Are Privacy Policies Required By Law? | The Facts and Laws in Different Countries

The Privacy Laws in Different Countries

As mentioned above, different countries have varying laws that cover privacy policies. We’ll discuss some of the globally known ones below:

Privacy Laws in the United States (US)

There are no overarching state or federal laws for data privacy in the United States, particularly for business purposes. But there are multiple laws fit for specific circumstances.

Some of these laws are as follows:

1. The California Online Privacy Protection Act (CALOPPA)

CALOPPA is a legal framework that requires online services to have privacy policies that transparently disclose what they do with the personal data collected.

Businesses must have a CALOPPA-compliant privacy policy to protect California residents from data breaches.

Privacy policies ensure that their personally identifiable information is safe through:

• Disclosing the type of personal information collected
• Explaining how the website processes data
• Inform users to whom the information is shared upon collecting personal information
• Clear directives for personal information change
• Keeping users up to date with changes in privacy policies (and how the website will inform the users about them)
• Including the third-party services involved in the privacy statement

Although the CALOPPA is only for Californians, its effect requires all commercial websites to comply because California residents may use the website or app.

2. The Children’s Online Privacy Protection Act (COPPA)

COPPA is an act specifically for children’s websites. Additionally, even if your website isn’t solely for children, you should still comply if you have anything that will attract children.

Examples are animations and attractive advertisements geared toward kids aged 12 and below. The Federal Trade Commission has a metric for assessment.

Operators must disclose the following:

• Name and address of operators
• What kind of customer data is collected
• How the operators handle personal data
• Notice to parents and request for parental consent
• Involvement of third-party services

Most importantly, COPPA must grant parents the right to change or delete any personal information that the operator has and avoid data collection methodologies that invite data falsification.

3. California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act is a recently enacted law for businesses.

Similar to other data privacy laws, the CCPA requires business websites to post a privacy notice that discloses:

• What type of information is being collected
• How the information collected is processed
• The rights of the website or app visitor to their personal information

If you’re familiar with GDPR, the CCPA is basically its US counterpart that’s newer.

4. Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA is more for healthcare service providers. They need to write down their privacy practices as a form of notice.

This is intended to protect the medical information of individuals. It gives the patients control over data transfers and use.

5. Colorado Privacy Act

The Colorado Privacy Act will be enacted in the year 2023. It’s similar to the California data protection laws, but for Colorado residents.

It gives the residents the right to keep their personal information safe and choose to be excluded from selling their data to advertisers.

6. Connecticut Privacy Act

Connecticut has a Connecticut Personal Data Privacy and Online Monitoring Act that obligates businesses to secure consumers’ personal data.

The data controllers must be regulated as a company collects personal information. Similar to the other federal laws, this encompasses business beyond Connecticut, as it’s still possible for a resident to use the site.

7. Gramm-Leach-Bliley Act (GLBA)

The GLBA was signed in the year 1999. It’s meant for financial institutions that collect personal data.

Since this is more sensitive information, the GLBA mandates these institutions to protect the security and data of the clients.

Under the GLBA, users can know how data is shared and their withdrawal rights.

8. Federal Trade Commission Act

Though not directly a privacy law, the Federal Trade Commission Act is a federal law that discourages deceptive marketing practices.

If a website collects personally identifiable information and does not transparently disclose what they do with them and unethically sells them to marketers, the act considers this a violation.

Privacy Laws in the United Kingdom (UK)

Unlike the US, the United Kingdom has an all-encompassing data privacy law that mandates privacy policies for companies. It’s called the Data Protection Act 1998 (DPA).

If this law applies to you, we suggest doing thorough research on compliance. But here’s a summarized version with all the essential points:

1. The Data Collection Process Must Be Legal

When collecting data, companies must be transparent and honest about retrieving the information.

Keeping personal information without the users’ knowledge or “tricking” them into giving their information violates this act.

2. The Personal Data Collected Must Only Be Within the Intended Use

Most websites retrieve data for important reasons, such as delivery details, registration, etc.

Companies shouldn’t collect excessive personal information that’s irrelevant to the purpose.

If users find the data gathering intrusive, the DPA grants them rights to protect themselves.

3. The Company Must Only Keep the Personal Data Within a Timeframe

When companies collect personal information, it is usually stored in a database for reference.

The Data Protection Act mandates that they only keep it for the duration of the intended purpose and must discard them afterward.

This also avoids data selling and protects the users in case hackers get hold of the database.

4. The Personal Data Must Be Accurate and Updated

Since personal data is crucial to the person’s identification, these must be kept accurate and updated. Misinformation can lead to confusion and further conflicts.

5. The Company Must Disclose What They Do with the Personal Information Collected

Privacy policies must disclose what they do with personal data early and be truthful about it.

It’s essential to let users know how their personal information will be used and processed.

This way, users will be given a chance to grant consent whether they agree to the usage. They can choose not to proceed if they feel unsafe.

Privacy Laws in the European Union (EU)

The European Union has the most known regulation. Although it’s meant to protect EU citizens only, its broad reach requires most global companies to comply.

General Data Protection Regulation

The GDPR was enacted in 2018 with strict but precise regulations. A GDPR-compliant privacy policy must have the following:

• The type of personal information gathered and processed
• How the personal data is processed (and its legal basis)
• The duration for which the personal data is kept
• Whether or not personal information is shared with third-party services
• How companies share data with others and their security measures
• The user’s rights and how they can be enforced

The GDPR replaced the Data Protection Directive with more straightforward processes and vigorous enforcement.

In a way, GDPR and CCPA are similar. But the former is broader and involves even non-businesses organizations. The latter is solely for California business purposes only.

The GDPR also mandates companies to have a data protection officer who can ensure that they store and collect personal information ethically and within regulations.

Privacy Laws in Canada

The primary law in Canada for personal information protection is the PIPEDA. It’s an easy-to-understand law with clear directives.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA defines personal information as anything that can identify an individual, recorded or not, and the law is concerned with their commercial usage by companies.

The main requirement of PIPEDA is to have privacy policies that highlight consent. As the Privacy Commissioner of Canada puts it, it’s the best way to gain public trust.

As the company collects personal information, it is suggested to have the following:

• A clear description of the business (avoid jargon and legal terms)
• The user’s rights on how they can manage their personal information
• A transparent list of the data being retrieved from the users
• Updated policy provisions
• Contact information for when the user encounters concerns
• The unambiguous wording of the policy

Privacy Laws in Australia

Australia’s privacy act encompasses all applicable laws involving collecting, storing, and using personal information.

Australia’s Privacy Act of 1988

The law has 13 main principles. We’ll summarize what they talk about below:

• The personal information retrieved and stored
• The purpose why the information is gathered
• The rights of the individuals to the information (how they can access, edit, and check their information)
• The remedies provided to the user for breach concerns
• How the company plans to share the data with third-party and overseas services

Privacy Laws in China

The privacy laws of China were only recently enacted in 2021. Like GDPR and CCPA, the PIPL is meant to protect China residents.

Personal Information Protection Law (PIPL)

The PIPL requires businesses to have a privacy policy that includes the following:

• The type of information retrieved
• The officer who’s handling the data and their contact information
• Information on who shares the data
• The users’ rights