Data protection and privacy law are critical matters because personal data is lucrative. Even if your startup does not plan to profit directly from personal data, you will almost certainly have to collect and use data to conduct your business. Much of this data will be considered personal data, and will affect your legal obligations accordingly. In effect, Google’s own insistence that websites make such policies plain constitutes something of a data privacy law in itself, insofar as most businesses depend on the search engine for much, if not most or even all, of their sales leads.
The Data Privacy Law Landscape in the US: The Skim
Most data protection laws, regardless of jurisdiction, require that notice be provided to users about which data is being collected and the ways in which it is being used. As a general rule, this notice should be provided at the time of data collection. In the EU, it is also required that users be notified about their rights with respect to their data. Under the newly enacted GDPR, these rights include the right to be forgotten: a user must be able to request that you delete all records and data related to him/her, and you must be able to comply.
It is important to note that differences between jurisdictions pertain not only to the rules regarding how personal data must be protected, but also to the definition of personal data. For example, monitoring information (e.g., information gathered by employee-monitoring services) is considered personal data in the EU, but not in the US. Some data privacy laws apply only to “controllers” of data within their jurisdiction. This means that you won’t have to comply if your business does not operate there. In other cases, such as with the GDPR, data privacy laws apply if you collect personal data from users in that jurisdiction, regardless of where you operate.
Internet privacy lawyers