As the world becomes more dependent on digital products and services, data privacy has increasingly become a top priority for many countries and regions. As a result, many regions have put in place robust and enforceable data regulations with which businesses are expected to comply.
In most cases, non-compliance with these regulations can lead not only to major financial consequences but also to significant and lasting damage to public trust and to the reputation of your organization. It is, therefore, important to ensure that your business meets its legal obligations.
This privacy information must be up-to-date, understandable, unambiguous, and easily accessible throughout the website or app. Some requirements vary based on the type of processing activity, region, user age or business type. It is, therefore, worth noting that in addition to the general points outlined here, you may have further responsibilities depending on the law that applies to you. You can read more situation-specific information in the sections below.
In general, users need to be informed of:
You may be further responsible for making additional disclosures to users, third-parties and the supervisory authority depending on your law of reference.
One such law is the California Consumer Privacy Act (CCPA). Under the CCPA, users must in particular be informed of the possibility of their data being sold (you can think of “sold” here as “shared with third parties for any consideration, monetary or otherwise”). The disclosure must be visible from the homepage of the site and must include a “Do Not Sell My Personal Information” (DNSMPI) opt-out link. You can read more about the CCPA and when it applies here.
Consent here refers to the informed voluntary agreement of an individual to engage in a particular event or process.
Broadly speaking, users need to be able to give, decline or withdraw consent (depending on the regional law). Consent may be acquired using any method that requires the user to take a direct and verifiable affirmative action; examples include checkboxes, text fields, toggle buttons, or sending a confirmation email.
Generally, the laws of a particular region apply if:
This effectively means that regional regulations may apply to you and/or your business whether you’re located in the region or not. For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind. You can read more about which laws apply to you here.
In the US, there is no single comprehensive national body of data regulations; there are, however, various state-level laws as well as industry guidelines and specific federal laws. Since online site/app activity is rarely limited to just one state, it’s always best to adhere to the strictest applicable regulations. With this in mind, the most robust data law framework is implemented by the state of California. The California Online Privacy Protection Act (CalOPPA), in force since 2004, was the first state law to make privacy policies mandatory, and it applies to any person or company whose website/app processes the personal data of California residents.
In addition to the generally required disclosures above, CalOPPA also requires that you:
With regard to consent, US law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.
If your service is knowingly collecting, using, or disclosing personal information from children under 13, then special regulations apply to those data processing activities.
Children’s Online Privacy Protection Act (COPPA) is a US federal law implemented to better protect the personal data and rights of children under 13 years of age.
Under this law, if you operate a website or online service which is directed to children under 13, or you have actual knowledge that you’re collecting personal information from children under 13, you must give notice to parents and get their verifiable consent before collecting, using, or disclosing the information, and must keep the information collected secure.
“Verifiable” here means using a method of attaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (e.g. checking a form of government-issued ID against an applicable database).
“Personal information” within this context refers to the child’s:
In the EU, the General Data Protection Regulation (GDPR) was introduced in an effort to harmonize data protection for people in the EU and became fully enforceable in May 2018. At its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or otherwise handled).
The GDPR can apply where:
This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not.
Note: The protections of the GDPR also extend to users outside the EU if the data controller is EU based. Therefore, if you are an EU-based data controller you must, by default, apply GDPR standards to ALL your users.
The conditions of applicability of the GDPR are set from a material and a territorial point of view. To determine whether or not a specific processing activity is exempt from its applicability, we have to consider both aspects.
The GDPR applies to the processing of personal data. Therefore, it does not apply to company data as such, for example a company name and address. Be careful here, however: “natural persons” normally work in a company, so any data referring to them (names, work email addresses, roles) is deemed “personal”, regardless of whether it is processed in a Business to Customer (B2C) or Business to Business (B2B) context.
Furthermore, personal data may not fall under the scope of the GDPR in several other scenarios including where they are processed by a natural person for a purely personal or household activity. You can read more about this in the dedicated guide here.
Turning to the territorial scope, we have already mentioned under which conditions the GDPR applies. Consequently, for a processing activity not to be subject to the GDPR from a territorial point of view, the following must apply cumulatively:
See examples in the dedicated guide here.
In general, the GDPR requires that you:
Have a lawful basis. The GDPR requires that you have at least one lawful basis for processing user data. There are 6 lawful bases outlined under the GDPR.
Acquire verifiable consent. Under the GDPR, consent is one of several lawful bases for processing user data and as such it must be “freely given, specific, informed and unambiguous” (Article 4(11)); for special categories of data it must additionally be explicit. This means that the mechanism for acquiring consent must involve a clear “opt-in” action (Recital 32 specifically rules out pre-ticked boxes, silence and inactivity, and similar “opt-out” mechanisms).
The GDPR also gives users a specific right to withdraw consent and, therefore, it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital that you document and keep clear records related to the consent.
Records of consent should at least contain the following information:
Consent is not the ONLY reason that an organization can process user data; it is only one of the “legal bases”, therefore companies can apply other lawful (within the scope of GDPR) bases for data processing activity. With that said, there will always be data processing activities where consent is the only or best option.
Under the GDPR users have statutory rights in regards to their data. Not only must you as the controller honor those rights, but you must also inform users about them. Such rights include:
Meet specific requirements if transferring data outside of the EEA. The GDPR permits transfers of EU residents’ data outside of the European Economic Area (EEA) only when in compliance with set conditions (Chapter V: an adequacy decision, appropriate safeguards such as standard contractual clauses, or a specific derogation).
Implement privacy by design and default. Under the GDPR, data protection should be included from the onset of design and development of the business processes and infrastructure.
Notify personal data breaches. Under the GDPR, you are required to inform the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals (Article 33). Where the breach is likely to result in a high risk, you are also required to inform the affected users (Article 34).
Appoint a DPO (where certain conditions are met). Under certain conditions, you may be required to appoint a Data Protection Officer, who will have the task to oversee all processing activities and monitor compliance with applicable law. Cases for mandatory appointment include situations where large-scale, systematic processing of user data occurs and where special categories of data (i.e. sensitive data) are being processed.
Maintain records of processing activities. As stipulated in Article 30, the GDPR requires that you keep and maintain “full and extensive” up-to-date records of your data processing activities. Such records are expressly required where your data processing activities are not occasional, where they could result in a risk to the rights and freedoms of others, where they involve the handling of “special categories of data” or where your organization has more than 250 employees; this effectively covers almost all data controllers and processors. However, even if your processing activities somehow fall outside of these situations, your information duties to users make it necessary for you to keep basic records of which data you collect, its purpose, all parties involved in its processing and the data retention period; this is mandatory for everyone. Read more about how to maintain compliant records for controllers and processors in our GDPR guide.
Carry out a DPIA (where certain conditions are met). In cases where the data processing activity is likely to result in a high risk to users, the GDPR requires that a Data Protection Impact Assessment (DPIA) be carried out.
💡 You can read more about the GDPR here.
Because using cookies means both processing user data and installing files that could be used for tracking, it is a major point of concern when it comes to user data privacy rights. The ePrivacy Directive (or Cookie Law) was implemented to address this concern.
💡 To learn more about which EU cookie consent rules apply on a per-country basis, check out our Cookie Consent Cheatsheet here.
The banner must:
In compliance with the general principles of privacy legislation, which prohibit processing before consent, the Cookie Law does not allow the installation of non-essential cookies before obtaining user consent. In practice, this means that you must block the scripts that would set those cookies (analytics, advertising, social widgets) until the user has opted in, and then load them only for the categories the user actually agreed to.
Depending on the local authority, these actions may include continued browsing, clicking on links or scrolling the page. In many cases, clicking “OK”, closing the banner or continuing to navigate a cookie-installing website has been treated as active consent to the placing of cookies, provided that users were clearly informed of this consequence beforehand. Note, however, that the EDPB’s Guidelines 05/2020 on consent state that scrolling or continued browsing does not amount to a clear affirmative action under the GDPR, so an explicit click on an accept control is the safer mechanism.
*This exemption may not apply in all regions and is therefore subject to specific local regulations.
The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user.
A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.
Other examples of these technical cookies are user-centric session cookies used to detect authentication abuse, load-balancing session cookies, and multimedia player session cookies that are necessary for the provision of services requested by the user.
So does this mean that I don’t need to have a Cookie Banner in such cases?
In the future, the ePrivacy Directive is expected to be replaced by the ePrivacy Regulation, which would work alongside the GDPR. The proposed regulation is expected to uphold the same values as the directive.
💡 You can read more about the Cookie Law here.
In addition to the disclosures and requirements outlined above (and subject to your law of reference), if operating an e-commerce website or app, you’re further subject to the applicable commercial laws and industry rules.
Generally, those involved in B2B commercial transactions will be subject to whichever contract, industry and national guidelines are applicable. However, participating in B2B commerce often requires that personal data be processed (be it that of employees or otherwise), in such cases, and where the processing falls within its scope, the GDPR applies and takes precedence.
Under most countries’ consumer laws, when selling to consumers, in addition to the default required privacy disclosures, you’ll need to inform customers of the following:
In the US, there is no single national law on returns/refunds for purchases made online; in most cases this is regulated state by state. Under several state laws, however, if no refund or return notice was made visible to consumers before purchase, consumers are automatically granted extended return/refund rights. In cases where the item purchased is defective, an implied warranty may apply in lieu of a written warranty. Written warranties should at least adhere to industry standards of fairness.
While e-commerce disclosure requirements remain largely enforceable on a state-by-state basis in the US, it is standard in many cases to include this information via the Terms and Conditions document; returns and refund disclosures, are often also included on dedicated site/ app content areas that are easily accessible from the product description page.
EU consumer law applies to contracts or other legal relationships between consumers (on one side) and professionals, businesses, companies on the other (B2C). It does not apply to B2B (e.g. a supermarket places an order with its fruit supplier) or C2C relationships (e.g. I sell my old bike over eBay).
Among other things, under EU consumer law, consumers have an unconditional right to withdraw (“cooling-off period”) of 14 days. This means that consumers may cancel or withdraw from a distance contract (sales occurring online, over the phone or by mail order) for any reason or no reason for 14 days after receiving the product (in cases involving goods).
It’s worth noting that 14 days is the statutory minimum; in specific countries, national rules may extend this period, or individual providers may extend it contractually.
This right to withdraw does not apply in all situations.
Some common exemptions are:
Consumers located in the EU are also protected by a default legal guarantee of 2 years on purchased products, at no additional cost. Here again, 2 years is the statutory minimum; in specific countries, national rules may extend this period, and it can also be extended contractually.
These rules usually apply to any company selling to EU residents but may vary for international sellers on a case-by-case basis. It is worth noting, however, that in recent cases US courts have chosen to uphold the applicable EU law.
So what’s the difference between returning a product on the grounds of withdrawal and returning it on the grounds of a guarantee?
| Withdrawal right | Legal guarantee |
|---|---|
| Applies for 14 days after receipt of the product or signing of the contract | Applies for 24 months after receiving the product |
| You don’t need any reason for exercising this right; you can simply change your mind | You may only return a product on guarantee grounds because it’s faulty or otherwise unsuitable for the purpose for which it was sold and purchased |
| You may have to bear the cost of returning the product (but this must be specified in advance) | You may not be required to bear any cost (it’s “the seller’s fault” if the product is faulty) |
| Applies with some exceptions (some of which are mentioned above) | Always applies to products, never to services |
EU law also mandatorily requires that sellers inform consumers of the European Online Dispute Resolution (ODR) platform via direct link. The ODR, or “online dispute resolution” is a process that allows consumers based in the EU to easily file complaints (in regards to online sales) against companies also established in the EU. This means that ODR requirements can also apply to US companies that have any kind of physical presence in the EU.
Generally, privately owned websites (or similarly private social network profiles, blogs etc.) that merely have a private and personal purpose are not subject to additional regulations, however, various EU and national acts require online commercial operators to disclose certain information.
In order to be deemed “commercial”, it is not necessary that you actually “sell” anything; a personal website may easily be considered commercial if, for instance, it generates considerable traffic and thereby creates relevant advertising revenue (e.g. influencers). If you do “sell” products or services, however, the information duties increase.
If you sell directly to consumers (B2C), you’ll face additional information duties including but not limited to those listed above, as well as linking to the EU online dispute resolution platform for consumers, listing precise delivery times, and making disclosures regarding prices and applicable taxes as outlined in the Consumer Rights Directive 2011/83/EU.
An e-mail address is considered personal data. Therefore, whenever dealing with e-mail addresses, privacy law is triggered. As we have mentioned already, under most legislations you’re required to inform extensively about the processing activities, their purposes and the rights of users.
Generally, such legislations apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list, as in such a case you may not know the recipient’s country of residence.
For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
Under the US CAN-SPAM Act (enforced by the FTC), you do not need consent before adding US-based users to your mailing list or sending them commercial messages; however, every message must provide a clear means of opting out of further contact, and opt-out requests must be honored within 10 business days.
Under EU law (the ePrivacy Directive, with consent as defined by the GDPR), it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process: informing the user, then obtaining verifiable consent via an affirmative action.
💡 You can read more about legal requirements regarding Newsletters and Email lists here.
Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13, or which have actual knowledge that they are collecting personal information from children under 13 must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information and must keep secure the information they collect from children.
Under the GDPR, consent is one of the lawful bases for processing children’s data. Where consent is relied on for an online service offered directly to a child, Article 8 requires verifiable consent from a parent or guardian for children under 16, with member states permitted to lower that threshold to no less than 13; parental consent is not required for preventive or counselling services offered directly to a child.
💡 You can learn more about legal requirements regarding children here.
The T&C document is essentially a legally binding agreement; therefore not only is it important to have one in place, but it’s also necessary to ensure that it meets legal requirements.
Generally, standard contract terms will apply and, under most laws, contracts used by traders must be fair. This means that the document must be up-to-date with all applicable regulations, precise, visible and easily understandable, so that users can both easily see it and agree to it.
The “agreeing action” should be done in an unambiguous way (e.g. clicking a checkbox with a visible link to the document before being able to create an account or use the service).
While the full content may vary based on the particulars of your business, the Terms and Conditions should at least include the following:
Third-party apps and services also need to follow the law. As organizations themselves, they too can be exposed to major reputational damage, fines, and sanctions if their legal obligations are not met. For this reason, it’s often mandatory that all partners and customers that use their services meet regulatory standards.
Another example is that of Amazon. Here’s an excerpt of what they had to say:
We extended the requirement to disclose our affiliate relationship to any means where you may be leveraging Associates’ content.
From time to time third party requirements can change in response to internal or regional regulations. It is, therefore, necessary to ensure that your policies meet the latest requirements in order to avoid potential penalties or interruption of service.
The legal ramifications of non-compliance include:
Non-compliance with CalOPPA or COPPA may lead to government officials bringing suit or seeking civil penalties against you. In one example, the owners of the Imbee website were fined US$130,000 for COPPA violations of allowing children under 13 to register without parental consent.
Similar fines can apply under other state and federal laws. Non-compliance with GDPR requirements can carry fines up to EUR 20 million (€20m) or 4% annual worldwide turnover (whichever is greater).
Disciplinary measures may be implemented against you if you are found to be in violation of regulations. These measures may include but are not limited to official reprimands (for first-time violations) and periodic data protection audits. The GDPR gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations.
So, for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to audit your data processing operations. If it’s found that some processing activity was done unlawfully, not only may a fine be imposed, but you may also be forbidden from making further use of the data that was the subject of the inquiry. This means that if the violation concerned email address collection, you risk being barred from using the entire associated email list.
Non-compliance with consumer or competition law (acts of unfair competition) may also entail fines by the competent (mostly national) authorities.
It is a general principle of civil law that you have to compensate any unjust damage you’ve caused to someone else, in particular by violating a legal provision. Among other acts, both the GDPR and CalOPPA grant individual users the right to claim compensation for damages resulting from a violation of their rights. The same reasoning applies to any other applicable act or law, such as the EU’s consumer protection provisions.
Remember that liability for damages applies in all relationships: also a business partner may be entitled to compensation if you violated a legal provision. For example, selling counterfeit goods via a partner platform like Amazon might result in the company taking legal action against you alongside the customers who purchased the counterfeit goods.
Here is an example from Amazon Web Services Partner Network’s Terms and Conditions in regards to consent:
For any Third-Party Data you provide to AWS, you represent and warrant that you have received all necessary consents for (a) you to share the Third Party Data with AWS and its Affiliates, and (b) AWS and its Affiliates to use the Third-Party Data to contact its subject(s) to market our goods and services and the Program.
Lastly, but perhaps most significantly, where certain conditions are met, it’s possible to face consequences via criminal law. If, for instance, you wilfully breach or ignore data protection provisions for commercial purposes (e.g. you sell peoples’ personal data without telling them) you may face severe consequences. However, criminal law is largely a national issue: conditions and consequences must be checked on a case-by-case basis.
We believe in the importance of a comprehensive approach to data law compliance, for this reason, we keep track of the major legislations and build solutions with the strictest regulations in mind — giving you full options to customize as needed.
This way, you can ensure that you meet your legal obligations (regardless of where your customers are located), reduce your risk of litigation and protect your customers, building trust and credibility.
Here’s what you need to get started with full compliance:
As mentioned above, users must be informed about how you use their personal data. As such, privacy policies are legally required almost everywhere in the world. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.
Because using cookies means both processing user data and installing files used for tracking, it is a major point of concern when it comes to user data privacy rights. For this reason, if you operate in the EU or could potentially have EU users, you need to comply with the Cookie Law.
There are 4 parts of this:
Our Cookie Solution complies with provisions of the ePrivacy Directive (Cookie Law). It allows you to easily inform users and obtain their consent while including the option to preemptively block any scripts that install cookies prior to user consent (which is required in many EU countries). It’s easy to run, fast and does not require heavy investments.
💡 For more information on our Cookie Solution click here.
Though not always legally required, terms & conditions are pragmatically required. They govern the contractual relationship between you and your users and set out, in a legally binding way, how your product, service or content may be used.
It is therefore vital that this contract be precise and up-to-date with all applicable regulations. It should include the general conditions for use of your service with special attention to “limitation of liability” clauses and disclaimers.
Our Terms & Conditions generator helps you to easily generate and manage Terms and Conditions that are professional, customizable from over 100 clauses, available in 8 languages, drafted by an international legal team and up to date with the main international legislations.
It is powerful, precise, and capable of handling even the most complex, individual scenarios and customization needs.
It comes with:
The solution is optimized for everything from e-commerce, blogs, and apps, to complex scenarios like marketplace and, SaaS.
Getting started is easy. Simply activate the Terms and Conditions (uses 1 Ultra license) within your dashboard and start generating.
In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected.
These records must show:
Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use, simply activate the Consent Solution and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.
Meeting GDPR requirements can be a technical challenge to implement in practical terms. This is especially true for internal privacy management. In order to be compliant, you must be able to keep track of and describe:
Our solution helps you to easily record and manage all the data processing activity within your organization so that you can easily comply with requirements and meet your legal obligations.
It allows you to create records of processing activity:
Please note: Even if your processing activities somehow fall outside of the situations mentioned previously in this guide, your information duties to users (Articles 13 & 14) make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone
Additionally, even though the GDPR is a common reason to put more effort into internal privacy management, our tool is not exclusively made for application under the GDPR. It can also be used for internal privacy management in general, even by companies who do not have any users/customers within the EU.
→ Have your questions answered live and learn more about both the Consent Solution and Internal Privacy Management Solution by attending one of our free English webinars.
Please note that from time to time, laws are amended and updated. It’s therefore important to ensure that your policies meet the latest requirements. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.