Privacy laws and regulations
While you are deciding what type of data to collect, it is important to determine relevant privacy laws.
Privacy laws around the world have different definitions of Personally Identifiable Information (PII) and sensitive data. For example, some privacy laws consider IP address to be PII and others do not. General Data Protection Regulation (GDPR), Europe's privacy law, is one of the most strict privacy laws around the world. To be conservative, you could implement practices that are compliant with GDPR, and you will likely comply with other privacy laws.
Global privacy laws
Here are a few good sources on privacy laws for many countries around the world:
- Data Protection Laws of the World
- UNCTAD Data Protection and Privacy Legislation Worldwide
- IAPP Global Comprehensive Privacy Law Mapping Chart – (contains only a few countries)
US Laws
In the US, there is no comprehensive privacy law. Every US state has their own privacy laws. California has the strictest privacy laws in the US. If there is a data breach, you’ll need to work with a lawyer to determine the relevant privacy laws.
Here are privacy laws for each state.
GDPR
If you are collecting, storing, or using any data related to EU citizens or residents, you need to implement data protection policies and safeguards that are compliant with GDPR laws. GDPR laws are complicated, and there are high fines (4% of global revenue) for violating the law.
In GDPR, data is considered personal data if it can be used to identify them directly or indirectly. For example: name, email address, location, biometrics, gender, ethnicity, religious beliefs, political opinions, and web cookies.
If you process data, you need to mindful of these data protection requirements:
- Be lawful, transparent, and fair
- Only process data for the reasons specified when you collect it.
- Data minimization!
- Be Accurate
- Only store personal data for as long as you need it
- Ensure security, integrity and confidentiality (ie. use encryption)
- Accountability
People's privacy rights
In GDPR, people have control over how their data is used. People have the right to be informed of how their data is being used, the right to access their data, the right to rectify their data, the right to erase it, the right to restrict processing, the right to data portability, the right to object, and the right to determine whether their data is used in automated decision making.
Data security
- Requires two-factor authentication on accounts where personal data are stored
- End-to-end encryption
- Staff training
- Data privacy policies
- Limiting access to personal data
Data protection by design and by default
You must have consent that is “freely given, specific, informed and unambiguous.”
GDPR has many more requirements. You can find more information here.
If you need further guidance on privacy regulations consult with a local lawyer.