Compliance can often be a bit confusing and it’s not uncommon for more than one regulation or law to apply at the same time. Feeling a little overwhelmed? No need! In this short post, we’ll take a look at the most important privacy laws and how, using a simple rule of thumb you, you can quickly tell which laws apply to you.
If you target US-based persons, the Federal CAN-SPAM Act and California’s CCPA and CalOPPA may be most relevant to you. California’s CalOPPA and the CCPA (California’s most well-know privacy laws) currently make-up the most comprehensive legal privacy framework in place on a state level in the US, whilethe CAN-SPAM Act is one of the few data-privacy related laws that exist on a Federal level in the United States.
- Must clearly inform users of what info is collected and who it’s shared with.
- Must state how your business responds to Do Not Track signals from Web browsers.
Under the California Consumer Protection Act (CCPA) California-based consumers are granted additional rights such as the right to be informed and the right to access any data you’ve collected about them. However, one of the most talked-about rights granted to users is the right to Opt-out.
The CCPA gives users the right to opt-out of any processing that is considered to be a sale of their data under the law. Sale, under the CCPA’s definition, is quite broad and can mean sharing the data for any kind of profit (monetary or not). Californian users that visit your site or app must be notified of your “selling” activities in regards to their data and must be informed of their right to opt-out. Minors, on the other hand, are given the right to opt-in under CCPA rules, and therefore, valid consent must be collected before processing the data of children. You can read more about the CCPA here.
Both the CCPA and CalOPPA are likely relevant to you if you have California-based users, regardless of where you are based.
The Federal CAN-SPAM Act
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing), sets the rules for sending commercial email and commercial messages on a Federal level.
Under the Act, you do not need the consent of US-based users in order to add them to your mailing list or send them commercial messages. However, the law mandates that you must meet CAN-SPAM disclosure requirements and give users an easy way to opt-out of further contact. More on email compliance here.
If you or at least some of your users are based in the EU, the GDPR and ePrivacy (Cookie Law) are relevant to you – regardless of where you’re based.
The General Data Protection Regulation (GDPR), is probably the most famous global privacy law. It applies to you where any of the following conditions are met:
- you’re based in the EU, regardless of where your users are based; or
- you are not based in the EU but offer goods or services (even if the offer is free) to EU-based persons; or
- you are not based in the EU but you monitor (e.g. analytics) the behaviour of EU-based persons.
At its most basic, the General Data Protection Regulation specifies how and when personal data should be lawfully processed.
Personal data under the GDPR refers to any data that relates to a living person, and even includes fragmented data that can be pieced together to identify a person, and IP addresses.
Under the GDPR you can only process personal data where there is at least one legal basis for doing so. There are six legal bases under the GDPR; however, please keep in mind that legal bases shouldn’t be “picked” at random, as they must legitimately apply to your situation.
Therefore, there will always be situations under the GDPR for which the legal basis of consent is the safest, best or only option. This makes consent it one of the most discussed aspects of the GDPR.
Consent under the GPDR must always be informed, opt-in, freely-given and verifiable (meaning you must be able to prove that you collected valid consent). Read more about the GDPR here.
The EU’s ePrivacy Directive (Cookie Law) sets the rules for electronic privacy, including email marketing and cookie usage. The ePrivacy works alongside the GDPR, and is still in force today. If you have EU-based users the ePrivacy (or Cookie Law) applies whether or not your business is based in the EU.
The ePrivacy Directive/Cookie Law states that you must have the informed consent of EU-based users before you can store cookies on a user’s device and/or tracking them.
A cookie is a small piece of data that is sent from a website or app and often stored on a user’s computer via their web browser. Many of the apps, widgets and services you use on your website (e.g. analytics, social logins, share buttons, payment services) run cookie scripts or similar technologies.
Multiple regions/ other countries
Generally, where the laws of multiple countries apply, including countries outside the US or EU, it’s often safest to apply the strictest applicable standards (currently GDPR standards). However, be sure to look out for any legally or technically specific requirements of the other laws that might also apply.
For example, in cases where both the GDPR and CCPA , while following GDPR guidelines will, in principle, mean that you’re meeting many of the CCPA’s requirements, the CCPA has its own distinct disclosure requirements such as the Notice of Collection, which will need to be specifically addressed).
Determining which laws apply to you
As a general rule of thumb, you should comply with the laws of the country in which you base your operations, as well as those of the country (or countries) your site targets.
With features like geo-detection and one-click legislation activation, iubenda can help you meet global data privacy law requirements in minutes. Learn more about our solutions here.