As the world becomes more dependent on digital products and services, data privacy has increasingly become a top priority for many countries and regions. As a result, many regions have put in place robust and enforceable data regulations by which businesses are expected to comply.

In most cases, non-compliance with these regulations can not only lead to major financial consequences, but it can also lead to significant and lasting damage to public trust and the reputation of your organization. It is, therefore, important to ensure that your business meets its legal obligations.

Under the vast majority of legislations, if you’re processing personal data you’re generally required to make disclosures related to your data processing activities via a comprehensive privacy policy, ensure that there are effective security measures in place for protecting personal data and implement methods for receiving user consent or facilitating its withdrawal.

This privacy information must be up-to-date, understandable, unambiguous, and easily accessible throughout the website or app. Some component requirements may vary based on the type of processing activity, region, user age or business type. It is, therefore, worth noting that in addition to the general points outlined here, you may have further responsibilities depending on your law of reference. You can read more situation specific information in the sections below.

In general, users need to be informed of:

• Website/app owner details
• The effective date of your privacy policy
• Your notification process for policy changes
• What data is being collected
• Third-party access to their data (who the third-parties are and what data they’re collecting)
• Their rights in regards to their data.

You may be further responsible for making additional disclosures to users, third-parties and the supervisory authority depending on your law of reference.
 

One such law is the California Consumer Privacy Act (CCPA). Under the CCPA, users will need to be informed, in particular, of the possibility of their data being sold ( you can think “sold” here as “shared with third parties for any profit, monetary or otherwise”). The disclosure will need to be visible from the homepage of the site and must include an opt-out (DNSMPI) link. You can read more about CCPA compliance here.

Consent here refers to the informed voluntary agreement of an individual to engage in a particular event or process.

Broadly speaking, users need to be able to decline, withdraw or give (depending on the regional law) consent. Consent may be acquired using any method that would require the user to take a direct and verifiable affirmative action; these can include checkboxes, text fields, toggle buttons, sending an email in confirmation etc.