What laws require websites to have a Privacy Policy?

Unless you are at Target, you want to make sure that you actually need what you are buying. This concept especially applies to business expenses such as software. Is it a legal requirement to have a Privacy Policy on a website? Do you really need to have a Privacy Policy for your website? What laws require websites to have a Privacy Policy? You most likely do, as a Privacy Policy is required by law for most websites that collect Personally Identifiable Information (PII) such as names, emails, phone numbers, and addresses. In this blog post, we will explore what laws require websites to have a Privacy Policy and who they apply to, so that you can make an informed decision as to whether your website needs a Privacy Policy.

California Online Privacy Protection Act of 2003 (“CalOPPA”)

CalOPPA is a privacy law that protects the privacy rights of residents of California by requiring operators of websites that collect the PII of California residents to have a Privacy Policy on such websites. If your website collects the PII of California residents, your website needs to have a CalOPPA compliant Privacy Policy. Note that the law does not distinguish where the operator is located. Whether CalOPPA applies depends on where the visitor resides, meaning that it could apply to potentially any website in the world, requiring you to have a Privacy Policy or face large fines. 

California Consumer Privacy Act (“CCPA”) 

The CCPA is another law that protects the privacy rights of California residents by requiring certain websites to have a Privacy Policy that makes very specific disclosures. The CCPA applies to for-profit entities that do business in California, collect, share or sell the personal information of California residents, and meet one or more of the following:

  • Has annual gross revenues of $25,000,000 or more; 
  • Buys, receives, sells or shares the PII of at least 50,000 California consumers, households or devices; or 
  • Derives at least 50% of its annual revenue from selling the PII of California consumers. 

Does the CCPA apply to child companies if the parent company is required to comply with this law? 

The CCPA does apply to any entity that controls or is controlled by a business that meets the requirements above and shares common branding, so yes, it could apply to subsidiaries or child companies. In this case, “control” is defined as:

  • Ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business; 
  • Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or 
  • The power to exercise a controlling influence over the management of a company. 

Common branding means a shared name, service mark or trademark. If your business meets these conditions, then you would be required to comply with the law if your parent company is required to comply as well. 

Does the CCPA apply to not-for-profits?

The CCPA defines “business” as a sole proprietorship, partnership, limited liability company, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners. Therefore, it appears that the CCPA does not apply to not-for-profit organizations.

Who is exempt from the CCPA? 

The following types of businesses and transactions are exempt from the requirements of the CCPA: 

  • Employee information used solely in the context of the employee-employer relationship; 
  • Vehicle or vehicle ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer; 
  • Protected Health Information collected by covered entities and business associates subject to HIPAA; 
  • Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects; 
  • Financial information subject to the Gramm-Leach-Bliley Act; 
  • Consumer reporting information covered by the Fair Credit Reporting Act; 
  • Driver information covered by the Driver’s Privacy Protection Act of 1994. 

Can smaller companies be required to comply with the CCPA by their clients or vendors? 

Vendor management is a large part of CCPA compliance. If the law does not apply to you by statute, make sure that you check your contracts to see whether your clients or vendors require you to comply with the CCPA via contract. 

Nevada Revised Statutes Chapter 603A 

Nevada’s privacy law requires the operators of websites to have a Privacy Policy that makes certain disclosures. The law defines operators as any person who: 

  • Owns and operates a website for commercial purposes; 
  • Collects and maintains the personal information of consumers who reside in Nevada and use or visit the Internet website; and 
  • Purposefully directs its activities towards Nevada, consummates a transaction with the State of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution. 

If you have a website that collects the personally identifiable information of Nevada consumers and you have customers who reside in Nevada, your website needs to have a compliant Privacy Policy or you could face fines for non-compliance. 

Delaware Online Privacy and Protection Act (“DOPPA”)

DOPPA is a privacy law that protects the privacy rights of Delaware residents by requiring certain websites to have a Privacy Policy that makes specific disclosures. This law applies to any person who owns a website that collects personally identifiable information through that website about individual users residing in Delaware. Since anyone from anywhere can submit their PII on websites with a contact form, this law could apply to virtually any website in the world. Failure to have a DOPPA compliant Privacy Policy could lead to fines so it is imperative that your website is compliant with DOPPA requirements. 

General Data Protection Regulation (“GDPR”)

GDPR is a privacy law that protects the privacy rights of residents of the European Union. GDPR has a reach far outside of the EU and applies to you if you: 

  • Are located in the European Union; 
  • Offer goods or services to European Union residents, regardless of your location; 
  • Monitor the behavior of European Union residents, regardless of your location. 

If GDPR applies to you, you need to have a GDPR compliant Privacy Policy that makes all of the required disclosures. GDPR is one of the most actively enforced privacy laws in the world, with hundreds of companies, large and small, being fined for non-compliance with this privacy law. 

Personal Information Protection and Electronic Documents Act (“PIPEDA”)

PIPEDA is a privacy law that protects the privacy rights of residents of Canada by requiring certain websites to have a compliant Privacy Policy. PIPEDA applies to organizations across Canada that collect, use, or disclose PII in the course of commercial activity. PIPEDA defines commercial activity as any conduct that is of a commercial character. Canadian courts and the Office of the Privacy Commissioner of Canada have concluded that PIPEDA can also apply to non-Canadian companies that collect, use or disclose the PII of Canadian residents, which means that the law could apply to any website in the world. If your website collects the PII of Canadian residents, you need to ensure that you have a PIPEDA compliant Privacy Policy.

Australia Privacy Act of 1988

The Australia Privacy Act 1988 protects the privacy rights of residents of Australia by requiring certain websites to have a compliant Privacy Policy that makes very specific disclosures. This law applies to Australian organizations with annual turnover of more than AUD $3,000,000. It also applies to the following organizations even if they have turnover that is less than AUD $3,000,000 per year:

  • Private sector healthcare providers; 
  • Businesses that sell or purchase personal information; 
  • Credit reporting bodies; 
  • Contracted service providers for Australian government contracts; 
  • Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009; 
  • Businesses that have opted in to comply with the law; 
  • Businesses that are related to a business covered by the law; and 
  • Businesses prescribed by the Privacy Regulation 2013. 

The Australia Privacy Act 1988 requires the websites of such companies to have a compliant Privacy Policy, with failure to comply potentially leading to fines and lawsuits.

It is clear from the laws above that it is a legal requirement to have a Privacy Policy for most websites that collect PII through a contact form or similar means. While the laws mentioned above are already in effect, more than a dozen states have proposed their own privacy bills, each with unique requirements for a Privacy Policy and what it must contain and unique penalties for failing to comply. The US federal legislature has also proposed numerous privacy bills that would affect many businesses, large and small. Having a compliant Privacy Policy is a key requirement of both current privacy laws and proposed state privacy bills. Use Termageddon’s Privacy Policy generator to help you get compliant and avoid privacy-related fines and lawsuits.