In this article, we'll be answering some common questions about privacy for businesses.
This is a very important area for any business, particularly if it has a strong online presence. The legal requirements are increasingly demanding and can get complicated.
In this article we'll be covering:
- Why privacy law is important
- Some of the terminology involved in online privacy
- The purpose and importance of a Privacy Policy
- Some key requirements under the strict privacy laws of the European Union (EU) and California
Read the entire FAQ straight through as an informative overview, or skip around in the table of contents to find specific questions you may have and read the answers.
- 1. What are privacy laws?
- 2. Why are privacy and security important?
- 3. What is considered personal data?
- 4. How do you keep data safe and secure?
- 5. What is a website Privacy Policy?
- 6. Is it a legal requirement to display a Privacy Policy on a website?
- 7. What does a Privacy Policy tell you?
- 8. What is the difference between a Privacy Policy and a Privacy Notice?
- 9. What is the GDPR regulation?
- 10. Does the GDPR require a Privacy Policy?
- 11. What are the six principles of the GDPR?
- 12. What is the California Consumer Privacy Act 2018?
- 13. What does the CCPA do?
What are privacy laws?
Privacy laws (and data protection laws) are all about protecting people's personal data from being exploited.
Some important privacy laws include:
- The California Online Privacy Protection Act (CalOPPA) in the United States
- The General Data Protection Regulation (GDPR) in the European Union
- The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
More and more privacy laws are being developed, with many more expected in the future.
Privacy laws can cover business activities such as:
- Collecting information about individuals (personal data)
- Direct marketing
- Tracking people's behavior
"Tracking people's behavior" used to be the activity of state surveillance agencies and private investigators. Now, people's behavior is tracked (both online and in the "real world") by businesses hoping to learn something about the sorts of products people might wish to buy.
Privacy law is now an important consideration for practically every business. This is partly a result of the proliferation of "behavioral marketing," enabled via technology such as cookies and GPS analysis.
But even if your business doesn't engage in such practices, privacy law could apply to your employee records, customer lists, and even your website's log files. If you collect even just an email address from potential customers, privacy laws will apply to you.
Why are privacy and security important?
Privacy and security are important for many reasons.
Privacy is a fundamental human right. It has been acknowledged, to some degree, by practically every society in the world.
As well as national and regional data protection and privacy laws, a fundamental right to privacy is recognized in:
- The United Nations Declaration of Human Rights
- The European Convention on Human Rights
- The European Union Charter of Fundamental Rights
As people's lives move more and more online, they are revealing more and more information about themselves to an ever-wider network of businesses and organizations.
Many people are happy to share a great deal of personal information publicly, for example on social media. But they have a right to keep other information private.
The importance of security is inseparable from the importance of privacy. There's no effective way to keep private information private unless it's secure.
What is considered personal data?
Many different types of information are considered personal data (also called "personal information" or "personally identifiable information"). The definition is different depending on local law, but the tendency is for lawmakers to categorize more and more types of information in this way.
Probably the broadest definition of "personal data" can be found in the EU GDPR, at Article 4:
"'Personal data' means any information relating to an identified or identifiable natural person"
This brings the following sorts of information under the definition of personal data:
- A name
- An ID number
- Location data
- Online identifiers such as cookies, IP addresses, login credentials
- Information about a person's physical, genetic, or social identity
The list is potentially endless. Any information that could, in theory, be used to identify someone must be treated as personal data under the GDPR.
This definition is increasingly being adopted in other places, too. For example, the recently-passed California Consumer Privacy Act 2018 (CCPA) provides a definition of "personal information" that is almost identical to the GDPR's definition of "personal data."
How do you keep data safe and secure?
There are many measures that your business can take to keep personal data secure, including:
- Using TLS/SSL protocols when collecting or transferring personal data
- Applying encryption methods to personal data in storage
- Maintaining effective access controls and authentication methods among staff
It's also important that you know how to recognize and respond to a data breach. A data breach means the loss of, or unauthorized access to, personal data.
Having policies in place, such as a Data Breach Policy and a Data Protection Policy, can help your company protect personal data against a data breach.
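Two of the measures listed above, encryption of personal data in storage and access controls among staff, can be illustrated in working code. The following Go program is an added example, not code from the original article or from any product it describes. It seals a customer field with AES-256-GCM, binds the record identifier to the ciphertext as associated data so a sealed value copied into another record fails to decrypt, and applies a deny-by-default role check before a field is read. The key, record ids, role names and field names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// fieldAccess is a constructed role-to-field allow list: a role may read a
// field only if it is listed here (anything absent is denied).
var fieldAccess = map[string]map[string]bool{
	"support": {"name": true, "email": true},
	"billing": {"name": true, "email": true, "address": true},
}

// CanAccess reports whether a staff role may read a given field of a
// customer record. Unknown roles and unlisted fields are denied.
func CanAccess(role, field string) bool {
	return fieldAccess[role][field]
}

// EncryptRecord seals plaintext with AES-256-GCM under a 32-byte key.
// The record id is passed as associated data, so the ciphertext is
// authenticated together with the record it belongs to.
// Output layout: nonce || ciphertext || GCM tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	// A fresh random nonce per record; GCM nonces must never repeat under one key.
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord opens a value produced by EncryptRecord. It fails if the
// ciphertext or tag was modified, or if it is presented with a different
// record id than the one it was sealed under.
func DecryptRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed demo key; in a real system the key comes from a KMS or
	// secret store, never from source code.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, err := EncryptRecord(key, "cust-1001", []byte("alice@example.com"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", hex.EncodeToString(sealed))

	// Access check happens before any decryption is attempted.
	for _, role := range []string{"support", "intern"} {
		if !CanAccess(role, "email") {
			fmt.Printf("%s: access to email denied\n", role)
			continue
		}
		pt, err := DecryptRecord(key, "cust-1001", sealed)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: read %s\n", role, pt)
	}

	// Moving the sealed value to another record is detected.
	if _, err := DecryptRecord(key, "cust-2002", sealed); err != nil {
		fmt.Println("swap to another record rejected:", err)
	}
}
```

Binding the record id as associated data is the detail worth copying: it means an attacker or a buggy migration cannot reassign one customer's encrypted data to another customer without the decryption failing, which is a property plain encryption without authentication does not give you.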
What is a website Privacy Policy?
A website Privacy Policy is a statement of a company's practices around the processing of personal data. It should provide, among other things:
- Information about what types of personal data the company collects
- The reasons for which the company collects personal data
- How the company uses, stores and shares personal data
Having a Privacy Policy is an essential way to provide transparent information about your company. It will help you to build trust with your customers, manage your data protection practices, and (most importantly) comply with the law.
The precise contents of a Privacy Policy will vary depending on the legal requirements of the jurisdictions in which the company or website operates.
Is it a legal requirement to display a Privacy Policy on a website?
Yes, in most cases it is a legal requirement to display a Privacy Policy on a website.
The requirement for a company to display a Privacy Policy on its website is common to many privacy laws. Commercial companies, websites, and apps that collect personal data are required to display a Privacy Policy in jurisdictions such as:
- The United States (so long as the website is accessible in California)
- All EU countries
- Canada
- Australia
In fact, there are few industrialized economies where a Privacy Policy is not required.
What does a Privacy Policy tell you?
A Privacy Policy tells you how a company collects personal data (or "personal information") and what it does with the personal data in its possession. Beyond this, the requirements for what a Privacy Policy must contain will vary depending on the business context, and national or regional law.
For example, under the California Online Privacy Protection Act (CalOPPA), operators of commercial websites are required to reveal:
- The categories of personal information that the company/website operator collects
- How this personal information might be shared
- How users can review this information
- How the website responds to Do Not Track (DNT) requests from users' browsers
- The effective date of the Policy
What is the difference between a Privacy Policy and a Privacy Notice?
The difference between a "Privacy Policy" and a "Privacy Notice" is semantic. A Privacy Policy and a Privacy Notice amount to the same thing.
- The California Online Privacy Protection Act (CalOPPA) refers to a "Privacy Policy"
- The UK's Data Protection Authority, the ICO, uses the term "Privacy Notice"
- The institutions of the European Union use the term "Privacy Statement"
All these documents serve the same function. They provide information about the data protection and privacy practices of the organization that created them.
What is the GDPR regulation?
The GDPR is an EU data protection law that regulates the processing of personal data. GDPR stands for General Data Protection Regulation. The regulation came into force in May of 2018. It was designed to ensure that the data protection law of all EU countries was aligned.
The passing of the GDPR has forced businesses all over the world to think carefully about their data protection practices. Practically all businesses process personal data on a day-to-day basis.
The GDPR means that businesses need to consider things such as:
- How they collect personal data
- Whether they have a legal basis for collecting personal data
- Who they are sharing personal data with
The GDPR's reach even extends to companies that are not based in the EU, so long as they:
- Offer goods and services to people in the EU. This applies to anyone that, for example, ships products to EU customers, or provides an app that is available to EU users, or
- Monitor the behavior of people in the EU. This applies to any company that, for example, runs a targeted advertising campaign (involving cookies) that affects individuals in the EU.
The GDPR is an extensive law that touches on all aspects of data protection and privacy. It's enforced by a strict regime of fines and other penalties, and it's pretty easy to violate it (even by accident).
Any business operating in the EU will need to familiarize itself with the GDPR.
Does the GDPR require a Privacy Policy?
The GDPR requires any company (or any organization or individual) that processes the personal data of people in the EU to have a Privacy Policy.
The GDPR sets out its requirements for the information that must be provided by a Privacy Policy across Articles 12-14. These are very extensive and require a company to disclose practically every aspect of its data protection practices, including:
- The types of personal data it processes (i.e. collects, stores, shares, or otherwise uses)
- How it collects personal data
- Its legal basis for processing personal data
- The types of organizations with whom it shares personal data
- How individuals can exercise their rights over their personal data
- How long it stores personal data
A Privacy Policy must be written in clear and accessible language that users can understand (including children if the company aims its products or services at children).
It should be presented to individuals at the point that their personal data is to be collected, such as when a user subscribes to an email newsletter or creates an account with you.
Your Privacy Policy must always be made accessible, such as in a website footer or a mobile app's About menu.
What are the six principles of the GDPR?
The six principles of the GDPR are a set of fundamental values that should underpin the processing of all personal data. They are set forth at Article 5 of the GDPR and are as follows:
- Lawfulness, fairness and transparency - Always obey the law; only process personal data in a way that people would reasonably expect; always provide clear information about your practices
- Purpose limitation - Only process personal data for a specified purpose
- Data minimization - Don't collect personal data you don't need
- Accuracy - Ensure the personal data in your possession is accurate and up-to-date
- Storage limitation - Don't keep personal data for longer than you need it
- Integrity and confidentiality - Keep personal data secure
The GDPR divides companies into "data controllers" and "data processors." All data controllers and data processors must abide by these six principles.
A seventh principle is given for data controllers: accountability. Data controllers must be able to demonstrate their accountability for compliance with the six principles of the GDPR.
What is the California Consumer Privacy Act 2018?
The California Consumer Privacy Act 2018 (CCPA) is an important privacy law that came into force on January 1, 2020. It applies to any business operating in California that:
- Is operated for profit, and
- Decides why and how personal information (personal data) is processed, and
- Has at least one of the following characteristics:
  - It has an annual gross revenue of at least $25 million, or
  - It buys, sells, receives or shares personal information from at least 50,000 consumers, households or devices per year, or
  - It makes at least 50 percent of its annual revenue from selling personal information
Only businesses fitting the description above need to comply with the CCPA.
What does the CCPA do?
The CCPA provides consumers in California with certain rights over their personal information:
- The right to disclosure: Businesses must provide a detailed Privacy Policy
- The right to deletion: Consumers may request that the personal information businesses hold on them is erased
- The right to access: Consumers may request a copy of their personal information
- The right to opt out: Consumers may opt out of the sale of their personal information
- The right to non-discrimination: Consumers must not suffer any detriment for exercising these rights
The CCPA also introduces a new regime of fines which can be imposed where a business suffers a data breach. These fines are up to $7,500 per violation. This can really add up if a large number of consumers are affected.
Under the CCPA, consumers are also able to pursue civil claims against businesses who mistreat their personal data.