Countless people surf the internet all over the world at any given time. It’s not really surprising considering that the internet has become such a huge part of our lives already. Today, the internet has made it easier for us to work with various people located in different parts of the world, to do everything from shopping at online stores that are based in different countries, or even just to say hello to a childhood friend or family member who lives across the globe.
With the astronomical rise in the number of people using the internet every day, one aspect that has received much attention is data privacy. The websites and apps people use daily can collect, monitor, or use data and information about their visitors. While internet data privacy may not have received much focus early on, it has become very important today.
This kind of information, also referred to as “Personally Identifiable Information” or PII, is not limited to a person’s first and last name. PII likewise extends to any other information or data that can be used to identify a user. A few examples are the following:
- Telephone Numbers
- Email Addresses
- Shipping Addresses
- Billing Addresses
- Birth Dates
- Social Security Numbers
- Social Media User Details
Even data that is anonymous on its own can fall under the definition of “Personally Identifiable Information” if it is combined with other data in a way that makes it possible to identify a person. Certain kinds of IP addresses, for example, are protected as personal information under the privacy laws in place today.
UNITED STATES (US)
In the United States, there are both federal and state laws that are focused on data privacy. Some of the US laws which have an impact on data privacy are the following:
- The California Online Privacy Protection Act (CalOPPA)
- The California Consumer Privacy Act (CCPA)
- The Children’s Online Privacy Protection Act (COPPA)
- The Computer Fraud and Abuse Act of 1986
- The Computer Security Act of 1997
- The Consumer Credit Reporting Control Act
- The Cable Communications Policy Act of 1984
- It is posted on the homepage or the first significant page after accessing the website.
- contain the word “privacy”;
- be written in capital letters or be equal to or greater in size than the other surrounding text on the page; or
- be written in a larger type than the surrounding text, or use a type, font or color that contrasts with the surrounding text, or be clearly distinguishable from the surrounding text of the same size by way of symbols or other similar means.
AUSTRALIA
In the land down under, the primary law that governs data privacy is the Privacy Act of 1988. This law includes thirteen (13) Australian Privacy Principles or APPs that businesses need to follow in order to comply with the Privacy Act. While the Privacy Act was initially limited to Australian government agencies, its coverage was expanded in the year 2000 to include entities or businesses with a gross income of more than AUD 3 Million.
- What specific types of personal information are being collected and stored
- The process of how the entity collects and stores this information
- Why the data or information is collected and held, and, where applicable, why it is disclosed to third parties
- The process of how users can access or correct personal data about them
- The process of how a user can complain about any breach of the Privacy Act’s Privacy Principles or other binding codes as well as how such complaints are going to be handled
- Whether or not the entity is likely to disclose users’ information to an overseas recipient. If so, the countries where such recipients are likely to be located should also be stated, where practicable.
UNITED KINGDOM (UK)
The law regarding data privacy for residents in the United Kingdom, on the other hand, is the Data Protection Act of 1998 or the DPA. The DPA mandates how business entities may legally use and handle personal data or information from their users.
In order to comply with the provisions of the DPA, businesses would need to comply with the following guidelines:
- Any personal information or data from users must be collected lawfully and in a specified manner.
- The collected information cannot be processed in a manner that is not compatible with the stated purpose.
- The data being collected should not be excessive when considering the purpose for which a user’s personal information is being collected. It should also be relevant and adequate.
- The user’s personal information must be accurate and up to date.
- The personal data or information being collected must not be kept or stored for a period that is longer than what is necessary for the stated purpose.
- What kind of personal data is being collected from users
- What lawful purpose is the data being collected for
- How is the collected data being used in relation to the stated purpose
- How long the data will be stored as well as how it will be kept safe and secure
- The rights that users have and how they can exercise them
CANADA
In Canada, the foremost privacy law geared towards protecting the information of its citizens is the Personal Information Protection and Electronic Documents Act or PIPEDA. Organizations or individuals engaged in any commercial activity are covered by PIPEDA. The law defines commercial activity as any particular transaction, act, or conduct, or any regular course of conduct, that is of a commercial character. This includes selling, bartering or leasing donor, membership, or other fundraising lists.
PIPEDA requires that covered entities operating in Canada obtain the consent of users when collecting, using or disclosing their personal information. In addition, any personal information collected from users may only be used by the covered entity for the express purpose for which the data was collected. Any use of the data other than for the original purpose requires further consent from the users. Furthermore, users should be assured that the entity collecting the data will reasonably protect it.
Under the PIPEDA, the term personal information refers to “any identifiable information about an individual whether recorded or not and it applies to the collection, use, and disclosure of personal information by organizations during commercial activities.”
PIPEDA revolves around ten “fair information principles” which covered entities must comply with. These principles are:
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Individual Access
- Challenging Compliance
EUROPEAN UNION (EU)
In countries belonging to the European Union or the EU, the primary data legislation is the General Data Protection Regulation or the GDPR. This law took effect in May 2018 and it is considered by many as one of the world’s toughest data privacy laws.
Two of the basic goals of the GDPR are transparency and informing users about how their data and information are being used. The GDPR is commonly described as an important step toward giving citizens and residents of the EU more control over how their information or data is used by businesses and organizations.
If your website or app handles the personal information of persons who are in the EU, compliance with the GDPR is required, regardless of where your business or company is actually based. Complying with the GDPR is something that covered entities should focus on, as violations of its provisions can carry very hefty penalties.
- The kinds of personal information being processed
- How such personal information is processed
- The legal basis for the processing of personal data
- The period of time the covered entity will retain the personal data for and what occurs after the said retention period
- Whether the website will share personal information with third parties
- Whether the covered entity will transfer the collected personal information overseas and, if so, what safeguards are in place for it
- The 8 User Rights that the website’s users have and the process of how they can exercise them
- At least the contact information of the covered entity, as well as that of its Data Protection Officer or EU representative, if applicable