Iubenda logo
Start generating


Table of Contents

Legal Requirements Overview

As the world becomes more dependent on digital products and services, data privacy has increasingly become a top priority for many countries and regions. As a result, many regions have put in place robust and enforceable data regulations by which businesses are expected to comply.

In most cases, non-compliance with these regulations can not only lead to major financial consequences, but it can also lead to significant and lasting damage to public trust and the reputation of your organization. It is, therefore, important to ensure that your business meets its legal obligations.

General Legal Requirements

Major Components

Under the vast majority of legislations, if you’re processing personal data you’re generally required to make disclosures related to your data processing activities via a comprehensive privacy policy, ensure that there are effective security measures in place for protecting personal data and implement methods for receiving user consent or facilitating its withdrawal.

This privacy information must be up-to-date, understandable, unambiguous, and easily accessible throughout the website or app. Some component requirements may vary based on the type of processing activity, region, user age or business type. It is, therefore, worth noting that in addition to the general points outlined here, you may have further responsibilities depending on your law of reference. You can read more situation specific information in the sections below.


In general, users need to be informed of:

  • Website/app owner details
  • The effective date of your privacy policy
  • Your notification process for policy changes
  • What data is being collected
  • Third-party access to their data (who the third-parties are and what data they’re collecting)
  • Their rights in regards to their data.

You may be further responsible for making additional disclosures to users, third-parties and the supervisory authority depending on your law of reference.
One such law is the California Consumer Privacy Act (CCPA). Under the CCPA, users need to be informed, in particular, of the possibility of their data being sold ( you can think “sold” here as “shared with third parties for any profit, monetary or otherwise”). The disclosure needs to be visible from the homepage of the site and must include an opt-out (DNSMPI) link. You can read more about CCPA compliance here.


Consent here refers to the informed voluntary agreement of an individual to engage in a particular event or process.

Broadly speaking, users need to be able to decline, withdraw or give (depending on the regional law) consent. Consent may be acquired using any method that would require the user to take a direct and verifiable affirmative action; these can include checkboxes, text fields, toggle buttons, sending an email in confirmation etc.

Determining your law of reference

Generally, the laws of a particular region apply if:

  • You base your operations there; or
  • You use processing services or servers based in the region; or
  • Your service targets users from that region

This effectively means that regional regulations may apply to you and/or your business whether you’re located in the region or not. For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind. You can read more about which laws apply to you here.

Region-Specific Requirements – US law

In the US, there is no single comprehensive national body of data regulations; there are, however, various laws on a state level as well as industry guidelines and specific federal laws in place. Since online site/app activity is rarely limited to just one state, it’s always best to adhere to the strictest applicable regulations. With this in mind, the most robust data law framework is implemented by the state of California. The California Online Privacy Protection Act (CalOPPA), implemented in 2004, was the first state law to make privacy policies mandatory and it applies to person or company whose website/app processes the personal data of California residents.

In addition to the generally required disclosures above, CalOPPA also requires that you:

  • Conspicuously post your privacy policy on the homepage of your website/ app
  • Include in your privacy policy a description of the process by which users can request changes to personal data (if such a process exists)
  • Include in your privacy policy a statement on how “Do Not Track” requests are handled
  • Notify affected users in the occurrence of security breaches that impact their data

In regards to consent, US law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.

Special Care Regarding Children

If your service is knowingly collecting, using, or disclosing personal information from children under 13, then special regulations apply to those data processing activities.

Children’s Online Privacy Protection Act (COPPA) is a US federal law implemented to better protect the personal data and rights of children under 13 years of age.

Under this law, if you operate a website or online service which is directed to children under 13, or you have actual knowledge that you’re collecting personal information from children under 13, you must give notice to parents and get their verifiable consent before collecting, using, or disclosing the information, and must keep the information collected secure.

“Verifiable” here means using a method of attaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (e.g. checking a form of government-issued ID against an applicable database).

What is meant by the “personal information” of children

“Personal information” within this context refers to the child’s:

  • Name or ID information (eg. social security number)
  • Location info including physical address, geolocation data or IP address
  • Any contact information including phone numbers and email addresses
  • Device identifiers
  • Media containing the child’s image or voice, including photos, videos or audio files

💡 Learn more about legal requirements regarding children and COPPA.

Region-Specific Requirements – EU law


In the EU the General Data Protection Regulation (GDPR) was introduced in an effort to centralize data protection for people in the EU and became fully enforceable in May 2018. At its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general).

Where it applies

The GDPR can apply where:

  • An entity’s base of operations is in the EU (this applies whether the processing takes place in the EU or not);
  • An entity not established in the EU offers goods or services (even if the offer is for free) to people in the EU. The entity can be government agencies, private/public companies, individuals and non-profits;
  • An entity is not established in the EU but it monitors the behaviour of people who are in the EU, provided that such behaviour takes place in the EU.

This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not.

Note: The protections of the GDPR also extend to users outside the EU if the data controller is EU based. Therefore, if you are an EU-based data controller you must, by default, apply GDPR standards to ALL your users.

Where it does not apply

The conditions of applicability of the GDPR are set from a material and a territorial point of view. To determine, whether or not a specific processing activity is exempt from its applicability, we have to consider both aspects.

Material point of view

The GDPR applies to the processing of personal data. Therefore, it does not apply to company data, such as a company name and address. Be careful here, however, because normally “natural persons” work in a company, any data referring to them would, therefore, be deemed “personal”, regardless of whether they are processed in a Business to Customer (B2C) or Business to Business (B2B) context.

Furthermore, personal data may not fall under the scope of the GDPR in several other scenarios including where they are processed by a natural person for a purely personal or household activity. You can read more about this in the dedicated guide here.

Territorial point of view

In addition to and notwithstanding the above, we’ve already mentioned under which conditions the GDPR applies. Consequently, for a processing activity not to be subjected to the GDPR from a territorial point of view, the following must apply cumulatively:

  • the controller (or processor) is not based within the EU. Note: Always remember that the controller (or processor) could also be an EU-branch office of a non-EU corporation: in that case, even if the branch office were to have no legal personality, the GDPR would fully apply;
  • the processing does not relate to the offering of goods or services (even for free) to data subjects in the Union or the monitoring of their behavior as far as it takes place within the Union;
  • the controller is not based in an extra-EU place, where EU law applies due to international public law.

See examples in the dedicated guide here.

Ask our experts live

View live demos and have your questions answered in real time by attending one of our free English webinars. They are all practical and designed to really help you with understanding and achieving compliance for your websites or apps.

Attend our free webinars

GDPR Requirements

In general, the GDPR requires that you:

Have a lawful basis. The GDPR requires that you have at least one lawful basis for processing user data. There are 6 lawful bases outlined under the GDPR.

Acquire verifiable consent. Under the GDPR, consent is one of several legal/ lawful bases for processing user data and as such, it must be “freely given, specific, informed and explicit”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms).

The GDPR also gives users a specific right to withdraw consent and, therefore, it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital that you document and keep clear records related to the consent.

Records of consent should at least contain the following information:

  • The identity of the user giving consent;
  • When they consented;
  • What disclosures were made (what they were told) at the time they consented;
  • Methods used for obtaining consent (e.g., newsletter form, during checkout etc.);
  • Whether they have withdrawn consent or not

Consent is not the ONLY reason that an organization can process user data; it is only one of the “legal bases”, therefore companies can apply other lawful (within the scope of GDPR) bases for data processing activity. With that said, there will always be data processing activities where consent is the only or best option.

Many Data Protection Authorities across the EU have strengthened their requirements and aligned their rules on cookies and trackers with the requirements of the GDPR. More specifically, it’s required that you record and store proofs of your users’ preferences.

The Cookie and Consent Preference Log is now available in our Privacy Controls and Cookie Solution. Click here for more info on how to activate the Cookie and Consent Preference Log within your Privacy Controls and Cookie Solution.

Data Subjects’ rights

Under the GDPR users have statutory rights in regards to their data. Not only must you as the controller honor those rights, but you must also inform users about them. Such rights include:

  • The right to be informed
    In addition to the generally required disclosures outlined above, the GDPR further requires that you ensure that your privacy notices are concise, easy-to-understand and easily accessible throughout your website/app.
  • The right of access
    Users have the right to access to their personal data and information about how their personal data is being processed.
  • The right to rectification
    Users have the right to have their personal data rectified if it is inaccurate or incomplete.
  • The right to object
    Under the GDPR, users have the right to object to certain activities in relation to their personal data.
  • The right to data portability
    Under certain conditions, users have the right to obtain (in a machine-readable format) and use their personal data for their own purposes.
  • The right to erasure
    When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased and all dissemination ceased.
  • The right to restrict processing
    Users have the right to restrict the processing of their personal data in specific cases.
  • Rights related to automated decision making and profiling
    Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.

Meet specific requirements if transferring data outside of the EEA. The GDPR permits data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions.

Implement privacy by design and default. Under the GDPR, data protection should be included from the onset of design and development of the business processes and infrastructure.

Disclose security breaches. Under the GDPR, you are required to inform the supervisory authority of security breaches involving user data within 72 hours of becoming aware of it. In many cases you’re also required to inform affected users.

Appoint a DPO (where certain conditions are met). Under certain conditions, you may be required to appoint a Data Protection Officer, who will have the task to oversee all processing activities and monitor compliance with applicable law. Cases for mandatory appointment include situations where large-scale, systematic processing of user data occurs and where special categories of data (i.e. sensitive data) are being processed.

Maintain records of processing activities. As stipulated in Article 30, the GDPR requires that you keep and maintain “full and extensive” up-to-date records of the particular data processing activities. Full and extensive records of processing are expressly required in cases where your data processing activities are not occasional, where they could result in a risk to the rights and freedoms of others, where they involve the handling of “special categories of data” or where your organization has more than 250 employees — this effectively covers almost all data controllers and processors. However, even if your processing activities somehow fall outside of these situations, your information duties to users make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone. Read more about how to maintain compliant records for controllers and processors in our GDPR guide.

Carry out a DPIA (where certain conditions are met). In cases where the data processing activity is likely to result in a high risk to users, the GDPR requires that a Data Protection Impact Assessment (DPIA) be carried out.

Because using cookies means both processing user data and installing files that could be used for tracking, it is a major point of concern when it comes to user data privacy rights. The ePrivacy Directive (or Cookie Law) was implemented to address this concern.

Under the Cookie law, organizations that target users from the EU must inform users about data collection activities and give them the option to choose whether it’s allowed or not. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must first obtain valid consent prior to the installation of those cookies, except where those cookies fall into the category of exempt cookies.

💡 To learn more about which EU cookie consent rules apply on a per-country basis, check out our Cookie Consent Cheatsheet here.

Cookie banner

So in practice, you’ll need to show a banner at the user’s first visit, implement a cookie policy that contains all required information, and provide or inform users of the means by which they can refuse (or withdraw consent to) the processing. Prior to informed and explicit consent, no cookies – except for exempt cookies – can be installed.

The banner must:

  • briefly explain the purpose of the installation of cookies that the site uses;
  • be sufficiently conspicuous so as to make it noticeable;
  • link to (a cookie policy) or make available details of cookie purpose, usage and related third-party activity;
  • clearly state which actions will indicate consent.

Cookie policy

The Cookie Policy must:

  • describe in detail the purpose of installation of cookies;
  • indicate all the third parties who install or that could install cookies, with a link to the respective privacy policy, the cookie policy, and any consent forms;
  • inform the user of how they can exercise their right to refuse/withdraw consent.

Blocking cookies before consent

In compliance with the general principles of privacy legislation, which prevent processing before consent, the cookie law does not allow the installation of cookies before obtaining user consent. In practice, this means that you may have to employ a form of script blocking prior to user consent.

Consent to cookies can be provided by several actions

Subject to the local authority, these actions may include continued browsing, clicking on links or scrolling the page. In many cases, clicking on “ok”, closing the banner or continued navigation of a cookie-installing website can be considered active consent to the placing of cookies — provided that users had been previously and clearly informed about this consequence.

Exemptions to the consent requirement

Some cookies are exempt from the consent requirement and therefore are not subject to preventive blocking (though you’re still required to inform users about your use of cookies – see caution box below). The exemptions are as follows:

  • Technical cookies strictly necessary for the provision of the service. These include preference cookies, session cookies, load balancing, etc.
  • Statistical cookies managed directly by you (not third-parties), providing that the data is not used for profiling *
  • Anonymized statistical third-party cookies (e.g. Google Analytics) *

*This exemption may not be applicable for all regions and is therefore subject to specific local regulations.


The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user.
A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.

Other examples of these technical cookies would be user-centric session-based cookies used to detect authentication abuses, load-balancing session cookies, and Multimedia player session cookies related to and necessary for the provision of services requested by the user.

So does this mean that I don’t need to have a Cookie Banner in such cases?

Firstly, it’s critical to note that even where this exception to the consent requirement applies, you’ll still need to inform the user of your use of cookies via a cookie policy.The banner is not necessarily required in this specific instance if the cookie policy is easily accessible and visible from every page of the site.

In future, the ePrivacy Directive will be replaced by the ePrivacy Regulation and as such, will work alongside the GDPR. The upcoming regulation is expected to still uphold the same values as the directive.

Situational Legal Requirements


These requirements are typically addressed via a valid, up-to-date terms and conditions document (also called ToS – terms of service, terms of use, or EULA – end user license agreement).

In addition to the disclosures and requirements outlined above (and subject to your law of reference), if operating an e-commerce website or app, you’re further subject to the applicable commercial laws and industry rules.

Regarding B2B commerce

Generally, those involved in B2B commercial transactions will be subject to whichever contract, industry and national guidelines are applicable. However, participating in B2B commerce often requires that personal data be processed (be it that of employees or otherwise), in such cases, and where the processing falls within its scope, the GDPR applies and takes precedence.

Regarding B2C commerce

Under most countries’ consumer laws, when selling to consumers, in addition to the default required privacy disclosures, you’ll need to inform customers of the following:

  • Returns/Refund details;
  • Warranty/ Guarantee information (where applicable);
  • Safety information, including instructions for proper use (where applicable);
  • Terms of delivery of product/ service;
  • Identifying information such as a legal address and business name;
  • Rights of consumers (such as withdrawal rights), where applicable;
  • Seller contact details (e.g. email address).

US law

In the US, there is no one national law in regards to returns/refunds for purchases made online as in most cases, this is implemented on a state-by-state basis, however, under several state-laws, if no refund or return notice was made visible to consumers before purchase, consumers are automatically granted extended return/refund rights. In cases where the item purchased is defective, an implied warranty may apply in lieu of a written warranty. Written warranties should at least adhere to industry standards of fairness.

While e-commerce disclosure requirements remain largely enforceable on a state-by-state basis in the US, it is standard in many cases to include this information via the Terms and Conditions document; returns and refund disclosures, are often also included on dedicated site/ app content areas that are easily accessible from the product description page.

EU law

EU consumer law applies to contracts or other legal relationships between consumers (on one side) and professionals, businesses, companies on the other (B2C). It does not apply to B2B (e.g. a supermarket places an order with its fruit supplier) or C2C relationships (e.g. I sell my old bike over eBay).

Among other things, under EU consumer law, consumers have an unconditional right to withdraw (“cooling off period”) of 14 days. This means that consumers may cancel or withdraw from distance contract (sales occurring online, over the phone, mail order) for any or no reason for 14 days after receiving the product (in the cases involving goods).

It’s worth noting that 14 days is the statutory minimum; in specific countries, national rules may extend this period, or single providers may extend is contractually.

This right to withdraw does not apply in all situations.

Some common exemptions are:

  • Event and travel tickets & car rental reservations, but more in general any contract related to leisure activities, if the it provides for a specific date or period of performance;
  • Sealed media items such as CDs which have been unsealed by the recipient;
  • Digital content as soon as it’s downloaded by the consumer;
  • Made to order or distinctly personalized items (eg. a tailored dress);
  • Under some additional conditions, any contract about the delivery of a service, etc.

Consumers located in the EU are also protected by a default legal 2 year guarantee on products purchased at no additional cost. Here again: 2-years is the statutory minimum; in specific countries, national rules may extend this period, and it can be extended also contractually.

These rules usually apply to any company selling to EU residents but may vary for international sellers on a case-by-case basis. It is worth noting, however, that in recent cases US courts have chosen to uphold the applicable EU law.

So what’s the difference between returning a product on the grounds of withdrawal and returning it on the grounds of a guarantee?

Withdrawal rightLegal guarantee
Applies for 14 days after receipt of the product or signing of the contractApplies for 24 months after receiving the product
You don’t need to have any reason for exercising this right — you can simply change your mindYou may only return a product on guarantee grounds because it’s faulty or otherwise unsuitable for the purposes it has been sold and purchased for
You may have to bear the costs of returning the product (but it must be specified)You may not be required to bear any cost (it’s “the seller’s fault” if the product is faulty)
Applies with some exceptions (some of which are mentioned above)Always applies to products, never applies to services

EU law also mandatorily requires that sellers inform consumers of the European Online Dispute Resolution (ODR) platform via direct link. The ODR, or “online dispute resolution” is a process that allows consumers based in the EU to easily file complaints (in regards to online sales) against companies also established in the EU. This means that ODR requirements can also apply to US companies that have any kind of physical presence in the EU.

Note: UK businesses and UK consumers can no longer access the ODR platform after Brexit.

Generally, privately owned websites (or similarly private social network profiles, blogs etc.) that merely have a private and personal purpose are not subject to additional regulations, however, various EU and national acts require online commercial operators to disclose certain information.

In order to be deemed “commercial”, it is not necessary that you actually “sell” anything — a personal website may easily be considered commercial if, for instance, it generates considerable traffic an thereby creates relevant advertising revenue (e.g influencers) — however, if you do “sell” products or services, the information duties increase.

If you sell directly to consumers (B2C), you’ll face additional information duties including but not limited to those listed above, as well as linking to the EU online resolution platform for consumers, listing precise delivery times, making disclosures regarding prices and applicable taxes as outlined in Directive 83/2011/EU.

Emails and Newsletters

An e-mail address is considered personal data. Therefore, whenever dealing with e-mail addresses, privacy law is triggered. As we have mentioned already, under most legislations you’re required to inform extensively about the processing activities, their purposes and the rights of users.

Generally, such legislations apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list, as in such a case you may not know the recipient’s country of residence.

For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.

US law

Under the FTC’s CAN-SPAM Act, you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages, however, it is mandatory that you provide users with a clear means of opting out of further contact.

EU law

Under EU law (namely the GDPR) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process that includes informing the user and obtaining verifiable consent via an affirmative action.

💡 You can read more about legal requirements regarding Newsletters and Email lists here.


US law

Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13, or which have actual knowledge that they are collecting personal information from children under 13 must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information and must keep secure the information they collect from children.

A central requirement of this Act is having a COPPA-compliant privacy policy in place. You can read more about compliance in the sections below and learn more about COPPA here.

EU law

Under EU GDPR regulations, consent is one of the lawful bases for processing the data of children. If using this basis for processing the data of children under 13, you must get verifiable consent from a parent or guardian unless the service you offer is a preventative or counseling service.

? You can learn more about legal requirements regarding children here.

Other Legal Considerations

Setting Terms and protecting your business

Though not always legally required, a Terms & Conditions (T&C) document (also known as a Terms of Service, End-user license agreement or a Terms of Use agreement) is often necessary for the sake of practicality and safety. It allows you to regulate the contractual relationship between you and your users and is therefore essential for, among other things, setting the terms of use and protecting you from potential liabilities.

The T&C document is essentially a legally binding agreement; therefore not only is it important to have one in place, but it’s also necessary to ensure that it meets legal requirements.

Generally, standard contract terms will apply and under the most laws, contracts used by traders must be fair. This means that the document must be up-to-date with all applicable regulations, precise, visible and easily understandable so that users can both easily see it and agree to it.

The “agreeing action” should be done in an unambiguous way (e.g. clicking a checkbox with a visible link to the document before being able to create an account or use the service).

While the full content may vary based on the particulars of your business, the Terms and Conditions should at least include the following:

  • Identification of the business
  • Description the service that your site/app provides
  • Information on risk allocation, liability, and disclaimers
  • Warranty/Guarantee information (where applicable)
  • The existence of a withdrawal right (if applicable)
  • Safety information, including instructions for proper use (where applicable)
  • Terms of delivery of product/service
  • Rights of use (if applicable)
  • Conditions of use/ purchase (eg. age requirements, location-based restrictions)
  • Refund policy/exchange/termination of service and related info
  • Info related to methods of payment
  • Any additional applicable terms

? You can learn more about Terms and Conditions here and how to create them.

Third-party Requirements

Third-party apps and services also need to follow the law. As organizations themselves, they too can be exposed to major reputational damage, fines, and sanctions if their legal obligations are not met. For this reason, it’s often mandatory that all partners and customers that use their services meet regulatory standards.

Generally, they require that organizations that use their services have in place a compliant privacy policy (and cooky policy if cookies are in use) that discloses relevant details about the relationship and services rendered.

Third-party apps and services also need to follow the law. For this reason, it’s often mandatory that all partners and customers that use their services meet regulatory standards

One example is Google. In order to access certain services and tools (for example, AdSense, Google Analytics, Google Play store), Google requires that you have a comprehensive and up-to-date privacy policy in place. Here’s an excerpt from the Google Analytics terms of use:

“You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect traffic data”, and “You must not circumvent any privacy features (e.g, an opt-out) that are part of the Service.”

Another example is that of Amazon. Here’s an excerpt of what they had to say:

We extended the requirement to disclose our affiliate relationship to any means where you may be leveraging Associates’ content.

From time to time third party requirements can change in response to internal or regional regulations. It is, therefore, necessary to ensure that your policies meet the latest requirements in order to avoid potential penalties or interruption of service.

? You can read more about Google‘s requirements here, and Amazon‘s here.

Consequences of non-compliance

The legal ramifications of non-compliance include:


Non-compliance with CalOPPA or COPPA may lead to government officials bringing suit or seeking civil penalties against you. In one example, the owners of the Imbee website were fined US$130,000 for COPPA violations of allowing children under 13 to register without parental consent.

Similar fines can apply under other state and federal laws. Non-compliance with GDPR requirements can carry fines up to EUR 20 million (€20m) or 4% annual worldwide turnover (whichever is greater).

Disciplinary measures

Disciplinary measures may be implemented against you if you are found to be in violation of regulations. These measures may include but are not limited to official reprimands (for first-time violations) and periodic data protection audits. The GDPR gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations.

So for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of your data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but you may be forbidden from making further use of the data subject of the inquiry. This means that if the violation use was in regards to email address collection, you risk being barred from using the entire associated email list.

Non-compliance with consumer or competition law (acts of unfair competition) may also entail fines by the competent (mostly national) authorities.

Liability damages

It is a general principle of civil law, that you have to compensate any unjust damage you’ve caused to someone else, in particular by violating a legal prescription. Among other acts, both the GDPR and the CalOPPA grant individual users the right to claim compensation for any damages resulting from a violation of their rights. The same reasoning would apply to any other applicable act or law, such as the EU’s consumer protection provisions.

Remember that liability for damages applies in all relationships: also a business partner may be entitled to compensation if you violated a legal provision. For example, selling counterfeit goods via a partner platform like Amazon might result in the company taking legal action against you alongside the customers who purchased the counterfeit goods.

Loss of services and contractual penalties

Some third-party services (including marketplaces and app stores) may make compliance with specific regulations a part of their terms of use; violation of their terms may lead to service termination or potentially, permanent bans.

Here is an example from Amazon Web Services Partner Network’s Terms and Conditions in regards to consent:

For any Third-Party Data you provide to AWS, you represent and warrant that you have received all necessary consents for (a) you to share the Third Party Data with AWS and its Affiliates, and (b) AWS and its Affiliates to use the Third-Party Data to contact its subject(s) to market our goods and services and the Program.

Criminal law

Lastly, but perhaps most significantly, where certain conditions are met, it’s possible to face consequences via criminal law. If, for instance, you wilfully breach or ignore data protection provisions for commercial purposes (e.g. you sell peoples’ personal data without telling them) you may face severe consequences. However, criminal law is largely a national issue: conditions and consequences must be checked on a case-by-case basis.

How iubenda can help you with compliance

We believe in the importance of a comprehensive approach to data law compliance, for this reason, we keep track of the major legislations and build solutions with the strictest regulations in mind — giving you full options to customize as needed.

This way, you can ensure that you meet your legal obligations (regardless of where your customers are located), reduce your risk of litigation and protect your customers, building trust and credibility.

We keep track of the major legislations and build solutions with the strictest regulations in mind

Here’s what you need to get started with full compliance:

Informing users about personal data with a privacy policy

As mentioned above, users must be informed about how you use their personal data. As such, privacy policies are legally required almost everywhere in the world. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.

Our Privacy Policy Generator is affordable, available in several languages, lawyer crafted, customizable and self-updating (as it’s monitored remotely by our lawyers). It easily allows you to create a beautiful, precise privacy policy and seamlessly integrate it with your website or app. You can simply add any of several pre-created clauses at the click of a button or easily write your own custom clauses.

The privacy policy also comes with the option to include a cookie policy (it’s necessary to include it if your website or app is using cookies). The policies are customized to your needs and remotely maintained by a legal team.


? For more information on how to generate your privacy policy click here

Complying with the EU Cookie Law

Because using cookies means both processing user data and installing files used for tracking, it is a major point of concern when it comes to user data privacy rights. For this reason, if you operate in the EU or could potentially have EU users, you need to comply with the Cookie Law.

There are 4 parts of this:

  1. Cookie policy, which you can find included as an option in the privacy policy generator mentioned above.
  2. Cookie banner which you can get with the iubenda Privacy Controls and Cookie Solution.
  3. Facilitating consent — giving the user the information and option to give, refuse or withdraw consent.
  4. Preemptively blocking (prior blocking) cookie-installing scripts prior to obtaining user consent.

Our Privacy Controls and Cookie Solution complies with provisions of the ePrivacy Directive (Cookie Law). It allows you to easily inform users and obtain their consent while including the option to preemptively block any scripts that install cookies prior to user consent (which is required in many EU countries). It’s easy to run, fast and does not require heavy investments.

→ Have your questions answered live and learn more about both the Privacy and Cookie Policy Generator and the Privacy Controls and Cookie Solution by attending one of our free English webinars.

? For more information on our Privacy Controls and Cookie Solution, click here.

Protecting you or your business with proper Terms and Conditions

Though not always legally required, terms & conditions are pragmatically required. It governs the contractual relationship between you and your users and sets the way in which your product, service or content may be used, in a legally binding way.

It is therefore vital that this contract be precise and up-to-date with all applicable regulations. It should include the general conditions for use of your service with special attention to “limitation of liability” clauses and disclaimers.

Our Terms & Conditions generator helps you to easily generate and manage Terms and Conditions that are professional, customizable from over 100 clauses, available in 8 languages, drafted by an international legal team and up to date with the main international legislations.

It is powerful, precise, and capable of handling even the most complex, individual scenarios and customization needs.

It comes with:

  • guided set-up;
  • hundreds of possible personalizations;
  • legislation monitoring;
  • plug-and-go integrations for popular store platforms such as Shopify and WooCommerce;
  • pre-defined scenarios: buildable text modules for marketplace, affiliate programs, copyright, e-commerce, mobile, and more.

The solution is optimized for everything from e-commerce, blogs, and apps, to complex scenarios like marketplace and, SaaS.

Getting started is easy. Simply activate the Terms and Conditions (uses 1 Ultra license) within your dashboard and start generating.

💡 For a list of the full features of the Terms and Conditions Generator, click here or read the guide here.

Managing consent and maintaining detailed records related to it

In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected.

These records must show:

  • when consent was provided;
  • who provided the consent;
  • what their preferences were at the time of the collection;
  • which legal or privacy notice they were presented with at the time of the consent collection;
  • which consent collection form they were presented with at the time of the collection.

Our Consent Database simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.

To use, simply activate the Consent Database and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.

💡 For a list of the full features of the Consent Database click here or read the guide here.

Internal Privacy Management

Meeting GDPR regulations can be a technical challenge to implement in practical terms. This is especially true for internal privacy management. In order to be compliant, you must be able keep track of and to describe:

  • which data you collect;
  • for which purposes it was collected;
  • the legal basis for processing;
  • data retention policy for each processing activity;
  • the parties involved (both inside and outside your organization);
  • security measures;
  • data transfer outside of the EU, if any; and
  • other related details which may apply company-wide, including data of employees.

Our solution helps you to easily record and manage all the data processing activity within your organization so that you can easily comply with requirements and meet your legal obligations.

It allows you to create records of processing activity:

  • add processing activities from 1700+ pre-made options;
  • divide them by area (sub-divisions within which data processing activities are the same);
  • assign processors and other member roles; and
  • document legal bases and other GDPR-required records.

Please note: Even if your processing activities somehow fall outside of the situations mentioned previously in this guide, your information duties to users (Articles 13 & 14) make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone

Additionally, even though the GDPR is a common reason to put more effort into internal privacy management, our tool is not exclusively made for application under the GDPR. It can also be used for internal privacy management in general, even by companies who do not have any users/customers within the EU.

→ Have your questions answered live and learn more about both the Consent Database and Internal Privacy Management Solution by attending one of our free English webinars.

Please note that from time to time, laws are amended and updated. It’s therefore important to ensure that your policies meet the latest requirements. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.

See also