Privacy Policies Are Legally Required

If you handle data about identifiable individuals, you very likely come under at least one privacy law. Many of these laws directly or indirectly require that you publish a Privacy Policy. You need to check all of these laws, particularly if you do business online, as your physical location isn't necessarily the only criteria.

Here's what you need to know about the key laws that require a Privacy Policy, as well as how some third parties require you to follow these laws, thus requiring a Privacy Policy if you use their platforms.

What is a Privacy Policy?

A Privacy Policy is a legal document that discloses details about what personal data you collect, how and why you use it, what the individual's data rights are, and more.

In this guide, we've used the term Privacy Policy."Some laws use other terms such as Privacy Notice or Privacy Statement. Some don't use a specific term but rather detail what information you must publish. Whatever the wording and the specific detail, the general concept is the same.

U.S. Federal Laws and Privacy Policies

Children's Online Privacy Protection Rule (COPPA)

COPPA is a federal regulation that affects any website that meets all of the following criteria:

• Operates commercially in the U.S.
• Collects personal information, and
• Either targets users aged under 13 or knows that people aged under 13 use the site

If you fall under the scope of the COPPA, you must:

• Get a parent or guardian's permission to collect data from someone aged under 13
• Publish an "online notice of [your] information practices with regard to children" (ie a Privacy Policy) on the site
• Clearly link to this notice from your home page, from any point where you collect data from children, and from the request for parental permission

The notice (Privacy Policy) must include:

• Your name, address, phone number and email address
• What data you collect, how you use it, and how you disclose it
• The parent's right to tell you to delete collected data and stop collecting new data

Rocket Club has a clause in its Privacy Policy to address COPPA and the privacy of children. This clause notes how it handles parental consent, parental access rights, and information from children under the age of 13. Here's an excerpt:

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act is a long-standing federal law that applies to financial institutions. That's defined as a business that is "significantly engaged" in financial activities with individuals.

The rules apply differently to your customers (people you have an ongoing and direct financial relationship with) and consumers (people you have one-off interactions with). For example, a credit card holder is a customer while somebody who uses a wire transfer company is a consumer.

Under the act you must always give a "Privacy Notice" (ie a Privacy Policy) to customers. You must also give a Privacy Notice to consumers before you share personal data with a third party.

The privacy notice must detail:

• The types of information you collect
• The types of information you disclose information
• The types of third party to whom you disclose
• Whether you rely on any exceptions to the normal rules, for example when sharing data for joint marketing, processing a transaction, or fraud prevention
• The ways you secure the data

You should make the Privacy Notice "clear and conspicuous" and easy to find on your website.

Bankrate not only explicitly labels its Privacy Notice as such, but opens with a clear overview of what it involves and contains:

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA is an extremely detailed law covering the way an organization uses, shares and protects personal data. It broadly applies to:

• Healthcare providers
• Health plans
• Healthcare clearinghouses
• Business associates that carry out work using personal information, for example healthcare insurance claims processing or billing

HIPAA specifically requires that you give a "notice of privacy practices." You must give this notice to new patients when they enroll in a health plan and then remind them at least once every three years that they have the right to see it. You must also display the notice prominently in a place where patients can see it as well as on your website.

The "notice of privacy practices" must detail:

• The ways HIPAA allows you to use personal data
• The fact the patient must give permission before you use personal data in any other way
• Your duty to secure the data
• The patient's privacy rights
• How and where the patient can get further information or file a complaint

Penn Medicine has a HIPAA Notice of Privacy Practices that addresses these points. Here's an excerpt that shows how protected health information may be used:

And here's one that addresses the rights of the patients:

Now let's explore some state laws in the United States and what they require when it comes to your Privacy Policy.

State Laws That Require a Privacy Policy

Privacy laws are becoming increasingly popular in state legislatures, with several new or enhanced laws taking effect in 2023. These are some that may affect you.

Note that we've only covered what these laws say about your Privacy Policies. If you discover you fall under the scope of one of these laws, make sure to check the full details of what else you can and cannot do regarding personal data.

California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)

These two state laws combine to set out data privacy rules. The CPRA amended and expanded the CCPA.

You fall under the scope of the CCPA (CPRA) if any of three criteria apply:

• Your annual revenue is more than $25 million
• You buy, sell or share personal data relating to at least 100,000 California consumers or households in a one-year period, or
• At least half of your revenue comes from selling or sharing personal data about California consumers

It doesn't matter where you are based.

The primary Privacy Policy requirement of the CCPA (CPRA) is to give information about how you use 112 categories of data:

• Identifiers such as names or addresses
• Other information that identifies an individual and isn't already public knowledge
• Information about protected characteristics that it's illegal to use for discrimination (Examples include age, race, religion and sexual orientation)
• Commercial information such as purchase history
• Biometric information
• Internet activity such as browsing or search history
• Geolocation information
• Images, videos, audio and other sensory information
• Employment-related data
• Education data that isn't already publicly available
• Profiling data such as inferences about somebody's purchasing tastes
• Sensitive personal information

Your Privacy Policy must give a category-by-category breakdown of whether you have done each of the following in the previous 12 months:

• Collected data
• Used data
• Shared data

When you collect data, you must also give the individual a category-by-category breakdown of how you will collect, use and share their data, and how long you will store it for.

Your Privacy Policy must also list the individual's data rights under the CCPA (CPRA).

You also need a dedicated page where customers can opt out of you selling their data. The CCPA (CPRA) says you must link to this page from your home page. You could go above this legal minimum (thus building trust) by also linking from your Privacy Policy.

Our CCPA (CPRA) Privacy Policy checklist can help you when drafting your own or updating yours for compliance.

You will also need a dedicated page or pages where customers can opt out of you selling their data and limit your use of their sensitive data. This is referred to as a "Do Not Sell My Personal Information" page. The CCPA (CPRA) says you must link to this page or pages from your home page. You could go above this legal minimum (thus building trust) by also linking from your Privacy Policy.

Adobe uses a dedicated Privacy Policy for California residents that deals with rights created by the CCPA (CPRA):

If your Privacy Policy is currently compliant with the CCPA but needs updates for the CPRA expansion, check out our feature article here: How to Update Your CCPA Privacy Policy for the CPRA.

Virginia's Consumer Data Protection Act (CDPA)

The CDPA took effect on 1 January 2023. It mirrors the same broad concepts as California's laws, but with some key differences:

• It affects you if you process data about more than 100,000 Virginia consumers in a one-year period.
• If you make more than half your money from selling personal data regarding Virginia consumers, this threshold falls to 25,000.

It doesn't matter where you are based or what your annual revenue is. Nonprofits are exempt.

The CDPA uses a "purpose" principle:

• When collecting data, you must state the purpose for which you'll use it.
• You can only use the data for this purpose.
• You can only collect the data if it is both necessary for, and relevant to, this purpose.

You must also publish a CDPA-compliant Privacy Policy that addresses your overall data use, including:

• The types of data you collect
• The types of data you share with third parties
• The various purposes for which you collect data

You don't have to use specific categories for this as long as you go into enough detail that people can work out how you'll use their personal information.

The Privacy Policy must also tell people:

• How to exercise their data rights and, if necessary, how to appeal against your response
• Whether you sell their data to third parties
• Whether you use their data for targeted ads

You should also note that the individual has the right to tell you not to sell their data or use it for targeted ads.

Colorado Privacy Act (CPA)

This law takes effect on 1 July 2023. It uses the same thresholds as Virginia's CDPA: It applies if you process data about more than 100,000 Colorado consumers in a one-year period. If you make more than half your money from selling personal data regarding Colorado consumers, this threshold falls to 25,000.

Again, it doesn't matter where you are based or what your annual revenue is. Unlike with California and Virginia's laws, Colorado has no exemption for nonprofits.

The CPA says you must have a "reasonably accessible, clear and meaningful privacy notice." The policy's content requirements are similar to those in Virginia, namely:

• The types of data you collect
• The types of data you share with third parties
• The various purposes for which you collect data
• How to exercise data rights and, if necessary, how to appeal against your response
• Whether you sell their data to third parties and how to opt out of this
• Whether you use their data for targeted ads and how to opt out of this

Connecticut Data Privacy Act (CTDPA)

This law takes effect from 1 July 2023. It has the same main threshold as the California and Virginia laws: It applies if you process personal data of more than 100,000 Connecticut consumers in a one-year period.

However, the reduced threshold of 25,000 consumers applies if you make at least 25% of your revenue from selling personal data about Connecticut consumers (not 50% as with the California and Virginia laws).

Again, your location does not matter. Nonprofits are exempt.

If the CTDPA applies, you must have a Privacy Policy that includes:

• The types of data you use
• The purpose or purposes for which you process data
• The types of data you share with third parties
• How consumers can exercise their data rights and appeal against how you respond
• A way consumers can contact you online such as an email address

In a similar way to California's law, the CTDPA says you must have a dedicated page for opting out of data sales (and also targeted advertising). You must link to this from your home page. For added transparency and trust, you could link to it from your Privacy Policy.

Utah Consumer Privacy Act (UCPA)

This law takes effect on 31 December 2023. Unlike other state laws, it only applies where two criteria both apply:

• You have an annual revenue of at least $25 million, and
• You process personal data about at least 100,000 Utah residents in a year (reduced to 25,000 if more than half your revenue comes from selling personal data about Utah residents)

Your location doesn't matter. Nonprofits are exempt.

If the UCPA applies, you must have a Privacy Policy that includes:

• The types of data you collect
• The purposes for which you use data
• Whether you share the data with third parties

You must also specifically inform a consumer if you sell their data or it is used for targeted advertising.

International Laws That Require a Privacy Policy

Several laws around the world require you to publish a Privacy Policy. In some cases, these laws may apply to your business even if you aren't based in the country in question.

As with the state laws, we've only covered the Privacy Policy requirements in this guide. If you are covered by one of these laws, make sure to check the full details of other requirements that may affect you.

General Data Protection Regulation (GDPR)

The GDPR is European Union legislation that has full legal force in all 27 EU countries. Although the United Kingdom is no longer an EU member, at the time of writing similar measures still apply through its national laws.

You must follow the GDPR if you process personal data and any of the following apply:

• Your business has a presence in an EU country
• The data is about somebody in an EU country, or
• The processing physically takes place in an EU country (for example, at a data center)

If the GDPR applies, you must provide certain information to the data subject (the person the data is about) "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."

In practice, this means having a Privacy Policy that includes the following details:

• Your identity and the contact details for your data protection officer
• The purposes for which you process data
• The lawful basis you rely on for processing (such as consent or legitimate interests)
• Who, if anyone, you share data with
• Whether you plan to send the data to a non-EU country and, if so, how you will make sure it remains protected to GDPR standards
• How long you keep personal data or how you decide how long to keep it
• A reminder that the data subject has rights, and what they are/how to exercise them
• Whether the data is legally or contractually required
• Whether you use personal data for automated decision-making or profiling

Mintz takes an interesting approach of having a dedicated GDPR Privacy Notice to explicitly comply with the GDPR's requirements, then linking to its worldwide privacy notice for full details where relevant:

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal law that applies to most businesses in Canada that are not already covered by a similar provincial, territorial or industry-specific law. The law is based on 10 "fair information principles" including "openness."

The Office of the Privacy Commissioner of Canada explains that complying with this principle means your "personal information management practices must be clear and easy to understand. They must be readily available."

It goes on to explain that this requires a Privacy Policy that should include:

• The name and contact details of the person at your organization who is responsible for your privacy practices
• The name and contact details of the person to whom people can make data access requests
• How people can make a data access request
• How people can make a complaint
• What personal information you disclose to third parties and subsidiaries

Australia's Privacy Act

Australia's Privacy Act covers:

• Most Australian government agencies
• Businesses with a turnover of at least $3 million (AUD)
• Health service providers in the private sector
• Credit reporting bodies

It also covers any organization processing data in the following contexts:

• Carrying out an Australian government contract
• Buying or selling personal data
• Using data relating to consumer credit reporting, anti-money laundering, tax file numbers, spent convictions and residential tenancy databases

If you fall under any of these criteria, the Privacy Act applies whenever you handle data about an Australian resident, regardless of your location.

Under the Privacy Act you must comply with the principle of "Open and Transparent Management of Information."

This requires a Privacy Policy addressing the following points of information:

• What types of personal data you collect or hold
• How and why you collect or hold data
• How people can see the data you hold about them and ask you to correct mistakes
• How people can file a complaint if they believe you've breached the Privacy Act
• Whether you are likely to share personal data with somebody outside of Australia and, if so, in which countries

Standards Australia gives a clear list in its Privacy Policy of why it uses personal data:

Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD)

You must follow this Brazilian law if you process personal data for business purposes in any of four scenarios:

• The data subject lives in Brazil
• The data processing is in Brazil
• The data collection is in Brazil, or
• The data processing is done as part of offering or providing goods or services in Brazil

Note that your location doesn't matter.

The LGPD doesn't specifically require a dedicated Privacy Policy but does set out seven pieces of information that you must communicate to data subjects. And, the easiest way to do this is via a Privacy Policy:

• The specific purpose for which you use the data
• How you will use the data and for how long
• Details of your dedicated data protection officer
• Your contact information
• Who you share data with and the purpose for which they use it
• The security measures you use to prevent and mitigate data breaches
• The data subject's rights under the LGPD

A Privacy Policy is usually the most efficient way to communicate this information, particularly when you collect the same general information from every customer and use it in the same general ways.

Third Parties That Require a Privacy Policy

If you use a third-party service in a way that involves handling personal data, such as analytics software or a payment processor, the service provider may make it a contractual requirement that you publish a Privacy Policy for end users.

Always check the Terms of Use for any third-party service you use, particularly in industries such as app and software distribution and email newsletter tools, to see if you're required to have a Privacy Policy.

Google Play Store

Any app in the Google Play Store must have an accompanying Privacy Policy, whether or not you handle personal or sensitive data.

Your app listing must link to your Privacy Policy. It must be on an active web page and must cover:

• Your name and identity
• Contact details or a direct link for making enquiries
• The types of personal or sensitive data you collect, use or share
• Who, if anyone, you share personal or sensitive data with
• How you protect personal or sensitive data
• How long you keep data and when and how you delete it

You will also need to complete a Data Safety Form. This asks specific questions, with the answers appearing underneath the Play Store app listing. Note that this form is as well as, not instead of, your Privacy Policy.

The listing for the Terraforming Mars app shows the Data safety answers:

Apple App Store

Apple has a similar two-step process for app privacy information to Google. First, you need to complete a questionnaire in the App Store Connect tool. The answers to this will appear as part of your App Store listing. Second, you need to link to a publicly accessible Privacy Policy.

Apple doesn't give specifics about what must or should be in the policy.

You can optionally link to a publicly accessible privacy management page where users can manage their personal data, for example by requesting you delete or change it.

The App Store listing for ShopRite shows the privacy question answers and the link to the developer's Privacy Policy:

Google AdSense

If you carry advertising through Google AdSense, you must have a Privacy Policy on your site or app. The AdSense Terms and Conditions agreement says this must be clearly labeled and easily accessible. It must include:

"...clear and comprehensive information about cookies, device-specific information, location information and other information stored on, accessed on, or collected from end users' devices in connection with [Google's search and advertising tools], including, as applicable, information about end users' options for cookie management."

Check out our guide to creating a Google AdSense-compliant Privacy Policy for more information and guidance.

Summary

Here's what you need to know about legal requirements for Privacy Policies.

Many data protection laws explicitly or implicitly require a Privacy Policy. That's a public document covering points such as what personal data you use, why and how you use it, and what rights people have over their data.

Federal laws that could apply to you include:

• COPPA (sites targeting or knowingly serving under-13s)
• Gramm-Leach-Bliley Act (financial institutions)
• HIPAA (health organizations)

A number of states have laws requiring a Privacy Policy, including:

• California
• Colorado
• Connecticut
• Utah
• Virginia

Specific criteria will vary, but generally state laws apply if you handle data about a large number of people in the state or you make a big portion of your revenue from selling personal data about people in the state.

The following international laws require a Privacy Policy. Other than PIPEDA, they can all apply if you process data about people in the relevant countries, regardless of your location:

• GDPR (European Union)
• PIPEDA (Canada)
• Privacy Act (Australia)
• LGPD (Brazil)

Many third-party services have contractual requirements to have a Privacy Policy if you handle customer data. Examples include::

• Google Play Store
• Apple App Store
• Google Adsense