Usually the trigger is the collection or sharing of personal information such as names, emails, images or any other means of identifying a returning user (the way ad networks serve targeted advertising, for example). "Commercial" is an often-used trigger for privacy policies, and it is generally defined broadly so that it covers a wide range of cases.
The term "Operator of a commercial Web site or online service" usually covers a very wide spectrum of operators, including app developers (as communicated by the Attorney General of California).
Under CalOPPA, the collection of Personally Identifiable Information is very broadly defined to cover “individually identifiable information about an individual consumer” and includes a consumer’s first and last name, home or other physical address, email address, telephone number, and Social Security number.
In addition, PII includes any other identifying information that permits the physical or online contacting of a specific California consumer, as well as other user-related information maintained in personally identifiable form.
CalOPPA is broad in reach and is not limited to California's borders. Even if your Web site or online service isn't run from California, it may still collect personal information from customers who are California residents, in which case it is very likely that CalOPPA's requirements extend to you as well.
If your service is also aimed at children, you must comply with the Children's Online Privacy Protection Act (COPPA). COPPA requires that operators of websites or online services that are either directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13, give notice to parents and obtain their verifiable consent before collecting, using, or disclosing such personal information, and keep the information they collect from children secure.
Europe has a very well-developed body of privacy law. The relevant legal framework in the European Union is the Data Protection Directive (95/46/EC) and the ePrivacy Directive (2002/58/EC, as revised by 2009/136/EC). Those directives must be transposed into the Member States' national law, ensuring that minimum privacy requirements are met across the European states.
Under these rules, European users must be informed about any processing or collection of personal data that takes place via websites, online services or apps. Personal data in the European sense is defined very broadly:
Personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
What you can learn from these two examples is that the legal landscape and the legislation involved can be confusing. Our approach to helping you stay compliant, no matter where you are, is very simple:
Copying and pasting is a route many take to avoid paying thousands of $/€ (and more…) for legal counsel.
You can find plenty of templates to help you get started, but finding a really good template is hard. And who is going to tell you whether it's good and not hopelessly outdated?