Internet Privacy Laws

Many countries have laws in place that regulate the use of personal data and protect their citizens' privacy. Each law differs in scope, in whom it protects, and in the severity of its penalties, so it's best to acquaint yourself with the laws that apply to you and ensure you are compliant. Depending on where you conduct business and whose data you hold, you may face a substantial fine if you do not follow these rules.

As laws differ between countries and sometimes even between states, provinces and territories, it's hard to pull together an exhaustive list of all the privacy regulations that could affect our wide range of readers. Instead, we're focusing on four laws with broad impact on businesses across the US, Canada and Europe.

This is a fast-evolving and complex area, and how each law applies differs from company to company, so do your own research and consult a legal professional for specifics.


General Data Protection Regulation (GDPR)

What is GDPR?

GDPR is an EU regulation governing the processing of personal data of individuals in the EU (and, through the EEA Agreement, the wider European Economic Area). It protects "data subjects", meaning people located in the EU, not only EU citizens.

What companies are affected? 

Any organisation, in any country, that is established in the EU, or that offers goods or services to people in the EU or monitors their behaviour, must be GDPR-compliant when it processes their personal data (Article 3). In practice, if you market to contacts in the EU, the EU residents in your CRM are covered and you are subject to GDPR.

What are the main requirements?
GDPR has 99 articles (full text here), but the points below are the ones that will most significantly affect marketers.

  1. A lawful basis for processing, which for marketing usually means consent. Consent must be freely given, specific, informed and unambiguous (Article 4(11)): the contact must actively opt in to being stored in your CRM and contacted, and should be able to choose the specific types of email they receive. Pre-ticked boxes and silence do not count, and consent must be as easy to withdraw as it was to give.
  2. Data minimisation: only collect the information needed for the purpose the contact consented to. If you don't expressly need to know a contact's industry to send them weekly blog posts, you can't ask for it.
  3. Right of access: if a data subject asks what data you hold on them, you must provide a copy of the data and information on how it is being used without undue delay and within one month of the request (extendable by a further two months for complex requests, Article 12(3)). You need a working process for handling these requests.
  4. Right to erasure: a data subject can ask for any or all of their information to be permanently deleted, and you must comply where one of the Article 17 grounds applies, for example when they withdraw the consent the processing was based on or the data is no longer needed for its original purpose. For a marketing contact that usually means the request must be honoured.
  5. Breach notification: personal data breaches must be reported to the supervisory authority within 72 hours of your becoming aware of them unless the breach is unlikely to result in a risk to individuals (Article 33), and affected individuals must be told without undue delay when the risk to them is high (Article 34).

What are the consequences of non-compliance?

There are two tiers of administrative fines for GDPR infringements: up to 10 million euro or 2% of annual worldwide turnover for the lower tier, and up to 20 million euro or 4% of annual worldwide turnover for the upper tier, whichever amount is higher in each case.

Learn More About GDPR


Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM)

What is CAN-SPAM?

The CAN-SPAM Act is a US federal law that sets requirements for commercial email messages, meaning email whose primary purpose is advertising or promoting a product or service. It is enforced by the Federal Trade Commission (FTC). Note that many other countries have similar, and often stricter, laws regulating commercial email.

What companies are affected?

Any business that sends commercial email to recipients in the United States, whether or not the sender is based there. The FTC notes that the law covers business-to-business email as well as consumer marketing.

What are the main requirements?

  1. Don't use false or misleading header information. Your "From", "To" and "Reply-To" fields and the routing information must be accurate and identify the person or business that initiated the message.
  2. Don't use deceptive subject lines. The subject line must accurately reflect the content of the message.
  3. Identify the message as an advertisement.
  4. Include a valid physical postal address for your company.
  5. Give recipients a clear opt-out method, and honour opt-out requests within 10 business days.
  6. Monitor what others do on your behalf: if another company sends email for you, both of you are responsible for compliance.

What are the consequences of non-compliance?

Each separate email in violation of the CAN-SPAM Act is subject to a civil penalty of up to $42,530. The FTC adjusts this maximum for inflation each year, so check the current figure.

Learn More About CAN-SPAM


The Personal Information Protection and Electronic Documents Act (PIPEDA)

What is PIPEDA?

PIPEDA is a Canadian federal law governing how private-sector organisations collect, use and disclose an individual's personal information in the course of commercial activity. Amendments that took effect on November 1, 2018 added mandatory breach reporting, notification and record-keeping requirements.

What companies are affected?

Private-sector organisations that collect, use or disclose personal information in the course of commercial activities in Canada, including foreign organisations whose commercial activity has a real and substantial connection to Canada, and federally regulated businesses such as banks, airlines and telecommunications companies (for these, employee data is covered too). Alberta, British Columbia and Quebec have their own private-sector privacy laws that are deemed substantially similar and apply instead of PIPEDA to organisations operating within those provinces; PIPEDA still applies to cross-border and inter-provincial transfers and to federally regulated businesses.

What are the main requirements?

The top requirements are below. PIPEDA is built on 10 fair information principles (accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance) that form additional rules.

  1. Obtain an individual’s consent when collecting, using or disclosing personal information.
  2. Individuals have the right to access their personal information held by an organization.
  3. Personal information can be used only for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent.
  4. Personal information must be protected by security safeguards appropriate to its sensitivity. A breach of those safeguards that creates a real risk of significant harm to an individual must be reported to the Privacy Commissioner of Canada and to the affected individuals as soon as feasible, and organisations must keep records of every breach of security safeguards, whether or not it was reportable, for at least 24 months.

What are the consequences of non-compliance?

Knowingly failing to report or record a breach, or obstructing the Privacy Commissioner, is an offence punishable by a fine of up to CAD $100,000 per offence.

Learn More About PIPEDA


California Consumer Privacy Act (CCPA)

What is CCPA?

CCPA is a California state law regulating how businesses collect, use and share the personal information of California residents. It came into effect on January 1, 2020.

What companies are affected?

Any for-profit business that does business in California, collects California residents' personal information, and meets at least one of the following thresholds:

  • More than $25 million in annual gross revenue
  • Buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices per year
  • Earns 50% or more of its annual revenue from selling consumers' personal information

What are the main requirements?

  1. Businesses that sell personal information must provide a clear and conspicuous "Do Not Sell My Personal Information" link on their homepage that lets consumers opt out of the sale of their personal information.
  2. Designate at least two methods (for example a toll-free number and a web form) for consumers to submit requests to know what personal information is collected about them and to have it deleted, and respond to those requests within 45 days.
  3. Update privacy policies with the newly required information, including a description of California residents' rights and the categories of personal information collected, sold and shared.

What are the consequences of non-compliance?

Civil penalties enforced by the California Attorney General of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation. In addition, consumers have a private right of action when certain personal information is exposed in a data breach caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.

Learn More About CCPA



Online privacy is taken very seriously by many countries and states, provinces and territories, with strict penalties for non-compliance. Some best practices are:

  • Only contact people who have expressly opted in to messages from your company, and keep a record of when and how they consented
  • Let contacts enrol in specific subscription types, and only send them the types of information they asked for
  • If you're unsure of a contact list's origin or age, don't use it; the consequences could be very severe
  • Don't buy or sell contact data
  • Keep cookie policies up to date, link them to the full privacy policy, and give visitors a real choice to accept or decline
  • Give contacts an easy way to unsubscribe and to request access to or full deletion of their information, and honour those requests within the deadlines each law sets
  • Stay up to date on privacy regulations, and update your company's processes as needed