As the world becomes more dependent on digital products and services, data privacy has increasingly become a top priority for many countries and regions. As a result, many regions have put in place robust and enforceable data regulations with which businesses are expected to comply. In most cases, non-compliance with these regulations can not only lead to major financial consequences, but also to significant and lasting damage to public trust and the reputation of your organization. It is, therefore, important to ensure that your business meets its legal obligations.
General Legal Requirements
In general, users need to be informed of:
- Website/app owner details
- Your notification process for policy changes
- What data is being collected
- Third-party access to their data (who the third-parties are and what data they’re collecting)
- Their rights in regards to their data.
You may be further responsible for making additional disclosures to users, third-parties and the supervisory authority depending on your law of reference.
Consent here refers to the informed voluntary agreement of an individual to engage in a particular event or process.
Broadly speaking, users need to be able to decline, withdraw or give (depending on the regional law) consent. Consent may be acquired using any method that requires the user to take a direct and verifiable affirmative action; these can include checkboxes, text fields, toggle buttons, sending an email in confirmation, etc.
Determining your law of reference
Generally, the laws of a particular region apply if:
- You base your operations there; or
- You use processing services or servers based in the region; or
- Your service targets users from that region
This effectively means that regional regulations may apply to your business whether it’s located in the region or not. For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind. You can read more about which laws apply to you here.
In the US, there is no single comprehensive national body of data regulations; there are, however, various laws on a state level as well as industry guidelines and specific federal laws in place. Since online site/app activity is rarely limited to just one state, it’s always best to adhere to the strictest applicable regulations. With this in mind, the most robust data law framework is implemented by the state of California. The California Online Privacy Protection Act (CalOPPA), implemented in 2004, was the first state law to make privacy policies mandatory, and it applies to any person or company whose website/app processes the personal data of California residents.
In addition to the generally required disclosures above, CalOPPA also requires that you:
- Notify affected users in the event of security breaches that impact their data
In regards to consent, US law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.
Special Care Regarding Children
If your service is knowingly collecting, using, or disclosing personal information from children under 13, then special regulations apply to those data processing activities.
Children’s Online Privacy Protection Act (COPPA) is a US federal law implemented to better protect the personal data and rights of children under 13 years of age. Under this law, if you operate a website or online service which is directed to children under 13, or you have actual knowledge that you’re collecting personal information from children under 13, you must give notice to parents and get their verifiable consent before collecting, using, or disclosing the information, and must keep the information collected secure. “Verifiable” here means using a method of attaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (e.g. checking a form of government-issued ID against an applicable database).
What is meant by the “personal information” of children
“Personal information” within this context refers to the child’s:
- Name or ID information (e.g. social security number)
- Location info including physical address, geolocation data or IP address
- Any contact information including phone numbers and email addresses
- Device identifiers
- Media containing the child’s image or voice, including photos, videos or audio files
You can read more about US law here and more about COPPA here.
In the EU the General Data Protection Regulation (GDPR) was introduced in an effort to centralize data protection for people in the EU and becomes enforceable in May 2018. At its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general).
In general the GDPR requires that you:
Have a lawful basis. The GDPR requires that you have at least one lawful basis for processing user data. There are 6 lawful bases outlined under the GDPR.
Acquire verifiable consent. Under the GDPR, consent is one of several “lawful bases” for processing user data and as such, it must be “freely given, specific, informed and explicit”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms).
The GDPR also gives users a specific right to withdraw consent and, therefore, it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital that you document and keep clear records related to the consent.
Records of consent should at least contain the following information:
- The Identity of the user giving consent;
- When they consented;
- What disclosures were made (what they were told) at the time they consented;
- Methods used for obtaining consent (e.g., newsletter form, during checkout etc.);
- Whether they have withdrawn consent or not
Consent is not the ONLY reason that an organization can process user data; it is only one of the “Lawful Bases”, therefore companies can apply other lawful (within the scope of GDPR) bases for data processing activity. With that said, there will always be data processing activities where consent is the only or best option.
Inform users in regards to data processing and honor their rights. Under the GDPR users have mandated rights that must be honored. These include:
- The right to be informed: In addition to the generally required disclosures outlined above, the GDPR further requires that you ensure that your privacy notices are concise, easy to understand and easily accessible throughout your website/app.
- The right of access: Users have the right to access their personal data and information about how their personal data is being processed.
- The right to rectification: Users have the right to have their personal data rectified if it is inaccurate or incomplete.
- The right to object: Under the GDPR, users have the right to object to certain activities in relation to their personal data.
- The right to data portability: Users have the right to obtain (in a machine readable format) and use their personal data for their own purposes.
- The right to erasure: When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased and all dissemination ceased.
- The right to restrict processing: Users have the right to restrict the processing of their personal data in specific cases.
- Rights related to automated decision making and profiling: Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.
Meet specific requirements if transferring data outside of the EEA. The GDPR permits data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions.
Implement privacy by design and default. Under the GDPR, data protection should be included from the onset of design and development of the business processes and infrastructure.
Disclose security breaches. Under the GDPR, you are required to inform the supervisory authority of security breaches involving user data within 72 hours of becoming aware of it. In most cases you’re also required to inform affected users (with a few exceptions).
Appoint a DPO (where certain conditions are met). Under the GDPR you may be required to appoint a Data Protection Officer in several specific cases, including situations where large-scale, systematic processing of user data occurs and where special categories of data are being processed.
Maintain records of processing activities (where certain conditions are met). The GDPR may require that you keep and maintain up-to-date records of the particular data processing activities you’re carrying out in several specific cases. These cases include situations where the processing can result in a risk to the rights and freedoms of individuals and where special categories of data are being processed.
Carry out a DPIA (where certain conditions are met). In cases where the data processing activity is likely to result in a high risk to users, the GDPR requires that a Data Protection Impact Assessment (DPIA) be carried out.
You can read more about the GDPR here.
ePrivacy (Cookie Law)
Because using cookies means both processing user data and installing files that could be used for tracking, it is a major point of concern when it comes to user data privacy rights. The ePrivacy Directive (or Cookie Law) was implemented to address this concern.
The cookie banner must:
- Briefly explain the purpose of the installation of cookies that the site uses
- Be sufficiently conspicuous so as to make it noticeable
- Describe in detail the purpose of installation of cookies
Blocking cookies before consent:
In compliance with the general principles of privacy legislation, which prevent the processing before consent, the cookie law does not allow the installation of cookies before obtaining user consent. In practice, this means that you may have to employ a form of script blocking prior to user consent.
Consent to cookies can be provided by several actions. Subject to the local authority, these actions may include continued browsing, clicking on links or scrolling the page.
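As an added example (not iubenda's code and not part of the original article), the following JavaScript shows how the consent-record fields listed in the GDPR section above and the script blocking described here fit together: cookie-setting scripts are registered rather than loaded, a record with identity, time, disclosures, method and withdrawal status is written on an explicit opt-in, and withdrawal is a single call. The `loader` callback, the gate API and the sample URLs are assumptions.

```javascript
// Added example, not iubenda's code: a minimal per-visitor consent gate that
// keeps the consent-record fields described above and releases cookie-setting
// scripts only after an explicit opt-in. `loader` and all names are assumed.
function createConsentGate(loader, now = () => new Date().toISOString()) {
  const pending = [];        // scripts held back until their purpose is allowed
  const allowed = new Set(); // purposes the visitor currently consents to
  const records = [];        // append-only consent log

  function release(entry) {
    if (!entry.loaded) {
      entry.loaded = true;
      loader(entry.src);     // in a browser: create and append a <script>
    }
  }

  // Register instead of loading: nothing runs before consent for its purpose.
  function register(purpose, src) {
    const entry = { purpose, src, loaded: false };
    pending.push(entry);
    if (allowed.has(purpose)) release(entry);
  }

  // Record an affirmative action. A pre-ticked default is refused because the
  // GDPR demands an unambiguous opt-in; an empty purpose list is refused
  // because consent must be specific.
  function giveConsent({ userId, purposes, disclosures, method, preTicked = false }) {
    if (preTicked) throw new Error('a pre-ticked box is not valid consent');
    if (!Array.isArray(purposes) || purposes.length === 0) {
      throw new Error('consent must name at least one purpose');
    }
    const record = {
      userId,                 // identity of the user giving consent
      consentedAt: now(),     // when they consented
      disclosures,            // what they were told (e.g. policy version shown)
      method,                 // how consent was obtained (banner, checkout form...)
      purposes: [...purposes],
      withdrawn: false,       // updated by withdrawConsent
    };
    records.push(record);
    for (const p of purposes) {
      allowed.add(p);
      pending.filter((e) => e.purpose === p).forEach(release);
    }
    return record;
  }

  // Withdrawal must be as easy as giving consent: one call closes every open
  // record for the user and stops further activation. Scripts already running
  // and cookies already set still have to be cleaned up by the site itself.
  function withdrawConsent(userId) {
    const open = records.filter((r) => r.userId === userId && !r.withdrawn);
    for (const r of open) {
      r.withdrawn = true;
      r.withdrawnAt = now();
      for (const p of r.purposes) allowed.delete(p);
    }
    return open.length > 0;
  }

  return {
    register,
    giveConsent,
    withdrawConsent,
    isAllowed: (purpose) => allowed.has(purpose),
    getRecords: (userId) => records.filter((r) => r.userId === userId),
  };
}
```

The gate models the explicit opt-in the article recommends for the strictest reading of the law; implied-consent actions such as scrolling would have to be mapped onto `giveConsent` deliberately and with their own `method` value.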
Exemptions to the consent requirement:
In future, the ePrivacy Directive will be replaced by the ePrivacy Regulation and as such, will work alongside the GDPR. The upcoming regulation is expected to still uphold the same values as the directive.
You can read more about The Cookie Law here.
Situational Legal Requirements
In addition to the disclosures and requirements outlined above (and subject to your law of reference), if operating an e-commerce website or app, you’re further subject to the applicable consumer rights laws and applicable industry rules.
Under most countries’ laws, when selling to consumers, you need to inform customers of the following:
- Returns/Refund details
- Warranty/Guarantee information (where applicable)
- Safety information, including instructions for proper use (where applicable)
- Terms of delivery of product/service
- Seller contact details (e.g. email address)
In the US, there is no single national law governing returns/refunds for purchases made online; in most cases this is implemented on a state-by-state basis. Under several state laws, however, if no refund or return notice was made visible to consumers before purchase, consumers are automatically granted extended return/refund rights. In cases where the item purchased is defective, an implied warranty may apply in lieu of a written warranty. Written warranties should at least adhere to industry standards of fairness.
While e-commerce disclosure requirements remain largely enforceable on a state-by-state basis in the US, it is standard in many cases to include this information in the Terms and Conditions document; returns and refund disclosures are often also included in dedicated site/app content areas that are easily accessible from the product description page.
Under EU law, sellers must replace, repair, refund or reduce the price of purchases made on defective items.
Consumers also have an unconditional “right to withdraw” (“cooling off period”) for up to 14 days. This means that consumers may cancel or withdraw from a distance contract (sales occurring online, over the phone, by mail order, or from a door-to-door salesperson) for any reason for up to 14 days after receiving the product (in cases involving goods) or after signing and paying (in cases involving services).
It’s worth noting that 14 days is the minimum; in specific countries, national rules may extend this period.
This right to withdraw does not apply in all situations. Some exemptions are:
- Event and travel tickets & car rental reservations
- Sealed media items such as CDs which have been unsealed by the recipient
- Digital content that has already been downloaded by the consumer
- Made-to-order or distinctly personalized items (e.g. a personalized crafted jewelry box)
- Goods bought from a private individual rather than a company
- Services where contract conclusion coincides with service completion (e.g. hiring a mechanic to do an urgent onsite repair)
Consumers located in the EU are also protected by a default legal 2-year guarantee on items purchased, at no additional cost to the consumer. This guarantee applies. It’s worth noting that the 2-year guarantee is the minimum; in specific countries, national rules may extend this period. These rules usually apply to any company selling to EU residents but may vary for international sellers on a case-by-case basis. It is worth noting, however, that in recent cases US courts have chosen to uphold the applicable EU law.
EU law also mandatorily requires that sellers inform consumers of the European Online Dispute Resolution (ODR) platform via direct link. The ODR, or “online dispute resolution” is a process that allows consumers based in the EU to easily file complaints (in regards to online sales) against companies also established in the EU. This means that ODR requirements can also apply to US companies that have any kind of physical presence in the EU.
E-commerce disclosure requirements in the EU may fall under one or a combination of national laws, standard contract requirements and EU directives. In regards to the latter, online merchants are required to disclose:
- The technical steps involved in placing an order, in a “clear, comprehensible and unambiguous manner”
- The terms and conditions under which the sale process is concluded
While these rules typically do not apply to sales between private individuals, it is strongly advised that you read the relevant regional consumer rights laws.
Emails and Newsletters
Most laws require that you inform users about your data processing activities (typically done via a privacy notice) and – depending on the region – that you obtain user consent and/or provide an easy way for them to withdraw consent.
Generally, these laws apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list as in such a case, you may not know the recipient’s country of residence. For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
Under the FTC’s CAN-SPAM Act, you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages, however, it is mandatory that you provide users with a clear means of opting out of further contact.
As newsletter sign-up forms are data collection tools, under EU law (namely the GDPR) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process that includes informing the user and obtaining verifiable consent via an affirmative action.
You can read more about legal requirements regarding Newsletters and Email lists here.
Under EU GDPR regulations, consent is one of the Lawful Bases for processing the data of children. If using this basis for processing the data of children under 13, you must get verifiable consent from a parent or guardian unless the service you offer is a preventative or counseling service.
Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13, or which have actual knowledge that they are collecting personal information from children under 13 must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information and must keep secure the information they collect from children.
You can learn more about legal requirements regarding children here.
Other Legal Considerations
Setting Terms and protecting your business
The T&C document is essentially a legally binding agreement; therefore not only is it important to have one in place, but it’s also necessary to ensure that it meets legal requirements. Generally, standard contract terms will apply and, under most laws, contracts used by traders must be fair. This means that the document must be up-to-date with all applicable regulations, precise, visible and easily understandable so that users can both easily see it and agree to it. The “agreeing action” should be done in an unambiguous way (e.g. clicking a checkbox with a visible link to the document before being able to create an account or use the service).
While the full content may vary based on the particulars of your business, the Terms and Conditions should at least include the following:
- Identification of the business.
- Description of the service that your site/app provides.
- Information on risk allocation, liability, and disclaimers.
- Warranty/Guarantee information (where applicable)
- Safety information, including instructions for proper use (where applicable)
- Terms of delivery of product/service
- Rights of use (if applicable)
- Conditions of use/purchase (e.g. age requirements, location-based restrictions)
- Refund policy/ exchange/ termination of service and related info
- Info related to methods of payment
- Any additional applicable terms
You can learn more about Terms and Conditions here.
Another example is that of Amazon. Here’s an excerpt of what they had to say:
We extended the requirement to disclose our affiliate relationship to any means where you may be leveraging Associates’ content.
From time to time third party requirements can change in response to internal or regional regulations. It is, therefore, necessary to ensure that your policies meet the latest requirements in order to avoid potential penalties or interruption of service.
You can read more about Google’s requirements here, and Amazon’s here.
Consequences of non-compliance
The legal ramifications of non-compliance include:
Non-compliance with CalOPPA or COPPA may lead to government officials bringing suit or seeking civil penalties against you. In one example, the owners of the Imbee website were fined US$130,000 for COPPA violations of allowing children under 13 to register without parental consent. Similar fines can apply under other state and federal laws.
Non-compliance with GDPR requirements can carry fines up to EUR 20 million (€20m) or 4% annual worldwide turnover (whichever is greater).
Sanctions & Audits
Potential sanctions may be implemented against organizations found to be in violation of regulations. These sanctions include official reprimands (for first-time violations) and periodic data protection audits. The GDPR gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations. So, for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of your data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but you may be forbidden from making further use of the data that was the subject of the inquiry. This means that if the violation concerned email address collection, you risk being barred from using the entire associated email list.
Both the GDPR and CalOPPA give individual users the right to compensation for any damages resulting from an organization’s non-compliance with regulations. This means that violating regulations can leave you open to potential litigation.
Loss of Services
Here is an example from Amazon Web Services Partner Network’s Terms and Conditions in regard to consent:
For any Third-Party Data you provide to AWS, you represent and warrant that you have received all necessary consents for (a) you to share the Third Party Data with AWS and its Affiliates, and (b) AWS and its Affiliates to use the Third-Party Data to contact its subject(s) to market our goods and services and the Program.
How iubenda can help you with compliance
Here at iubenda, we believe in the importance of a comprehensive approach to data law compliance. We keep track of the major legislations and build solutions with the strictest regulations in mind— giving you full options to customize as needed. This way, you can ensure that you meet your legal obligations (regardless of where your customers are located), reduce your risk of litigation and protect your customers, building trust and credibility. Read more about our features.
Here’s what you need to get started with full compliance:
As mentioned above, users must be informed about how you use their personal data. As such, privacy policies are legally required almost everywhere in the world. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.
Complying with the EU Cookie Law
Because using cookies means both processing user data and installing files used for tracking, it is a major point of concern when it comes to user data privacy rights. For this reason, if you operate in the EU or could potentially have EU users, you need to comply with the Cookie Law. There are four parts of this:
- Cookie banner which you can get with the iubenda Cookie solution.
- Facilitating consent — giving the user the information and option to give, refuse or withdraw consent.
- Preemptively blocking cookie-installing scripts prior to obtaining user consent.
Our Cookie solution complies with provisions of the ePrivacy Directive (Cookie Law). It allows you to easily inform users and obtain their consent while including the option to preemptively block any scripts that install cookies prior to user consent (which is required in many EU countries). It’s easy to run, fast and does not require heavy investments.
For more information on our cookie solution click here.
Protecting you or your business with proper Terms and Conditions
Please note that from time to time, laws are amended and updated. It’s therefore important to ensure that your policies meet the latest requirements. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.
Still have questions? Shoot us a message or attend one of our free webinars here.