The Internet makes long-distance transactions possible for even the smallest businesses. When you sell apps through the App Store or Google or run an online ecommerce storefront, there is a chance that someone will buy from you across international lines.

This leads to the problem of knowing which laws to follow if your UK company sells to an American customer, or vice versa. If you are located in one place, it is important to know if the laws of your customer's home country apply to you.

Here's an overview on how laws affect you when your business is located in one country but operates in another.

Many larger companies register as foreign businesses, meaning they formed in one jurisdiction but operate in several others.

For example, Amazon formed in Seattle, Washington, but has offices and warehouses throughout the world. While the head of operations remains in Seattle, its warehouse in Swansea, Wales, would be considered a foreign business under UK corporate law.

You do not have to be registered as a foreign business to operate in another country. That is only required if you have a regular presence, such as in the Amazon example above.

However, if you reasonably know that people from other nations will visit your website or buy your app,you must know which laws affect you.

Legal Requirements

If you are registered as a foreign business, you must follow all federal, state, provincial and local laws that apply to your operations. This includes any requirements regarding yearly filings and fees to keep your registration intact.

This is not the case for businesses that are limited to being online in a location. You only have to register as a foreign business if you maintain an office, warehouse or other site in a location.

For example, if you sell your app to British citizens while living in Canada, you do not have to follow the laws on customer notifications on returns or refunds. As long as you do not move your office there, you can limit dispute resolution and other legal requirements to your home jurisdiction.

You should always include a Governing Law clause in your Terms and Conditions agreement to do this.

This clause is where you set out the law that will govern any legal disputes between yourself and your customers/users. When your users agree to your Terms and Conditions, they'll be agreeing to your Governing Law clause.

Here's an example from Spotify's Terms and Conditions of Use. It sets forth that the laws of the state of California will govern the agreements. This means that a user in China can't apply Chinese interpretation to the agreement and relationship between Spotify and himself.

Spotify's Terms and Conditions: Governing Law clause

But there is an exception to this -- privacy laws. You do not have to maintain a physical presence in a country to be held to their privacy standards. Simply having an internet presence that's accessible by users in a country may trigger your requirement to follow that country's privacy laws.

That is why before you start distributing products and services online, you must assure your data protection practices and Privacy Policy are fully intact.

Privacy Laws and the Internet

Privacy laws place requirements on all entities collecting personally identifiable information, no matter their location.

Personally identifiable information includes:

  • First and last names
  • Street addresses
  • Email
  • Telephone number
  • Social Security or other identifying numbers, including driver's licenses
  • Birthdates
  • Physical descriptions
  • Any other information that allows individuals to be specifically identified

Online privacy protection laws are present in nearly all countries. Complying with these laws avoids penalties and reassures your customer base that their personal information is being handled appropriately.

US State Laws

The US does not have a federal privacy law, but numerous states have enacted their own laws. Since it is nearly impossible to do business in the US and avoid certain states, it is best to assume you need to comply with these laws if they affect foreign businesses.

The California Online Privacy Protection Act (CalOPPA) was the first state law addressing online privacy protection. In its definitions, it indicates that the law applies to any entity that collects personally identifiable information. Where your business is registered or located does not matter. If you transact business with California residents, you must comply with CalOPPA.

The act focuses on giving notice and making Privacy Policies available to users. Your Privacy Policy should explain what information you collect, how you collect, and if you share it with anyone. Consumers should be able to access that document through a conspicuous link on your website.

The Delaware Online Privacy Protection Act (DOPPA) also requires a conspicuously posted Privacy Policy. Like CalOPPA, it applies to all website operators and anyone who distributes a mobile app or cloud service that collects personally identifiable information. Also like CalOPPA, this applies to all companies and not just those incorporated in Delaware or the U.S.

Nevada passed a law that went into effect on October 1, 2017. It has the same requirements as the California and Delaware laws. While it applies to any online activity directly affect Nevada citizens, there is no way to prevent that from happening--even if you do not intend to reach Nevada.

So, it is best to comply with the law by maintaining a conspicuous Privacy Policy that explains your information practices.

Federal and International Privacy Laws

Laws with a national and international reach are mixed on whether they affect foreign businesses. Like the American laws, they require data security and notice to consumers when entities collect personally identifiable information.

The UK is an exception to the international reach of privacy laws. Its Data Protection Act 1988 only applies to data controllers established in the UK. This includes entities that register as an overseas business. The same is true if a business stores its data in servers in the UK or sets up its cloud equipment there. However if an entity merely has an online presence in the UK, then the requirements are not applicable.

The Privacy Act 1988 and its privacy principles apply to all business entities regardless of where they are located or incorporated. These principles enforce Privacy by Design and special handling of sensitive information, which addresses areas like sexual orientation, ethnicity, and political beliefs. If you collect this information and see your website or app expanding across the Pacific, it is a good idea to review those principles.

Canada's Personal Information Protection and Electronic Documents Act applies to all business transactions, regardless of location or registration status. This is another law you must review if your products reach into Canada.

The General Data Protection Regulation (GDPR) in the EU applies to any company that processes and holds personal data collected by EU residents, regardless of the location of the business. So, if you run a U.S. company that sells apps to those living in an EU state, you must check your privacy policies to see if they comply.

It is nearly impossible to contain the international reach of app sales and online transactions. Therefore, here are some best practices to assure compliance around the globe.

Best Practices

First, if you collect personal information of any type, you must have a clear and conspicuous Privacy Policy. Any jurisdiction with a privacy law contains this basic requirement and that is especially true with the GDPR. The Privacy Policy informs consumers of your practices so they can make an informed decision on whether to purchase your products or use your services.

Second, it is no longer enough to assume the terms of your Privacy Policy are accepted just because a user makes use of your website or app. The GDPR also requires affirmative acceptance of your privacy terms. For other laws, this is just a good precaution.

Unlike passive acceptance which does not directly present users with your Privacy Policy, affirmative acceptance is much more direct. The best way to ensure affirmative acceptance is with clickwrap.

This is how clickwrap works:

You provide a link to your policy at signup, checkout or account creation. The user then must acknowledge your Privacy Policy before going forward.

Here is an example of clickwrap from the New Statesman Tech:

Tech New Statesman: Example of checked checkbox for clickwrap when users read Privacy Policy

Finally, consider language. If you are certain of the international presence of your website, consider translating your agreements in different languages. It is often a good idea to offer consumers a chance to view your website in their first language and provide translations to them as well.

The online world expands across borders and with that, companies must consider the laws of the states and countries they perform business with. Fortunately, many laws are similar, especially when it comes to privacy protection.

Start with these general best practice and as your presence expands, consider fine-tuning your Privacy Policy and other agreements to assure compliance no matter who accesses your app or website from anywhere in the world.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy