
From GDPR to CCPA: A Guide to Global Privacy Laws

Posted Jul 30, 2020

In the digital age, businesses rely on data collection to communicate, advertise, and sell to consumers. As a result, there has been a heightened focus on the protection of users’ data and privacy laws have been enacted all over the world. Failure to comply with these laws can lead to tough consequences including fines and lawsuits. 

Navigating these policies can be challenging so it is important to learn about the privacy laws and how they affect your business. Although we can’t provide legal guidance, we can provide some educational resources to start your research. This guide provides an overview of the major privacy laws so you can ensure that your mobile apps and games are in compliance.

GDPR European Union
The General Data Protection Regulation (GDPR) is the most expansive data protection legislation to date because it applies to businesses all over the world. Though it was created to protect EU citizens, any entity that collects information from anyone in an EU member state is required to comply. Since its creation in 2016, GDPR has set a precedent for data protection laws that several countries have since followed. Its requirements must be followed to avoid penalties of up to 4% of global annual revenue. Here are some of the requirements to be aware of:

  • User Consent
    Clear and explicit consent must be given. This includes information collected through the use of cookies. While some information is not usually considered “personal information” in the United States, it could be considered “personal data” for purposes of the GDPR.
  • Data Breach Notification
    If any breach of data has happened or has been suspected, companies must inform authorities and data subjects within 72 hours of the breach’s discovery.
  • Users’ rights to control personal data
    Data subjects must be notified of their rights with regard to their personal data, including the right to access, correct, and delete personal information. They are allowed to submit a Subject Access Request (SAR), which requires the company to provide complete electronic copies of all collected data in a timely manner.

CCPA United States
Currently, the United States does not have a comprehensive federal law that governs data privacy for the entire country. In 2004, CalOPPA broke ground as the first state law in the United States requiring online entities to include a privacy policy on their website. Since then, twenty-five states have enacted their own laws for the collection, storage, and use of data.

In order to further protect private data, the California Consumer Privacy Act (CCPA) went into effect at the start of the year and is the most comprehensive U.S. state privacy law to date. Although this is a state law, its reach is national (and possibly international) because it affects any business that is made available to California residents and meets at least one of the law’s thresholds. Check out these tips to ensure CCPA compliance:

  • Update your privacy notice.
    The most urgent thing to do is to provide consumers and any California-based employees notice of their rights with respect to their data. This includes identifying the categories of Personal Information that are collected, the purpose of collection, and the practices used to obtain this data. Businesses are also required to provide a description of the consumers’ rights, the methods for consumers to exercise them, the methods by which the business will verify the consumers’ identity, and the ability for consumers to opt out of the sale of their information.
  • Offer consumers the chance to opt-out.
    Your company website must have a conspicuous link within your privacy policy and at the bottom of your homepage that says “Do Not Sell My Information.”
  • Train employees on a process for fielding requests.
    Create a well-documented process to make sure employees are trained to handle consumer requests in a manner that is consistent with CCPA.

PIPEDA Canada
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) was introduced in 2000 and set requirements for how organizations must handle personal information of Canadian residents. The law mandates that businesses using data for commercial activities must disclose the purpose of the data collection to users and obtain their consent to proceed.

PIPEDA was most recently amended in November 2018 to include mandatory data breach notification and record-keeping requirements. If your company suffers a breach of the personal information it holds, you must inform the relevant authorities as soon as you become aware of it. Failure to report a breach can result in fines of up to $100,000 per violation. Here are the ten principles specified in PIPEDA:

  1. Accountability
    Appoint someone to be in charge of the data you collect and use.
  2. Identify the purposes
    Identify the purposes you will collect and use data for and limit your actions to those purposes only.
  3. Consent
    Get consent from each user before or at the time of collecting their data, as well as whenever you want to use their data for a purpose for which you do not already have consent.
  4. Limiting collection of information
    Review your data collection procedures to distinguish between information that you have to collect (for example, so you can provide a service) and information that you aren’t required to collect (for example, to make your operations easier).
  5. Limiting use, disclosure, and retention of information
    Keep the data for a reasonable time and delete it as soon as you no longer need it for the purposes for which you obtained consent.
  6. Accuracy
    Personal information must be kept accurate, complete, and up-to-date to minimize the risk of using outdated information.
  7. Safeguards
    Information needs to be protected against unauthorized access, theft, copying, or alteration, including when you are destroying records. The level of security in these safeguards should be appropriate for the level of sensitivity of the information.
  8. Openness
    A published Privacy Policy should detail policies and procedures including how information is collected, handled, and stored.
  9. Individual Access
    If an individual makes a written request regarding their personal information, you must respond with details of whether you hold personal information about them, what that information is, how you’ve used it, and what third parties you’ve shared it with.
  10. Challenging Compliance
    Have procedures in place to receive, consider, and respond to a complaint that you aren’t complying with these principles.

ePrivacy Directive and Regulation European Union
The ePrivacy Directive of the EU became known as the Cookie Law because it required having a privacy policy, a cookie banner, and prior consent before using cookies. The ePrivacy Regulation has been proposed to replace the ePrivacy Directive. Unlike an EU Directive, which each member state must transpose into national law, an EU Regulation is a legal act of the European Union that becomes immediately effective as law in all member states simultaneously.

Unlike GDPR, the ePrivacy Regulation will require end-user consent for the processing of their communications data, metadata, or terminal equipment data; GDPR only requires consent for the processing of “personal data.” Some of the key points of the Commission’s proposal include:

  • Communications content and metadata
    Privacy is guaranteed for communications content and metadata. Metadata have a high privacy component and must be anonymized or deleted if users did not give their consent, unless the data is needed for billing.
  • Stronger rules
    All people and businesses in the EU will have the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.
  • More effective enforcement
    Data protection authorities (already in charge of the rules under GDPR) will be responsible for enforcing the confidentiality rules in the Regulation.

More Global Privacy Laws

The call for data privacy regulation has resulted in legislative changes around the world. Currently, 100 countries on six continents have enacted privacy legislation to protect users’ data. With so many to keep track of, we’ve put together a list of privacy laws from several countries with links to help you find more information. This doesn’t cover every law out there, so it is important to research individual countries’ privacy laws frequently, as they evolve almost every year.

PDP Argentina
The National Directorate of Personal Data Protection finalized a new data protection bill in 2017 that will replace the country’s Personal Data Protection Law from 2000. The proposed new law will place the country’s data protection on par with EU data protection and allow Argentinians the right to request the deletion and transfer of their data for the first time.

The Privacy Act of 1988 Australia
Australia’s Privacy Act 1988 is the key privacy law that governs both the public and private sectors. Although established decades ago, the law has undergone frequent amendments since then and establishes Information Privacy Principles for Australian citizens.

LGPD Brazil
In August 2018, the Brazilian President, Michel Temer, signed off on the new General Data Privacy Law. The landmark legislation is slated to take effect in August 2020 and will contain 65 articles with many similarities to the GDPR.

Cyber Security Law China
The Cyber Security Law, commonly referred to as the China Internet Security Law, was enacted to increase data protection, data localization, and cybersecurity in the interest of national security.

BDSG Germany
The Bundesdatenschutzgesetz, or Federal Data Protection Act 2017, works in tandem with the GDPR to outline the general obligations of personal data collectors and processors. The BDSG sets rigid standards under which businesses are required to adopt and maintain protective measures for data stored in IT systems.

Personal Data Protection Bill India
The Personal Data Protection Bill sets privacy and data protection standards and introduces mandatory annual data audits. The country seeks to develop a comprehensive data governance framework that would affect virtually any company attempting to do business in India.

Data Privacy Act of 2012 Philippines
While based in the Philippines, this law applies to all businesses that process the data of Philippine citizens and residents. The Data Privacy Act of 2012 requires that when sharing data, the sharing be covered by an agreement that provides adequate safeguards for the rights of data subjects, and that these agreements are subject to review.

POPI South Africa
The Protection of Personal Information Act applies to all South African organizations and sets conditions for when it is lawful for someone to process someone else’s personal information. It establishes the requirement of customer consent to direct marketing outreach.

Personal Information Protection Act South Korea
The Personal Information Protection Act requires obtaining prior consent from users before collecting their data. The consent is valid only if you provide correct information about your organization through your privacy policy. Consent for children younger than 14 has to be given by a guardian.

Please note this does not cover every global privacy law, but instead some of the most relevant. Additional privacy legislation is also coming down the pipeline within the next couple of years. We recommend consulting your legal counsel for guidance and advice.
