Most websites collect information about their users, either submitted by the users or collected automatically through cookies and other technologies. Business owners need information to deliver their products, advertise their services, communicate with customers and prospective customers, and improve their website functionality. Customers and visitors to your site are naturally concerned about what happens to their personal information - how it is stored, who has access to it, and what safeguards are in place to protect their privacy.
Virtually every country has enacted some sort of data privacy law to regulate how information is collected, how data subjects are informed, and what control a data subject has over their information once it is transferred. Failure to follow applicable data privacy laws may lead to fines, lawsuits, and even prohibition of a site's use in certain jurisdictions. Navigating these laws and regulations can be daunting, but all website operators should be familiar with the data privacy laws that affect their users. Some of these include:
US Data Privacy Laws
There is no one comprehensive federal law that governs data privacy in the United States. Instead, there is a complex patchwork of sector-specific and medium-specific laws, including laws and regulations that address telecommunications, health information, credit information, financial institutions, and marketing.
The Federal Trade Commission Act (15 USC § 41 et seq.) gives the FTC broad jurisdiction over commercial entities under its authority to prevent unfair or "deceptive trade practices." While the FTC does not explicitly regulate what information should be included in website privacy policies, it uses its authority to issue regulations, enforce privacy laws, and take enforcement actions to protect consumers. For example, the FTC might take action against organizations that:
- Fail to implement and maintain reasonable data security measures.
- Fail to abide by any applicable self-regulatory principles of the organization's industry.
- Make inaccurate privacy and security representations (lying) to consumers and in privacy policies.
- Fail to provide sufficient security for personal data.
- Violate consumer data privacy rights by collecting, processing, or sharing consumer information in a way that breaches the FTC's consumer privacy framework or national privacy laws and regulations.
- Engage in misleading advertising practices.
Other sector-specific federal laws include:
- The Children's Online Privacy Protection Act (15 USC § 6501 et seq.), also known as COPPA, which governs the collection of information about minors.
- The Health Insurance Portability and Accountability Act (HIPAA - P.L. 104-191), which governs the collection of health information.
- The Gramm-Leach-Bliley Act (15 USC § 6802 et seq.), which governs personal information collected by banks and financial institutions.
- The Fair Credit Reporting Act (15 USC § 1681), which regulates the collection and use of credit information.
State Data Privacy Laws
In addition to federal laws and regulations, the US has hundreds of data privacy and data security laws among its states, territories, and localities. Currently, 25 US state attorneys general oversee data privacy laws governing the collection, storage, safeguarding, disposal, and use of personal data collected from their residents, especially regarding data breach notifications and the security of Social Security numbers. Some apply only to governmental entities, some apply only to private entities, and some apply to both.
New York SHIELD Act
In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This law amends New York's existing data breach notification law and creates additional data security requirements for companies that collect information on New York residents. As of March 2020, the law is fully enforceable. It broadens the scope of consumer privacy and gives New York residents better protection against data breaches of their personal information.
Other State-Level Data Privacy Laws
California and New York are the first states to enact broad legislation that creates national impact, but many other US states are also considering data privacy laws. They won't look the same as the California Consumer Privacy Act (CCPA) or the SHIELD Act, but they'll likely contain similar requirements tailored to each state's specific needs.
As you can imagine, the beehive of state and federal privacy laws in the US is too complex to summarize fully. We're unlikely to see an overarching federal law soon (even though support for one is growing). Hence, as an organization that collects and processes personal data, it's essential to partner with a service like Osano to keep you compliant in this challenging environment.
International Data Privacy Law: the GDPR
The most important data protection legislation enacted to date is the General Data Protection Regulation (GDPR). It governs the collection, use, transmission, and security of data collected from residents of any of the 28 member countries of the European Union. The law applies to all EU residents, regardless of the location of the entity that collects the personal data. Fines of up to €20 million or 4% of total global turnover may be imposed on organizations that fail to comply with the GDPR. Some important requirements of the GDPR include:
Data Breach Notification
In most cases, organizations are required to notify supervisory authorities and data subjects within 72 hours of a data breach affecting users' personal information.
Data Subject Rights
- The right to be informed. Data subjects must be informed about the collection and use of their personal data when the data is obtained.
- The right to access their data. A data subject can request a copy of their personal data via a data subject request. Data controllers must explain how the data was collected, what is being processed, and with whom it is shared.
- The right of rectification. If a data subject's data is inaccurate or incomplete, they have the right to ask you to rectify it.
- The right of erasure. Data subjects have the right to request the erasure of personal data related to them on certain grounds within 30 days.
- The right to restrict processing. Data subjects have the right to request the restriction or suppression of their personal data (though you can still store it).
- The right to data portability. Data subjects can have their data transferred from one electronic system to another at any time, safely and securely, without disrupting its usability.
- The right to object. Data subjects can object to how their information is used for marketing, sales, or non-service-related purposes. The right to object does not apply where legal or official authority is being exercised, where a task is carried out in the public interest, or where the organization needs to process the data to provide a service for which the data subject signed up.
Making Your Company Compliant With Data Privacy Laws
Even if your company is based in a jurisdiction that has not implemented comprehensive data privacy legislation, it is essential to consider where your potential users might reside and what regulations apply. If you intend to do any business in California, New York, or the European Union, you should be familiar with the requirements of the CCPA, the SHIELD Act, and the GDPR. In most cases, it's simpler and less expensive for your organization to adhere to these standards for all of your customers rather than applying different rules based on location.
Data protection is becoming more important and will affect users' decisions about where they do their online browsing and shopping. Increasingly, a company's reputation for the responsible handling of personal data will be an asset that can lead to more website traffic, conversions, and a positive impact on profits.
If you're ready to take data privacy laws seriously, sign up with Osano. Osano is an easy-to-use data privacy platform that instantly makes your website compliant with the CCPA, SHIELD Act, GDPR, and other privacy laws. Osano is "compliance in a box," immediately helping your website comply with data privacy laws. Get compliant now.