Provided the policy is well drafted, it should protect the company from claims that it misused personal information or misled the user about the company’s collection or use of the data.
Privacy Compliance in the United States and European Union
Different laws around privacy in other countries can complicate compliance for business owners with a digital presence.
The United States and Privacy
Laws in the United States relating to online privacy are much less strict than in the European Union. Important federal privacy laws apply to specific types of businesses in the United States.
- The Children’s Online Privacy Protection Act (COPPA)
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Gramm-Leach-Bliley Act (a law regulating financial institutions)
These privacy laws apply to specific businesses and will not apply to everyone.
Some states have their own privacy laws. For example, California has its own state privacy laws, including
Additionally, direct marketing businesses in the United States are regulated by a federal law known as CAN-SPAM.
The EU has been very proactive as regards online privacy. The privacy regulation applies to all countries that are part of the EU and the United Kingdom.
The two primary privacy laws in the EU are
- The General Data Protection Regulation (known as the GDPR)
- The ePrivacy Directive (also called the Cookies Directive)
The standard of compliance in the EU is set much higher than elsewhere. Therefore, business owners who comply with these stricter rules will probably be compliant everywhere else as well.
A startup business must comply with EU privacy law if it offers goods and services in the territory of the EU. It also applies to the business if it involves monitoring customer behavior in the EU. The fact that the company operates in the United States does not release it from the necessity to comply with EU regulations.
- Who is the company’s target market?
- What methods of marketing does the company intend to use?
- What service is the company providing?
- Which countries will it serve?
It is also important to consider performing a data audit of the business. This should include answering the following questions:
- What inbound personal data does the company gather digitally?
- What specific other types of data does the company collect?
- Why does it collect the data?
- Where is this data stored?
- Who else receives this data? (e.g. marketing companies, web hosting providers, etc.)