Law for Data Privacy


Globally, data privacy is now recognized as one of the most valuable assets of organizations, triggering the need for a stringent level of data protection. 2020 is set to become a momentous year for data protection legislation across the globe, with the enforcement of the California Consumer Privacy Act (CCPA) likely to grab headlines and set the tone for further US legislation at the state and federal levels. New data protection legislation also came into force in Brazil and Thailand. Countries such as India and South Korea joined the global movement for stricter data protection laws.

The year 2020 kicked off with a bang on 1st January as the California Consumer Privacy Act (CCPA) officially came into force. While the CCPA cannot be enforced by the California Attorney General (AG), the final regulations might be promulgated on 1st July 2020; Attorney General Xavier Becerra has stated that the CCPA compliance deadline remained 1st January. This means that enforcement will be applied retroactively by the Attorney General, covering violations dating back to 1 January 2020. The CCPA gives consumers a private right of action and statutory damages against businesses that suffer data breaches due to a failure on their part to implement and maintain reasonable security procedures and practices. The private right of action, however, applies only to some of the categories of personal information as defined under California’s breach notification statute, not the CCPA.

Two other significant data protection laws coming into effect in 2020 are Brazil’s Lei Geral de Proteção de Dados (LGPD) and Thailand’s Personal Data Protection Act (PDPA). The LGPD, closely modeled after the EU’s General Data Protection Regulation (GDPR), will come into force on 15 August 2020 and will apply to all companies that handle the personal information of Brazilian residents, whether they are physically located within the country or not. With the provisions providing for the creation of the Autoridade Nacional de Proteção de Dados (ANPD), the body tasked with enforcing the new legislation, finally promulgated in 2019, the LGPD is now set to follow in the steps of the GDPR.

Several data protection legislation initiatives are likely to go through the final approval stages in 2020. Most prominent among these is India’s Personal Data Protection Bill, 2020. The Bill has been referred to a Joint Parliamentary Committee for detailed examination, and the report is expected by the Budget Session, 2020. The Bill seeks to provide for the protection of personal data of individuals, create a framework for processing such personal data, and establish a Data Protection Authority for the purpose.

On 9 January 2020, South Korea introduced 3 major Amendments to the Personal Information Protection Act (‘PIPA’), the Act on the Promotion of Information and Communications Network Utilization and Information Protection (‘Network Act’) and the Act on the Use and Protection of Credit Information (‘Credit Information Act’).

The Amendments largely aim to:

  • Minimize the burden of redundant regulatory activities and confusion among regulated persons stemming from previously overlapping data privacy regulations and multiple supervisory bodies; and
  • Develop a ‘data economy’ by introducing the concept of ‘pseudonymized data’ and a legal basis upon which data may be utilized more flexibly (to an extent reasonably related to the original purpose of collection).


Yes, you do! Your application will collect user information for its analytics and mobile advertising features, which means you must have a privacy policy visible in the App Store or Google Play profile of your application and accessible within the application itself. So you are required by law to have a Privacy Policy. With rare exceptions, privacy policies are required by law for website owners and mobile app developers. Mobile app developers are under far more scrutiny for privacy violations than website or blog owners, so it is even more important to get it right. Although not required by law, having a good privacy policy is essential to protect yourself, your products, and your mobile app. The four major reasons your app needs a privacy policy are:

  1. Adhering to the law
  2. Staying above board with third-party distributors
  3. Building trust with consumers
  4. Making more money (and keeping it)

In most countries, privacy laws require that you tell your users when you are collecting their data through your app or website. User location data will most certainly be classed as “personal” information or data for most privacy laws. This means that not only do you need a Privacy Policy, but you also need to include certain things in it. Depending on the country, some laws may be stricter or more comprehensive than others. Laws that require a privacy policy include:

  1. European Union: General Data Protection Regulation (GDPR)
  2. Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  3. USA: The California Online Privacy Protection Act (CalOPPA) and The California Consumer Privacy Act (CCPA)
  4. UK: Data Protection Act 1998 (DPA)

Privacy is considered to be a fundamental human right, and violations of this right are taken extremely seriously around the world. The punishment for not displaying a Privacy Policy on your website or app when you collect personal information very much depends on the country whose privacy laws you have breached.


One of the primary functions of a Privacy Policy is to state which types of personal data are collected from the app users, and how the owner of the application or website uses this information. An application requires a Privacy Policy by law if it collects personal data. Legally, the application doesn’t need a privacy policy if the app doesn’t collect data. It’s best to have a Privacy Policy; if you are not collecting any kind of data, having one is not a legal requirement, but it is a common courtesy to your users.

The main reasons are that people expect websites and apps to have a Privacy Policy and may distrust a company that doesn’t have one. If an app does not have a Privacy Policy, it may be constantly asked to prove that it doesn’t collect data. A business that doesn’t require a Privacy Policy may require one in the future, and it is far easier to update an existing policy than to draft a whole new one. Also, third-party services that the application uses may collect personal information even if the application’s users don’t expect the app to do so. The application also needs a Privacy Policy if the app uses third-party services that track users for analytics or display targeted advertising. Even seemingly anonymous data, such as the web browser someone uses, is considered their personally identifiable information because it can be used in combination with other types of data to identify an individual. Because of this, you have to post a privacy policy. A Privacy Policy keeps users and yourself legally compliant.


Well, technically it’s a copyright infringement. The better approach is to review the Privacy Policies of the major sites that do things similar to what you plan to do, to get an idea of the issues that they are addressing, and then use that information (which is public and therefore not a trade secret) to draft your Privacy Policy. The dangers and legal consequences of copying another website’s privacy policy extend beyond the likelihood that the policy will not fill your business needs. Privacy policies are copyright-protected documents. In other words, it is illegal to copy them without permission. If your agent – web developer, employee, or web service – copies the policies, you are still legally responsible for their acts. There’s a lot of cut and paste in lawyering; some of the similarity in privacy policies may come from groups of attorneys within a firm borrowing from their past work and the work of their colleagues, rather than cribbing from agreements from others. The value of using a firm that has done start-up work for years is that they have tools and examples from years of deals. General advice: don’t scrimp too much on legal advice in your alpha stage. It may save you a lot of money and drama later.


Especially for new business owners and start-ups, drafting legal agreements like a Privacy Policy can be a daunting task. Once the final draft is complete and the Privacy Policy is published, you can breathe a brief sigh of relief, but your work is not yet finished. A legally compliant Privacy Policy won’t do your business any good if no one sees it. Also, making your Privacy Policy easy to locate and access is a requirement of some privacy laws. There was a time when internet privacy practices were decidedly shady. When the Federal Trade Commission (FTC) and other authorities suggested that online businesses post a public Privacy Policy, many companies posted the policy, but website navigation to the page would be nearly invisible or non-existent.

To close loopholes like these, regulations were put in place to ensure that consumers had easy access to Privacy Policies that may concern personal data. These two laws are the pertinent regulations that apply to most online businesses:

  • CalOPPA – California’s Online Privacy Protection Act applies to any business that collects personal data from California residents. Regarding Privacy Policy accessibility, CalOPPA states that:

The website or online service shall “conspicuously post its privacy policy” in a way that is “set off from the surrounding text” so that “a reasonable person would notice it.”

  • GDPR – Europe’s General Data Protection Regulation can be enforced on any company that collects personal information from European residents. The GDPR states the following regarding Privacy Policies:

The Privacy Policy must be “easily accessible” and written in a way that is “concise, transparent, and intelligible…using clear and plain language.”

Beyond these specific requirements, regulations like the GDPR and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) also require that consumers be informed of how their information is used when they give their consent for data processing.

Ultimately, it’s up to you to determine what kind of privacy policy your application needs, and you should consult with a legal professional. However, there are some helpful links to get you started. Likewise, there are privacy policy generators that often offer basic privacy policies for free. Additionally, the FTC’s website has a lot of information to help guide US businesses in particular. Again, we emphasize that you should consult with an attorney on what type of policy is best for your needs.


So if you run a mobile app that collects personal information from the app users, you need a Privacy Policy to comply with legislation around the world. Even if your app doesn’t directly collect personal data, you may still need a Privacy Policy if you utilize a third-party tool such as Google Analytics to collect data on your behalf. Personal data can take many forms. It could be the user’s name, email address, telephone number, or physical address. It can also be less obvious types of data such as IP addresses, log data, and information collected through cookies.

This article has provided information about the law designed to help our readers better understand the legal issues surrounding internet marketing. But legal information is not the same as legal advice, which is the application of the law to an individual’s specific circumstances. Although we have conducted research to better ensure that our information is accurate and useful, we insist that you consult a lawyer if you want professional assurance that our information, and your interpretation of it, is accurate. To clarify further, you may not rely upon this information as legal advice, nor as a recommendation or endorsement of any particular legal understanding.