Usually the trigger is the collection or sharing of personal information like names, emails, images or any other means of identifying a returning user (the way ad networks serve targeted advertising, for example). “Commercial” is an often-used trigger for privacy policies, and it is generally defined broadly in order to cover a wide range of cases.
The term “Operator of a commercial Web site or online service” usually includes a very wide spectrum of people, as well as app developers (as communicated by the Attorney General of California).
Under CalOPPA, the collection of Personally Identifiable Information is very broadly defined to cover “individually identifiable information about an individual consumer” and includes a consumer’s first and last name, home or other physical address, email address, telephone number, and Social Security number.
In addition, PII includes any other identifying information that permits the physical or online contacting of a specific California consumer, as well as other user-related information maintained in personally identifiable form.
CalOPPA is potentially quite disruptive in reach and is not limited to California’s borders. Even if your Web site or online service isn’t run from California, it may still affect, and collect personal information from, customers who are California residents. It is therefore very likely that the requirements of CalOPPA extend to you as well.
If your service is also made for children, you must comply with the Children’s Online Privacy Protection Act (COPPA). It requires operators of websites or online services that are either directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13, to give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and to keep secure the information they collect from children.
Europe has a very well developed privacy law sector. The relevant legal framework in the European Union is the General Data Protection Regulation (GDPR) and the ePrivacy directive (2002/58/EC, as revised by 2009/136/EC) also known as Cookie Law.
Generally speaking, under these laws, users who fall within their scope need to be informed about the personal data processing or collection occurring via websites, online services and apps. Personal data in the European sense has been defined very broadly:
Personal data shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
What you can learn from these two examples is that the legal landscape and the legislation involved can be confusing. Our approach to help you stay compliant no matter where you are is very simple:
Copy and paste is one way used by many to avoid paying thousands of $/€ (and more…) to get legal counsel.
Additionally, from time to time laws are amended and updated. It’s therefore also important to ensure that your policies meet the latest requirements.
For these reasons, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is specific to your particular situation, up to date and being maintained remotely by our legal team.