For example, CalOPPA regulates any app or website that collects personal data from residents of California. As such, even a website based outside of California must comply with the rules set forth by CalOPPA if it collects data from residents of California.
This article will discuss the main laws regarding Privacy Policies and how they may affect your app or website. It will also discuss rules set forth by popular third-party services.
The California Online Privacy Protection Act, or CalOPPA, is one of the first and most comprehensive sets of rules regarding Privacy Policies in the United States. CalOPPA has been used as a model across the world for other countries creating their own online privacy laws.
CalOPPA also dictates that any website or app that collects data from residents of California must comply with certain guidelines. Chances are your app or website has users in the US, and therefore users in California, so compliance with CalOPPA is a necessity for the vast majority of Privacy Policies.
Below is a list of regulations set forth by CalOPPA that you should comply with at a minimum:
These five factors do not encompass the entirety of the rules set forth by CalOPPA, but they are five of the key points that every website must have to be compliant. You should read the full law for a complete understanding and to ensure compliance with the latest amendments.
The General Data Protection Regulation, or GDPR, becomes enforceable in May of 2018. The GDPR effectively replaces the 1995 Data Protection Directive (Directive 95/46/EC) as the primary regulation regarding online privacy rights for residents of the EU.
The GDPR continues the effort to form a unified set of laws to protect all citizens across the EU. This will not only offer better protection to individuals, but also make it easier for companies to be compliant with a single set of rules rather than separate laws in each country.
Below are some key changes found in the GDPR:
These key changes are important for any website with users in the EU. You must be compliant with all of these new changes by May 2018.
These key points do not represent all of the regulations covered by the GDPR, but rather the changes that will become enforceable in May 2018. Any website collecting data from users in the EU is required to comply with the entirety of the GDPR, which includes many of the rules set forth by previous privacy laws.
The Personal Information Protection and Electronic Documents Act, or PIPEDA, is the Canadian law that covers personal data and privacy. PIPEDA is in essence the Canadian equivalent of the EU's GDPR.
PIPEDA gives individuals the following rights:
PIPEDA requires companies to:
These key points are the core aspects of PIPEDA, but this list is not meant to be complete or exhaustive. Canadian companies or websites that serve Canadian users should ensure they are compliant with all facets of PIPEDA, as well as other Canadian privacy laws that may apply.
Privacy Act 1988 is the primary Australian law covering online privacy. It regulates how personal data can be collected, when it can be collected, and who can collect it.
Privacy Act 1988 stipulates the following:
As of an amendment in 2000, these regulations also cover the private sector and the transfer of personal data out of Australia.
In addition to Privacy Act 1988 and its amendments, there are state and territorial laws in some parts of Australia that also regulate online privacy. Ensure you are compliant with all relevant laws that pertain to your app or website, whether your company is physically located in Australia or simply has users there.
Data Protection Act 1998, or DPA, is a law in the UK that protects personal data stored in paper filing and computer systems. It follows the EU Data Protection Directive 1995, which covers some aspects of the processing, protection, and movement of personal data. DPA 1998 effectively supersedes the Data Protection Act 1984 and the Access to Personal Files Act 1987.
DPA gives individuals certain rights in regard to controlling their personal data. These rights are outlined by eight principles:
These principles form the backbone of DPA 1998, but you should read and understand the entirety of the law in order to guarantee compliance if you fall under the jurisdiction of these regulations.
In addition to laws, many third-party services have their own sets of requirements that you must follow in order to use their services.
Google Analytics is the most popular internet analytics tool. Google Analytics is used to track and report website traffic, as well as a host of other features. Google Analytics is important to Privacy Policies for two reasons.
Here's an example from Lukie Games:
The Apple App Store requires that apps made available via their service comply with all relevant privacy laws in addition to some guidelines set forth by the App Store itself.
You can find full details in their Review Guidelines, but below is a summary of the core guidelines pertaining to Privacy Policies for basic apps on the Apple App Store:
Additional guidelines are given for apps related to health information, apps intended for kids, intellectual property concerns, gambling, and VPN services. Be sure you are compliant with all relevant laws in addition to the requirements set forth by the App Store.