What You Need to Know About Data Privacy Laws

  • by Noah Ramirez, JD / CIPP
What You Need to Know About Data Privacy Laws

Most websites collect information about their users, either submitted by the user himself, or collected automatically, through cookies and other technologies. Business owners need information in order to deliver their products, advertise their services, communicate with customers and prospective customers, and improve their website functionality. Customers and visitors to your site are naturally concerned about what happens to their information - how it is stored, who has access to it, and what safeguards protect their privacy.

Virtually every country has enacted some sort of data privacy laws to regulate how information is collected, how data subjects are informed, and what control a data subject has over his information once it is transferred. Failure to follow applicable data privacy may lead to fines, lawsuits, and even to prohibition of a site’s use in certain jurisdictions. Navigating these laws and regulations can be daunting, but all website operators should be familiar with data privacy laws that affect their users. Some of these include:

U.S. Data Privacy Laws

There is no one comprehensive federal law that governs data privacy in the United States. The Federal Trade Commission Act (15 U.S.C. § 41 et seq.), for example does not specifically regulate what information should be included in website privacy policies, but it does prohibit “deceptive practices”, such as failing to follow a published privacy policy, failing to provide sufficient security for personal data, and engaging in misleading advertising practices. Other federal laws that govern the collection of information online include the Children’s Online Privacy Protection Act (15 U.S.C. §6501 et seq.), governing the collection of information about minors, the Health Insurance Portability and Accounting Act (HIPAA - P.L.104-191), which governs the collection of health information, the Gramm Leach Bliley Act (15 U.S.C. § 6802 et seq.) governing personal information collected by banks and financial institutions, and the Fair Credit Reporting Act (15 U.S.C. § 1681), which regulates the collection and use of credit information.

State Privacy Laws

Currently, 25 U.S. States have their own data privacy laws governing the collection, storage, and use of data collected from their residents. Some of these apply only to governmental entities, some apply only to private entities, and some apply to both. The most comprehensive state data privacy legislation, the California Consumer Privacy Act (CCPA), was signed into law on June 28, 2018, and goes into effect on January 1, 2020. The CCPA will impose certain duties on entities or persons that collect information about or from a California resident. These duties will include informing data subjects when and how information is collected, and giving them the ability to access, correct, and delete such information. This information must be disclosed in a privacy policy displayed on the website of the entity collecting the data.

International Privacy Laws

The most comprehensive data protection legislation enacted to date is the General Data Protection Regulation (GDPR), governing the collection, use, transmission, and security of data collected from residents of any of the 28 countries of the European Union, regardless of the location of the entity collecting the data. Fines of up to € 20 million or 4% of total global turnover may be imposed on organizations that fail to comply with the GDPR. Some important requirements of the GDPR include:

Consent: Data subjects must be given the opportunity to give clear, unambiguous consent prior to the collection of personal data. This includes information collected through the use of cookies. Some information not usually considered “personal information” in the United States, such as the user’s computer IP address, is considered to be “personal data” for purposes of the GDPR.

Data Breach Notification: Organizations are required to notify supervisory authorities and data subjects within 72 hours in the event of a data breach affecting users’ personal information in most cases.

Data Subjects’ rights to control personal data: Data subjects must be notified of their rights with regard to their personal data, including the right to access, correct and delete personal information.

These rights should be communicated to data subjects in a clear, easy to access privacy policy on the organization’s website.

How Important is a Privacy Policy?

Any website that collects any personal information (and even those that do not collect any personal information) should have a privacy policy that explains to their users exactly what information is collected, how it is used, how it may be shared, and how it is secured. In order to be fully compliant with American and European data privacy laws, all data subjects should be given the opportunity to consent to the collection of personal information. While much information about users is provided voluntarily when they sign up for newsletters, complete forms, or send email requests, information gathered from third parties and through the use of cookies should also be disclosed, and users should be given the opportunity to consent to, block, or disable cookies.

Making Your Company Compliant With Data Privacy Laws

Even if your company is based in a jurisdiction that has not implemented comprehensive data privacy legislation, it is important to consider where your potential users might reside and what regulations apply. If you intend to do any business in California or in the European Union, you should be familiar with the requirements of the upcoming CCPA and with the GDPR.

Data protection is becoming more and more important, and will affect users’ decisions about where they do their online browsing and shopping. Increasingly, a company’s reputation for responsible handling of personal data will be an asset that can lead to greater website traffic, more conversions, and a positive impact on profits.


Noah Ramirez, JD / CIPP

About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy Noah enjoys rock climbing and yoga.