What's Data Privacy Law In Your Country?
When creating the content for your website, legal notices like your Terms of Service, Cookie Notifications, and Privacy Policies are often an afterthought.
Blog posts might be a lot more fun to write, but neglecting to give your readers the right information can get you in legal trouble.
You might think only the giants like Google and Facebook really need a Privacy Policy, or websites that handle sensitive data like credit card numbers or social security numbers.
In reality, many of the countries with modern data privacy laws have rules in place for handling any kind of information that can identify an individual or be used to do so.
Even if you just collect names and email addresses for your newsletter, display a few Google Ads on your site, or use browser cookies to get traffic analytics, you're required by law in many jurisdictions to inform your audience of certain facts and policies of your website.
If you don't, or if you just use a generic Privacy Policy template that doesn't accurately reflect your policies, you could be threatened with legal action from your website visitors or your government, and end up paying huge fines or legal fees - or even face jail time.
Why take the risk? Save yourself the time, trouble, and expense of legal consequences, and get up to speed on your country's privacy policy laws right here.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country.
- Answer the questions from our wizard relating to what type of information you collect from your users.
- Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
- 1. Privacy Laws by Country
- 1.1. Argentina
- 1.2. Australia
- 1.3. Brazil
- 1.4. Canada
- 1.5. Chile
- 1.6. Colombia
- 1.7. Czech Republic
- 1.8. Denmark
- 1.9. Estonia
- 1.10. European Union
- 1.11. Finland
- 1.12. France
- 1.13. Germany
- 1.14. Greece
- 1.15. Hong Kong
- 1.16. Hungary
- 1.17. Iceland
- 1.18. Ireland
- 1.19. India
- 1.20. Italy
- 1.21. Japan
- 1.22. Latvia
- 1.23. Lithuania
- 1.24. Luxembourg
- 1.25. Malaysia
- 1.26. Malta
- 1.27. Mexico
- 1.28. Morocco
- 1.29. The Netherlands
- 1.30. New Zealand
- 1.31. Norway
- 1.32. The Philippines
- 1.33. Romania
- 1.34. Poland
- 1.35. Portugal
- 1.36. Singapore
- 1.37. Slovenia
- 1.38. South Africa
- 1.39. South Korea
- 1.40. Spain
- 1.41. Switzerland
- 1.42. Sweden
- 1.43. Taiwan
- 1.44. United States
- 1.45. United Kingdom
Privacy Laws by Country
Laws regarding privacy policy requirements for websites are generally part of a country's information privacy or data protection law. These laws govern how information about private individuals can be collected and used. Although a relatively recent legal development, data privacy laws have now been enacted in over 80 countries around the world.
Argentina
Argentina's Personal Data Protection Act of 2000 (Law 25,326) applies to any individual person or legal entity within the territory of Argentina that handles personal data. Personal data includes any kind of information that relates to an identified or identifiable individual. Basic identifying details such as name, national ID number, occupation, date of birth, and address are still personal data, but the act allows them to be processed without the subject's consent.
"Personal data" can, however, include the use of browser cookies. If you track your visitors using an analytics service, or if you use an ad network that uses cookies, then these policies will apply to you.
There is some legal disagreement about whether IP addresses count as personal data, with experts on both sides of the issue. To be on the safe side, you likely want to obtain consent if you collect any information regarding an individual's IP address, or use cookies in any way.
As a general rule, Argentina's law only permits handling or processing personal data if the subject has given prior informed consent. Informed consent means you must tell them the purpose for gathering the data, the consequences of refusing to provide the data or providing inaccurate information, and their right to access, correct, and delete the data. Any individual can also request deletion of their data at any time.
Australia
The Australian Privacy Principles (APPs), set out in the Privacy Act 1988, are 13 principles guiding the handling of personal information. According to these principles, you must manage personal information in an open and transparent way, which means having a clear and up-to-date Privacy Policy about how you manage personal information.
Privacy Policies, according to Australian law, need to detail why and how you collect personal information, the consequences for not providing personal information, how individuals can access and correct their own information, and how individuals can complain about a breach of the principles.
One of the roles of the Office of the Australian Information Commissioner (OAIC) is to investigate any privacy complaints about the handling of your personal information. Anyone can make a complaint to the office for free at any time, and the office will investigate as soon as possible.
In order to avoid complaints about your handling of personal information, it's important to have a clear and accurate Privacy Policy that includes all the requirements laid out by the APP.
Brazil
Brazil passed the Brazilian Internet Act (Marco Civil da Internet) in 2014, which deals with policies on the collection, maintenance, treatment and use of personal data on the Internet. It has since been supplemented by the General Data Protection Law (LGPD, Law 13,709/2018, in force since September 2020), a GDPR-style law that now sets the main rules for processing personal data in Brazil.
Any Brazilian individual or legal entity must obtain a person's prior consent before collecting their personal data online, in any way. Under Brazilian civil law, those under 16 cannot give consent, and those from 16 to 18 need the assistance of their legal guardian to do so. So, before collecting any information, be sure to ask whether the user is over 18 years of age.
It also states that your terms and conditions about how you collect, store, and use personal data need to be easily identifiable by your users, which means having an accurate and easy to understand privacy policy.
Canada
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs how you can collect, use, and disclose personal information in the course of commercial activity. According to the act, you must make information about your privacy policies and practices readily available to individuals.
Your Privacy Policy should be easy to find and to understand, and be as specific as possible about how you collect, handle, and use information.
For more information, check out the Privacy Toolkit and Fact Sheet from the Office of the Privacy Commissioner of Canada.
Chile
According to Chile's Act on the Protection of Personal Data (Law 19,628), passed in 1999, personal data can only be collected when authorized by the user. You also need to inform users of any sharing of information with third parties (such as if you have an email newsletter provider like MailChimp or AWeber that you share emails with).
However, you don't need to get authorization for basic information like a person's name or date of birth, or if you're only using the data internally to provide services or for statistical or pricing purposes.
Colombia
Colombia's Regulatory Decree 1377 states that you must inform users of the purpose their data will be used for, and you can't use the data for any other purpose without obtaining consent.
Privacy Policies must include a description of the purpose and methods for processing data, the users' rights over their data and the procedures for exercising those rights, and identification of who is responsible for handling the data.
Czech Republic
Act No. 101/2000 Coll., on the Protection of Personal Data governs how personal data is collected by anyone in the Czech Republic.
If you collect any kind of information relating to an identifiable person, you need to inform them of the purpose for collecting the data and the way it's collected, and obtain their consent.
Denmark
Denmark passed the Act on Processing of Personal Data in 2000. The Danish Data Protection Agency supervises and enforces the privacy laws. If they discover violations of the law, they can issue a ban or enforcement notice, or even report the violation to the police.
According to the law, personal data can only be collected if the user gives explicit consent. Also, a company can't disclose personal information to third parties for the purpose of marketing without consent.
Estonia
The Personal Data Protection Act of 2003 in Estonia states the personal data needs to be collected in an honest and legal way. You must obtain consent from users, and inform them of the purpose of collecting their data, and only use it in that way. A Privacy Policy is the key way to inform users.
European Union
The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018 and is to date the most robust privacy protection law in the world. It has since inspired other countries to strengthen existing laws and to create new ones.
The GDPR protects people in the EU from unlawful data collection or processing, tightens consent requirements, gives users enhanced rights, and requires a Privacy Policy written in an easy-to-understand way. It applies directly in every EU member state (and, through the EEA agreement, in Iceland, Liechtenstein and Norway), and it also reaches organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. Note that the national laws described for EU countries elsewhere on this page predate the GDPR; most have since been repealed or rewritten as supplementary acts, so the GDPR is now the starting point for any of those countries.
Finland
The Personal Data Act governs the processing of personal data gathered in Finland, where privacy is considered a basic right. Anyone who gathers personal data in Finland must have a clearly defined purpose for gathering the data, and may not use it for any other purpose.
Personal data can only be gathered after obtaining unambiguous consent from the user.
The controller (the person or corporation collecting the data) of the collected data also needs to create a description of the data file, including their name and address and the purpose for collecting the data. This description needs to be made available to anyone.
There are also special restrictions that apply if you're collecting data for the purpose of direct marketing or other personalized mailing related to marketing. Your database must be limited to basic information and contact information (no sensitive data can be collected).
France
The Data Protection Act (DPA) of 1978 (revised in 2004) is the main law protecting data privacy in France. The Postal and Electronic Communications Code also touches on the collection of personal data when it's used for sending electronic messages.
The DPA applies to the collection of any information that can be used to identify a person, which is very broad in scope. The rules apply to anyone collecting data who is located in France or who carries out their activities in an establishment in France (such as if your hosting server or other service provider related to collecting or processing data is located in France). This is why the French Data Protection Authority (CNIL) was able to fine Google for violating French privacy law.
Before automatically processing any kind of personal data, you must obtain the consent of the subject, and inform them of a number of things, including the purpose of the processing, the identity and address of the data controller, the time period the data will be kept, who can access the data, how the data is secured, etc.
Germany
In Germany, the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG, as amended in 2001 and rewritten in 2017 to sit alongside the GDPR) follows the principle that collecting or processing any kind of personal data (including IP addresses) is prohibited unless a statutory provision permits it or the data subject has given express consent. As a rule, you must also collect the data directly from the subject, which makes buying email lists from third parties legally risky.
According to the act's Principle of Transparency section, the subject must be informed of the collection of the data and its purpose. Once the data is collected for a specific purpose, you can't use it for any other purpose without getting additional consent.
These laws apply to any collection of data on German soil, and the Federal Commissioner for Data Protection and Freedom of Information (BfDI) together with 16 separate state data protection authorities enforce them.
Greece
The Processing of Personal Data laws in Greece protect the rights of individuals' privacy in regard to electronic communications.
The processing of personal data is only allowed in Greece if you obtain consent after notifying the user of the type of data and the purpose and extent of processing. Consent can be given by electronic means if you ensure that the user is completely aware of the consequences of giving consent. Also, they can withdraw consent at any time.
Hong Kong
Hong Kong's Personal Data (Privacy) Ordinance (PDPO) states that users must be informed of the purpose of any personal data collection, and the classes of persons the data may be transferred to (such as if you use any third-party services for processing data, like an email newsletter service).
The openness principle of the ordinance states that your personal data policies and practices must be made publicly available, including what kind of data you collect and how it's used.
If you're in violation of the Personal Data (Privacy) Ordinance, you could face fines up to HK$50,000 and up to 2 years in prison, and you could be sued by your users as well.
Hungary
In Hungary, the privacy of personal data was first protected by Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest, since replaced by Act CXII of 2011 on Informational Self-Determination and Freedom of Information. Its main purpose is to ensure that individuals have control over their own data.
According to the act, you must obtain a person's consent in order to handle their personal data. You can only collect data with an express purpose, and you must inform the user that handing over their personal data is voluntary.
If you violate the act, then your users may sue you, and you may be liable to pay for any damage you cause by mishandling their data.
Iceland
Iceland has been called the 'Switzerland of data' for its strict privacy laws. The Data Protection Act of 2000 states that data must be obtained for specific purposes, and only after the subject has given unambiguous and informed consent.
In order to give consent, they must be made aware of the type of data collected, the purpose of the collection, how the data processing is conducted, how their data is protected, and that they can withdraw their consent at any time.
Not obeying the act could result in fines or even a prison term up to 3 years.
Ireland
In Ireland, the privacy of personal data is regulated by the Data Protection Act 1988, including a 2003 amendment. There's also the ePrivacy Regulations 2011 (S.I. 336 of 2011), which deals with electronic communication.
Ireland differentiates between an organization's Privacy Policy and their public Privacy Statement. A Privacy Policy is a detailed legal document that explains how the organization applies all the 8 data protection principles of the law.
A Privacy Statement, on the other hand, is a public document on a website that clearly and concisely declares how the organization applies the principles to how they collect personal data (including the use of browser cookies) through their website.
It's a legal requirement for any organization in Ireland to have a public Privacy Statement on its website.
If your website collects any kind of personal information or tracks users with cookies, and you don't have a privacy statement, you could be investigated by the Data Protection Commissioner and fined up to €100,000.
India
In India, the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 require every business that handles personal information to publish a privacy policy on its website, whether or not it deals with sensitive personal data. The Privacy Policy needs to describe what data you collect, the purpose of the data, any third parties it might be disclosed to, and what security practices you use to protect the data. India has since enacted the Digital Personal Data Protection Act 2023, a comprehensive data protection law, so check its status before relying on the older rules alone.
Certain sensitive data, including passwords or financial information, can't be collected or processed without the prior consent of the user.
Italy
Italy's Data Protection Code has strict rules for any kind of electronic marketing. According to the code, you must obtain a user's consent before tracking them or using data for advertising or marketing communications. You must provide users with specific information before collecting or processing their data, including the purpose and methods for processing the data and their individual rights under the law.
The Italian Data Protection Authority protects the rights of individuals regarding the privacy of their personal data. They can impose fines, such as the million-euro fine they threatened Google with for violating Italian privacy regulations.
Japan
In Japan, the Personal Information Protection Act protects the rights of individuals in regard to their personal data. The definition of personal data in the act is very broad, and even applies to information that could be found in a public directory.
The act states that you must describe as specifically as possible the purpose of the personal data you're collecting. Also, in order to share the personal data with any third party (such as an email newsletter service) you must obtain prior consent.
Latvia
The Personal Data Protection Law of Latvia applies to the processing of all kinds of personal data. It states that you may only process personal data after obtaining the consent of the user. When you collect personal data, you must inform them of specific information, including the purpose for collecting their data, any third parties that might have access to their data, and their individual rights to protect their own data under the law.
Lithuania
Lithuania's Law on Legal Protection of Personal Data states that in order to collect and process any kind of personal information that can identify an individual, you must first obtain clear consent from that individual. Consent only counts as consent if the individual agrees to their data being used for a specific purpose known to them. So, for consent to be legally valid, you need to let users know exactly why you're collecting their data and how you're going to use it.
Luxembourg
In Luxembourg, Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data states that users must give informed consent before their data can be collected and processed. The user must be informed of your identity, your purpose for collecting their data, any third parties with access to their data, and their specific rights regarding their data.
Anyone in violation of the law could face prison time between 8 days to 1 year and/or a fine of anywhere from 251 to 125,000 euros.
Malaysia
Malaysia's Personal Data Protection Act 2010 protects any personal data collected in Malaysia from being misused. According to the act, you must obtain the consent of users before collecting their personal data or sharing it with any third parties. In order for their consent to be valid, you must give them written notice of the purpose for the data collection, their rights to request or correct their data, what class of third parties will have access to their data, and whether or not they're required to share their data and the consequences if they don't.
Malta
In Malta, the right to privacy is considered a fundamental human right, and is protected in part by the Data Protection Act of 2001. The act states that personal data can only be collected and processed for specific, explicitly stated and legitimate purposes, and that the user must give their informed and unambiguous consent before it's collected. For their consent to be valid, you must inform them of your identity and residence, the purpose of the data collection, any other recipients of the data, whether their participation is required or voluntary, and all about their applicable rights to access, correct, or erase the data.
Mexico
In Mexico, the Federal Law for the Protection of Personal Data Possessed by Private Persons deals with the privacy of personal data. The law says that you can only collect personal data for the reasons stated in your Privacy Policy, and that you must obtain consent for collecting and processing any personal data that isn't publicly available. You also have an obligation to inform users of their rights regarding the data collected.
Morocco
Morocco's Data Protection Act defines personal data as any information of any nature that can identify an individual person. In order to collect or process any personal data, it needs to be for a specific purpose, and you must obtain the express consent of the user before you collect it, unless the data was already made public by that individual.
For their consent to be valid, you need to inform the person of your identity, the purpose of the data collection, and their rights regarding their own data.
The National Commission for the Protection of Personal Data, established in 2010, conducts investigation and inquiries related to privacy laws. Breaking the law can be punishable by fines or even imprisonment.
The Netherlands
In the Netherlands, the Dutch Personal Data Protection Act states that you must obtain the unambiguous consent of the user before collecting or processing any information that personally identifies them.
New Zealand
According to New Zealand's Privacy Act of 1993 (replaced by the Privacy Act 2020, which keeps the same information privacy principles), you must collect any non-public personal information directly from the individual, and make sure they're aware of your name and address, the purpose for the data collection, any recipients of that data, whether the collection is required by law or optional, and their rights regarding their own data.
Any user may make a complaint and possibly trigger an investigation into whether you're following the law when collecting their personal data.
Norway
Norway's Personal Data Act states that personal data can only be collected after obtaining the consent of the user. Before asking for consent, you need to inform them of your name and address, the purpose of the data collection, whether the data will be disclosed to third parties and their identities, the fact that their participation is voluntary, and their rights under the law.
The Philippines
The Philippines is known for having "one of the toughest data privacy legislations in the region." In the Philippines, anyone who collects personal data needs to get specific and informed consent from the user first. You must declare the purpose of the data processing before you begin to collect it (or as soon as reasonably possible after).
Under the Republic Act No. 10173, individuals have the right to know your identity, what personal data you're collecting and for what purpose, how it's being processed, who it's being disclosed to, and all their rights regarding their own data.
Romania
In Romania, the law states that you must inform users of their rights when collecting any kind of personal data, including their name. You also need to obtain their "express and unequivocal consent" beforehand.
Poland
Poland's Act of the Protection of Personal Data, passed in 1997, states that the processing of data is only permitted if the data subject has given their consent. You're also obliged to provide your name and address, the purpose of the data collection, any other recipients of the data, the subject's rights, and whether participation is required or voluntary.
Portugal
According to Portugal's Act on the Protection of Personal Data, the processing of data needs to be carried out in a transparent manner, respecting the privacy of your users. Personal data can only be collected for specific and legitimate purposes, and only after obtaining the unambiguous consent of the user. You must also provide the user with specific information including your identity, the purpose of the data processing, any other recipients of the data, etc.
Singapore
In Singapore, personal data is protected under the Personal Data Protection Act 2012. According to the act, you may only collect personal data with the consent of the individual, and the individual must be informed of the purpose for the data collection.
Slovenia
Slovenia's Personal Data Protection Act states that you must obtain the informed consent of an individual before collecting or processing their personal data. In order for their consent to be valid, you need to inform them of your identity and the purpose of the data collection. You also need to inform them of any other information necessary to ensure that their data is being processed in a lawful and fair manner.
South Africa
South Africa's Electronic Communications and Transactions Act (ECTA) of 2002 applies to personal data collected through electronic transactions, such as through a website. Chapter VIII of the act sets out nine principles for the collection of personal information; subscribing to them is voluntary, but once you subscribe you are bound by them, including disclosing in writing to the subject the specific purpose of the data collection and obtaining their express written consent before collecting their data. South Africa's primary data protection law is now the Protection of Personal Information Act (POPIA), passed in 2013 and fully in force since 1 July 2021, which applies whether or not you subscribed to the ECTA principles.
South Korea
In South Korea, the Personal Information Protection Act (PIPA, 2011) is the general data protection law, and the Act on Promotion of Information and Communications Network Utilization and Information Protection applies to online service providers; since the 2020 amendments, the Network Act's personal information provisions have been folded into PIPA. Any information and communications service provider needs to obtain the consent of the user before collecting personal information. In order for the consent to be valid, you must provide the user with specific information including your name and contact information, the purpose of the data collection, and the user's rights concerning their own data.
The Framework Act on Telecommunications provides the definition of "information and communications service providers" as "services that mediate a third party's communication through the telecommunications facilities and equipment or to provide the telecommunications facilities and equipment for the third party's telecommunications."
Spain
In Spain, the protection of personal data is regarded as a constitutional right. In order to collect any personal data, you need to provide the user with "fair processing information" including your identity and address, the purpose of the data processing, their rights under the law, whether participation is voluntary or mandatory, and any consequences for not providing their personal data.
Switzerland
Switzerland's Federal Act on Data Protection (FADP, fully revised with effect from 1 September 2023) states that any personal data collection or processing must be done in good faith, and that it needs to be evident to the user, especially the purpose of the data collection. In other words, you must inform the user that you're collecting their personal data, and why. Personal data is defined as "all information relating to an identified or identifiable person."
Sweden
In Sweden, the Personal Data Act protects the privacy of personally identifying information, which it loosely defines as any data that, directly or indirectly, is referable to a live person. It states that users are entitled to information concerning processing of their personal data, and that they must give consent before you can collect their data. Consent must be informed, voluntary, specific, and unambiguous.
Anyone who violates the act may be liable to pay fines or even sentenced to criminal penalties.
Taiwan
Taiwan's Computer-Processed Personal Data Protection Law of 1995 has been replaced by the Personal Data Protection Act (PDPA), in force since 2012, which covers specific kinds of personal data, including an individual's name, date of birth, "social activities," and any other data that can identify that individual. Data collection needs to be in good faith and in consideration of individuals' rights. Any organization that collects personal data must provide a notice that includes specific information including its name and address, the purpose and methods for the data collection, and any other recipients of the data.
United States
In the United States, data privacy isn't as highly legislated on a federal level as most of the other countries on this list. Like with many issues, the federal government leaves a lot of the details up to each state. Laws also differ depending on the industry, which results in a confusing mess of rules and regulations for US website owners to navigate.
The Federal Trade Commission (FTC) is the main federal privacy enforcer. It doesn't require privacy policies per se, but Section 5 of the FTC Act prohibits unfair or deceptive practices, which includes failing to live up to the promises you make in your own Privacy Policy.
Some federal laws that touch on data privacy include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which deals with health-related information, and the Children's Online Privacy Protection Act (COPPA), which applies to websites that collect data from children under the age of 13. Some states have more stringent laws than others, such as the California Online Privacy Protection Act (CalOPPA), which was the first law in the United States to specifically require websites to post a Privacy Policy.
CalOPPA actually applies not just to websites based in California, but to any website that collects personal data from consumers who reside in California. With that in mind, website owners based in the United States are encouraged to err on the side of caution so they don't run into legal trouble inadvertently.
CalOPPA requires that every website that collects personal data from users post a privacy policy that includes:
- The type of personal data collected
- Any third parties you share the data with
- How users can review and change their data that you've collected
- How you'll update users of changes to your Privacy Policy
- Your Privacy Policy's effective date
- How you'll respond to Do Not Track requests
If there's any chance that you'll be collecting personal data from anyone in California, it's best to comply with this law by creating an accurate privacy policy.
A few additional laws to be aware of in the US include the California Consumer Privacy Act (CCPA) and its CPRA amendments, and the comprehensive consumer privacy laws that several other states have since enacted (Virginia, Colorado, Connecticut and Utah among them). Note that the Washington Privacy Act (WPA), often cited alongside these, was proposed several times but never passed.
United Kingdom
In the UK, the mission of the Information Commissioner's Office is to "uphold information rights in the public interest."
The Data Protection Act 2018 and, since Brexit, the UK GDPR require fair and transparent processing of personal data, which means that you must be clear about why you're collecting personal data and how you're going to use it. The cookie rules come from the Privacy and Electronic Communications Regulations 2003 (PECR): if you use browser cookies, you need to clearly explain what they do and why you're using them, and gain the informed consent of your users for any cookies that aren't strictly necessary to provide the service they asked for.
You Need a Privacy Policy
It may seem like overkill to create a complete Privacy Policy if you're just collecting names and email addresses for your monthly newsletter, but in the Age of Information, it's important to respect the importance of personal data and the privacy rights of your website users. Being transparent about how you collect and protect data will not only keep you out of trouble with the law, but will also help to establish trust with your audience.
The best thing you can do to be compliant with almost any privacy law is to have a transparent, informative Privacy Policy posted on your website or mobile app and keep it easy to read and up to date.