What laws require websites to have a Privacy Policy?

Upcoming privacy laws and how you can protect your business

Unless you are at Target, you want to make sure that you actually need what you are buying. As much as we’d like to sell our services to every website out there, the truth is that not every website is required by law to have a Privacy Policy, and therefore spending money on one would be completely unnecessary. That being said, many modern websites are required by law to have a Privacy Policy. So, which of these categories does your website fall under?

If your website collects Personally Identifiable Information (PII) such as names, emails, phone numbers, and addresses, then it’s almost certain that you will need a Privacy Policy on your website. You’ll also need to make sure that this Privacy Policy contains each of the unique disclosures that each privacy law requires. If this sounds scary, just know that Privacy Policy Generators like Termageddon can make it easy to figure out if you do/don’t need a Privacy Policy and then will help you create and update your policies as Privacy Laws change.

In this blog post, we will explore what laws require websites to have a Privacy Policy and who they apply to so that you can make an informed decision as to whether your website needs a Privacy Policy. 

Fines for violations of privacy laws start at $2,500 per violation (per website visitor).

California Online Privacy Protection Act of 2003 (“CalOPPA”)

CalOPPA is a privacy law that protects the privacy rights of residents of California by requiring operators of websites that collect the PII of California residents to have a Privacy Policy on such websites. If your website collects the PII of California residents, your website needs to have a CalOPPA compliant Privacy Policy. Note that the law does not distinguish where the operator is located. Whether CalOPPA applies depends on where the visitor resides, meaning that it could apply to potentially any website in the world, requiring you to have a Privacy Policy or face potential fines. 

The California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) is a consumer privacy law that was approved on November 3, 2020 and goes into effect in 2023.

The CPRA replaces and builds upon the California Consumer Privacy Act (CCPA) that went into effect in 2020 by adding additional privacy rights for Californians, including:

  • Consumers’ right to correct inaccurate personal information 
  • Consumers’ right to opt out of the sharing of certain personal information
  • Consumers’ right to receive the personal information in a portable and readily usable format
  • Consumers’ right to transmit personal information to another entity
  • Consumers’ right to limit the use and disclosure of sensitive personal information
  • Expanded private right of action for breaches involving email accounts

Who does CPRA apply to?

The CPRA applies to businesses that collect the personal information of residents of California and do business in California and that meet one of the following factors: 

  1. Have annual gross revenue of more than $25,000,000; 
  2. Derive 50% or more of its annual revenue from selling or sharing the personal information of California consumers; or 
  3. Annually buy, sell or share the personal information of 100,000 or more California consumers or households.

Businesses that receive the personal information of residents of California from their clients may also need to comply with this law via contract, even if they do not meet the criteria listed above. 

Nevada Revised Statutes Chapter 603A 

Nevada’s privacy law requires the operators of websites to have a Privacy Policy that makes certain disclosures. The law defines operators as any person who: 

  • Owns and operates a website for commercial purposes; 
  • Collects and maintains the personal information of consumers who reside in Nevada and use or visit the Internet website; and 
  • Purposefully directs its activities towards Nevada, consummates a transaction with the State of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution. 

If you have a website that collects the personally identifiable information of Nevada consumers and you have customers who reside in Nevada, your website needs to have a compliant Privacy Policy or you could face fines for non-compliance. 

Delaware Online Privacy and Protection Act (“DOPPA”)

DOPPA is a privacy law that protects the privacy rights of Delaware residents by requiring certain websites to have a Privacy Policy that makes specific disclosures. This law applies to any person who owns a website that collects personally identifiable information through that website about individual users residing in Delaware. Since anyone from anywhere can submit their PII on websites with a contact form, this law could apply to virtually any website in the world. Failure to have a DOPPA compliant Privacy Policy could lead to fines so it is imperative that your website is compliant with DOPPA requirements. 

Virginia Consumer Data Protection Act (“VCDPA”)

VCDPA is a privacy law that goes into effect on January 1, 2023 and that protects the privacy of residents of Virginia by providing residents of the state with new privacy rights, requiring certain websites to have a Privacy Policy that makes specific disclosures, and imposing heavy penalties for failing to comply. VCDPA applies to persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that:

  • During a calendar year, control or process the personal data of at least 100,000 residents of Virginia; or
  • Control or process the personal data of at least 25,000 consumers, and derive 50% of gross revenue from the sale of personal data.

If VCDPA applies to you, it is important that you ensure that your Privacy Policy has all of the disclosures required by this new law prior to the effective date to avoid being fined for non-compliance.

Colorado Privacy Act

The Colorado Privacy Act is a privacy law that goes into effect on July 1, 2023 and that protects the privacy of residents of Colorado. As with other privacy laws, the Colorado Privacy Act has a broad reach and applies to controllers of personal data that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado, and that satisfy one of the following thresholds:

  • Control or process the personal data of 100,000 or more Colorado consumers during the calendar year; or
  • Derive revenue or receive a discount from the sale of personal data and collect or process the personal data of 25,000 or more Colorado consumers.

If your business meets one of the thresholds above, then you need to ensure that your website has a Colorado Privacy Act compliant Privacy Policy prior to its effective date.

Utah Consumer Privacy Act

The Utah Consumer Privacy Act goes into effect on December 31, 2023 and protects the privacy of residents of Utah. This privacy law applies to persons who do business in Utah or that produce a product or service that is targeted to consumers that are located in Utah and that meet the following criteria:

  • Has annual revenue of $25,000,000 or more; and
  • Meets one of the following thresholds:
      ◦ During a calendar year, controls or processes the personal data of 100,000 or more Utah residents; or
      ◦ Derives 50% or more of its annual gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah consumers.

Connecticut SB6

Connecticut SB6 is a privacy law that goes into effect on July 1, 2023 and that provides certain privacy rights to residents of Connecticut. This privacy law applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year:

  • Controlled or processed the personal data of 100,000 or more Connecticut residents; or
  • Controlled or processed the personal data of 25,000 or more residents of Connecticut and derived more than 25% of their gross revenue from the sale of personal data.

Iowa SF262

Iowa SF262 will go into effect on January 1, 2025 and will provide residents of Iowa with new privacy rights, and require businesses to have a Privacy Policy that makes the disclosures required by this law. Iowa SF262 applies to any person conducting business in Iowa or producing products or services that are targeted to residents of Iowa and that meet one of the following requirements: 

  • Controls or processes the personal data of at least 100,000 Iowa residents per year; or
  • Controls or processes the personal data of at least 25,000 Iowa residents and derives over 50% of gross revenue from the sale of personal data per year. 

The law does not apply to employee data and specifically exempts nonprofit organizations. 

Indiana SB5

Indiana SB5 will go into effect on July 1, 2026 and businesses that need to comply with this law should start their preparations now to ensure that they are compliant by the effective date. The comprehensive state privacy law requires certain businesses to have a Privacy Policy that has specific disclosures, provides privacy rights to residents of Indiana, and requires businesses to meet specific requirements to protect privacy.

Indiana SB5 was enacted to protect the privacy of residents of Indiana, and, due to the nature of the Internet, it can apply to you even if your business is not located in Indiana. Indiana SB5 applies to any person that does business in Indiana or that produces products or services that are targeted to residents of Indiana and that during a year: 

  • Controls or processes the personal data of at least 100,000 residents of Indiana; or
  • Controls or processes the personal data of at least 25,000 residents of Indiana and derives more than 50% of gross revenue from the sale of personal data. 

The law does specifically exempt nonprofit organizations, higher education institutions, financial institutions and public utilities. 

Tennessee HB1181

The Tennessee Information Protection Act (TIPA) will go into effect on July 1, 2025, so businesses that need to comply should start their compliance efforts now. TIPA was passed to protect the privacy of residents of Tennessee by providing them with privacy rights and imposing certain requirements, such as having a Privacy Policy, upon businesses.

TIPA applies to persons that conduct business in Tennessee or that produce products or services that are targeted to residents of the state and that:

  • During a calendar year, control or process the personal information of at least 100,000 residents of Tennessee; or
  • Control or process the personal information of at least 25,000 Tennessee residents and derive more than 50% of gross revenue from the sale of personal information.

It is important to note that TIPA applies to businesses that are located in Tennessee as well as to businesses that are not, so businesses in other states must still pay attention to and comply with this law if it applies to them.

Montana (MCDPA)

The Montana Consumer Data Privacy Act (MCDPA) will go into effect on October 1, 2024, imposing requirements such as having a Privacy Policy on businesses that need to comply with this law. 

The MCDPA applies to persons that do business in Montana or that produce products or services that are targeted to residents of Montana and meet one or more of the following factors: 

  • Control or process the personal data of not less than 50,000 Montana residents (excluding personal data controlled or processed solely for completing payment transactions); or 
  • Control or process the personal data of not less than 25,000 Montana residents and derive more than 25% of gross revenue from the sale of personal data. 

The law exempts nonprofit organizations, higher education institutions, national securities associations, financial institutions and entities that need to comply with HIPAA. 

Texas (TDPSA)

The Texas Data Privacy and Security Act will go into effect on July 1, 2024, imposing requirements such as having a Privacy Policy on businesses that need to comply with this law. 

The Texas Data Privacy and Security Act is similar to other privacy laws in the sense that a business does not need to be located in the State for the law to apply. The TDPSA applies to any person that conducts business in Texas or produces a product or service consumed by residents of Texas and that processes or engages in the sale of personal data.

It is important to note that a few types of organizations will not be subject to this law, including nonprofit organizations and small businesses, as defined by the United States Small Business Administration. The Small Business Administration defines a “small business” as either an independent business with fewer than 500 employees or a business that makes under a certain amount of gross revenue per year. While small businesses are exempt from most of the requirements of the TDPSA, under the law, small businesses may not engage in the sale of sensitive personal data without receiving prior consent from the consumer.

Oregon Consumer Privacy Act

The Oregon Consumer Privacy Act (previously Oregon SB619) will go into effect on July 1, 2024, imposing requirements such as having a Privacy Policy on businesses that need to comply with this law. 

The Oregon Consumer Privacy Act is similar to other privacy laws in the sense that a business does not need to be located in the State for the law to apply. Oregon’s privacy law applies to any person that conducts business in Oregon or that provides products or services to residents of Oregon and that, during a calendar year:

  • Processes or controls the personal data of 100,000 or more residents of Oregon; or
  • Processes or controls the personal data of 25,000 or more residents of Oregon and derives 25% or more of annual gross revenue from the sale of personal data.

In addition, the law can apply to businesses that do not meet the criteria above if they have signed a contract for the processing of data with a company that does need to comply with this law.

Delaware Personal Data Privacy Act (DPDPA)

The Delaware Personal Data Privacy Act will go into effect on January 1, 2025, imposing requirements such as having a Privacy Policy on businesses that need to comply with this law. 

The DPDPA applies to any person that conducts business in Delaware or that produces products or services that are targeted to residents of Delaware and that during the preceding calendar year: 

  • Controlled or processed the personal data of not less than 35,000 residents of Delaware; or 
  • Controlled or processed the personal data of not less than 100,000 residents of Delaware and derived more than 20% of their gross revenue from the sale of personal data. 

It is important to note that similar to other privacy laws, your business does not need to be located in Delaware for this privacy law to apply to you. The DPDPA exempts nonprofit organizations that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony or stalking but does not exempt nonprofits working in other areas. 

General Data Protection Regulation (“GDPR”)

GDPR is a privacy law that protects the privacy rights of residents of the European Union. GDPR has a reach far outside of the EU and applies to you if you: 

  • Are located in the European Union; 
  • Offer goods or services to European Union residents, regardless of your location; or
  • Monitor the behavior of European Union residents, regardless of your location. 

If GDPR applies to you, you need to have a GDPR compliant Privacy Policy that makes all of the required disclosures. GDPR is one of the most actively enforced privacy laws in the world, with hundreds of companies, large and small, being fined for non-compliance with this privacy law. 

UK’s Data Protection Act (UK DPA)

UK DPA is a privacy law that protects the privacy rights of residents of the United Kingdom. UK DPA has a reach far outside of the UK and applies to you if you: 

  • Are located in the United Kingdom; 
  • Offer goods or services to UK residents, regardless of your location; or
  • Monitor the behavior of UK residents, regardless of your location. 

If UK DPA applies to you, you need to have a UK DPA compliant Privacy Policy that makes all of the required disclosures.

Personal Information Protection and Electronic Documents Act (“PIPEDA”)

PIPEDA is a privacy law that protects the privacy rights of residents of Canada by requiring certain websites to have a compliant Privacy Policy. PIPEDA applies to organizations across Canada that collect, use, or disclose PII in the course of commercial activity. PIPEDA defines commercial activity as any conduct that is of a commercial character. Canadian courts and the Office of the Privacy Commissioner of Canada have concluded that PIPEDA can also apply to non-Canadian companies that collect, use or disclose the PII of Canadian residents, which means that the law could apply to any website in the world. If your website collects the PII of Canadian residents, you need to ensure that you have a PIPEDA compliant Privacy Policy. 

Quebec Bill 64

Quebec Bill 64 protects the privacy rights of residents of Quebec, Canada, by requiring certain websites to have a compliant Privacy Policy. This law goes into effect on September 1st, 2023 and applies to persons who collect, hold, use or share the personal information of residents of Quebec in the course of carrying on an enterprise within the meaning of Article 1525 of the Quebec Civil Code. Article 1525 defines “enterprise” as “the carrying on by one or more persons of an economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property or providing a service.” This means that Quebec Bill 64 will apply to both for-profit and nonprofit organizations that collect, hold, use or share the personal information of residents of Quebec. If your website does collect, hold, use or share the personal information of Quebec residents, you will need to update your Privacy Policy prior to the effective date of this law to include all of the required disclosures.

Australia Privacy Act of 1988

The Australia Privacy Act 1988 protects the privacy rights of residents of Australia by requiring certain websites to have a compliant Privacy Policy that makes very specific disclosures. This law applies to Australian organizations with annual turnover of more than AUD $3,000,000. It also applies to the following organizations even if they have turnover that is less than AUD $3,000,000 per year: 

  • Private sector healthcare providers; 
  • Businesses that sell or purchase personal information; 
  • Credit reporting bodies; 
  • Contracted service providers for Australian government contracts; 
  • Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009; 
  • Businesses that have opted in to comply with the law; 
  • Businesses that are related to a business covered by the law; and 
  • Businesses prescribed by the Privacy Regulation 2013. 

In addition, organizations formed outside of Australia may need to comply with this law, regardless of revenue, if they have an Australian link. Your organization has an Australian link if it carries on business in Australia and collects and holds personal information in Australia. In assessing whether an entity carries on business in Australia, the following factors need to be considered:

  • The entity has a place of business in Australia;
  • People who undertake business acts for the entity are located in Australia;
  • The entity has a website that offers goods or services to Australian consumers;
  • Australia is one of the countries on the drop-down menu appearing on the entity’s website;
  • Web content that forms part of carrying on the business was uploaded by or on behalf of the entity, in Australia;
  • Business or purchase orders are assessed or acted upon in Australia; or
  • The entity is the registered proprietor of trademarks in Australia.

The Australia Privacy Act 1988 requires the websites of such companies to have a compliant Privacy Policy, with failure to comply potentially leading to fines and lawsuits. 

It is clear from the laws above that it is a legal requirement to have a Privacy Policy for most websites that collect PII through a contact form or similar means. While the laws mentioned above are already in effect, more than a dozen states have proposed their own privacy bills, each with unique requirements for a Privacy Policy and what it must contain and unique penalties for failing to comply. The US federal legislature has also proposed numerous privacy bills that would affect many businesses, large and small. Having a compliant Privacy Policy is a key requirement of both current privacy laws and proposed state privacy bills. Use Termageddon’s Privacy Policy generator to help you get compliant and avoid privacy-related fines and lawsuits.

Set up your policies in 15 minutes or less. Protect your business today!