- It is imperative – this cannot be overemphasized – that you work very closely with an attorney and/or information technology services to ensure that only the appropriate information is being collected, based on the location of the IP address and other factors. There are very specific rules to be followed in the collection of personal information under US federal and state laws and European Union laws – especially in relation to children under 13 years of age.
- European Union laws – GDPR – are very similar to some of the US policies, but they are not the same! They too must be reviewed and complied with. Again, consult information technology professionals and an attorney to interpret the laws properly. Much of this compliance will be behind the scenes and must be dealt with in specific ways.
- Failure to properly protect, collect, and retain this information can result in significant fines.
- You’ll want to ensure your business customer support contact information, such as phone number, email address, location, and any other relevant information, is accessible for inquiries regarding GDPR and stored information as well. These are your legal obligations.
- You should work to understand the privacy practices of your service providers and third-party services, as well as of the advertising, marketing, and sales partners you work with and whose services you implement on your website, because in most cases they are accessing/storing information from users on your site regardless of the web browser/operating system being used.
- Some larger businesses have appointed data protection officers to head up this effort, depending on the scale of their business and breadth of operations. These team members are often in charge of evaluating practices, protection, security vulnerabilities, whether or not PII is being captured and where that information is being stored, the retention period of stored data, whether there has been unauthorized access to that information, and how the company responds to inquiries and requests around things like GDPR.
In the US, privacy laws are left to each state and industry, not the federal government. This is why the Health Insurance Portability and Accountability Act (HIPAA), which protects the medical information of US citizens, is one of the only federal privacy laws out there. Also, institutions engaged in the financial sector are required by the Gramm-Leach-Bliley Act to provide accurate and clear statements about how they share information.
It can be confusing for US and foreign companies to comply with so many state laws. However, there are a few important ones you should pay close attention to:
California has the largest and most robust privacy laws of any state in the US. The California Online Privacy Protection Act (CalOPPA) protects the transmission and collection of the personal data of California residents. CalOPPA’s jurisdiction extends outside of California to the US and any company that collects data from California residents.
- What data is collected
- Why the data is collected
- How companies handle Do Not Track Signals
California recently added to its list of privacy laws by enacting the California Consumer Privacy Act (CCPA). The CCPA created new consumer rights in the collection of data by for-profit businesses. Required updates to privacy policies include the option to opt-out of data collection, a disclosure of the sources of the collected information, and lists of data sold and data disclosed for business purposes in the last 12 months.
New York’s Shield Act protects the private data of New York residents that is collected by New York and foreign companies. The New York act gives companies leeway on how to safeguard personal data, but policies must comply with the Act’s standards. The Shield Act extends to biometric data, emails, and financial accounts.
Washington’s Privacy Act (WPA) has yet to be passed by the state, but if approved the act would have some requirements similar to California’s CCPA. The WPA would require opt-out options, notification of the categories of data collected, and large security practices.
Other Business Documents:
ApproveMe.com has many contract and business templates available. A secure method to get an agreement signed is online. Online signatures of the parties are legally binding. This is a convenient way to expedite the process and eliminate stress for both you and the client. You can use ApproveMe.com to ensure you have a legally binding signature.
Additional information may be found at the sites below:
This privacy statement is applicable to ______________ [insert company name] and all its affiliates.
The policy is to respect and protect the privacy of our users.
The ______________ [insert company name] (hereafter referred to as “Company” or “__________.com”) does not collect personally identifiable information about individuals except when such individuals specifically provide such information on a voluntary basis. For example, such personally identifiable information may be gathered from a contest or sweepstakes registration, the registration process for subscription sites or services and in connection with content submissions, community postings (e.g., chat and message boards), suggestions, voting/polling activities and transactional areas.
Personally identifiable information on individual users will not be sold or otherwise transferred to unaffiliated third parties without the approval of the user at the time of collection. At such points of collection, the user will have the opportunity to indicate whether he or she would like to “opt out” of receiving promotional and/or marketing information about other products, services and offerings from the Company and/or any third parties.
While the Company does not anticipate a large number of children accessing our website, we are committed to protecting the privacy of children who use our sites and applications. Our Company has established practices compliant with the U.S. Children’s Online Privacy Protection Act (“COPPA”) regarding children’s personal information.
_________________.com is sharing personally identifiable information with Google Analytics (acting as its site traffic gathering agent for this limited purpose) for the sole purpose of gathering statistical data on visitors to the site and the pages viewed by those visitors. If you wish to opt out, visit Google Analytics’ privacy center. [insert this information if you are using any kind of analytics for gathering information…and insert the appropriate website/company you are using]
Further, notwithstanding any opt out of promotional information by the user, the Company reserves the right to contact a subscriber regarding account status, changes to the subscriber agreement and other matters relevant to the underlying service and/or the information collected.
The Company may disclose user information in special cases when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be causing injury to or interference with (either intentionally or unintentionally) the Company’s rights or property, other Company users, or anyone else that could be harmed by such activities. The Company may disclose user information when we believe in good faith that the law requires it.
Additionally, users should be aware that when they voluntarily disclose personally identifiable information (e.g., user name, e-mail address) on the bulletin boards or in the chat areas of the Company’s sites, that information, along with any substantive information disclosed in the user’s communication, can be collected and correlated and used by third parties and may result in unsolicited messages from other posters or third parties. Such activities are beyond the control of the Company.
Upon request, the Company will allow any user to “opt out” of further promotional contacts at any time. Additionally, upon request, the Company will use reasonable efforts to allow users to update/correct personal information previously submitted which the user states is erroneous, to the extent such activities will not compromise privacy or security interests. Also, upon a user’s request, the Company will use commercially reasonable efforts to functionally delete the user and his or her personal information from its database; however, it may be impossible to delete a user’s entry without some residual information because of backups and records of deletions.
The foregoing policies are effective as of ________________ [insert effective date]. The Company reserves the right to change this policy at any time by notifying users of the existence of a new privacy statement. This statement and the policies outlined herein are not intended to and do not create any contractual or other legal rights in or on behalf of any party.
If you have questions or concerns regarding this Web site’s privacy statement, contact the Company. [insert/create hyperlink to company’s customer service or info email box]
As our Company is headquartered in the United States, we adhere most closely to applicable federal and state laws. We do, however, value our non-US users. The Company has implemented policies to adhere to the European Union’s General Data Protection Regulation (“GDPR”), which includes strict data protection principles that organizations must follow in order to protect the personal information they collect about their clients or people who visit their websites. While many rules and actions may be the same in the US and EU, there may be specific instances of policy differences. If you are concerned about how your personal information is being collected in connection with GDPR, please use this contact information and reach out to the Company. [insert/create hyperlink to company’s customer service or info email box].