Privacy Laws in Different Countries and How to Comply With Them
Even though privacy laws or policies are legal documents, you should ensure that these texts are crafted so that they are easy to understand and accurate. It would be extremely unwise to use obscuring or hidden clauses within the text or to make it too vague since it can affect your credibility as a platform.
Lastly, you need to include storage information that is used to clarify how the information will be stored and where this database will be located. It would be ideal for visitors to know that their private information is stored in a safe and secure environment.
Table of contents
- Why are privacy laws important?
- Privacy laws by country
- Czech Republic
- European Union
- Hong Kong
- New Zealand
- The Philippines
- South Africa
- South Korea
- United Kingdom
- United States
Why are privacy laws important?
Privacy laws are important for a couple of reasons. Primarily, they are an absolute necessity for some industries, like banking, medical professionals, lawyers, etc. Basically, the professions that incorporate privacy laws are obliged to maintain them both online and off.
Furthermore, anyone who is in a regulated industry must-have privacy laws that cover all of the issues, under the regulations of the industry, because they can suffer suspensions or fines otherwise.
It is something you should want to have regardless of whether you need it or not; otherwise, you'll simply lose potential customers to your competitors who have implemented the policy.
You should not assume that your competitor's privacy laws are sufficient to meet your demands since you don't know when exactly have your competitors adopted their policy and under which circumstances.
Privacy laws by country
Privacy laws that apply to your website are usually affected by the acting privacy laws in your country. Recently, in over 80 countries, these privacy laws have been enacted in order to increase or improve information privacy and security. Here, we will go over some of these privacy laws.
The Argentina Personal Data Protection Act that was brought in October 2000 applies to individuals as well as legal entities within the territory of Argentina who operate with personal information. Personal information includes any sort of data that relates to individuals; basic information like name, occupation, address, or date of birth.
Personal data does, however, include browser cookies; in the event that you use them to track user activity. So, in Argentina, it is only legal to use them if the user has provided an informed consent, which implies you need to tell them the purpose of gathering the data using browser cookies.
Furthermore, the user has the right to demand personal data deletion at any given time. Also, there is still a debate about whether IP addresses should be considered as personal information, so just to be sure, ask for consent for that as well.
Australia's Privacy Principles (APP) is a privacy law in Australia that consists of 13 principles that serve as guidelines for managing personal information.
In 2014, the Brazilian Internet Act was passed and it delves into policies on the collection, treatment, as well as the use of personal data on the Internet.
According to the act, in Brazil, before you acquire someone's personal data, you must have that person's consent, and individuals who are under 16 years old are not eligible to give consent at all, whereas those between 16 to 18 years old need to have assistance from their parents or legal guardian.
However, this act does not meet the standards of the European Union, even though it was created in the first place solely for that purpose.
Canada's Personal Information Protection and Electronic Data Act (PIPEDA) provides an insight into how you should collect, store and use the personal data of your online users or subscribers, for the purpose of digital marketing.
The act states that you must make these privacy policies accessible to your users and that the document is easy to read and understand. So, make sure you provide specific and direct information, and if you need any additional guidelines, you can look up the Privacy Toolkit and Fact Sheet.
According to Colombia's Regulatory Decree 1377, the providers are obliged to inform the users as to why they are collecting the data. Again, it is illegal to obtain this type of data without prior consent, and the policy must also include the description of the purpose and methods of data processing.
Additionally, you must supply users with their rights over data and go over how those rights are exercised.
As you can see, there is a certain pattern here regarding privacy laws, and the same rules apply to the Czech Republic. Act No. 101/2000 Coll., on the Protection of Personal Data is the name of their policy for data protection and it has conduct that you should adhere to when collecting personal data.
You need to ensure your policy is easy to follow without any ambiguous language and, again, you are going to need user consent before gathering personal information.
The Act on Processing of Personal Data was passed in 2000, and it appointed the Danish Data Protection Agency to enforce these privacy laws. In the event they discover any privacy law violations, they are authorized to issue a ban or enforcement notice.
Again, the company needs explicit consent from the user in order to collect data, and they need to ask for their consent again, in case they want to disclose this information to third parties for the purposes of digital marketing.
The Personal Data Protection Act of 2003 in Estonia also demands that personal information is obtained in an honest and legal fashion. Once again, you are going to need the user's consent before gaining access to personal data and collecting it, and you will also have to inform them about the reason for collecting the data in the first place.
The privacy law in the European Union is regulated throughout the European Union Data Protection Directive of 1998. According to the data protection directive, the information must be obtained in a way that is fair and lawful.
To elaborate, the data can only be collected for specified and legitimate purposes, and the explanation of the purposes must be provided. Users need to give consent in an unambiguous and explicit way. You are also obliged to inform the users if their data is going to be shared with third parties.
In Finland, privacy law is defined in The Personal Data Act, and it is considered as one of the basic rights. If you want to gather personal information in Finland, the Act necessitates that you have a clear purpose for that, and you are not allowed to use it for any other purpose.
User consent is required prior to data gathering, and the user needs to be provided with a data file that describes the gathering process as well as explains the purpose behind data gathering.
There are certain restrictions as well that apply in the event that you are collecting data for personalized marketing or e-mail marketing, and your database is limited to basic information and contact information.
Data privacy in France is regulated using The Data Protection Act (DPA) of 1978, which was revised in the year 2004. This act also addresses collecting personal data for the purposes of sending e-mails, or the collection of any information which is used to identify a person.
The act applies to all of those who are collecting data in France, which is why the French Data Protection Authority was able to sue Google for privacy law violations.
It goes without saying that, just like with the other laws we mentioned, you need the consent of the user before even collecting their personal information.
Germany has the Federal Data Protection Act of 2001, which prohibits you to gather personal data without authentic user consent (this also includes IP address). So, you need to get the data from the subject directly and are also not allowed to obtain it from another party, like buying email lists, etc.
The Processing of Personal Data laws in Greece is there to ensure the privacy of individuals who rely on electronic communication. After asking for the consent of a particular user, you will be allowed to obtain his or her personal data.
You also need to inform the user about the type of data you will get, and tell them for what purpose the data is going to be used. Lastly, the users are allowed to withdraw their consent at any time they want.
Hong Kong's Personal Data Ordinance is the acting privacy law in Hong Kong and it points out how users must be informed about data collection and the ways that data can be used (if it is shared with a third party for example).
The act has certain principles that state how personal data policies, along with practices, must be publicly available and transparent.
In the event of privacy law violation, you can be charged with a fee that goes up to HK$50,000, or even spend two years in prison, so it is definitely a matter you should take seriously, considering how easily your users can sue you.
The privacy of personal data in Hungary is protected by an act with a very long name - Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests. It was created with the purpose to make sure the individuals have control over their personal information.
Just like with our previous acts, this one also requires you to have user consent before collecting and handling their personal information.
In the event of act violation, you are prone to be sued by the users and you will be liable to pay for any damage that you have caused by misusing their personal data.
Even though Iceland has the same principals regarding information and consent, its policy is a bit stricter than the others. Iceland has been labeled as the Switzerland of data due to this strictness and it all explained and stated in the Data Protection Act of 2000.
Not only does it require you to make users aware of data collection, but also how the processing is being conducted and how you are going to protect the collected data. Users can also withdraw the consent at any given time and in the event of act violation, you can even end up in prison for 3 years.
There are two acts for privacy regulation in Ireland. One of them is the Data Protection Act 1988 and ePrivacy Regulations 2011 (S.I. 336 of 2011) for regulating privacy in the field of electronic communication.
Much like other policies, it needs to describe the type of data you are collecting, the purpose behind the collection, and security practices implemented for protecting that data. Sensitive data like passwords or financial information can only be collected with the user's consent.
It is similar to other policies so far, but again a bit stricter in terms of electronic marketing. The Data Protection Code demands that you need consent before even tracking your user and using data for advertising or marketing communications.
Users need to be provided with specific information before gathering or processing their personal facts, and you also need to include a purpose behind such a request. Much like with France, Italy threatened Google for violating Italian privacy regulations and requested a fee of up to one million euros.
The Personal Information Protection Act is created for protecting the rights of individuals regarding their personal information. Personal information, however, has a very broad definition in this act and it even extends to the data found in the public directory.
Other limitations are pretty much exactly the same; it requires prior consent and a detailed explanation of the reason for gathering intel.
As far as Latvia is concerned, the law pretty much abides the basic formula. Privacy regulations are quite common and under the established rules. Collecting and using data requires consent as well as from you to provide users with specifics regarding its use and implementation.
You must also inform them if any third party will also have access to the data you are collecting. The name of the act is The Personal Data Protection Law of Latvia.
On the 2nd of August, an act was created for the purpose of protection and processing of personal data. As far as its name is concerned, it is a bit unconventional - Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data.
It also states how you need consent to provide users with detailed information about why the data is being collected and the name of the parties who will have access to it.
In Malta, one of the fundamental human rights is the right to privacy, and for that reason, the Data Protection Act of 2001 was created. The difference between this act and most other acts here is that it requires extra steps for providing consent.
To be specific, for the user's consent to be valid, you must provide them with information about your identity and place of residence, you must also give them a reason for collecting data and the list of other data recipients, and ask them if their participation is in fact voluntary.
They also have the right to access that data as well as erase it.
In Mexico, the Federal Law for the Protection of Personal Data Possessed by Private Persons is there to regulate and protect the privacy of one's personal information.
The reasons for collecting data must align with the ones stated in this policy and you also need to have consent if you want any type of personal information that is not publicly available. Additionally, you are obliged to tell users what their rights are concerning the data you collected.
In Morocco's Data Protection Act personal data is defined as information of any nature, which allows one to identify certain individuals. Providing users with a reason behind data gathering and having their consent is once again obligatory.
However, the act will not require you to do this in the event that the individual has personally made the information public. Once again, in order for the consent to be considered valid, you are required to provide the users with your specific and personal information.
In the event you break the law, you can be punished either financially, or even with imprisonment.
New Zealand's Privacy Act of 1993 demands that, when collecting this type of data, you are obliged to seek any nonpublic personal information straight from the individual. The user whose information you require needs to know your name and the purpose for requesting this data.
You must also tell them whether the information is required by law, or if it is optional, and they need to be aware of their own rights regarding that data. A complaint by the user can trigger an investigation and you'll be placed under scrutiny to ascertain if you collected the data in accordance with the privacy law.
There are no exceptions as far as Norway is concerned Norway's Personal Data Act gives you an obligation to collect data directly from the user after you have acquired his or her consent.
The purpose behind collecting data and its visibility to third parties must also be provided, as well as the identities of you and any third parties.
The Philippines are known for their strict privacy law; in fact, it is the strictest one in the region. You still need to do the common procedures mentioned in most of the acts above, but there is also the Republic Act No. 10173.
According to this act, individuals are allowed to know your personal identity, your purpose for collecting data, and they have the right know-how the data is being processed and also the identities of the third parties, if any, who will have access to it.
Poland's Act of the Protection of Personal Data from the year 1997 demands that prior to data processing, you must obtain the subject's consent, otherwise collecting information is prohibited.
Additionally, just like with previous examples, you must provide your personal information like name and address, along with the purpose of collecting data. The subject must also know his or her rights and whether participation is necessary or voluntary.
Act on the Protection of Personal Data in Portugal states that the processing of data must be done in a transparent manner, with full respect towards the user's privacy. In order to collect personal information, you must have a specific and legitimate purpose for doing so, and you will also need the subject's consent.
You must also give your information to the user, as well as information about all other data recipients.
In Romania, privacy law regulations are very similar to the common practices mentioned so far.
Consent, purpose, and identification must be provided to the subject prior to requesting data processing, and if you are interested to find out more specific you may read in-depth information about their privacy laws.
There are two legal documents that are used for regulating privacy in Russia.
One is the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, from 2005, and the Law of the Russian Federation "On Personal Data" which applies to operators who use automated equipment for gathering personal data.
User consent is required prior to the gathering, processing, modifying, or altering, using, or even destroying the subject's data.
This rule does not apply however if the information is required by law, or if it is necessary.
Slovenia's Personal Data Protection Act requires you to obtain legal and valid consent from the subject before collecting data. The consent is only considered valid if the person is aware of your identity and the purpose of collecting the information.
They also need to be informed that data will be processed in a legal and fair manner.
South Africa's Electronic Communications and Transactions Act is the law that is applicable to any personal data which is collected through the website. The act consists of nine principles that you must fulfill prior to collecting personal information from an individual.
Also, just like with previous cases, your information needs to be given to the subject and the act warrants his or her consent in order for you to gain the right to access their personal information.
According to the Act on Promotion of Information and Communications Network Utilization and Data Protection in South Korea, any personal information that is acquired by the communication services provider warrants legal consent from the user.
If the consent is to be considered valid, you need to give all the necessary information like in all of the previous examples.
The Framework Act on Telecommunications defines information and communication services as the following - "services that mediate a third party's communication through the telecommunications facilities and equipment or to provide the telecommunications facilities and equipment for the third party's telecommunications."
In Spain, personal information is regarded as one of the constitutional rights and you need to supply the user with fair processing information as well as your personal information in order to receive their consent and for it to be valid.
They also need to know if leaving their personal information is voluntary or mandatory, as well as the consequences of providing that information to you.
Switzerland's Federal Act on Data Protection allows for personal information to be collected only in good faith, and if the user is aware of the purpose for this request. You must also provide the subject with your personal details or personal data.
In both cases, personal data is defined as - "all information relating to an identified or identifiable person."
The Computer-Processed Personal Data Protection Law defines personal data like information related to individuals which include their name, date of birth, and even social activates, or any kind of detail which allows for that individual to be identified.
The collection of personal data must be conducted in good faith and you must also take into consideration the user's rights.
This implies that you as an organization need to give them your personal information as well, which includes your name address and all other details, along with methods and the purpose of collecting this data.
The Information Commissioner's Office is responsible for upholding the privacy laws in the UK and it requires very much the same procedure for gathering data as the ones mentioned so far, but also to explain the mechanism behind the browser cookies you are using for this purpose.
They also have the Children's Online Privacy Protection Rule (COPPA), which deals with websites that collect information from children who are under 13 years old.
CalOPPA requires that policy from websites that collect personal data to contain the following information:
- The type of personal data you are collecting
- Naming any third parties that will have access to it
- How users can review and change the collected data
So, if you collect data from anyone in California you need to comply with laws.
As you can see, privacy policies and laws from different states and countries are, in their essence, very similar.
- Updated on September 9, 2020