Your business may be in Virginia, but when it comes to online privacy laws, it may be governed by California and Europe.
A website often has a privacy policy, usually linked at the bottom of the page. The policy covers topics such as the use of cookies and web beacons and whether the business shares the personally identifying information it gathers about web surfers with third parties.
No federal law generally requires businesses to have privacy policies for websites and mobile apps. Beware, however, that other governments require businesses to have privacy policies. These laws may govern many Virginia-based businesses and may be enforced against them.
California leads the way. In 2004, it enacted the California Online Privacy Protection Act. CalOPPA requires a business to have a privacy policy containing certain disclosures. It applies to any commercial website that collects personally identifying information about a consumer residing in California.
Businesses that fail to comply can be sued by the California government for substantial damages. Yet it is perhaps unlikely that the government would expend the effort to sue a Virginia-based business unless it’s a large or national one.
California recently upped the ante by enacting the California Consumer Privacy Act, or CCPA. This law goes into effect Jan. 1 and gives Californians the right to force businesses to disclose categories of personal information gathered about them and, in many cases, to require deletion of it. It also requires businesses to post on their websites an opportunity for web surfers to opt out of the sale of their personal information. As with CalOPPA, the California government potentially can collect large damage awards for noncompliance.
The law applies only to large businesses, such as ones with gross annual revenue over $25 million, and ones that annually buy, sell, receive or share personal information about 50,000 or more consumers.
Then there is Europe. You may have heard of the European Union’s General Data Protection Regulation. The GDPR not only mandates a privacy policy but also extensively regulates the handling of personally identifying information by a business, regardless of whether that personal information is gathered online or by other means.
The EU government claims the power to fine a business for a violation up to the greater of 20 million euros or 4% of its gross annual revenue. The EU law protects individuals living in the EU. It doesn’t cover citizens of EU countries while in the U.S. The big question is whether your U.S.-based business is governed by the GDPR if it doesn’t have a physical location in the EU.
In theory, your U.S. business is covered if it sells products or services to individuals in the EU (such as by online or catalog order) or if it gathers (online or otherwise) personal information from individuals in the EU. Yet, if the EU government imposed a fine on your U.S. business for a violation, it’s unclear how it could collect the fine.
Overall, what should your business do about these privacy laws? First, because of CalOPPA, your business probably should have a privacy policy if it has a website or app.
Second, the worst mistake to make regarding a privacy policy is to not follow it. That’s when the federal government nails you and perhaps a state government, too. It’s a mistake to just copy someone else’s policy rather than getting one fitted to your business.
Third, figure out if you’re covered by the CCPA or GDPR. If you are, you have a lot of work to do.
