Privacy Laws in Different Countries and How to Comply With Them

A privacy policy is a legal text that tells the users or visitors of a website how their personal information will be collected and used; privacy laws are the statutes that require such a notice and set the rules it must follow. In other words, if you run a website that asks users to leave personal information, you should also have a privacy policy on that website.

Even though privacy policies are legal documents, you should make sure they are written so that they are easy to understand and accurate. It would be extremely unwise to hide clauses in obscure language or to make the text too vague, since this damages your credibility as a platform and, under many of the laws below, consent obtained without clear information is not valid.

Your privacy policy should open with an introductory section that gives visitors the essential details about your organization. It should then explain what type of information you collect and how you collect it (for example, whether collection is automated, such as through cookies, or whether users fill in forms).

Lastly, include a storage section that explains how the information will be stored and where the database will be located. Visitors should be able to see that their private information is kept in a safe and secure environment, and if the data will be stored in another country, say so.


Why are privacy laws important?

Privacy laws are important for a couple of reasons. Primarily, they are an absolute necessity for some industries, such as banking, medicine and law. Businesses in those professions are bound by confidentiality rules and must maintain them both online and offline.

Furthermore, anyone in a regulated industry must have a privacy policy that covers all of the issues the industry's regulations address, because they can otherwise face suspensions or fines.

Even if you are not legally obliged to have one, it still does not mean you shouldn't have a privacy policy on your website. Simply having one makes you look more legitimate. You'll come across as a more trustworthy provider, which really helps with customer acquisition.

It is something you should want regardless of whether you need it or not; otherwise, you'll simply lose potential customers to competitors who have implemented one.

Lastly, if you need to create a privacy policy, there are certain things you should never do. Never copy your competitor's privacy policy, since doing so can amount to copyright infringement.

You should also not assume that your competitor's policy is sufficient for your needs, since you don't know when exactly they adopted it, under which circumstances, or whether it describes what you actually do with data.

You should not write the policy yourself unless you are proficient in this area, and even then it would be wise to seek an extra pair of eyes to help you out. Finally, remember that having no policy is, in fact, better than having a bad privacy policy: a policy that misdescribes what you do with data can itself be treated as a deceptive practice.

Privacy laws by country

The privacy laws that apply to your website are usually determined by the privacy laws in force in your country and, as the sections below show, often also in the countries where your users are. Over 80 countries have enacted such laws to improve information privacy and security. Here, we go over some of them.


Argentina

The Argentine Personal Data Protection Act, passed in October 2000, applies to individuals as well as legal entities within the territory of Argentina that handle personal information. Personal information includes any sort of data that relates to an individual, from basic details like name, occupation, address or date of birth onward.

Personal data also covers what you collect through browser cookies when you use them to track user activity. So, in Argentina, you can only use tracking cookies if the user has given informed consent, which means you have to tell them the purpose of the data you gather through those cookies.

Furthermore, the user has the right to demand deletion of their personal data at any time. There is also still debate about whether IP addresses count as personal information, so to be safe, ask for consent before collecting those as well.


Australia

The Australian Privacy Principles (APPs), contained in the Privacy Act 1988, are a set of 13 principles that govern how personal information must be managed.

These principles require that personal information be handled in an open and transparent manner, which means you must have an up-to-date privacy policy on your website and know how you manage personal information.

Under these principles, your privacy policy needs to explain how and why the data is collected, and also what the consequences are if a person refuses to provide personal information. Make sure you include all of these details in order to avoid future issues and complaints.


Brazil

In 2014, the Brazilian Internet Act (Marco Civil da Internet) was passed; it sets out policies on the collection, treatment and use of personal data on the Internet. Brazil has since also adopted a comprehensive General Data Protection Law (LGPD, Law No. 13,709/2018), in force since September 2020, which now governs most processing of personal data.

According to the act, in Brazil, before you acquire someone's personal data you must have that person's consent. Individuals under 16 years old cannot give consent at all, and those between 16 and 18 need the assistance of a parent or legal guardian.

It also requires providers to have a clear and easy-to-understand privacy policy so that users are not misled in any way.


The Bahamas

The Bahamas protect the personal data of individuals in both the public and private sector through the Data Protection (Privacy of Personal Information) Act 2003. The act establishes a Data Protection Commissioner and an Office of Data Protection to oversee how personal data is handled.

However, this act does not meet the adequacy standards of the European Union, even though it was drafted with that goal in mind.

The problem is that the Commissioner is not required to be in office, and organizations are not required to notify the Office of Data Protection when personal data is breached. The act lacks enforcement mechanisms and, as such, should not be relied on as a benchmark for your own privacy policy.


Canada

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity, which includes the personal data of online users and subscribers used for digital marketing.

The act requires you to make your privacy policy readily available to users and to write it so that it is easy to read and understand. So, make sure you provide specific and direct information; if you need additional guidance, the Office of the Privacy Commissioner of Canada publishes a Privacy Toolkit and fact sheets.


Colombia

According to Colombia's Regulatory Decree 1377 of 2013, providers are obliged to tell users why they are collecting their data. Again, it is illegal to obtain this type of data without prior consent, and the policy must also describe the purpose and methods of data processing.

Additionally, you must supply users with their rights over data and go over how those rights are exercised.

Czech Republic

As you can see, there is a certain pattern here, and the same rules apply to the Czech Republic. Act No. 101/2000 Coll., on the Protection of Personal Data, is the name of their data protection law, and it sets out the rules you must follow when collecting personal data.

You need to ensure your policy is easy to follow without any ambiguous language and, again, you are going to need user consent before gathering personal information.


Denmark

The Act on Processing of Personal Data was passed in 2000, and it made the Danish Data Protection Agency responsible for enforcing it. When the agency finds a violation, it is authorized to issue a ban or an enforcement notice.

Again, a company needs explicit consent from the user in order to collect data, and it needs to ask for consent again if it wants to disclose the information to third parties for digital marketing purposes.


Estonia

The Personal Data Protection Act of 2003 in Estonia also demands that personal information be obtained honestly and lawfully. Once again, you need the user's consent before collecting their personal data, and you have to tell them why you are collecting it.

European Union

At the time the national laws below were written, privacy in the European Union was governed by the Data Protection Directive (Directive 95/46/EC of 1995, which member states had to transpose into national law by 1998). Since 25 May 2018 it has been replaced by the General Data Protection Regulation (GDPR), which applies directly in every member state and also to organizations outside the EU that offer goods or services to, or monitor, people in the EU. The acts of EU member states described in this article predate the GDPR and have since been replaced or amended by national GDPR implementing laws, so treat them as background rather than the current text.

The core principles carried over: personal data must be processed fairly and lawfully, collected only for specified and legitimate purposes that are explained to the data subject, and not used for purposes incompatible with those. Where consent is the legal basis, it must be freely given, specific, informed and unambiguous (explicit consent is required for special categories such as health data). You are also obliged to tell users whether their data will be shared with third parties, and with whom.


Finland

In Finland, privacy is treated as a basic right and data protection is defined in the Personal Data Act. If you want to gather personal information in Finland, the Act requires that you have a clear purpose for doing so, and you are not allowed to use the data for any other purpose.

User consent is required before collection, and the controller must draw up a description of the data file (a register description) that explains what data is collected, how it is collected and why.

There are additional restrictions when you collect data for personalized marketing or e-mail marketing: the database is then limited to basic identification and contact information.


France

Data privacy in France is regulated by the Data Protection Act (Loi Informatique et Libertés) of 1978, revised in 2004. This act also addresses collecting personal data for the purpose of sending e-mails, and the collection of any information that can be used to identify a person.

The act applies to everyone who collects data in France, which is why the French data protection authority (CNIL) was able to take action against Google for violations of French privacy law.

It goes without saying that, just like with the other laws mentioned here, you need the user's consent before collecting their personal information.


Germany

Germany's Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG; the version referred to here dates from 2001) prohibits you from gathering personal data without genuine user consent, and this includes IP addresses. You need to obtain the data from the data subject directly and are not allowed to obtain it from another party, for example by buying e-mail lists.

Also, you may only use the data for the specific purpose stated in your privacy policy. The law applies to anyone collecting data on German soil, and it is enforced by the federal commissioner together with 16 state data protection authorities, one for each federal state.


Greece

Greece's laws on the processing of personal data protect the privacy of individuals who rely on electronic communications. Only after obtaining a user's consent are you allowed to collect his or her personal data.

You also need to inform the user about the type of data you will get, and tell them for what purpose the data is going to be used. Lastly, the users are allowed to withdraw their consent at any time they want.

Hong Kong

Hong Kong's Personal Data (Privacy) Ordinance is the privacy law in force in Hong Kong, and it sets out how users must be informed about data collection and the ways their data can be used (for example, whether it is shared with a third party).

The ordinance contains data protection principles which require that personal data policies and practices be made publicly available and transparent.

Violations can be punished with a fine of up to HK$50,000 and up to two years' imprisonment, so it is a matter you should take seriously, especially since affected users can also seek compensation.


Hungary

The privacy of personal data in Hungary was protected by an act with a very long name, Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest. It was created to make sure individuals have control over their personal information.

Just like the previous acts, this one requires user consent before collecting and handling personal information.

If you violate the act, users can sue you and you will be liable for any damage you caused by misusing their personal data.


Iceland

Even though Iceland follows the same principles regarding information and consent, its law is somewhat stricter than the others. Iceland has been called the Switzerland of data because of this strictness, and it is all set out in the Data Protection Act of 2000.

Not only does it require you to make users aware of the data collection, but also of how the processing is conducted and how you are going to protect the collected data. Users can withdraw their consent at any time, and violations of the act can be punished with up to 3 years' imprisonment.


Ireland

There are two main pieces of legislation regulating privacy in Ireland: the Data Protection Act 1988 (as amended), and the ePrivacy Regulations 2011 (S.I. 336 of 2011), which regulate privacy in electronic communications.

In Ireland, there is a difference between an organization's Privacy Policy and its public Privacy Statement.

Basically, a privacy policy is the internal legal document that sets out how an organization applies the 8 data protection principles, while a privacy statement is the notice on the website that explains how data is collected and handled on that website.

Websites have a legal obligation to publish a privacy statement and can be fined up to 100,000 euros for neglecting this duty.


India

The Information Technology Act 2000, through the rules on reasonable security practices and sensitive personal data issued under it in 2011, requires websites in India to publish a privacy policy that is accessible to their users, regardless of whether they handle sensitive data or not.

Much like other policies, it needs to describe the type of data you collect, the purpose of the collection, and the security practices implemented to protect that data. Sensitive personal data such as passwords or financial information can only be collected with the user's consent.


Italy

Italy's law is similar to the others so far, but again a bit stricter on electronic marketing. The Data Protection Code requires consent before you track a user or use their data for advertising or marketing communications.

Users need to be given specific information before you gather or process their personal data, and you must state the purpose of such a request. Much like France, Italy's data protection authority threatened Google with a fine of up to one million euros for violating Italian privacy regulations.


The Personal Information Protection Act was created to protect the rights of individuals regarding their personal information. Personal information has a very broad definition in this act, extending even to data found in public directories.

The other requirements are much the same as elsewhere: prior consent and a detailed explanation of the reason for collecting the data.


Latvia

Latvia's law, the Personal Data Protection Law of Latvia, follows the basic formula. Collecting and using data requires consent, and you must provide users with specifics about how the data will be used.

You must also tell them if any third party will have access to the data you collect.


Luxembourg

The act governing the protection and processing of personal data here has a rather unconventional name: the Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data.

It requires consent and obliges you to give users detailed information about why the data is being collected and the names of the parties who will have access to it.


Malta

In Malta, the right to privacy is one of the fundamental human rights, and for that reason the Data Protection Act of 2001 was created. The difference between this act and most others here is that it requires extra steps for consent to be valid.

Specifically, for a user's consent to be valid, you must inform them of your identity and address, give them the reason for collecting the data and the list of other recipients of it, and tell them whether providing the data is voluntary or mandatory.

They also have the right to access that data and to have it erased.


Mexico

In Mexico, the Federal Law on the Protection of Personal Data Held by Private Parties regulates and protects the privacy of personal information, chiefly through the privacy notice (aviso de privacidad) you must provide to data subjects.

The reasons for collecting data must match the ones stated in that notice, and you need consent for any personal information that is not publicly available. Additionally, you are obliged to tell users what their rights are concerning the data you collect.


Morocco

Morocco's Data Protection Act defines personal data as information of any nature that allows an individual to be identified. Giving users the reason for the data gathering and obtaining their consent is once again mandatory.

However, the act does not require this where the individual has personally made the information public. Once again, for consent to be valid, you are required to tell users who you are and how to contact you.

If you break the law, you can be punished with a fine or even imprisonment.

New Zealand

New Zealand's Privacy Act 1993 requires that you collect non-public personal information directly from the individual concerned. The person whose information you require needs to know who you are and the purpose for which you are requesting the data. (The 1993 Act has since been replaced by the Privacy Act 2020, in force since 1 December 2020, which keeps these principles and adds mandatory notification of privacy breaches that cause serious harm.)

You must also tell them whether providing the information is required by law or voluntary, and they need to be aware of their rights regarding that data. A complaint by the user can trigger an investigation, and you will be scrutinized to determine whether you collected the data in accordance with the privacy law.


Norway

There are no exceptions as far as Norway is concerned: Norway's Personal Data Act obliges you to collect data directly from the user, after obtaining his or her consent.

The purpose of the collection and whether the data will be visible to third parties must also be disclosed, along with your identity and the identity of any third parties.

The Philippines

The Philippines are known for their strict privacy law; in fact, it is the strictest one in the region. You still need to follow the common procedures described in most of the acts above, but there is also Republic Act No. 10173, the Data Privacy Act of 2012, enforced by the National Privacy Commission.

According to this act, individuals have the right to know what personal information is held about them, the purpose for which it is collected, how it is being processed, and the identities of any third parties who will have access to it.


Poland

Poland's Act on the Protection of Personal Data of 1997 requires that you obtain the data subject's consent before processing; otherwise collecting the information is prohibited.

Additionally, just like in the previous examples, you must provide your own details, such as name and address, along with the purpose of the collection. The subject must also be told his or her rights and whether providing the data is mandatory or voluntary.


Portugal

Portugal's Act on the Protection of Personal Data states that data must be processed transparently and with full respect for the user's privacy. To collect personal information, you must have a specific and legitimate purpose for doing so, and you also need the subject's consent.

You must also give the user your own details, as well as information about all other recipients of the data.


Romania

In Romania, privacy regulation is very similar to the common practice described so far.

Consent must be obtained, and the purpose of processing and your identity must be provided to the subject before any data is processed.


Russia

Two legal instruments regulate privacy in Russia.

One is the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), which Russia ratified in 2005; the other is Federal Law No. 152-FZ "On Personal Data" of 2006, which applies to operators that process personal data, including those that use automated equipment to gather it.

User consent is required before gathering, processing, modifying, using or even destroying the subject's data.

This rule does not apply, however, where the processing is required by law or rests on one of the other legal grounds the law lists. Note also that since 2015 the law requires operators to record, store and update the personal data of Russian citizens in databases located in Russia.


Slovenia

Slovenia's Personal Data Protection Act requires you to obtain lawful and valid consent from the subject before collecting data. Consent is only considered valid if the person knows your identity and the purpose of the collection.

They also need to be informed that the data will be processed lawfully and fairly.

South Africa

South Africa's Electronic Communications and Transactions Act of 2002 applies to personal data collected through a website. It sets out nine principles for collecting personal information, which a data controller subscribes to voluntarily under that act. The Protection of Personal Information Act (POPIA), fully in force since 1 July 2021, now imposes binding conditions on all processing of personal information in South Africa.

Also, just like in the previous cases, you must identify yourself to the subject, and the act requires his or her consent before you may collect their personal information.

South Korea

According to South Korea's Act on Promotion of Information and Communications Network Utilization and Information Protection (the Network Act), any personal information collected by an information and communications service provider requires the user's consent. South Korea's general privacy law is now the Personal Information Protection Act (PIPA) of 2011, which applies to all organizations handling personal information.

For consent to be valid, you need to give the user all the necessary information, as in the previous examples.

The Framework Act on Telecommunications defines information and communication services as "services that mediate a third party's communication through the telecommunications facilities and equipment or to provide the telecommunications facilities and equipment for the third party's telecommunications."


Spain

In Spain, the protection of personal data is a constitutional right. For consent to be valid, you need to give the user fair processing information, including your own identity.

They also need to know whether providing their personal information is voluntary or mandatory, as well as the consequences of providing it or refusing to.


Switzerland

Switzerland's Federal Act on Data Protection allows personal information to be collected only in good faith and only when the person is aware of the purpose of the collection. You must also identify yourself to the subject. (A fully revised version of the act took effect on 1 September 2023.)

The Act defines personal data as "all information relating to an identified or identifiable person."


Taiwan

Taiwan's Computer-Processed Personal Data Protection Law (since replaced by the Personal Data Protection Act, in force since 2012) defines personal data as information relating to an individual, including name, date of birth and even social activities, or any detail that allows the individual to be identified.

The collection of personal data must be conducted in good faith and with regard for the data subject's rights.

This means that you, as an organization, need to give them your own details, including your name and address, along with the methods and purpose of collecting the data.

United Kingdom

The Information Commissioner's Office (ICO) enforces privacy law in the UK, which since Brexit consists of the UK GDPR and the Data Protection Act 2018, together with the Privacy and Electronic Communications Regulations (PECR) for cookies and electronic marketing. The ICO requires very much the same procedure for gathering data as those mentioned so far, and additionally that you explain which cookies you set and what they do, and obtain consent before setting any that are not strictly necessary.

United States

The US has no single comprehensive federal privacy law of the kind found in the countries above. Instead, privacy is regulated sector by sector at the federal level (health and financial data, for example) and, increasingly, by the states, so the rules that apply to you depend on both the state and the industry.

The FTC (Federal Trade Commission) polices commercial privacy practices under Section 5 of the FTC Act. Businesses are not required by federal law to have a privacy policy, but they are prohibited from using deceptive practices, and a published policy that does not match what the business actually does with data counts as one.

Federal law also includes the Children's Online Privacy Protection Act (COPPA) and its implementing Rule, which apply to websites and online services that collect personal information from children under 13.

The first US law requiring a privacy policy to be posted on a website was the California Online Privacy Protection Act (CalOPPA). It applies to any operator of a commercial website or online service that collects personally identifiable information from California residents, wherever that website is hosted, so in practice it reaches most websites in the US and many outside it.

CalOPPA requires the privacy policy of a covered website to contain the following information:

  • The categories of personal data you are collecting
  • The categories of third parties that may have access to it
  • How users can review and request changes to the collected data
  • How you will notify users of changes to the privacy policy
  • How the site responds to browser Do Not Track signals (added by a 2013 amendment)
  • Your privacy policy's effective date

So, if you collect personal data from anyone in California you need to comply with CalOPPA. California has since added the California Consumer Privacy Act (CCPA), in force since 2020 and amended by the CPRA, which gives consumers rights to know, delete and opt out of the sale of their personal information, and several other states have passed similar laws.

As you can see, privacy policies and laws from different states and countries are, in their essence, very similar.

There are minor differences, and some are stricter than others, but when you create your privacy policy, make sure it is compatible with the laws in your country and in the countries where your users are, since several of the laws above (the GDPR and CalOPPA among them) apply based on where the user is, not where the website is hosted.

Article by Olivia Adams

Olivia is an experienced data privacy compliance consultant. Throughout her career, she has helped hundreds of small to mid-size businesses with comprehensive advice on compliance with privacy laws.