosure of their information by organizations, the people in charge of protecting that information, access to viewing the information at their own discretion, and the ability to raise any issues about the handling of their information if they feel it's not up to standard.

Under PIPEDA, organizations are legally required to gain consent to the collection, use and disclosure of any user information prior to the collection. They must also provide individuals with their product or service, regardless of whether they consent to that collection.

Here's how the Office of the Privacy Commissioner of Canada explains some of this:

If your company is found to be in breach of the requirements of PIPEDA, you must inform the relevant authorities as soon as you become aware of said breach. Failure to do so can invite fines of up to $100,000 per violation if your organization is found to have knowingly violated the legislation.

PIPEDA also requires a Privacy Policy with specific disclosures included within it. If you do business in Canada, make sure you're familiar with PIPEDA's requirements.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that enables the protection and safeguarding of medical information.

HIPAA brought several new standards into effect that aimed to improve efficiency, minimize paperwork, streamline eligibility checks and billing payments and speed up the transfer of patient data within the various healthcare sectors.

There have also been additions made to HIPAA that further protect an individual's patient data by placing restrictions on the different uses and disclosure of health information.

Given that HIPAA deals with extremely sensitive patient health information, the penalties for violating the legislation are steep.

The more patients that are involved in any breach, the higher the fines will be. Such fines are considered to be one of two categories:

"Reasonable Cause" which carries lower fines (between $100-$50,000) and no jail time.

"Wilful Neglect" which leads to higher fines ($10,000-$50,000) and potential jail time and criminal charges.

In conclusion, privacy laws vary all around the world, but it's important to know which ones apply to your organization and which ones don't. As technology evolves and changes over time, it's also imperative that you keep up to date with any changes and amendments to these privacy laws, as noncompliance can be quite costly.