Are Privacy Policies Required By Law? | The Facts and Laws in Different Countries

You’ve undoubtedly seen the term “privacy policy” while browsing a website or app. A privacy policy is a legal requirement for online operators, describing how they handle the personal data of their visitors.

We understand: these are often texts we skip. But they contain essential points about how YOUR sensitive data is handled.

Remember that these privacy laws legally protect you!

Are Privacy Policies Required By Law?

Yes. Each country’s privacy law sets out legal obligations regarding data privacy, data protection, data collection, and so on. The differences lie in the specific national, federal, and state laws.

Privacy laws protect individuals’ personally identifiable information. As the term suggests, these are confidential details that identify or relate to a specific person. Examples are:

  • Full legal names
  • Birthdays
  • Location data and physical address
  • IP addresses
  • Email address
  • Biometric data
  • Government identifiers (e.g., Social Security number)
  • Images

Since modern technology can now collect personal information easily and at scale, breaches of privacy practices have become rampant.

These data privacy laws serve as safeguards so that we can keep browsing a website or app without putting our personal information at risk.

The Privacy Laws in Different Countries

As mentioned above, different countries have varying laws that cover privacy policies. We’ll discuss some of the globally known ones below:

Privacy Laws in the United States (US)

There is no overarching state or federal data privacy law in the United States, particularly for business purposes. Instead, there are multiple laws that apply to specific sectors and circumstances.

Some of these laws are as follows:

1. The California Online Privacy Protection Act (CALOPPA)

CALOPPA is a legal framework that requires online services to have privacy policies that transparently disclose what they do with the personal data collected.

Businesses must have a CALOPPA-compliant privacy policy to protect California residents from data breaches.

Privacy policies keep their personally identifiable information safe by:

  • Disclosing the types of personal information collected
  • Explaining how the website processes that data
  • Informing users, at the point of collection, with whom the information is shared
  • Giving clear directions for how users can request changes to their personal information
  • Keeping users up to date with changes to the privacy policy (and stating how the website will notify them)
  • Naming the third-party services involved in the privacy statement

Although CALOPPA protects only Californians, in effect it requires virtually all commercial websites to comply, because California residents may use any website or app.

2. The Children’s Online Privacy Protection Act (COPPA)

COPPA is an act aimed specifically at children’s websites. Even if your website isn’t solely for children, you must still comply if it contains anything likely to attract children.

Examples are animations and advertisements aimed at kids aged 12 and below. The Federal Trade Commission provides criteria for this assessment.

Operators must disclose the following:

  • Name and address of operators
  • What kind of customer data is collected
  • How the operators handle personal data
  • Notice to parents and request for parental consent
  • Involvement of third-party services

Most importantly, under COPPA operators must grant parents the right to change or delete any personal information the operator holds, and must avoid data collection methods that invite children to falsify their data.

3. California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act is a recently enacted law for businesses.

Similar to other data privacy laws, the CCPA requires business websites to post a privacy notice that discloses:

  • What type of information is being collected
  • How the information collected is processed
  • The rights of the website or app visitor to their personal information

If you’re familiar with the GDPR, the CCPA is essentially its newer US counterpart.

4. Health Insurance Portability and Accountability Act (HIPAA)

HIPAA applies mainly to healthcare service providers, who must set out their privacy practices in a written notice.

It is intended to protect individuals’ medical information and gives patients control over how their data is transferred and used.

5. Colorado Privacy Act

The Colorado Privacy Act will be enacted in 2023. It’s similar to the California data protection laws, but for Colorado residents.

It gives residents the right to keep their personal information safe and to opt out of having their data sold to advertisers.

6. Connecticut Privacy Act

Connecticut has the Connecticut Personal Data Privacy and Online Monitoring Act, which obligates businesses to secure consumers’ personal data.

Data controllers are regulated from the moment a company collects personal information. Like the other laws above, this reaches businesses beyond Connecticut, since a Connecticut resident may still use the site.

7. Gramm-Leach-Bliley Act (GLBA)

The GLBA was signed into law in 1999. It applies to financial institutions that collect personal data.

Since financial data is especially sensitive, the GLBA requires these institutions to protect the security of their clients’ data.

Under the GLBA, clients must be told how their data is shared and what their right to opt out is.

8. Federal Trade Commission Act

Though not a privacy law as such, the Federal Trade Commission Act is a federal law that prohibits deceptive marketing practices.

If a website collects personally identifiable information, fails to disclose transparently what it does with it, and sells it to marketers, the Act considers this a violation.

Privacy Laws in the United Kingdom (UK)

Unlike the US, the United Kingdom has an all-encompassing data privacy law that mandates privacy policies for companies: the Data Protection Act 1998 (DPA).

If this law applies to you, we suggest researching compliance thoroughly. But here’s a summary of the essential points:

1. The Data Collection Process Must Be Legal

When collecting data, companies must be transparent and honest about how they obtain the information.

Keeping personal information without the users’ knowledge or “tricking” them into giving their information violates this act.

2. The Personal Data Collected Must Only Be Within the Intended Use

Most websites collect data for legitimate reasons, such as delivery details or registration.

Companies shouldn’t collect excessive personal information that’s irrelevant to the purpose.

If users find the data gathering intrusive, the DPA grants them rights to protect themselves.

3. The Company Must Only Keep the Personal Data Within a Timeframe

When companies collect personal information, it is usually stored in a database for later reference.

The Data Protection Act mandates that they keep it only for as long as the intended purpose requires and discard it afterward.

This also discourages data selling and limits the harm to users if attackers get hold of the database.

4. The Personal Data Must Be Accurate and Updated

Since personal data is crucial to identifying a person, it must be kept accurate and up to date. Incorrect data can lead to confusion and further conflicts.

5. The Company Must Disclose What They Do with the Personal Information Collected

Privacy policies must disclose up front, and truthfully, what the company does with personal data.

It’s essential to let users know how their personal information will be used and processed.

This way, users are given the chance to decide whether to consent to that usage, and can choose not to proceed if they feel unsafe.

Privacy Laws in the European Union (EU)

The European Union has the best-known regulation. Although it’s meant to protect EU citizens only, its broad reach requires most global companies to comply.

General Data Protection Regulation

The GDPR took effect in 2018 with strict but precise rules. A GDPR-compliant privacy policy must cover the following:

  • The type of personal information gathered and processed
  • How the personal data is processed (and its legal basis)
  • The duration for which the personal data is kept
  • Whether or not personal information is shared with third-party services
  • How companies share data with others and their security measures
  • The user’s rights and how they can be enforced

The GDPR replaced the Data Protection Directive with more straightforward processes and more vigorous enforcement.

In a way, the GDPR and the CCPA are similar. But the former is broader and covers even non-business organizations, while the latter applies only to businesses operating in California.

The GDPR also requires companies to appoint a data protection officer who ensures that personal information is collected and stored ethically and within the regulations.

Privacy Laws in Canada

The primary law in Canada for protecting personal information is PIPEDA. It’s an easy-to-understand law with clear directives.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA defines personal information as anything that can identify an individual, recorded or not, and the law governs its use by companies in commercial activity.

The main requirement of PIPEDA is a privacy policy built around consent. As the Privacy Commissioner of Canada puts it, this is the best way to gain public trust.

When a company collects personal information, its privacy policy should have the following:

  • A clear description of the business (avoid jargon and legal terms)
  • The user’s rights on how they can manage their personal information
  • A transparent list of the data being retrieved from the users
  • Updated policy provisions
  • Contact information for when the user encounters concerns
  • Unambiguous wording throughout the policy

Privacy Laws in Australia

Australia’s Privacy Act covers the collection, storage, and use of personal information.

Australia’s Privacy Act of 1988

The law has 13 main principles. We’ll summarize what they cover below:

  • The personal information retrieved and stored
  • The purpose for which the information is gathered
  • The rights of the individuals to the information (how they can access, edit, and check their information)
  • The remedies provided to the user for breach concerns
  • How the company plans to share the data with third-party and overseas services

Privacy Laws in China

China’s privacy law was only recently enacted, in 2021. Like the GDPR and the CCPA, the PIPL is meant to protect residents of China.

Personal Information Protection Law (PIPL)

The PIPL requires businesses to have a privacy policy that includes the following:

  • The types of information collected
  • The officer who handles the data and their contact information
  • Who the data is shared with
  • The users’ rights

Privacy Laws in Other Countries

As mentioned, each country has a law addressing the security of users’ personal information. Some examples are as follows:

Brazil

Brazil has the Brazilian General Data Protection Law, or Lei Geral de Proteção de Dados (LGPD). The law requires privacy policies to disclose the following:

  • The processing of personal information and its purpose
  • The contact details of the data controller
  • How the information will be shared with others
  • The rights of the users

Singapore

Singapore has the Personal Data Protection Act 2012 (PDPA), which covers everything related to personal information.

A unique feature of the PDPA is the Do Not Call (DNC) Registry, a directory of people who do not want to be contacted by marketers.

All Singaporean organizations must follow the PDPA and protect the users’ information.

South Korea

South Korea has the Personal Information Protection Act (PIPA), a law with strict rules about collecting and using personal data.

The scope of PIPA is broad: it covers individuals, agencies, and larger entities alike, whenever personal information is involved.

Malaysia

Malaysia has its own Personal Data Protection Act (PDPA), overseen by the Ministry of Communications and Multimedia Commission (MCMC).

The act’s purpose is to oversee the processing of personal data and prevent its misuse, especially in a commercial context.

Privacy Policy Requirements From Third-Party Services

Many third-party services now also have access to personal data. Besides businesses themselves, these services likewise require privacy policies.

Because of these third parties’ terms, some operators are still required to publish a privacy policy even when their country’s personal information law does not directly apply to them.

Google Analytics

Google Analytics is one of the essential third-party services with sound privacy requirements. It requires websites to have a privacy policy even if no other data gathering is involved.

Websites need to explain how they process information, including their use of cookies, alongside their terms and conditions.

You’ve probably visited websites with pop-ups asking you to “accept cookies.” Google Analytics is probably what powers those.

Google AdSense

Like Google Analytics, Google AdSense requires websites using it to have a “clearly labeled and easily accessible” privacy policy.

The privacy policy must disclose how Google AdSense handles the following:

  • Cookies
  • Device-specific information
  • Location information
  • Information that’s stored, collected, and accessed

Apple

Apple is one of the companies holding the most information about its users. From Face ID to other biometrics, it stores a LOT of personal data.

This is why it’s crucial to have safety measures in place so that personal information is used appropriately and kept secure. Accordingly, all iOS apps must have a privacy policy and comply with Apple’s guidelines.

Frequently Asked Questions

What States Require a Privacy Policy?

There are currently 5 states with comprehensive, detailed laws about privacy policies: California, Colorado, Connecticut, Utah, and Virginia.

Since privacy policy laws are relatively new, particularly in the United States, other states still have few regulations.

However, because these states’ laws are broad and comprehensive, their effects also spill over to residents of other states. The rights and protections themselves, though, are largely limited to residents of those five states.

How Are Privacy Laws in the US Different From Those in Europe?

The closest counterparts in the US and Europe are the CCPA and the GDPR, respectively. The main difference lies in the scope of these laws.

California’s CCPA is newly enacted and covers only the business sector. Europe’s GDPR is broader in scope and covers other organizations that collect personal data as well.

In short, the GDPR has been in place longer and is more comprehensive.

What Happens if You Don’t Have a Privacy Policy?

Since privacy policies are required under existing data protection laws, there can be severe legal repercussions when complaints or breaches arise.

A privacy policy is a formal written document that states all the crucial points about how personal information is handled. It’s a safety measure for both operators and users.

With thousands or millions of website visitors, operators must manage a lot of information. Failure to do so properly leads to lawsuits, which incur losses for the companies.

Beyond legal compliance, a privacy policy is also a way to protect all stakeholders. We highly recommend having one in place.

Do I Need a Privacy Policy Even if I Don’t Collect Data?

Generally, one is not always required if you don’t collect data.

However, most third-party services require one regardless. You can still state in the privacy policy that you don’t collect personal data.

These policies aim to tell users what to expect and how their data is handled. So having one in place is safer even if you don’t collect data.

What Is an Example of a Violation of the Right to Privacy?

There are many ways to violate the right to privacy, from small-scale to extensive. The most common is leaking that data to others.

Some operators sell data to advertisers or larger companies for a profit. Marketers benefit greatly, since they can use it to drive sales.

Doing this is a clear violation, because the user did not consent to having their information shared.

It also poses a security threat, especially if it involves personally identifiable information such as mobile numbers, home addresses, etc.

With the rise of online services and technology, accessing data has become easy, including personal information that shouldn’t be shared without consent.

But the convenience of using such websites also makes it easy to put users’ safety at risk. That’s why such laws and privacy policies exist: to protect both users and operators.

So, the next time you see these pop up on your screen, you might think twice before skipping them or clicking “accept all” without thoroughly reading them!