Privacy law in general is in a somewhat confused state: the internet has no borders, yet each individual country (and state) has its own restrictions and requirements, many of which apply to website operators located outside its boundaries. The lack of any overarching federal law regulating privacy in the US means that we have ended up with a patchwork of privacy laws, each with its own nuances, definitions, and penalties. Here are a few to be familiar with:
Personally Identifiable Information (PII)
The single most important term you need to become familiar with when setting up your own website to interact with users, customers, clients, etc. is “personally identifiable information,” usually shortened to “PII.” This category of information is what most states’ and countries’ privacy laws are chiefly concerned with. Different jurisdictions define PII differently, but a good rule of thumb is that if you have collected a person’s name together with another identifying piece of information about them (a driver’s license number, physical address, email address, etc.), you now have PII in your possession. When you collect PII, you are generally subject to the privacy laws of the state or country where that person lives, not just the laws where your servers happen to be. This means that you need to consider the impact of these laws (or have counsel investigate the legal requirements) before you start collecting PII from residents of a particular jurisdiction.
Privacy Policies
Privacy Policies are essentially legally binding promises that you make concerning your practices for handling the personal information of your website’s users. Some states (California, for example) have laws that require website operators to post a Privacy Policy on their website as soon as they begin collecting PII about residents of that state. Failure to do so, or collecting and sharing data in ways your posted policy does not disclose, can draw unwanted attention from the state Attorney General, the Federal Trade Commission (FTC), and possibly even private citizens.
Collecting PII from foreign countries
As mentioned above, different countries have different requirements. As much as we would like to treat it as such, the internet is not one borderless realm where anything goes (at least not anymore). Depending on where you operate and where the people you collect PII from are located, different sets of laws apply to your collection, handling, and storage of that PII.
The European Union, in particular, creates significant compliance headaches for US companies collecting PII about people in the EU and transferring it back to servers in the US. Under the EU Data Protection Directive (and the upcoming General Data Protection Regulation, which applies to data subjects located in the EU regardless of citizenship), US companies are prohibited from transferring that personal data to the US unless an approved transfer mechanism is in place, in part because of concerns about the US Government’s bulk data collection practices. At the time of writing, one such mechanism is the EU-US Privacy Shield, under which US companies self-certify that they provide a level of protection adequate under EU law. (Note that the Court of Justice of the EU later invalidated Privacy Shield in 2020, so the currently available transfer mechanism should be confirmed with counsel.) If you are collecting PII from people outside the US, you should have counsel look into any specific requirements the relevant countries may have.
The journey of running your own business, or even just your own website, is undoubtedly a complex one, especially when it comes to legalities. We hope this breakdown helps it all feel more approachable and understandable!
Disclaimer: Although this article may be considered advertising under applicable law and ethical rules, the information in this article is presented for informational purposes only. Nothing herein should be taken as legal advice, and this content does not form an attorney-client relationship. If you would like further information, Wilkinson Mazzeo would love to hear from you, so please feel free to reach out with any questions!
Photos by: Valerie Denise Photos