Unless you are at Target, you want to make sure that you actually need what you are buying. This concept especially applies to business expenses such as software. Do you really need to generate a Privacy Policy and pay for a service such as ours? You most likely do, and not just because having a Privacy Policy is the right thing to do, but also because it’s required by law for most websites that collect personal information. But what are those laws, and do they apply to you? Glad you asked! Here’s the breakdown. 

General Data Protection Regulation

The European Union’s General Data Protection Regulation (“GDPR”) requires websites to obtain consent from the user prior to collecting their data. Consent can be given in a written manner, and the request for consent must be intelligible, easily accessible, and use clear and plain language. By “request for consent”, the law means a Privacy Policy. Thus, website owners are required to have a Privacy Policy according to the GDPR. See Article 7 of the GDPR below for the original language.

Consent for GDPR

GDPR applies to you if you: 

  • Are located in the European Union; 
  • Offer goods or services to European Union residents, regardless of your location; 
  • Monitor the behavior of European Union residents, regardless of your location; or 
  • Process and hold the personal data of European Union residents, regardless of your location. 

If the above applies to you then you are required to have a Privacy Policy or you will face heavy fines and penalties.

California Online Privacy Protection Act of 2003

The California Online Privacy Protection Act of 2003 (“CalOPPA”) requires the proprietors of commercial websites to have a Privacy Policy as well. This law applies to operators of commercial websites or online services that collect personally identifiable information about consumers residing in California who use or visit such a commercial website. Here’s the original text of the law that shows this requirement.

CalOPPA requires the disclosure of a Privacy Policy.

 

Note that the law does not distinguish where the operator is actually located. Whether the law applies or not depends on where the visitor is located, meaning that it could potentially affect any website in the United States. Also, this law does not have a revenue requirement, meaning that it would apply to small businesses, as well as large ones. 

California Consumer Privacy Act

The California Consumer Privacy Act (“CCPA”) is a new California law that goes into effect on January 1st, 2019. The law requires the website owner to have a Privacy Policy that includes a description of the consumer’s rights pursuant to the law and a link to the “Do Not Sell My Personal Information” web page.

CCPA requires a Privacy Policy

The CCPA applies to any for-profit business that: 

  • Has annual gross revenues of over $250,000,000; 
  • Annually buys, receives, sells or shares the personal information of 50,000 or more California residents, households or devices; or 
  • Derives 50% or more of its annual revenue from selling the personal information of California residents. 

Note again that the law does not distinguish as to where the business is located, but, rather, where the consumers are located. If the CCPA applies to you, you need to have a compliant Privacy Policy and should be prepared for enforcement as soon as July 1st, 2020. 

Nevada privacy law

The Nevada privacy law (Chapter 603A of the Nevada Revised Statutes) requires some websites to have a Privacy Policy. This law was recently amended (SB 220) to require the disclosure of whether the personal information of Nevada residents will be sold and the disclosure of a request address through which a user may submit a request prohibiting the sale of their personal information. Here’s the text of the original law that shows the requirement to have a Privacy Policy.

Nevada privacy law requires a Privacy Policy

The Nevada privacy law and its amendment apply to “operators”, which are defined as any person who: 

  • Owns and operates a website or online service for business purposes; 
  • Collects and maintains the personal information of consumers who reside in Nevada and use or visit the Internet website or online service; and 
  • Purposefully directs its activities towards Nevada, consummates a transaction with the state of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution. 

Note again that the law does not require your business to be physically located in Nevada for it to apply to you. This law also does not have a revenue requirement, meaning that it would apply to small businesses, as well as large ones. 

More laws are coming

While the four laws noted above, which are in place right now or are going into effect very soon, require you to have a Privacy Policy, the fact is that there are more laws coming. There are over a dozen states right now that have proposed new privacy laws that would also require you to have a Privacy Policy and will have new disclosures that you will need to make in such Privacy Policy. These new laws will impose additional requirements and heavy penalties for non-compliance. If this is overwhelming, don’t sweat! Generate your Privacy Policy with Termageddon today – we’ll automatically update it when the laws change! 

 

Protect yo’ self, 

Team Termageddon