As more states and countries pass privacy laws that can impose heavy fines for non-compliance, many business owners are asking “can you be fined for privacy law non-compliance outside of your state or country?” For example, if your business is headquartered in Chicago, IL and you have never set foot in California, could you be fined for failing to comply with the California Privacy Rights Act (CPRA)? The short answer is “yes”, because privacy laws have a very broad reach. In this article, we’ll break down who privacy laws apply to and why you still need to comply with privacy laws that have been passed outside of your state or country.
The broad application of privacy laws
Most businesses are familiar with the requirements of their home base, such as carrying workers’ compensation insurance, paying for a business license, and filing their annual corporation or LLC reports with their state. You are most likely used to complying with the laws, rules and regulations of your own area, and business owners often pay little attention to the rules of other states or countries.
However, privacy laws are different from other compliance requirements in that they can apply to you even if you are not located in the state or country that passed the law. This is because the Internet has a broad reach: individuals from anywhere could submit their personal information to your website, be tracked via analytics services, or place an order for goods or services on your website. Privacy laws were passed to protect the privacy of residents of particular states or countries and therefore follow those residents wherever their data goes. The justifications for this are as follows:
- If privacy laws applied only to businesses located in certain states or countries, that would negate the privacy protections provided to residents of those states or countries as out of state businesses could very easily just continue to violate the privacy of individuals if the law did not apply to them;
- Businesses that collect, use and disclose personal information of residents of certain states are collecting that information for financial gain, thereby establishing a connection to that state;
- Businesses that do business or engage in transactions with residents of certain states or countries are availing themselves of the privilege of doing business in that state or country, thereby establishing jurisdiction.
To boil it down, if you want to access a new market of consumers residing in a particular state or country, you must follow the requirements of that state or country, including its privacy laws. This is similar to sales tax obligations: once you conclude a certain number of transactions or earn sufficient revenue in a particular state, you are required to collect and remit sales tax to that state, regardless of whether you have ever set foot there. These requirements reflect the nature of the Internet and the fact that you no longer need to be physically located in a particular area to do business there.
Privacy laws that apply when personal information is collected
Some privacy laws can apply whenever a business website collects the personal information of an individual residing in a particular state or country, even if the business is not located in that state or country and does not otherwise do business there. These privacy laws include the California Online Privacy Protection Act (CalOPPA), the Delaware Online Privacy and Protection Act (DOPPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and Quebec Law 25 (most of whose provisions took effect in September 2023).
These privacy laws can apply as soon as someone from a particular state or country submits their personal information, such as their name and email address, to your website. You may be asking yourself: I’ve never been to Canada, does Canada’s privacy law, PIPEDA, apply to me? The Federal Court of Canada resolved this question by holding that the Privacy Commissioner has jurisdiction under PIPEDA to investigate a complaint against a business located outside of Canada when there is a real and substantial connection between Canada and the subject matter, the parties or the territory. For example, in a complaint against KLM Royal Dutch Airlines, the Office of the Privacy Commissioner of Canada found that it had jurisdiction over KLM because KLM collected personal information from Canadian passengers in order to offer its services to them. KLM was therefore held to be subject to the compliance requirements of PIPEDA, even though the company was not headquartered in Canada.
In addition, in 2012 the California Attorney General’s Office sent notices to multiple mobile app developers stating that they needed to bring their apps into compliance with CalOPPA. The notices went to platforms that were not headquartered in California, such as Amazon (headquartered in Washington), Microsoft (headquartered in Washington), and Research in Motion (headquartered in Canada).
Privacy laws that apply when doing business in a certain state or country
Other privacy laws, such as Nevada Revised Statutes Chapter 603A, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, Connecticut SB6, Iowa SF262, Indiana SB5, the Tennessee Information Protection Act, the Montana Consumer Data Privacy Act, and the Australian Privacy Act 1988, apply to businesses that do business in those states or countries and that meet certain other thresholds. Doing business in a particular state or country means engaging in transactions with residents of that state or country (e.g. your customers are located there), acting on purchase orders from that state or country, offering goods or services to its residents, having a place of business there, or undertaking business activities there.
The above privacy laws can apply to businesses doing business in a certain state or country even if they are not physically located there. For example, Uber was found to be subject to the Australian Privacy Act 1988 because it collected the personal information of Australian users, showed ad campaigns for its service to Australian users, entered into contracts with drivers and riders in Australia, fixed bugs in its app for Australian consumers, managed a tracking pixel that collected the personal information of Australians, and installed apps onto Australian devices. Uber was found to be in breach of the law even though it was headquartered in San Francisco, CA, not Australia.
In addition, Clearview AI, a company headquartered in New York, was sued in California for allegedly scraping biometric data in violation of the California Consumer Privacy Act (CCPA), the Illinois Biometric Information Privacy Act (BIPA), and California’s Unfair Competition Law, further demonstrating that companies can be sued or fined for violations of privacy laws even if they are not located in the state that passed the law.
Offering goods or services or tracking the behavior of residents of certain states or countries
Other privacy laws, such as the General Data Protection Regulation (GDPR) and the United Kingdom Data Protection Act 2018 (UK DPA), apply regardless of the business’s location when the business:
- Offers goods or services to individuals in the European Union or the United Kingdom; or
- Tracks the behavior of individuals in the European Union or the United Kingdom.
Multiple US-based companies have been fined for violations of the GDPR or the UK DPA. For example, in January 2019 the French Data Protection Authority (CNIL) fined Google, a company headquartered in California, for violations of the GDPR. In addition, the UK Information Commissioner’s Office fined Marriott International, a company headquartered in Maryland, for GDPR violations arising from a data breach. Meta, a company headquartered in California, has been fined numerous times for violations of the GDPR. Finally, numerous small businesses outside of the European Union and the United Kingdom have also been fined for non-compliance.