Legal Requirements Overview

As the world becomes more dependent on digital products and services, data privacy has increasingly become a top priority for many countries and regions. As a result, many regions have put in place robust and enforceable data regulations by which businesses are expected to comply.

In most cases, non-compliance with these regulations can not only lead to major financial consequences, but it can also lead to significant and lasting damage to public trust and the reputation of your organization. It is, therefore, important to ensure that your business meets its legal obligations.

General Legal Requirements

Major Components

Under the vast majority of legislations, if you’re processing personal data you’re generally required to make disclosures related to your data processing activities via a comprehensive privacy policy, ensure that there are effective security measures in place for protecting personal data and implement methods for receiving user consent or facilitating its withdrawal.

This privacy information must be up-to-date, understandable, unambiguous, and easily accessible throughout the website or app. Some component requirements may vary based on the type of processing activity, region, user age or business type. It is, therefore, worth noting that in addition to the general points outlined here, you may have further responsibilities depending on your law of reference. You can read more situation specific information in the sections below.

Disclosures

In general, users need to be informed of:

  • Website/app owner details
  • The effective date of your privacy policy
  • Your notification process for policy changes
  • What data is being collected
  • Third-party access to their data (who the third-parties are and what data they’re collecting)
  • Their rights in regards to their data.

You may be further responsible for making additional disclosures to users, third-parties and the supervisory authority depending on your law of reference.

One such law is the California Consumer Privacy Act (CCPA). Under the CCPA, users need to be informed, in particular, of the possibility of their data being sold (you can think of “sold” here as “shared with third parties for any profit, monetary or otherwise”). The disclosure needs to be visible from the homepage of the site and must include an opt-out (DNSMPI) link. You can read more about CCPA compliance here.

Consent

Consent here refers to the informed voluntary agreement of an individual to engage in a particular event or process.

Broadly speaking, users need to be able to decline, withdraw or give (depending on the regional law) consent. Consent may be acquired using any method that would require the user to take a direct and verifiable affirmative action; these can include checkboxes, text fields, toggle buttons, sending an email in confirmation etc.

Determining your law of reference

Generally, the laws of a particular region apply if:

  • You base your operations there; or
  • You use processing services or servers based in the region; or
  • Your service targets users from that region

This effectively means that regional regulations may apply to you and/or your business whether you’re located in the region or not. For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind. You can read more about which laws apply to you here.


Region-Specific Requirements – US law

In the US, there is no single comprehensive national body of data regulations; there are, however, various laws on a state level as well as industry guidelines and specific federal laws in place. Since online site/app activity is rarely limited to just one state, it’s always best to adhere to the strictest applicable regulations. With this in mind, the most robust data law framework is implemented by the state of California. The California Online Privacy Protection Act (CalOPPA), implemented in 2004, was the first state law to make privacy policies mandatory, and it applies to any person or company whose website/app processes the personal data of California residents.

In addition to the generally required disclosures above, CalOPPA also requires that you:

  • Conspicuously post your privacy policy on the homepage of your website/ app
  • Include in your privacy policy a description of the process by which users can request changes to personal data (if such a process exists)
  • Include in your privacy policy a statement on how “Do Not Track” requests are handled
  • Notify affected users in the occurrence of security breaches that impact their data

In regards to consent, US law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.

Special Care Regarding Children

If your service is knowingly collecting, using, or disclosing personal information from children under 13, then special regulations apply to those data processing activities.

Children’s Online Privacy Protection Act (COPPA) is a US federal law implemented to better protect the personal data and rights of children under 13 years of age.

Under this law, if you operate a website or online service which is directed to children under 13, or you have actual knowledge that you’re collecting personal information from children under 13, you must give notice to parents and get their verifiable consent before collecting, using, or disclosing the information, and must keep the information collected secure.

“Verifiable” here means using a method of attaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (e.g. checking a form of government-issued ID against an applicable database).

What is meant by the “personal information” of children

“Personal information” within this context refers to the child’s:

  • Name or ID information (e.g. social security number)
  • Location info including physical address, geolocation data or IP address
  • Any contact information including phone numbers and email addresses
  • Device identifiers
  • Media containing the child’s image or voice, including photos, videos or audio files

💡 Learn more about legal requirements regarding children and COPPA.

Region-Specific Requirements – Europe

GDPR

In the EU the General Data Protection Regulation (GDPR) was introduced in an effort to centralize data protection for people in the EU and became fully enforceable in May 2018. At its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general).

Where it applies

The GDPR can apply where:

  • An entity’s base of operations is in the EU (this applies whether the processing takes place in the EU or not);
  • An entity not established in the EU offers goods or services (even if the offer is for free) to people in the EU. The entity can be government agencies, private/public companies, individuals and non-profits;
  • An entity is not established in the EU but it monitors the behaviour of people who are in the EU, provided that such behaviour takes place in the EU.

This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not.

Note: The protections of the GDPR also extend to users outside the EU if the data controller is EU based. Therefore, if you are an EU-based data controller you must, by default, apply GDPR standards to ALL your users.

Where it does not apply

The conditions of applicability of the GDPR are set from a material and a territorial point of view. To determine whether or not a specific processing activity is exempt from its applicability, we have to consider both aspects.

Material point of view

The GDPR applies to the processing of personal data. Therefore, it does not apply to company data, such as a company name and address. Be careful here, however: natural persons work in companies, and any data referring to those persons is deemed “personal”, regardless of whether it is processed in a Business to Customer (B2C) or Business to Business (B2B) context.

Furthermore, personal data may not fall under the scope of the GDPR in several other scenarios including where they are processed by a natural person for a purely personal or household activity. You can read more about this in the dedicated guide here.

Territorial point of view

The conditions under which the GDPR applies were set out above. Consequently, for a processing activity not to be subject to the GDPR from a territorial point of view, all of the following must apply cumulatively:

  • the controller (or processor) is not based within the EU. Note: Always remember that the controller (or processor) could also be an EU-branch office of a non-EU corporation: in that case, even if the branch office were to have no legal personality, the GDPR would fully apply;
  • the processing does not relate to the offering of goods or services (even for free) to data subjects in the Union or the monitoring of their behavior as far as it takes place within the Union;
  • the controller is not based in an extra-EU place, where EU law applies due to international public law.

See examples in the dedicated guide here.


GDPR Requirements

In general, the GDPR requires that you:

Have a lawful basis. The GDPR requires that you have at least one lawful basis for processing user data. There are 6 lawful bases outlined under the GDPR.

Acquire verifiable consent. Under the GDPR, consent is one of several legal (lawful) bases for processing user data and as such, it must be “freely given, specific, informed and explicit”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms).

The GDPR also gives users a specific right to withdraw consent and, therefore, it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital that you document and keep clear records related to the consent.

Records of consent should at least contain the following information:

  • The identity of the user giving consent;
  • When they consented;
  • What disclosures were made (what they were told) at the time they consented;
  • Methods used for obtaining consent (e.g., newsletter form, during checkout etc.);
  • Whether they have withdrawn consent or not

Consent is not the ONLY reason that an organization can process user data; it is only one of the “legal bases”, therefore companies can apply other lawful (within the scope of GDPR) bases for data processing activity. With that said, there will always be data processing activities where consent is the only or best option.

Many Data Protection Authorities across the EU have strengthened their requirements and aligned their rules on cookies and trackers with the requirements of the GDPR. More specifically, it’s required that you record and store proofs of your users’ preferences.

The Cookie and Consent Preference Log is now available in our Privacy Controls and Cookie Solution. Click here for more info on how to activate the Cookie and Consent Preference Log within your Privacy Controls and Cookie Solution.

Data Subjects’ rights

Under the GDPR users have statutory rights in regards to their data. Not only must you as the controller honor those rights, but you must also inform users about them. Such rights include:

  • The right to be informed
    In addition to the generally required disclosures outlined above, the GDPR further requires that you ensure that your privacy notices are concise, easy-to-understand and easily accessible throughout your website/app.
  • The right of access
    Users have the right to access their personal data and information about how their personal data is being processed.
  • The right to rectification
    Users have the right to have their personal data rectified if it is inaccurate or incomplete.
  • The right to object
    Under the GDPR, users have the right to object to certain activities in relation to their personal data.
  • The right to data portability
    Under certain conditions, users have the right to obtain (in a machine-readable format) and use their personal data for their own purposes.
  • The right to erasure
    When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased and all dissemination ceased.
  • The right to restrict processing
    Users have the right to restrict the processing of their personal data in specific cases.
  • Rights related to automated decision making and profiling
    Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.

Meet specific requirements if transferring data outside of the EEA. The GDPR permits data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions.

Implement privacy by design and default. Under the GDPR, data protection should be included from the onset of design and development of the business processes and infrastructure.

Disclose security breaches. Under the GDPR, you are required to inform the supervisory authority of security breaches involving user data within 72 hours of becoming aware of it. In many cases you’re also required to inform affected users.

Appoint a DPO (where certain conditions are met). Under certain conditions, you may be required to appoint a Data Protection Officer, who will have the task to oversee all processing activities and monitor compliance with applicable law. Cases for mandatory appointment include situations where large-scale, systematic processing of user data occurs and where special categories of data (i.e. sensitive data) are being processed.

Maintain records of processing activities. As stipulated in Article 30, the GDPR requires that you keep and maintain “full and extensive” up-to-date records of the particular data processing activities. Full and extensive records of processing are expressly required in cases where your data processing activities are not occasional, where they could result in a risk to the rights and freedoms of others, where they involve the handling of “special categories of data” or where your organization has more than 250 employees — this effectively covers almost all data controllers and processors. However, even if your processing activities somehow fall outside of these situations, your information duties to users make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone. Read more about how to maintain compliant records for controllers and processors in our GDPR guide.

Carry out a DPIA (where certain conditions are met). In cases where the data processing activity is likely to result in a high risk to users, the GDPR requires that a Data Protection Impact Assessment (DPIA) be carried out.

Because using cookies means both processing user data and installing files that could be used for tracking, it is a major point of concern when it comes to user data privacy rights. The ePrivacy Directive (or Cookie Law) was implemented to address this concern.

Under the Cookie law, organizations that target users from the EU must inform users about data collection activities and give them the option to choose whether it’s allowed or not. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must first obtain valid consent prior to the installation of those cookies, except where those cookies fall into the category of exempt cookies.

💡 To learn more about which EU cookie consent rules apply on a per-country basis, check out our Cookie Consent Cheatsheet here.

Cookie banner

So in practice, you’ll need to show a banner at the user’s first visit, implement a cookie policy that contains all required information, and provide or inform users of the means by which they can refuse (or withdraw consent to) the processing. Prior to informed and explicit consent, no cookies – except for exempt cookies – can be installed.

The banner must:

  • briefly explain the purpose of the installation of cookies that the site uses;
  • be sufficiently conspicuous so as to make it noticeable;
  • link to (a cookie policy) or make available details of cookie purpose, usage and related third-party activity;
  • clearly state which actions will indicate consent.

Cookie policy

The Cookie Policy must:

  • describe in detail the purpose of installation of cookies;
  • indicate all the third parties who install or that could install cookies, with a link to the respective privacy policy, the cookie policy, and any consent forms;
  • inform the user of how they can exercise their right to refuse/withdraw consent.

Blocking cookies before consent

In compliance with the general principles of privacy legislation, which prevent processing before consent, the cookie law does not allow the installation of cookies before obtaining user consent. In practice, this means that you may have to employ a form of script blocking prior to user consent.

Consent to cookies can be provided by several actions

Subject to the local authority, these actions may include continued browsing, clicking on links or scrolling the page. In many cases, clicking on “ok”, closing the banner or continued navigation of a cookie-installing website can be considered active consent to the placing of cookies — provided that users had been previously and clearly informed about this consequence.

Exemptions to the consent requirement

Some cookies are exempt from the consent requirement and therefore are not subject to preventive blocking (though you’re still required to inform users about your use of cookies – see caution box below). The exemptions are as follows:

  • Technical cookies strictly necessary for the provision of the service. These include preference cookies, session cookies, load balancing, etc.
  • Statistical cookies managed directly by you (not third-parties), providing that the data is not used for profiling *
  • Anonymized statistical third-party cookies (e.g. Google Analytics) *

*This exemption may not be applicable for all regions and is therefore subject to specific local regulations.
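As an added example (not iubenda’s own code), the following DOM-free JavaScript models two points made above together: the consent record with the fields listed under “Records of consent should at least contain”, and the preventive blocking described under “Blocking cookies before consent”, where only exempt technical cookies may be installed before a valid, unwithdrawn consent. The category names, the script list and the `ConsentStore` class are assumptions for illustration; whether statistics cookies count as exempt is left configurable because the page notes it varies by region.

```javascript
// Added example, not iubenda's own code. Models two points from the text:
// (1) a consent record with the fields the page lists, and (2) preventive
// blocking: nothing non-exempt is installed before a valid, unwithdrawn consent.
// Category names, the script list and this class are assumptions for illustration.

// Only strictly necessary technical cookies are exempt by default. The page notes
// that the statistics exemption (*) varies by region, so it is configurable here.
const EXEMPT_BY_DEFAULT = ["necessary"];

class ConsentStore {
  constructor({ exemptCategories = EXEMPT_BY_DEFAULT, now = () => new Date() } = {}) {
    this.exempt = new Set(exemptCategories);
    this.now = now;              // injectable clock, so runs are deterministic
    this.records = new Map();    // userId -> latest consent record
  }

  // Record an opt-in. Refuses anything that would not be provable later:
  // missing identity, no explicitly chosen categories (no pre-ticked defaults),
  // or no record of what was disclosed and how consent was captured.
  give(userId, { categories, disclosures, method }) {
    if (!userId) throw new Error("record needs the identity of the user");
    if (!Array.isArray(categories) || categories.length === 0) {
      throw new Error("opt-in requires explicitly chosen categories");
    }
    if (!disclosures || !method) {
      throw new Error("record must keep the disclosures made and the method used");
    }
    const record = {
      userId,                                 // identity of the user
      consentedAt: this.now().toISOString(),  // when they consented
      disclosures,                            // what they were told
      method,                                 // how consent was obtained
      categories: new Set(categories),
      withdrawnAt: null,                      // whether (and when) withdrawn
    };
    this.records.set(userId, record);
    return record;
  }

  // Withdrawal is one call, as easy as giving consent. The record is kept,
  // not deleted, so the preference history stays provable.
  withdraw(userId) {
    const record = this.records.get(userId);
    if (!record) return null;
    record.withdrawnAt = this.now().toISOString();
    return record;
  }

  // The gate: may a script or cookie of this category be installed now?
  mayInstall(userId, category) {
    if (this.exempt.has(category)) return true;       // exempt: no prior consent needed
    const record = this.records.get(userId);
    if (!record || record.withdrawnAt) return false;  // no consent yet, or withdrawn
    return record.categories.has(category);
  }

  // Apply the gate to scripts a page is holding back; returns which may load.
  filterScripts(userId, scripts) {
    const allowed = [];
    const blocked = [];
    for (const s of scripts) {
      (this.mayInstall(userId, s.category) ? allowed : blocked).push(s.src);
    }
    return { allowed, blocked };
  }

  // Plain-object copy suitable for a consent log (Sets do not serialise to JSON).
  exportRecord(userId) {
    const r = this.records.get(userId);
    if (!r) return null;
    return { ...r, categories: [...r.categories].sort() };
  }
}

// Constructed sample input: scripts a page would hold back until the gate opens.
const PENDING_SCRIPTS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "https://analytics.example.com/collect.js", category: "statistics" },
  { src: "https://ads.example.com/pixel.js", category: "marketing" },
];

// Walk one user through first visit, opt-in to statistics only, then withdrawal.
function demo() {
  const store = new ConsentStore({ now: () => new Date("2024-01-15T10:00:00Z") });
  const firstVisit = store.filterScripts("user-42", PENDING_SCRIPTS);
  store.give("user-42", {
    categories: ["statistics"],
    disclosures: "Cookie banner v3: purposes, third parties, link to cookie policy",
    method: "banner checkbox",
  });
  const afterOptIn = store.filterScripts("user-42", PENDING_SCRIPTS);
  const log = store.exportRecord("user-42");
  store.withdraw("user-42");
  const afterWithdrawal = store.filterScripts("user-42", PENDING_SCRIPTS);
  return { firstVisit, afterOptIn, log, afterWithdrawal };
}

console.log(JSON.stringify(demo(), null, 2));
```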

Caution

The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user.
A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.

Other examples of these technical cookies would be user-centric session-based cookies used to detect authentication abuses, load-balancing session cookies, and Multimedia player session cookies related to and necessary for the provision of services requested by the user.

So does this mean that I don’t need to have a Cookie Banner in such cases?

Firstly, it’s critical to note that even where this exception to the consent requirement applies, you’ll still need to inform the user of your use of cookies via a cookie policy. The banner is not necessarily required in this specific instance if the cookie policy is easily accessible and visible from every page of the site.

In the future, the ePrivacy Directive will be replaced by the ePrivacy Regulation and, as such, will work alongside the GDPR. The upcoming regulation is expected to still uphold the same values as the directive.

FADP – Switzerland’s Federal Act on Data Protection

Originally established in 1992 and later partially updated in 2019, the FADP governs data privacy in Switzerland. The recent revision, passed on 25 September 2020 and effective from September 2023, integrates newer provisions resembling the GDPR while retaining its distinct Swiss principles.

Key Changes to the FADP

  1. Privacy by Design: Companies are now mandated to develop procedures with data compliance at their core.
  2. Sensitive Data: The definition has expanded to include biometric, genetic, and other information types.
  3. Impact Assessments: Required when there’s a considerable risk to data subjects’ rights or privacy.
  4. Extended Disclosure: Companies must obtain prior consent before processing sensitive personal data or when engaging in high-risk profiling.
  5. Register of Processing Activities: Companies need to maintain this, though some SMEs might be exempted.
  6. Data Breach Reporting: The FDPIC must be informed promptly in case of a data security breach.
  7. Profiling: The law now acknowledges the legal concept of automated personal data processing.
  8. Processing Basis: Processing of personal data is generally considered lawful. Specific legal bases are required under certain circumstances.
  9. Consent Mechanism: Consent from the data subject is mandatory only in select scenarios.
  10. Penalty: Targeted primarily at top-level executives in organizations.

FADP vs. GDPR Main Differences

While there are numerous nuances between the two laws, a few notable differences include:

  • Applicability: FADP covers both organizations inside and outside Switzerland processing Swiss residents’ data. In contrast, GDPR pertains to EU-based organizations or those processing EU residents’ data.
  • Sensitive Data Categories: The FADP’s definition is more expansive than the GDPR.
  • Agreements: Under FADP, data controllers and processors may have an agreement, while GDPR mandates a Data Processing Agreement.
  • Disclosure Obligations: Both laws have data disclosure requirements, but the GDPR mandates a few additional ones.
  • Transferring Data Abroad: FADP and GDPR have different provisions and exceptions.
  • Data Protection Officer: FADP makes this role optional, whereas GDPR mandates it for specific entities.
  • Data Breach Notifications: FADP emphasizes reporting only high-risk breaches, whereas GDPR has a stricter timeline and broader reporting mandate.
  • Penalties: The FADP imposes fines up to CHF 250,000, whereas GDPR can reach up to EUR 20 million or a fraction of the global turnover.

The updated FADP affects:

  • Private individuals processing personal data.
  • Federal agencies. It does not apply to individuals processing data strictly for personal purposes.

In conclusion, companies, especially those operating in or with Switzerland, need to familiarize themselves with the FADP’s new stipulations. Platforms like iubenda can assist in ensuring compliance, including having a robust privacy and cookie policy. As international data protection regulations continue to evolve, staying updated and compliant becomes crucial for organizations worldwide.


Situational Legal Requirements

E-commerce

In addition to the disclosures and requirements outlined above (and subject to your law of reference), if operating an e-commerce website or app, you’re further subject to the applicable commercial laws and industry rules.

These requirements are typically addressed via a valid, up-to-date terms and conditions document (also called ToS – terms of service, terms of use, or EULA – end user license agreement).

Regarding B2B commerce

Generally, those involved in B2B commercial transactions will be subject to whichever contract, industry and national guidelines are applicable. However, participating in B2B commerce often requires that personal data be processed (be it that of employees or otherwise); in such cases, and where the processing falls within its scope, the GDPR applies and takes precedence.

Regarding B2C commerce

Under most countries’ consumer laws, when selling to consumers, in addition to the default required privacy disclosures, you’ll need to inform customers of the following:

  • Returns/Refund details;
  • Warranty/ Guarantee information (where applicable);
  • Safety information, including instructions for proper use (where applicable);
  • Terms of delivery of product/ service;
  • Identifying information such as a legal address and business name;
  • Rights of consumers (such as withdrawal rights), where applicable;
  • Seller contact details (e.g. email address).

US law

In general, at least at the federal level, there are no rules in the United States that require businesses to include a terms and conditions document in their websites, as mandatory disclosures are mainly regulated on a state-by-state basis.

While e-commerce disclosure requirements come into consideration primarily at the state level, it is best practice and in businesses’ interest to include certain information in the Terms and Conditions document.

It is advisable for businesses to include provisions that protect their activity, such as limitations of liability, declaration of applicable law and jurisdiction, and a clear delivery and return policy.

How iubenda can help you

iubenda allows you to include different US-specific clauses in your Terms and Conditions:

  • DMCA clauses: the Digital Millennium Copyright Act provides safe harbor from copyright infringement liability to online service providers that meet certain requirements (in order to qualify for safe harbor protection, service providers—for example, those that allow users to post or store material on their systems, search engines, directories, and other information location tools—must, among other things, designate an agent to receive notifications of claimed copyright infringements, disclose the designated agent’s contact information and add a DMCA-specific policy);
    • How to find the related clause: Content rights → Advanced → DMCA clause
  • Exclusion of countries on a US sanctions list (if you are based or conduct business in the US): you can add a statement ruling out users: a) located in a country that is subject to a U.S. Government embargo, or that has been designated by the U.S. Government as a “State Sponsor of Terrorism”; or b) included in any U.S. Government list of prohibited or restricted parties. Note that, for example, this is a requirement mandated by Apple for apps distributed via the Apple App Store;
    • How to find the related clauses:
      • Mobile app → Base statements → Base clause for apps distributed via the Apple App Store
      • Target audience → Other → Exclude geographies that are on a US sanction/embargo list
  • Price displaying: in general, applicable laws might determine specific requirements on how prices must be displayed. According to US standards, you may specify, for example, whether prices are displayed either inclusive AND exclusive of applicable fees, taxes, and costs, depending on which part of “your application” is being viewed; or exclusive of applicable fees, taxes, and costs;
    • How to find the related clause: Business model, payments and user rights → Purchasing process → Purchasing process and prices → Advanced: purchasing process settings → Customize how prices are displayed → Specify how prices are displayed
  • Marketplace scenarios and marketplace service description: addition for applications targeting the US market;
    • How to find the related clauses:
      • Business model, payments and user rights → Base three-party scenario (“marketplaces”, “three-party scenario”) clauses → Marketplace scenarios → Base marketplace clauses → Marketplace service description → Describe your marketplace in the service description → “Your application” is a “comparison” service → Addition for applications targeting the US
      • Business model, payments and user rights → Base three-party scenario (“marketplaces”, “three-party scenario”) clauses → Marketplace scenarios → Base marketplace clauses → Wording/Description addition for applications targeting the US
  • Competent jurisdiction: you may state that the competence to decide any dispute that may arise belongs to the courts of the place where you are based, or other courts of your choosing, or add an arbitration clause. Furthermore, you may also include US-related trial by jury or class action waivers;
    • How to find the related clauses:
      • Common provisions → Governing law and venue → Define venue of jurisdiction
      • Common provisions → Governing law and venue → Define venue of jurisdiction → US users addition against trial by jury or class actions
  • US disclaimers of warranties, limitations of liability, and indemnity clauses;
    • How to find the related clause: Disclaimers of warranties, limitations of liability and indemnity → US practice → Address US users with applicable disclaimers of warranties, limitations of liability and indemnity clauses
  • Severability statement for US-type documents;
    • How to find the related clause: Common provisions → Severability statements → Severability statement addition for US-type documents/users
  • Wording for surviving provisions for US-type documents.
    • How to find the related clause: Common provisions → US related statements → Suggested wording for surviving provisions for US type documents/users

iubenda also offers some general clauses that, even if not US-specific, may be still applicable to the US, if selected. Here are some examples:

  • Clauses related to delivery: you may add different delivery clauses which are useful in order to describe your delivery procedure;
    • How to find the related clause: Business model, payments and user rights → General commerce and business model → Goods → Clauses related to delivery
  • Governing law: you may specify either that the governing law is the one of the place in which your business is located; or, in general, a governing law of your choice, if different. In principle, you may decide which law shall govern your terms and, by consequence, any related dispute (however, please note that, in most jurisdictions, there might be mandatory regulations overriding your choice of law, e.g., consumer laws);
    • How to find the related clause: Common provisions → Governing law and venue → Define governing law
  • Guarantee clauses (extension to non-EU users): in the US, at least at national level, businesses are generally not required to provide a warranty on products. However, in the occurrence of certain circumstances, an implied warranty may apply even in the absence of a written one (written warranties, if given, should at least adhere to industry standards of fairness and the provisions of the Uniform Commercial Code). With iubenda, on a voluntary basis, you may decide to extend the guarantee of conformity according to EU legislation to non-EU consumers. Obviously, this benefit may not prevent those consumers from enjoying any broader guarantee rights pursuant to their applicable law, if any;
    • How to find the related clause: Business model, payments and user rights → General commerce and business model → Goods → Guarantees related to goods → Mandatory guarantee of conformity for goods for European consumers → Advanced
  • Right of withdrawal (extension to non-EU users): in the US, at least at the federal level, businesses are generally not required to establish a return/refund policy for purchases made online, as in most cases this is regulated on a state-by-state basis. Under several state laws, if no refund or return notice was made available to consumers before purchase, consumers are automatically granted extensive return/refund rights. Although e-commerce disclosures are still mostly enforced at state level, it is common practice to include this information in your terms and conditions document. With iubenda, you have the option to extend withdrawal rights to non-EU users. Please note that this may result in a considerable effort for your business, since you will be obliged to accept returns from potentially anywhere in the world.
    • How to find the related clause: Business model, payments and user rights → User rights ― required by law or offered voluntarily by you → Mandatory right of withdrawal for consumers in the EU → “Right of withdrawal” section (required by law for European consumers) → Applicability of withdrawal right → You offer goods or services that the right of withdrawal applies to→ Advanced: voluntary extensions of the withdrawal right → Withdrawal target audience → Who the withdrawal right applies to (you can extend it here contractually)

However, we strongly recommend that you seek legal advice on the specific requirements of the market that you intend to target.

EU law

EU consumer law applies to contracts or other legal relationships between consumers on one side and businesses (professionals, companies, traders) on the other (B2C). It does not apply to B2B relationships (e.g. a supermarket places an order with its fruit supplier) or C2C relationships (e.g. I sell my old bike over eBay).

Among other things, under EU consumer law consumers have an unconditional 14-day right of withdrawal (the “cooling-off period”). This means that consumers may cancel or withdraw from a distance contract (sales concluded online, over the phone or by mail order) for any reason or no reason at all, within 14 days of receiving the product (for contracts involving goods).

It’s worth noting that 14 days is the statutory minimum; in specific countries, national rules may extend this period, and individual providers may extend it contractually.

This right to withdraw does not apply in all situations.

Some common exemptions are:

  • Event and travel tickets and car rental reservations, and more generally any contract related to leisure activities, if it provides for a specific date or period of performance;
  • Sealed media items such as CDs which have been unsealed by the recipient;
  • Digital content not supplied on a tangible medium, once the download or streaming has begun with the consumer’s express consent;
  • Made-to-order or distinctly personalized items (e.g. a tailored dress);
  • Services that have already been fully performed, provided that performance began with the consumer’s express consent and further conditions are met.

Consumers located in the EU are also protected by a default 2-year legal guarantee on the products they purchase, at no additional cost. Here again, 2 years is the statutory minimum: in specific countries, national rules may extend this period, and it can also be extended contractually.

These rules usually apply to any company selling to EU residents but may vary for international sellers on a case-by-case basis. It is worth noting, however, that in recent cases US courts have chosen to uphold the applicable EU law.

So what’s the difference between returning a product on the grounds of withdrawal and returning it on the grounds of a guarantee?

Withdrawal right:
  • Applies for 14 days after receipt of the product or signing of the contract
  • You don’t need any reason for exercising this right: you can simply change your mind
  • You may have to bear the costs of returning the product (but this must be specified)
  • Applies with some exceptions (some of which are mentioned above)

Legal guarantee:
  • Applies for 24 months after receiving the product
  • You may only return a product on guarantee grounds because it’s faulty or otherwise unsuitable for the purpose it was sold and purchased for
  • You may not be required to bear any cost (it’s “the seller’s fault” if the product is faulty)
  • Always applies to products, never to services

EU law also requires that sellers inform consumers of the European Online Dispute Resolution (ODR) platform via a direct link. The ODR platform is a process that allows consumers based in the EU to easily file complaints (in regard to online sales) against companies that are also established in the EU. This means that ODR requirements can also apply to US companies that have any kind of physical presence in the EU.

Note: UK businesses and UK consumers can no longer access the ODR platform after Brexit.

Generally, privately owned websites (or similarly private social network profiles, blogs etc.) that merely have a private and personal purpose are not subject to additional regulations, however, various EU and national acts require online commercial operators to disclose certain information.

In order to be deemed “commercial”, it is not necessary that you actually “sell” anything: a personal website may easily be considered commercial if, for instance, it generates considerable traffic and thereby creates relevant advertising revenue (e.g. influencers). However, if you do “sell” products or services, the information duties increase.

If you sell directly to consumers (B2C), you’ll face additional information duties including but not limited to those listed above, such as linking to the EU online dispute resolution platform, listing precise delivery times, and making disclosures regarding prices and applicable taxes as outlined in Directive 2011/83/EU (the Consumer Rights Directive).

Emails and Newsletters

An e-mail address is considered personal data. Therefore, whenever dealing with e-mail addresses, privacy law is triggered. As we have mentioned already, under most legislations you’re required to inform extensively about the processing activities, their purposes and the rights of users.

Generally, such legislations apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list, as in such a case you may not know the recipient’s country of residence.

For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.

US law

Under the US CAN-SPAM Act (enforced by the FTC), you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages. However, every commercial message must give recipients a clear and conspicuous means of opting out of further contact, and opt-out requests must be honored promptly (within 10 business days). Messages must also not use misleading header information, must be identifiable as advertisements and must include your valid physical postal address.

EU law

Under EU law (the GDPR and, for direct marketing by email, the ePrivacy Directive) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process: informing the user, and then obtaining verifiable consent via an affirmative action (a pre-ticked box or inactivity does not count).

💡 You can read more about legal requirements regarding Newsletters and Email lists here.

Children

US law

Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13, or which have actual knowledge that they are collecting personal information from children under 13 must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information and must keep secure the information they collect from children.

A central requirement of this Act is having a COPPA-compliant privacy policy in place. You can read more about compliance in the sections below and learn more about COPPA here.

EU law

Under the GDPR, consent is one of the lawful bases that can be used for processing the personal data of children. If you rely on it when offering an online service directly to a child, the GDPR sets the age of digital consent at 16, and Member States may lower this threshold to no less than 13. Below the applicable threshold you must obtain consent from the holder of parental responsibility and make reasonable efforts to verify it. Parental consent is not required in the context of preventive or counselling services offered directly to a child.

💡 You can learn more about legal requirements regarding children here.


Other Legal Considerations

Setting Terms and protecting your business

Though not always legally required, a Terms & Conditions (T&C) document (also known as a Terms of Service, End-user license agreement or a Terms of Use agreement) is often necessary for the sake of practicality and safety. It allows you to regulate the contractual relationship between you and your users and is therefore essential for, among other things, setting the terms of use and protecting you from potential liabilities.

The T&C document is essentially a legally binding agreement; therefore not only is it important to have one in place, but it’s also necessary to ensure that it meets legal requirements.

Generally, standard contract terms will apply and, under most laws, contracts used by traders must be fair. This means that the document must be up-to-date with all applicable regulations, precise, visible and easily understandable, so that users can both easily see it and agree to it.

The “agreeing action” should be done in an unambiguous way (e.g. clicking a checkbox with a visible link to the document before being able to create an account or use the service).

While the full content may vary based on the particulars of your business, the Terms and Conditions should at least include the following:

  • Identification of the business
  • Description of the service that your site/app provides
  • Information on risk allocation, liability, and disclaimers
  • Warranty/Guarantee information (where applicable)
  • The existence of a withdrawal right (if applicable)
  • Safety information, including instructions for proper use (where applicable)
  • Terms of delivery of product/service
  • Rights of use (if applicable)
  • Conditions of use/purchase (e.g. age requirements, location-based restrictions)
  • Refund policy/exchange/termination of service and related info
  • Info related to methods of payment
  • Any additional applicable terms

💡 You can learn more about Terms and Conditions here and how to create them.


Third-party Requirements

Third-party apps and services also need to follow the law. As organizations themselves, they too can be exposed to major reputational damage, fines, and sanctions if their legal obligations are not met. For this reason, it’s often mandatory that all partners and customers that use their services meet regulatory standards.

Generally, they require that organizations that use their services have in place a compliant privacy policy (and a cookie policy if cookies are in use) that discloses relevant details about the relationship and the services rendered.


One example is Google. In order to access certain services and tools (for example, AdSense, Google Analytics, Google Play store), Google requires that you have a comprehensive and up-to-date privacy policy in place. Here’s an excerpt from the Google Analytics terms of use:

“You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect traffic data”, and “You must not circumvent any privacy features (e.g, an opt-out) that are part of the Service.”

Another example is that of Amazon. Here’s an excerpt of what they had to say:

We extended the requirement to disclose our affiliate relationship to any means where you may be leveraging Associates’ content.

From time to time third party requirements can change in response to internal or regional regulations. It is, therefore, necessary to ensure that your policies meet the latest requirements in order to avoid potential penalties or interruption of service.

💡 You can read more about Google‘s requirements here, and Amazon‘s here.


Consequences of non-compliance

The legal ramifications of non-compliance include:

Fines

Non-compliance with CalOPPA or COPPA may lead to government officials bringing suit or seeking civil penalties against you. In one example, the owners of the Imbee website were fined US$130,000 for COPPA violations of allowing children under 13 to register without parental consent.

Similar fines can apply under other state and federal laws. Non-compliance with GDPR requirements can carry fines of up to EUR 20 million (€20m) or 4% of annual worldwide turnover, whichever is greater.

Disciplinary measures

Disciplinary measures may be implemented against you if you are found to be in violation of regulations. These measures may include but are not limited to official reprimands (for first-time violations) and periodic data protection audits. The GDPR gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations.

So, for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of your data processing operations. If it’s found that some processing activity was done unlawfully, not only may a fine be imposed, but you may also be forbidden from making further use of the data subject to the inquiry. This means that if the violation concerned email address collection, you risk being barred from using the entire associated email list.

Non-compliance with consumer or competition law (acts of unfair competition) may also entail fines by the competent (mostly national) authorities.

Liability damages

It is a general principle of civil law that you have to compensate any unjust damage you’ve caused to someone else, in particular by violating a legal prescription. Among other acts, both the GDPR and CalOPPA grant individual users the right to claim compensation for damages resulting from a violation of their rights. The same reasoning applies to any other applicable act or law, such as the EU’s consumer protection provisions.

Remember that liability for damages applies in all relationships: also a business partner may be entitled to compensation if you violated a legal provision. For example, selling counterfeit goods via a partner platform like Amazon might result in the company taking legal action against you alongside the customers who purchased the counterfeit goods.

Loss of services and contractual penalties

Some third-party services (including marketplaces and app stores) may make compliance with specific regulations a part of their terms of use; violation of their terms may lead to service termination or potentially, permanent bans.

Here is an example from Amazon Web Services Partner Network’s Terms and Conditions in regards to consent:

For any Third-Party Data you provide to AWS, you represent and warrant that you have received all necessary consents for (a) you to share the Third Party Data with AWS and its Affiliates, and (b) AWS and its Affiliates to use the Third-Party Data to contact its subject(s) to market our goods and services and the Program.

Criminal law

Lastly, but perhaps most significantly, where certain conditions are met it’s possible to face consequences under criminal law. If, for instance, you wilfully breach or ignore data protection provisions for commercial purposes (e.g. you sell people’s personal data without telling them) you may face severe consequences. However, criminal law is largely a national matter: conditions and consequences must be checked on a case-by-case basis.


How iubenda can help you with compliance

We believe in the importance of a comprehensive approach to data law compliance, for this reason, we keep track of the major legislations and build solutions with the strictest regulations in mind — giving you full options to customize as needed.

This way, you can ensure that you meet your legal obligations (regardless of where your customers are located), reduce your risk of litigation and protect your customers, building trust and credibility.


Here’s what you need to get started with full compliance:

Informing users about personal data with a privacy policy

As mentioned above, users must be informed about how you use their personal data. As such, privacy policies are legally required almost everywhere in the world. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.

Our Privacy Policy Generator is affordable, available in several languages, lawyer-crafted, customizable and self-updating (as it’s monitored remotely by our lawyers). It easily allows you to create a clear, precise privacy policy and seamlessly integrate it with your website or app. You can simply add any of several pre-made clauses at the click of a button or easily write your own custom clauses.

The privacy policy also comes with the option to include a cookie policy (it’s necessary to include it if your website or app is using cookies). The policies are customized to your needs and remotely maintained by a legal team.


💡 For more information on how to generate your privacy policy, click here.

Complying with the EU Cookie Law

Because using cookies means both processing user data and installing files used for tracking, it is a major point of concern when it comes to user data privacy rights. For this reason, if you operate in the EU or could potentially have EU users, you need to comply with the Cookie Law.

There are four parts to this:

  1. Cookie policy, which you can find included as an option in the privacy policy generator mentioned above.
  2. Cookie banner which you can get with the iubenda Privacy Controls and Cookie Solution.
  3. Facilitating consent — giving the user the information and option to give, refuse or withdraw consent.
  4. Preemptively blocking (prior blocking) cookie-installing scripts prior to obtaining user consent.

Our Privacy Controls and Cookie Solution complies with provisions of the ePrivacy Directive (Cookie Law). It allows you to easily inform users and obtain their consent while including the option to preemptively block any scripts that install cookies prior to user consent (which is required in many EU countries). It’s easy to run, fast and does not require heavy investments.

→ Have your questions answered live and learn more about both the Privacy and Cookie Policy Generator and the Privacy Controls and Cookie Solution by attending one of our free English webinars.

💡 For more information on our Privacy Controls and Cookie Solution, click here.

Protecting you or your business with proper Terms and Conditions

Though not always legally required, terms & conditions are pragmatically required. The document governs the contractual relationship between you and your users and sets out, in a legally binding way, how your product, service or content may be used.

It is therefore vital that this contract be precise and up-to-date with all applicable regulations. It should include the general conditions for use of your service with special attention to “limitation of liability” clauses and disclaimers.

Our Terms & Conditions generator helps you to easily generate and manage Terms and Conditions that are professional, customizable from over 100 clauses, available in 8 languages, drafted by an international legal team and up to date with the main international legislations.

It is powerful, precise, and capable of handling even the most complex, individual scenarios and customization needs.

It comes with:

  • guided set-up;
  • hundreds of possible personalizations;
  • legislation monitoring;
  • plug-and-go integrations for popular store platforms such as Shopify and WooCommerce;
  • pre-defined scenarios: buildable text modules for marketplace, affiliate programs, copyright, e-commerce, mobile, and more.

The solution is optimized for everything from e-commerce, blogs and apps to complex scenarios like marketplaces and SaaS.

Getting started is easy. Simply activate the Terms and Conditions (uses 1 Ultra license) within your dashboard and start generating.

💡 For a list of the full features of the Terms and Conditions Generator, click here or read the guide here.

Managing consent and maintaining detailed records related to it

In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected.

These records must show:

  • when consent was provided;
  • who provided the consent;
  • what their preferences were at the time of the collection;
  • which legal or privacy notice they were presented with at the time of the consent collection;
  • which consent collection form they were presented with at the time of the collection.

Our Consent Database simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.

To use, simply activate the Consent Database and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.

💡 For a list of the full features of the Consent Database click here or read the guide here.

Register of Data Processing Activities

Meeting GDPR regulations can be a technical challenge to implement in practical terms. This is especially true for your register of data processing activities. In order to be compliant, you must be able to keep track of and to describe:

  • which data you collect;
  • for which purposes it was collected;
  • the legal basis for processing;
  • data retention policy for each processing activity;
  • the parties involved (both inside and outside your organization);
  • security measures;
  • data transfer outside of the EU, if any; and
  • other related details which may apply company-wide, including data of employees.

Our solution helps you to easily record and manage all the data processing activity within your organization so that you can easily comply with requirements and meet your legal obligations.

It allows you to create records of processing activity:

  • add processing activities from 1700+ pre-made options;
  • divide them by area (sub-divisions within which data processing activities are the same);
  • assign processors and other member roles; and
  • document legal bases and other GDPR-required records.

Please note: even if your processing activities somehow fall outside of the situations mentioned previously in this guide, your information duties to users (Articles 13 and 14 of the GDPR) make it necessary for you to keep basic records of which data you collect, its purpose, all parties involved in its processing and the data retention period. This is mandatory for everyone.

Additionally, even though the GDPR is a common reason to put more effort into your register of data processing activities, our tool is not exclusively made for application under the GDPR. It can also be used for all your data processing activities in general, even by companies who do not have any users/customers within the EU.

→ Have your questions answered live and learn more about both the Consent Database and Register of Data Processing Activities Solution by attending one of our free English webinars.

Please note that from time to time, laws are amended and updated. It’s therefore important to ensure that your policies meet the latest requirements. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.

See also